[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [soa-rm-ra] Trust and risk
At 10:17 PM -0400 3/19/09, Ken Laskey wrote: >see just a few responses inline. Most of your >comments will take a little thought to include >but are reasonable. Right now, my Hemingway >moment has passed. >On Mar 19, 2009, at 10:04 PM, Rex Brooks wrote: > >>Thanks Ken, Dave, >> >>Can we set up a three-way conference in the near future, like maybe >>tomorrow? Please see my previous post for context. >> >>Comments inline >> >>At 8:44 PM -0400 3/19/09, Ken Laskey wrote: >>>Dave Ellis and I batted around some ideas this afternoon and I >>>believe we have a pretty clear picture. I've expanded somewhat as >>>I've tried to capture our discussion. Read on and see what you >>>think. >>> >>><trust_risk> >>> >>>Trust >>>------- >>>Trust is a personal perception or conclusion that some entity will >>>perform actions that will lead to an identifiable set of real world >>>effects. Trust can be defined in two contexts: trust as part of >>>interaction and trust of actions in which the trusting party has no >>>active part. >> >>I'd use assessment instead of conclusion, and I still like "personal >>assessment or internal perception" but I don't prefer it so much that >>I'd lose sleep over it. I'd also term the two context types as: >>"interaction-based experience" context with an example of the >>trusting party having interacted previously with the trusted party; >>and, >>"state-based" willingness context to trust based on the trusted >>party's reputation with an example of a trusted service having >>established a reputation for trustworthiness in the ecosystem. >> >>>For trust in the context of interaction, the trusting party is >>>prepared to perform actions as part of an interaction with some >>>party, and that other party's actions can be considered a response. >>>The trusting party expects the response will to lead to real world >>>effects that are desired but which the trusting party cannot >>>accomplish by itself. For example, I submit an order for a book >>>with an online bookstore and supply my credit card information as >>>payment. This implies I trust the bookstore to send me the correct >>>book and not misuse my credit card. >> >>I'd tweak it a bit, with personal experience leading to trusted >>party's willingness to perform actions as part of an interaction. >> >>>For trust without direct interaction, the trusting party is an >>>observer. The trusting party again expects some other entity to >>>perform actions leading to certain real world effects but those >>>actions are perceived to be independent of actions on the part of >>>the trusting party. The expected real world effects may be >>>considered desirable, undesirable, or neutral by the trusting party. >>>For example, I may trust a browser indicating an SSL connection is >>>sufficiently secure that I would be willing to provide credit card >>>information for transmittal to another party. >> >>I'd tweak it a bit with the expectation of the trusting party being >>based on the state of the trusted party's reputation in the ecosystem. >> >>>Trust is based on evidence available to the trusting party. >>>Therefore, trust is not binary, i.e. a party is not completely >>>trusted or untrusted, because there is typically some degree of >>>uncertainty in the accuracy or completeness of the evidence. The >>>evidence may be physical artifacts or a set of information from >>>which the trusting party can assess the degree of trust. >> >>I think what is meant is bi-drectional not binary (purely >>machine-understandable/processable v. human-readable). > >No, I meant binary. Trust is not yes I do or no >I don't. There is (see below) a balance with >risk I need to achieve, possibly a minimum >threshold, but trust isn't [0,1]. Cool. >> >> >>>The degree of trust exists as a property of the trusting party with >>>respect to another party or class of parties. For example, I may >>>trust all police officers. If the trusting party is aware that >>>actions by numerous other parties are required in order to realize >>>certain real world effects, the collection of trust applicable to >>>each step may be considered a chain of trust. However, trust is not >>>transferred from the initial trusting party to others in the chain. >> >>Good point, but the example moves out of the scope of the RA. It >>would be better to say one may trust all reports made by police >>officers in a service such as a criminal history reporting service >>and I think that works better to establish the chain of trust. >> >>>Rather, the initial trusting party has an overall trust with the >>>party participating in the initiating interaction, a trust that the >>>actions performed by all parties throughout the process will lead to >>>the