
soa-rm-ra message



Subject: Trust and risk


Dave Ellis and I batted around some ideas this afternoon and I believe  
we have a pretty clear picture.  I've expanded somewhat as I've tried  
to capture our discussion.  Read on and see what you think.

<trust_risk>

Trust
-------
Trust is a personal perception or conclusion that some entity will  
perform actions that will lead to an identifiable set of real world  
effects.  Trust can be defined in two contexts: trust as part of  
interaction and trust of actions in which the trusting party has no  
active part.

For trust in the context of interaction, the trusting party is  
prepared to perform actions as part of an interaction with some party,  
and that other party's actions can be considered a response.  The  
trusting party expects the response will lead to real world effects  
that are desired but which the trusting party cannot accomplish by  
itself.  For example, I submit an order for a book with an online  
bookstore and supply my credit card information as payment.  This  
implies I trust the bookstore to send me the correct book and not  
misuse my credit card.

For trust without direct interaction, the trusting party is an  
observer.  The trusting party again expects some other entity to  
perform actions  leading to certain real world effects but those  
actions are perceived to be independent of actions on the part of the  
trusting party.  The expected real world effects may be considered  
desirable, undesirable, or neutral by the trusting party.  For  
example, I may trust a browser indicating an SSL connection is  
sufficiently secure that I would be willing to provide credit card  
information for transmittal to another party.

Trust is based on evidence available to the trusting party.   
Therefore, trust is not binary, i.e. a party is not completely trusted  
or untrusted, because there is typically some degree of uncertainty in  
the accuracy or completeness of the evidence.  The evidence may be  
physical artifacts or a set of information from which the trusting  
party can assess the degree of trust.

The degree of trust exists as a property of the trusting party with  
respect to another party or class of parties.  For example, I may  
trust all police officers.  If the trusting party is aware that  
actions by numerous other parties are required in order to realize  
certain real world effects,  the collection of trust applicable to  
each step may be considered a chain of trust.  However, trust is not  
transferred from the initial trusting party to others in the chain.   
Rather, the initial trusting party has an overall trust with the party  
participating in the initiating interaction, a trust that the actions  
performed by all parties throughout the process will lead to the  
expected effects.  Each party in the chain has an individual level of  
trust with its immediate interacting party, but this may have little  
or no impact on the overall level of trust of the initiating party.

Risk
------
Risk is a personal perception or conclusion that certain undesirable  
real world effects may come into being.  As with trust, risk can occur  
in the context of interaction or without actions on the part of the  
party perceiving the risk.  The party perceiving risk may take actions  
to mitigate the risk.  For example, I assess a high degree of risk to  
clicking on an email link where I believe the email to be spam, and I  
forgo any possible benefit by not clicking on the link.  Alternately,  
I see a risk in having a hard drive fail and I mitigate the effect of  
losing files by backing up those I consider important.

As with trust, risk is not transferred along a chain but risk may be  
accepted as part of an interaction.  Consider two scenarios.  In the  
first, a sender desires to send a family photograph to another family  
member who acts as the receiver.  The photograph is sent by way of a  
courier service and insured for $200.  While the photograph is in  
transit, the sender has the risk the irreplaceable photograph can be  
lost.  The courier's risk is the cost of the $200 insurance and there  
is no sense of additional risk because of the nature of the  
photograph.  There is an acceptance of risk by the courier but not a  
transfer from the sender; the sender continues to have the original  
risk of loss.

As a second scenario, consider the same sender and courier but this  
time the item being sent is something easily purchased for $200.  Once  
the courier agrees to insure the package, the sender is relieved of  
all risk except for possibly the inconvenience of the insurance claim  
and purchasing the replacement.  The courier has the identical risk as  
in the first scenario -- the cost of the $200 insurance.

Relationship between trust and risk
------------------------------------------------
A party's actions are based on a combination of perceived trust and  
perceived risk.  If there is little or no perceived risk, then the  
degree of trust may not be relevant in assessing possible actions.   
For example, most people consider there to be an acceptable level of  
risk to privacy when using search engines, and submit queries without  
any sense of trust being considered.

As perceived risk increases, the issue of trust becomes more of a  
consideration.  There are recognized risks in providing or accepting  
credit cards as payment, and standard procedures have been put in  
place to increase trust by mitigating risk.  For interactions with a  
high degree of risk, the trusting party requires stronger or  
additional evidence when evaluating the balance between risk and trust  
when deciding whether to participate in an interaction.

</trust_risk>

Now this is a fairly general discussion of trust and risk.  While a  
decent lead-in (assuming concurrence after some degree of  
modification), what is missing is how this relates to SOA.  Do  
activities in a SOA ecosystem merely mirror other activities, and thus  
trust and risk are applicable in the same ways?  Or, is there  
something special in SOA?  I expect David will tell us there are  
special things, and that is what we need to capture next.

Ken

-----------------------------------------------------------------------------
Ken Laskey
MITRE Corporation, M/S H305      phone: 703-983-7934
7515 Colshire Drive                         fax:       703-983-1379
McLean VA 22102-7508






