Silver Tail Blog

Fighting against business logic abuse.

Increasing Trust vs. Increasing Security

Bruce Schneier had a very interesting post about how the Department of Homeland Security (DHS) has two impacts on Americans: it makes us more secure and it makes us think we are more secure.  I totally agree with the hypothesis that sometimes making people think they are more secure is the appropriate thing to do.  I experienced this personally at a much smaller scale.

When I worked at eBay I was in a group called “Trust and Safety”.  That was a very fitting name for the group since we had two goals: 1) make people feel safe transacting on eBay and 2) actually make them safer when they were transacting on eBay.  Security projects often support one of these goals more than the other, but there are places for both.

Let’s look at an example.  Let’s say that a bad guy finds a way to send scam emails to the users of a website.  In this example, it’s very difficult to send these emails and the bad guy is only able to send out 100 emails even though the website has tens of millions of users.  What happens, though, is one of the users who received an email contacts a reporter and the “event” (despite having very little actual impact) gets a lot of coverage.  When things like this happen, users tend to lose trust in a system even though the probability of being impacted by the problem is extremely low.

Events like the one above definitely require a response.  From the security point of view, it doesn’t make sense to commit a lot of man-hours and resources to fixing something that has so little security impact.  Instead, it is more valuable to deploy a response that helps increase trust.

An example of something that helps increase trust and does much to increase security (most of the time) is launching or updating a security center.  If a website is concerned that users are worried about their security on the website, one thing the website could do is create a security center and then communicate about the new security center to their customers.  Most customers will never visit the security center (in fact, the ones that do are likely the most security-conscious, but this is a topic for another post) but will be assured that the website cares about security.  This will make them feel better about transacting on the site and will, hopefully, increase their activity.

I saw this all of the time in my past job – balancing trust and actual security.  It could be highly effective to launch a security initiative merely to make people feel better.  But that’s a good thing for the website.  In fact, if people feel better about transacting online, that’s a good thing for the internet in general.

I’d be curious to hear about trust vs. security decisions others have had to make.  I’m sure there are lots of examples.

January 30, 2009 Posted by Laura Mather | General, Trust | No Comments Yet