Tuesday, May 03, 2005


Jamie Lewis has returned to blogging (with a vengeance, some might say), and that's welcome. Among his latest remarks is a piece on the nature of Trust as it applies to business relationships.

Many (and Jamie names a few) think "trust" is the wrong word for what is more in the nature of risk avoidance, but Lewis points out that the term "trust" is so intertwined with security (going back over 20 years) that attempting to re-define the term is probably more fruitful than trying to replace it. As he puts it: "In short, 'trust' serves as an all-too-convenient alias for a lot of hard problems. If we're trying to really define something new... then we should at least hang the old trust rug on a clothes line and beat the dust and dirt out of it."

Lewis introduces seven "building blocks" of trust:
* existing business relationships;
* legal agreements;
* cryptographic key management;
* assertions;
* shared policy;
* technical assurance;
* audit and accreditation.

These building blocks, he says, don't all have to be present in a transaction or relationship, but the more that are present (and the stronger they are) then the greater amount of "trust" can be said to exist.

What struck me is that a number of these building blocks are strikingly similar to how humans judge trust among friends and acquaintances. I will put a lot of trust in the assertions of someone with whom I have a long, close relationship, someone who shares my outlook (i.e., "policy"), and has a history of technical mastery of the subject of the assertion (e.g., I would trust Jamie in matters of Identity and Access Management, but not necessarily on humor and comedians).

The difference, to me, is that we trust (or not) other human beings. Trusting a corporation really means trusting those who run the organization - and they can change quickly. Thus the need for multi-ream legal agreements, CPU-gobbling audit applications and media-choking logging services.

One of Jamie's all-time heroes is Johnny Carson, who got his start on network TV with the game show "Who Do You Trust" (originally called "Do You Trust Your Wife?"), which relied on the very issues I mention above (relationship, technical knowledge, shared outlook, etc.).

Security and IdM marketeers want to use the "trust" word because of the connotations from human relationships. Redefining the term for business use is, in my mind, futile - consumers don't look up the definition, they rely on (i.e., "trust") what they've always believed to be the definition. Given the somewhat murky differences between the building blocks of human trust and those of the business "trust", I think we need to drop the term completely and come up with something new. And not just "risk management", either. I'll propose "trisk" (trust + risk) as a possibility, with standards bodies setting "degrees of trisk" for transactions and relationships. But I'm open to other candidates.

© 2003-2006 The Virtual Quill, All Rights Reserved