Computer systems fill many roles in today’s companies, providing services at scale, growing, and managing capability and fulfilling customer needs. If computers and processors were people, they would certainly win ‘Employee if the Month’ awards and rise through the company ranks. Like other holders of positions of privilege, it seems only natural to examine their trustworthiness. After all, one day they may gain a seat on the board. 
The problem with any assessment of trustworthiness, online or offline is how can we ‘know’ that the person or entity is acting in a fashion that can be trusted. This process of knowing is one of the most difficult things to assess with any certainty. I dealt with some of the benefits and drawbacks of trust in an earlier article here [Trust, Trustworthiness and Data Sharing]. The thing about trust is that it ‘runs ahead’ of proof, so the best we can do is to assess the evidence we have and build a case that we can have a degree of expectant confidence in the abilities of the other party.
Building a Trustworthiness Case
Building an information system to perform tasks where trust is involved (think medical diagnosis, product selection, supply chain, banking) or any number of other tasks will require an assessment of the trustworthy characteristics of a system as a loss of trust will call into question the actions and dependability of user interaction with it. Comparing to an employee we can start to build our case using some of the following characteristics, the same as we would with an employee:
- Past Performance and Future Ambitions
The past performance of a prospective employee or computer system will be one factor that might be considered when deciding whether to build from new or replace existing capabilities. A system can be thought of as trustworthy based on being dependable, reliable, realistic, and uniform in its’ interaction with others. This provides evidence to the values helped to build the product and how well the resulting product can stick to contract. Alternatively, when a new, potential, or re-purposed system development is being considered the history of where it originated, from where, and from whom still influence the perceptions of trustworthiness to a potential new client. As you might when considering a new hire, make sure that your due diligence is carried out to ensure that you can have confidence in the background suitability and ‘cultural fit’ of the system in your portfolio.
Future ambition and ‘room to grow’ are essential attributes of any potential employee or system and is much more subjective and difficult to assess with certainty. The supplier, or open source software examination will allow the codebase and revision history to be examined, in a similar fashion to an employee being able to demonstrate improved capability on the path to their chosen career.
If we apply to a job, there is always a section about our certification. It’s the same with computers – certification goes a long way to demonstrating that the correct processes, controls, checks, and balances were made during construction to ensure it was built with security in mind.
Although certification is sometimes merely a tick box way of showing compliance, it often requires a certification authority to verify the controls are in place. Similar to school level exams, some certifications demonstrate entry level compliance, others show more advanced preparation and commitment. Look for the commitment of the company that developed the system to ensuring that certification is sought for the process with which it was built, and for the end product.
Another section of a computer resumé might involve the providing of references. In the offline world we might provide the opinion of a former employer, mentor or teacher that has a greater knowledge of the field to accredit the skills we hold.
This can be replicated in the software production process by accrediting the system, using an external auditor, security expert or other party that has not been involved in the day to day of system development to give an opinion on how well the system matches the specification. As well as matching specification, assurance levels that these measures are implemented to a certain level can also be sought. This is the process that is followed by using the Common Criteria for information systems assurance. Independent testing, benchmarking, or utilising equivalent tests to evaluate the strength of security functions, reliability and resilience can assist in triangulating our view of how robust the system is.
Alternatively, if the product is a commercial one, it may be possible to understand the reliability of the building blocks from which the product was built, or to ask other customers to give accreditation references based on their experiences of the product.
4. Product Assurance
Another aspect of the recruitment and employment process is that of performance review once in post. As employers know, some employees never quite live up to the hype that they place around themselves. This is because trustworthiness is not a self-assessment, but an assessment of the opinions of peers and other parties. If you ask a person if they can be trusted they will always answer ‘yes’.
To remedy this, it is important to review at intervals how well the person or system is performing. This can be measurement against the performance of KPI’s or SLA’s but might also include an assessment of the adaptability and potential to take on more responsibility or activities. For people we provide or signpost training. For computer systems, it could be time to upgrade, redesign or re-align the purpose of the system. Measurement of achievement is only part of a measure of trustworthiness, the ability to work with peers, grow and adapt to changes in the environment marks other dimensions of growth.
Trustworthiness is not something it is easy to ‘know’ and can only be inferred to the best degree that we can by looking at evidence from the environment to give us the confidence that a person or information system can be trusted. Assessing the evidence to build a case for trustworthiness is one way to build a decision on whether to trust, taking care that the premises and assumptions that we base our evidence on are well founded.