Building Trustworthiness and Acceptance of IT Security Solutions - Prof. Dr. Norbert Pohlmann
Trustworthiness and Acceptance
In Part I of this series of articles by Prof. Norbert Pohlmann (eco Association) and Ulla Coester (xethix Empowerment), the authors argue that the model of trustworthiness gives companies a framework for developing strategies to engender trust in both the company and its IT solutions. In this article, the authors continue by identifying the factors and action points needed to engender trust in a given IT solution and in the company behind it.
For a manufacturer to be able to transfer this trust to its IT solution in a targeted way, factors other than cybersecurity also play a role in perceived trustworthiness: transparency, capabilities, and conciseness of purpose. Only when all of these aspects are presented can the user develop trust in the IT solutions offered.
Factor: Transparency of an IT solution
The principal benefit of a decision to be transparent is that it shows that the company takes the needs of its users seriously and is prepared to communicate openly. This by no means requires disclosing every detail of the IT solution or all of the associated business activities. Rather, it means providing all the information a user needs to make a sound decision about the trustworthiness of the IT solution in the given context. The quality of that information is therefore decisive: it should be accessible and, above all, balanced, taking the interests of all parties equally into account.
In the past, this form of communication was not necessary. Given the high degree of complexity involved today, however, it is essential in order to increase users' willingness to adopt the solution. This demonstrates the interplay between trust and trustworthiness: a company depends on the acceptance of its users, while users, faced with increasingly sophisticated attacks and more complex cybersecurity mechanisms, increasingly need assurance that the IT solution adequately meets their security needs.
Package insert on cybersecurity: One way to ensure transparency is to provide a package insert that describes which cybersecurity mechanisms the IT solution uses and which attacks they reduce the risk of. It is equally important to state what residual risks remain, how the user can deal with them, and how the company provides support.
Presentation of certificates: Another important aspect of transparency is making available the certificates the IT solution has obtained, together with the associated evaluation reports. This lets the user see which aspects were analyzed by the cybersecurity experts of the certification bodies.
Factor: Capabilities of an IT solution
The capabilities of an IT solution are what the user can directly experience and also control. The measurable criteria for the user's evaluation therefore derive from the extent to which users feel supported in achieving their intended purpose and how well suited the IT solution actually is to that purpose. Reliability and predictability are among the evaluation criteria here. It is also highly relevant that the company's competence is reflected in the capabilities of the IT solution: a lack of capabilities is ultimately the result of errors in competence or strategy. This again shows the connection and interplay between the trustworthiness of the IT solution and that of the company.
Among other things, the usability and the performance of the cybersecurity mechanisms can serve as a baseline for the user's evaluation:
Usability: The extent to which cybersecurity mechanisms and management can be operated easily or even intuitively by the user.
Performance of cybersecurity mechanisms: The extent to which the performance of the IT solution decreases, for example through the encryption of data; or the time an attack detection system takes from detecting an attack to responding to it, for example by raising an alert or triggering an automated response.
Factor: Conciseness of purpose of an IT solution
Whether or not a solution has conciseness of purpose manifests itself in the intended use of the IT solution. For companies, this means defining the function and intention of the IT solution precisely during development, so that its intended use is clearly evident to the user. It is therefore important that the purpose of the IT solution can be grasped easily and immediately, including through characteristic features. Conversely, this by no means implies that conciseness of purpose requires a low level of functionality. Furthermore, any relevant change or extension to the IT solution must be presented openly, especially if it means the originally intended use is no longer clearly discernible.
If, in addition to its actual application, an IT solution offers further functions that serve only the interests of the company or third parties, these must also be clearly presented and described. Examples include:
Disclosure of the business model: If sensitive user data is collected under a 'pay with personal data' business model and used for individualized advertising and/or sold to third parties at a profit, this must be clearly communicated.
Provision of insight into new features: For example, Apple's announced detection system, which is designed to match photos on the iPhone against a database of known child sexual abuse material before they are uploaded to iCloud Photos, has a high social value but poses a privacy risk to users, simply because the matching takes place on the end device. Since the same mechanism could in principle be used to search for other content, it can pose a real danger to certain groups (in some countries). Serious deviations from a solution's conciseness of purpose must be made transparent to the user immediately, so that the user can make an informed decision for or against continued use.
For the full text see: