Transparency and Assurance: Putting a Measure on Digital Trust


“Action speaks louder than words but not nearly as often,” said oft-misquoted Mark Twain. We learn at a young age that trust is earned through deeds, not empty promises. But there’s also that intangible — though not infallible — gut feeling that either draws us toward someone or warns us away.


As difficult as it is to gauge the trustworthiness of a person standing right in front of you, it is nearly impossible to accurately determine which of the millions of online claims are valid. Lacking any kind of specific metrics, how do we calculate the weight of digital trust?

That’s the question put forth by Transparency and Assurance: Putting a Measure on Digital Trust (PDF, 4.0MB), the seventh of eight volumes in which CSC’s Leading Edge Forum (LEF) examines digital trust, a strategy for enhancing business value with security services and technologies while still addressing information risks.

“Digital trust is a serious weighty matter,” says the report, “and the enterprise payoffs come most completely when digital trust investments and efforts are recognized and acknowledged by customers and partners.”



The report makes four distinct points:

  • It is possible to create and destroy digital trust.
  • There’s more than one way to create and destroy digital trust.
  • If you want to capture value in specific domains of the digital enterprise, then you have to create digital trust in each of those domains.
  • Digital trust has heft — enough heft to generate substantial value. The payoff can be enormous and is worth pursuing.

“Digital trust is defined by the fact that you generate a payoff using security services and technology to create value, not just do a better job of preserving value that already exists,” says Ron Knode, the report’s lead researcher and CSC security expert. “If it doesn’t generate value, then it may be security. But it’s not digital trust.”

An elusive measurement
There are no accepted universal units of measure for trust in any form, including digital trust. It’s not as simple as saying trust costs this amount of money or weighs that many pounds. Nevertheless, many attempts have been made to establish digital trust measurements for all kinds of circumstances.

For example, efforts at measuring digital trust have been applied to:

  • Web sites
  • Software and systems
  • Identities
  • Individual transactions
  • Configurations

In addition, these attempts have been directed at different characteristics intended to represent “trust,” including:

  • Confidentiality
  • Integrity of operation
  • Privacy for personal information
  • Ethical intent in business

The combination of target and characteristic creates individual domains for trust in the digital enterprise. Each of these domains has its own definitions, characteristics, interpretations, measurements and emblems — and they’re not interchangeable. With no existing calculus to directly combine or compare digital trust measures, each domain must create its own separate measure, including all of the accompanying paraphernalia to explain what the measure actually represents.

“You can’t use digital trust in one domain and have it travel over to another domain,” explains Knode. While Web sites, for instance, may use visual emblems — also known as trustmarks — such as Hacker Safe or buySAFE to show they’re worthy of confident use, software and systems must use other measurements, like the Common Criteria, a well-known trustmark that vouches for products that have undergone independent examination against ISO 15408 by labs licensed to perform such assessments.

(Real) trustmarks deliver real value
Even within a domain — such as a Web site — no calculus of digital trust exists. So, it’s impossible to calculate the effect of presenting a Hacker Safe trustmark versus one, two or even three other trustmarks.

But, the report found that Web site trustmarks that enforce real criteria do, indeed, have a payoff. “These trustmarks,” says the report, “are intended to represent the evidence needed by site visitors to generate confidence in the claims of trust made by the enterprise. This is one way to try to establish the ‘evidence-based confidence’ that is so important to confirming and growing digital trust.”

For example, during one two-year test, trust broker ScanAlert compared visitor behavior on 470 Web sites both with and without its Hacker Safe trustmark. With companies such as FTD, National Geographic and Shop NBC participating, results showed an average of 14 percent more sales from online shoppers when the trustmark was visible.

This encouraging discovery was muted a bit by a parallel circumstance — the digital trust impact of trustmarks is diminished by the fact that consumers don’t always understand privacy seals and have even been fooled into thinking a phony one is real.

Moreover, simply because a Web site displays a trustmark does not necessarily mean that trustmark is valid. It can fade, if the organization behind it disappears; it can be empty, if it doesn’t represent what it claims; or it can be imaginary, if it’s just a made-up symbol with no actual trust broker ever having existed.

According to the report, digital trust can be created in four different ways:

  • Third Party: Many Web sites purchase emblems, sold by third-party trust brokers. These emblems say, “On the strength of my word, you can trust this Web site.” And the emblem’s location matters. According to tests conducted by pet product retailer PETCO, the upper left corner of the home page is most effective.
  • Evaluation Against a Specific Technical Standard: A piece of software or a system is evaluated against some specific criteria or passes some kind of test. Examples include the Common Criteria and the Cyber Security Industry Alliance (CSIA) Claims Tested Mark.
  • Built-in Claims and Evidence Displays: Individuals decide for themselves if they trust a particular transaction or system, based upon their own experiences and the evidence provided directly by the source to users.
  • A Cloak of Compliance: Heavily regulated online institutions point to their success at satisfying their regulators as prima facie evidence of digital trust. In this case, the absence of a trustmark, rather than the presence of one, is touted as the ultimate evidence needed for digital trust. Online banks, for example, are so heavily regulated that some of these sites claim that they’re already undergoing tests much more stringent than any created by trust brokers.

The value of digital trust
So while it may be futile to ask what digital trust weighs, we can try to measure it by looking at the transparency of digital trust performance — its features and functions — and the assurance provided by evidence in various forms.

We do know that digital trust has enough heft to:

  • Increase sales and sales conversion rates for online shopping sites.
  • Increase the prices bidders are willing to pay at online auctions.
  • Improve ROI performance for online sales sites by large percentages.
  • Guarantee delivery of e-mail.
  • Serve as legal evidence of delivery and eliminate up to 99 percent of costs for certain types of legal proceedings.
  • Open up entire markets for systems and software that would otherwise be unavailable.
  • Reinforce customer confidence to continue (and expand) online banking.
  • Obtain acknowledgment of quality and preferential treatment for purchase, even if a product is higher priced than competing products.

The rewards are clear, but so are the difficulties in ensuring the transparency and assurance — the evidence — needed to create and maintain digital trust:

  • Digital trust must be created and grown in every domain where value is to be captured.
  • For some domains, there is no obvious approach to generating digital trust.
  • Digital trust can be destroyed by phony claims that are exposed with just one faulty transaction or interaction.
  • Certified security processes and certified personnel do not automatically translate to digital trust payoffs (even though they usually improve performance).
  • Legacy techniques to generate digital trust for static applications and operations do not transfer directly to the dynamic world of SOA and Web Services.

“Digital trust is not weightless,” says Knode. “It has enough heft to generate substantial value.” And that, he concludes, makes the creation of digital trust well worth the effort.