expected effects. Each party in the chain has an individual >>>level of trust with its immediate interacting party, but this may >>>have little or no impact on the overall level of trust of the >>>initiating party. >>> >>>Risk >>>------ >>>Risk is a personal perception or conclusion that certain undesirable >>>real world effects may come into being. As with trust, risk can >>>occur in the context of interaction or without actions on the part >>>of the party perceiving the risk. The party perceiving risk may >>>take actions to mitigate the risk. For example, I assess a high >>>degree of risk to clicking on an email link where I believe the >>>email to be spam, and I forgo any possible benefit by not clicking >>>on the link. Alternately, I see a risk in having a hard drive fail >>>and I mitigate the effect of losing files by backing up those I >>>consider important. >> >>Excellent. >> >>>As with trust, risk is not transferred along a chain but risk may be >>>accepted as part of an interaction. Consider two scenarios. In the >>>first, a sender desires to send a family photograph to another >>>family member who acts as the receiver. The photograph is sent by >>>way of a courier service and insured for $200. While the photograph >>>is in transit, the sender has the risk the irreplaceable photograph >>>can be lost. The courier's risk is the cost of the $200 insurance >>>and there is no sense of additional risk because of the nature of >>>the photograph. There is an acceptance of risk by the courier but >>>not a transfer from the sender; the sender continues to have the >>>original risk of loss. >>> >>>As a second scenario, consider the same sender and courier but this >>>time the item being sent is something easily purchased for $200. >>>Once the courier agrees to insuring the package, the sender is >>>relieved of all risk except for possibly the inconvenience of the >>>insurance claim and purchasing the replacement. The courier has the >>>identical risk as in the first scenario -- the cost of the $200 >>>insurance. >>> >>>Relationship between trust and risk >>>------------------------------------------------ >>>A party's actions are based on a combination of perceived trust and >>>perceived risk. If there is little or no perceived risk, then the >>>degree of trust may not be relevant in assessing possible actions. >>>For example, most people consider there to be an acceptable level of >>>risk to privacy when using search engines, and submit queries >>>without any sense of trust being considered. >>> >>>As perceived risk increases, the issue of trust becomes more of a >>>consideration. There are recognized risks in providing or accepting >>>credit cards as payment, and standard procedures have been put in >>>place to increase trust by mitigating risk. For interactions with a >>>high degree of risk, the trusting party requires stronger or >>>additional evidence when evaluating the balance between risk and >>>trust when deciding whether to participate in an interaction. >>> >>></trust_risk> >>> >>>Now this is a fairly general discussion of trust and risk. While a >>>decent lead-in (assuming concurrence after some degree of >>>modification), what is missing is how this relates to SOA. Do >>>activities in a SOA ecosystem merely mirror other activities, and >>>thus trust and risk are applicable in the same ways? Or, is there >>>something special in SOA? I expect David will tell us there are >>>special things, and that is what we need to capture next. >> >>I suggest a discussion of how evidence of trust and risk effect the >>trusting party's level of confidence in the eventual outcome in the >>real world effect, e.g. when perceived risk increases. >> > >This still sounds like regular life, not SOA. >What can we specifically say is different or >special to SOA? Maybe somehow tying evidence to >description, especially annotations and >metrics. >Something about the likelihood you'll never be face-to-face. >Something about the unanticipated consumer and the unanticipated use? Right now, my brain is insisting on its right to go into standby mode, so I'll revisit maņana. >Monitoring to collect evidence that may go >beyond metrics, e.g. Frank's "safe"? > >>Cheers, >>Rex >> >>>Ken >>> Sayonara for tonight, Rex >>-- >>Rex Brooks >>President, CEO >>Starbourne Communications Design >>GeoAddress: 1361-A Addison >>Berkeley, CA 94702 >>Tel: 510-898-0670 > >----------------------------------------------------------------------------- >Ken Laskey >MITRE Corporation, M/S H305 phone: 703-983-7934 >7515 Colshire Drive fax: 703-983-1379 >McLean VA 22102-7508 -- Rex Brooks President, CEO Starbourne Communications Design GeoAddress: 1361-A Addison Berkeley, CA 94702 Tel: 510-898-0670
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]