In Pursuit of Digital Trust – An Executive’s Guide to Information Security
This report is designed to provide an overview of what an executive – rather than an IT person – might need to know about information security in the IT-driven world of today. Between 2006 and 2008, CSC published eight reports on ‘digital trust’ developed by security expert Ron Knode. This paper draws upon Ron’s work, the primary theme of which is that enterprises that pursue a strategy for increasing digital trust will both create business value and reduce their exposure to risk. Protecting the firm should not be the only objective of an IT security programme. We recommend that information security professionals check out the complete eight-volume report.
Figure 1 – The digital trust research project
IT security is increasingly becoming a priority for corporations and organizations all around the world. Executives recognize that the very viability of an enterprise can be put at risk by the lawsuits or negative publicity that can come from malicious and accidental security breaches alike. However, few firms focus on the upside, and the many market advantages that a reputation for digital trust can create.
To both minimize risk and maximize opportunity, business leaders must have a clear understanding of the information security issues that may affect their firm’s top and bottom lines. This report attempts to explain these issues from a business executive’s point of view, and we encourage our more technology-savvy clients to share this work with their business colleagues.
The report begins with a broad discussion of the importance of business trust in general, and the key components of digital trust. We then assess the pursuit of digital trust across six strategic information security domains: identity management, intellectual property protection, compliance management, mobile/wireless technology, eThreats and countermeasures, and finally the transparency and assurance of the integrity of the Internet itself.
While Enterprise IT will be responsible for managing most of the implementation issues, tomorrow’s business leaders need to understand the growing intersection of business and information security strategies, encompassed by the concept of digital trust. This report is intended as a means toward that end.
Figure 2 – Broad sources of trust
Trust can be defined as the assured reliance by one party on the future behaviour of another party. It has been the basis of all commerce through history. When one farmer delivers a cartload of straw to another, he expects to get paid for it. If he feels that there is a likelihood that he might not get paid, he will not deliver the goods.
There are a variety of ways in which we build trust in our customers and suppliers so that we can rely on them to pay or to deliver the promised goods. The customer can have a reputation for paying on time. Our perception of the customer can be that he is reliable – because he wears a suit and tie, perhaps, or because of the size of his home or car. We could put a process in place whereby payment is lodged in advance with a third party to be handed over only when we have delivered the goods. Or a technology could enforce such a process – for example, the bar of chocolate is released only after the appropriate coins have been deposited into a machine.
All in all, there are many ways that a supplier can earn our trust. Words like confidence, assurance, security, faith, belief, reliance and reliability are all used to help explain what trust is. Measures of trust have generally included both sociological and psychological components dealing with degrees of ‘expectancy’ concerning the reliability of ‘promises’ of many types.
Figure 3 – Digital trust and the enterprise
In the information-rich world in which we live today, trust takes a different shape, though it is no less essential to the functioning of online commerce than it has been to farmers through the ages. Figure 3 hints at the extent of the challenge.
Digital trust is technology’s contribution to the full fabric of trust: the hardware and software that prevents unauthorized access to a system; the passwords and biometric features that permit access only for those who are authorized; the rights management functionality that allows some, but not others, to listen to music or watch movies online. Digital trust results from the sum of a system’s security technologies and processes, which provide us with the evidence – the transparency – that gives us confidence that the system operates as advertised, and that no unadvertised activities are occurring.
This trust is dependent not only on security features, but also on the ability to deliver perceivable evidence that the security actually works. Our perception might cause us not to use a system, or to use it only for a certain subset of its capabilities – we may be prepared to use a system for a $50 transaction but not for one of $1,000. Ultimately, it is how that digital trust is perceived by the people within today’s networked enterprises that determines the extent to which a transaction or relationship will continue.