
Trust or risk assessment?

Apr 26, 2004 | 4 mins
Access Control, Enterprise Applications

* What is the difference between 'trust' and 'risk assessment'?

I trust you remember the topic of the last issue. The topic was “trust” for those who didn’t get the hint, or had entirely too much recreation over the weekend. I did hear from a number of you (and the e-mails are still coming in), some agreeing that “trust” was not quite the right term while others sought to explain the use of the word.

First in my inbox was OctetString’s Phil Hunt (as he so often is – I think his title is Director of Writing to Dave Kearns), who pointed out that the “trust” under discussion might not be trust in the integrity of the other party, but trust in the reliability of the data. That’s a valid point, and one addressed by a number of other correspondents who suggested “reliability” was a better choice of term than “trust.”

“Reliability” was the second most used term in the e-mail I received. Holding the No. 1 position, though, was “risk,” usually as a modifier of another term – risk assessment, risk reduction, etc. That heartened me, because I’d originally planned to make “risk assessment” the topic of this issue.

If every Tuesday morning for 10 years (unless he’d previously indicated he couldn’t make it) your friend Osvaldo showed up at the tennis court at 9:30 a.m. for a match with you – except for the two times he was hospitalized unexpectedly – then you could probably rely on him being there next Tuesday at 9:30. The risk of not playing a match that morning is very low. You have a high degree of confidence that Osvaldo will be there. In short, you trust him to be there. As reader Martin Smith pointed out, “you never have ‘trust’ in the abstract.” Generally, you trust someone to do some specific thing, such as show up for the tennis match. That doesn’t mean you’d trust Osvaldo to invest your life savings, though.

Frequent correspondent John Barrett called this “risk mitigation,” and I’ve come to like that term. You do what you need to do to mitigate (i.e., reduce, or reduce the impact of) the risk involved in accepting what someone else says or does.

This “risk” is not only the odds of the other party fulfilling the deal, whether that “deal” is showing up for tennis or vouching for the identity of someone who’ll get access to millions of dollars of information. The potential for loss must also be factored into the equation.

Osvaldo missed two dates in 10 years; that’s .4%. If he doesn’t show up, I lose an hour’s time, worth $150. The risk, then, is 60 cents ($150 times .004) – not something that would require a legal agreement, I’d think. But giving him my life’s savings (all $3,000) to invest would be a different story. Osvaldo really likes to “invest” in horses at the local track, and his track record there is abysmal, so the odds of loss are more like .99, making the risk .99 times $3,000, or $2,970. I’d want some form of written agreement.

Further, as Philippe Persijn pointed out, you wouldn’t even enter into a legal agreement with some people (he used the Mafia as an example) because not only is the risk very high, but the odds of enforcing the agreement are very low, which in turn leads to another risk assessment.

For the last words on this subject (at least for this week) I turn to two men both known for their communications skills. Ronald Reagan quoted an old Russian proverb as “trust, but verify,” while the philosopher Cicero recounted a phrase summing up what he considered high praise: “You can trust him in the dark.” I trust you will remember that it isn’t about trust, but about minimizing – mitigating – risk.