Re: [soa-rm-ra] Trust and risk

[Ken Laskey <klaskey@mitre.org>]

see just a few responses inline.  Most of your comments will take a  
little thought to include but are reasonable.  Right now, my Hemingway  
moment has passed.
On Mar 19, 2009, at 10:04 PM, Rex Brooks wrote:

> Thanks Ken, Dave,
>
> Can we set up a three-way conference in the near future, like maybe
> tomorrow? Please see my previous post for context.
>
> Comments inline
>
> At 8:44 PM -0400 3/19/09, Ken Laskey wrote:
>> Dave Ellis and I batted around some ideas this afternoon and I
>> believe we have a pretty clear picture.  I've expanded somewhat as
>> I've tried to capture our discussion.  Read on and see what you
>> think.
>>
>> <trust_risk>
>>
>> Trust
>> -------
>> Trust is a personal perception or conclusion that some entity will
>> perform actions that will lead to an identifiable set of real world
>> effects.  Trust can be defined in two contexts: trust as part of
>> interaction and trust of actions in which the trusting party has no
>> active part.
>
> I'd use assessment instead of conclusion, and I still like "personal
> assessment or internal perception" but I don't prefer it so much that
> I'd lose sleep over it. I'd also term the two context types as:
> "interaction-based experience" context with an example of the
> trusting party having interacted previously with the trusted party;
> and,
> "state-based"  willingness context to trust based on the trusted
> party's reputation with an example of a trusted service having
> established a reputation for trustworthiness in the ecosystem.
>
>> For trust in the context of interaction, the trusting party is
>> prepared to perform actions as part of an interaction with some
>> party, and that other party's actions can be considered a response.
>> The trusting party expects the response will to lead to real world
>> effects that are desired but which the trusting party cannot
>> accomplish by itself.  For example, I submit an order for a book
>> with an online bookstore and supply my credit card information as
>> payment.  This implies I trust the bookstore to send me the correct
>> book and not misuse my credit card.
>
> I'd tweak it a bit, with personal experience leading to trusted
> party's willingness to perform actions as part of an interaction.
>
>> For trust without direct interaction, the trusting party is an
>> observer.  The trusting party again expects some other entity to
>> perform actions  leading to certain real world effects but those
>> actions are perceived to be independent of actions on the part of
>> the trusting party.  The expected real world effects may be
>> considered desirable, undesirable, or neutral by the trusting party.
>> For example, I may trust a browser indicating an SSL connection is
>> sufficiently secure that I would be willing to provide credit card
>> information for transmittal to another party.
>
> I'd tweak it a bit with the expectation of the trusting party being
> based on the state of the trusted party's reputation in the ecosystem.
>
>> Trust is based on evidence available to the trusting party.
>> Therefore, trust is not binary, i.e. a party is not completely
>> trusted or untrusted, because there is typically some degree of
>> uncertainty in the accuracy or completeness of the evidence.  The
>> evidence may be physical artifacts or a set of information from
>> which the trusting party can assess the degree of trust.
>
> I think what is meant is bi-drectional not binary (purely
> machine-understandable/processable v. human-readable).

No, I meant binary.  Trust is not yes I do or no I don't.  There is  
(see below) a balance with risk I need to achieve, possibly a minimum  
threshold, but trust isn't [0,1].

>
>
>> The degree of trust exists as a property of the trusting party with
>> respect to another party or class of parties.  For example, I may
>> trust all police officers.  If the trusting party is aware that
>> actions by numerous other parties are required in order to realize
>> certain real world effects,  the collection of trust applicable to
>> each step may be considered a chain of trust.  However, trust is not
>> transferred from the initial trusting party to others in the chain.
>
> Good point, but the example moves out of the scope of the RA. It
> would be better to say one may trust all reports made by police
> officers in a service such as a criminal history reporting service
> and I think that works better to establish the chain of trust.
>
>> Rather, the initial trusting party has an overall trust with the
>> party participating in the initiating interaction, a trust that the
>> actions performed by all parties throughout the process will lead to
>> the expected effects.  Each party in the chain has an individual
>> level of trust with its immediate interacting party, but this may
>> have little or no impact on the overall level of trust of the
>> initiating party.
>>
>> Risk
>> ------
>> Risk is a personal perception or conclusion that certain undesirable
>> real world effects may come into being.  As with trust, risk can
>> occur in the context of interaction or without actions on the part
>> of the party perceiving the risk.  The party perceiving risk may
>> take actions to mitigate the risk.  For example, I assess a high
>> degree of risk to clicking on an email link where I believe the
>> email to be spam, and I forgo any possible benefit by not clicking
>> on the link.  Alternately, I see a risk in having a hard drive fail
>> and I mitigate the effect of losing files by backing up those I
>> consider important.
>
> Excellent.
>
>> As with trust, risk is not transferred along a chain but risk may be
>> accepted as part of an interaction.  Consider two scenarios.  In the
>> first, a sender desires to send a family photograph to another
>> family member who acts as the receiver.  The photograph is sent by
>> way of a courier service and insured for $200.  While the photograph
>> is in transit, the sender has the risk the irreplaceable photograph
>> can be lost.  The courier's risk is the cost of the $200 insurance
>> and there is no sense of additional risk because of the nature of
>> the photograph.  There is an acceptance of risk by the courier but
>> not a transfer from the sender; the sender continues to have the
>> original risk of loss.
>>
>> As a second scenario, consider the same sender and courier but this
>> time the item being sent is something easily purchased for $200.
>> Once the courier agrees to insuring the package, the sender is
>> relieved of all risk except for possibly the inconvenience of the
>> insurance claim and purchasing the replacement.  The courier has the
>> identical risk as in the first scenario -- the cost of the $200
>> insurance.
>>
>> Relationship between trust and risk
>> ------------------------------------------------
>> A party's actions are based on a combination of perceived trust and
>> perceived risk.  If there is little or no perceived risk, then the
>> degree of trust may not be relevant in assessing possible actions.
>> For example, most people consider there to be an acceptable level of
>> risk to privacy when using search engines, and submit queries
>> without any sense of trust being considered.
>>
>> As perceived risk increases, the issue of trust becomes more of a
>> consideration.  There are recognized risks in providing or accepting
>> credit cards as payment, and standard procedures have been put in
>> place to increase trust by mitigating risk.  For interactions with a
>> high degree of risk, the trusting party requires stronger or
>> additional evidence when evaluating the balance between risk and
>> trust when deciding whether to participate in an interaction.
>>
>> </trust_risk>
>>
>> Now this is a fairly general discussion of trust and risk.  While a
>> decent lead-in (assuming concurrence after some degree of
>> modification), what is missing is how this relates to SOA.  Do
>> activities in a SOA ecosystem merely mirror other activities, and
>> thus trust and risk are applicable in the same ways?  Or, is there
>> something special in SOA?  I expect David will tell us there are
>> special things, and that is what we need to capture next.
>
> I suggest a discussion of how evidence of trust and risk effect the
> trusting party's level of confidence in the eventual outcome in the
> real world effect, e.g. when perceived risk increases.
>

This still sounds like regular life, not SOA.  What can we  
specifically say is different or special to SOA?  Maybe somehow tying  
evidence to description, especially annotations and metrics.   
Something about the likelihood you'll never be face-to-face.   
Something about the unanticipated consumer and the unanticipated use?   
Monitoring to collect evidence that may go beyond metrics, e.g.  
Frank's "safe"?

> Cheers,
> Rex
>
>
>> Ken
>>
>>
>
> -- 
> Rex Brooks
> President, CEO
> Starbourne Communications Design
> GeoAddress: 1361-A Addison
> Berkeley, CA 94702
> Tel: 510-898-0670

-----------------------------------------------------------------------------
Ken Laskey
MITRE Corporation, M/S H305      phone: 703-983-7934
7515 Colshire Drive                         fax:       703-983-1379
McLean VA 22102-7508