Build in trust, experts advise cyber innovators

Trust will be increasingly important in the digital era, and is therefore a key component of new products and services, experts have told cyber security innovators

Trust is critical to innovation because it enables people to take risks or make necessary leaps of faith, according to Rachel Botsman, expert on trust and technology.

When steam engines were introduced for passenger trains, engineers expected that people would be afraid of derailments, but they were wrong, she told attendees of the Lorca Live event at London’s government-backed Lorca cyber security innovation hub.

“The trust barrier that got in the way is people thought human bodies were not designed to move at high speeds and would melt if they travelled at more than 60mph. This illustrates that people were not ready to take a trust leap, which is critical for innovation because any new product, service, system or idea requires a trust leap.”

The easiest way to think of trust leaps, said Botsman, is as taking a risk to do something new or in a fundamentally different way, such as switching from paper statements to online banking.

As a result, she said innovations like digital pills that will communicate with our doctor, self-driving cars and home assistants, will take hold only if people are willing to make the necessary leap of faith or risk to move from the known to the unknown.

Risk can be defined as the exposure to uncertainty with a potential loss that matters, said Botsman. “Now I find it fascinating that organisations are so obsessed with risk, but we should be equally obsessed with trust because risk is not what enables human beings to act; risk is not what enabled us to move from the known to the unknown.

“The remarkable bridge and social glue between the two is trust,” she said. “Trust is simply defined as a confident relationship with the unknown.” But as such, it is essentially a human feeling and belief that something or someone is reliable, and is therefore not a “hard asset” with parameters that can be tracked.

Trust needs to be earned

Trust, said Botsman, is therefore not something that can be “built” or “rebuilt”, but it is something that is given and has to be “earned continuously and consistently over time”. However, she warned against focusing too much on “trust” because what people really care about is “distrust” because people tend to care about things only when the break down.

“Trust is rational, but distrust is irrational and when distrust takes hold, it is like a virus that becomes contagious and spreads very quickly. So organisations really need to prevent people distrusting their systems, but the way to do this is not through greater transparency,” said Bosman.

Being more transparent, she said, does not lead to more trust, it merely reduces uncertainty and risk. “When we need things to be more transparent, we have given up on trust. Transparency is not a bad thing, but doesn’t equal more trust. It simply reduces the need for trust.

“Therefore this idea that transparency is going to fix all our trust problems is wrong and it’s dangerous because it has really taken hold in the technology industry,” she said, adding that “deception, not secrecy, is the real enemy of trust.

“So when we are talking about fixing trust issues, we should not be focusing on secrecy and privacy but on deceit – human intention.” Fixing that problem, she said, is often not through transparency, but through demonstrating competence, reliability, empathy and integrity.

“Integrity is the most important because it is all about intentions. It is all about whether your intentions align with mine. If you look at many of the trust problems in the world from Brexit to Facebook, they are often issues of integrity.

“We hear Facebook is planning to become more privacy focused, but we don’t believe them because we don’t believe in their intentions. We don’t believe that until they change their business model their intentions can be aligned with ours.”

Read more about UK cyber security innovation

  • Getting cyber security innovation to market is key, says NCSC.
  • An exciting time to be in cyber security innovation.
  • Second GCHQ Cyber Accelerator kicks off.
  • Cyber security should not be seen as a necessary evil, but an economic opportunity, says UK government.
  • The NCSC aims to ensure the UK has the ability to take offensive action if necessary, while also growing an innovative cyber security industry.

This is very difficult to get right at scale, said Botsman. “And it’s going to get more complicated because we won’t just have to assess this in humans and companies, we are going to have to assess this in machines.”

For decades, she said the relationship between trust and technology has been around technology doing things, technology having competence and reliability. “But very quickly we have moved into this new phase where technology is also deciding things for us, so now trust is also about empathy and integrity. We keep having to come back to the intentions of the machine and the [tech] company behind it.

“We have to start thinking about trust as a currency that is actually more valuable than money, which is the currency of transactions. Trust is another kind of currency. It is the currency of interactions. If we want people to interact, you have to have trust.

“And every time we go through this process of thinking of trust being as valuable as money, we are taking care of what I think is any company’s most fragile and precious asset.”

On the theme of trust, Paul Taylor, director of the Centre for Evidence and Research on Security Threats (Crest) urged technology innovators to think about trust from the very start of the design and development process.

Forward planning

Thinking about trust and human interactions with the technology under development early on, he said, will mean the product or service will not require any form of modification or reengineering in the final stages of preparing to go to market.

“Five years ago, trust was around things like high grade encryption and two-factor authentication, said Taylor, also professor of psychology at Lancaster University. “The trust messages were focused on competence and ability. Today’s trust messages are around integrity and benevolence that personal data will not be used for any undisclosed purposes.

“There has been a shift in the trust landscape, so thinking about how trust engages your product allows you to be more sophisticated and robust.”

According to former GCHQ director Robert Hannigan, governments are actively encouraging technology suppliers to build in security and trust early.

“Building in security and trust when you design something is absolutely critical, and every government is looking at regulation on this,” he said. “It is crucial to ensure integrity and trust are built in so that all new products and services can be used with confidence.” 

Read more on Hackers and cybercrime prevention