Ramblings from the keyboard of NavinK

Sunday, February 3, 2008

Risk and Trust

In my last post I talked about a trust rating. In this entry I will lay the foundations for a formal definition of this concept and set up the context within which to discuss using it to enrich online service delivery.

Let us set the scene by considering the actors involved in an online transaction. Typically there are two - a Relying Party and a Subject. The Relying Party is the one relying on the authenticity of the transaction. The Subject is the entity transacting with the Relying Party. Usually, the Relying Party has more to lose than the Subject if the transaction goes wrong. In most Internet banking transactions, the bank is the Relying Party and the Subject is the bank's customer who is conducting the transaction. A customer who is aware of the threats of Phishing and Pharming attacks could very well consider themselves to be the Relying Party and the bank's website, the Subject of their transaction. Simplifying things somewhat, the Relying Party relies on the successful authentication of the Subject.

Consider then the following assertions:

  • Risk is traditionally regarded as a function of the impact of a threat and the likelihood that the threat is realised. The risk associated with a transaction between a Relying Party and a Subject requires context - the risk to a Relying Party is typically greater than the risk to the Subject (usually because the Relying Party carries more liability than the Subject).
  • Trust is typically a label assigned by a Relying Party to a Subject. It is a function of the behaviour of the Subject as they conduct transactions with the Relying Party over time. A brand new customer is "untrusted" whereas a customer with some transaction history may be "trusted" or "not trusted," depending on whether they have been good customers or not.
  • The Risk that is accepted is very much a function of the trust that is placed by the Relying Party in the Subject. Quite simply, the Relying Party will take a larger risk if they trust the person they are transacting with. This is because the likelihood of a threat being realised is intuitively assessed as being lower when the Subject is trusted.
Acceptance of risk is a function of trust

Note that if you play the role of Relying Party, you can't decide whether or not you trust the Subject until you have authenticated them. However, once you have authenticated them and established that they are a trusted customer, you have the opportunity to adjust the delivery of services to them. This is exactly what we have been doing in face-to-face service delivery for centuries - let's start doing it in the online service delivery context.

Customer Relationship Management (CRM) systems have been designed to mine the data collected on customers, usually with the purpose of tailoring and targeting the products and services that are sold to them. I claim that by viewing Identity Management in the same context as CRM, we see the whole picture: authentication, better service delivery and better cross-selling of services, resulting in improved customer satisfaction with online service delivery and better revenues! More on this in my next post.
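As an added illustration (not code from the original post), here is one way a Relying Party could encode the three assertions above: trust as a label derived from the Subject's transaction history, risk as impact times a trust-adjusted likelihood, and service delivery adjusted only after the Subject has been authenticated. The likelihood weights, the 5% base fraud likelihood, the risk appetite and the step-up band are constructed assumptions; the post gives no numbers.

```python
from dataclasses import dataclass, field
from enum import Enum

class Trust(Enum):
    UNTRUSTED = "untrusted"      # brand new Subject: no transaction history yet
    NOT_TRUSTED = "not trusted"  # history shows the Subject has not been a good customer
    TRUSTED = "trusted"          # history shows the Subject has been a good customer

# Assumed weights (the post gives no numbers): how the trust label scales the
# Relying Party's intuitive likelihood that a threat is realised.
LIKELIHOOD_FACTOR = {Trust.UNTRUSTED: 1.0, Trust.NOT_TRUSTED: 2.0, Trust.TRUSTED: 0.4}

@dataclass
class Subject:
    name: str
    authenticated: bool = False
    history: list = field(default_factory=list)  # past outcomes: True = good, False = bad

def trust_label(subject: Subject) -> Trust:
    """Trust is a label the Relying Party assigns from the Subject's behaviour over time."""
    if not subject.authenticated:
        raise ValueError("trust cannot be assessed until the Subject is authenticated")
    if not subject.history:
        return Trust.UNTRUSTED
    good_ratio = sum(subject.history) / len(subject.history)
    return Trust.TRUSTED if good_ratio >= 0.9 else Trust.NOT_TRUSTED

def risk(impact: float, base_likelihood: float, trust: Trust) -> float:
    """Risk = impact x likelihood, with the likelihood lowered (or raised) by trust."""
    return impact * min(1.0, base_likelihood * LIKELIHOOD_FACTOR[trust])

def decide(subject: Subject, impact: float, base_likelihood: float, appetite: float) -> str:
    """Adjust service delivery to the risk the Relying Party accepts: within its appetite
    (expected loss, same units as impact) allow; up to three times that, step-up; beyond, deny."""
    r = risk(impact, base_likelihood, trust_label(subject))
    if r <= appetite:
        return "allow"
    if r <= 3 * appetite:
        return "step-up"
    return "deny"

def demo() -> dict:
    """Constructed scenario: the same 4000-unit transfer requested by three authenticated Subjects."""
    subjects = [
        Subject("new customer", authenticated=True),
        Subject("good customer", authenticated=True, history=[True] * 20),
        Subject("bad customer", authenticated=True, history=[True] * 5 + [False] * 5),
    ]
    # Constructed parameters: 5% base fraud likelihood for this transaction type, 100-unit appetite.
    return {s.name: decide(s, impact=4000, base_likelihood=0.05, appetite=100) for s in subjects}
```

The same transaction is allowed for the trusted customer, sent to a step-up check for the new one and declined for the one with a bad history; the Relying Party's appetite never changes, only the likelihood it assesses once trust is known.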

First posted on Wednesday, July 12, 2006 at 08:58PM

Creative Commons License
This work by Navin Keswani is licensed under a Creative Commons Attribution-Share Alike 2.5 Australia License.