Professional
Risk and trust. Trust and risk. It is not often that you see the two next to each other. But that's what I am interested in.
I can see that security solutions (including risk management) essentially work by deflecting the question of trust and pretending to replace it with the question of risk. Usually unsuccessfully. You can choose whom you want to trust but you cannot dispose of trust altogether. In fact, you can only transfer trust from one place to another - and lose a bit of trust in the process.
So, instead of trusting a person we decide to trust a policeman. Then we have to decide who should police the policeman. Instead of trusting someone's words, we prefer to trust a public notary who witnessed the statement. Then we have to trust the official who appointed the notary. It sounds only natural, but it has far-reaching consequences.
I do not think companies will ever give up their addiction to risk and risk management. Risk is handy. Risk is well known (as a method, not as risks themselves). But risk is not sufficient to describe the reality of modern decision-making. Thus those who work on the basis of risk alone become blinded to their dependency on trust.
What I seek is a re-balance of this picture. Something that has a provisional name of TERM - Trust-Enhanced Risk Management. The unifying solution that allows companies (as well as us, individual people) to run their risk management solution knowing that they do not miss out on trust.
As the Web became an inseparable part of our everyday reality, the question of what risk to assess on the internet, and how, became very important. Risk seems to be everywhere. Computers need continuous updates, spam clutters our inboxes, viruses can damage our precious (even though potentially illegally copied) music collection and a friendly trader can clear our bank account.
Here's where TERM shines. As we should not consider only risks, we should consider whom and why we trust. The internet, cloud computing, managed services: they all benefit from the joint analysis of risk and trust.
There are many application areas where such a joint approach can be beneficial. Here are some examples: Compliance, assurance and audit. Business process outsourcing. Cloud computing. Identity governance. Privacy protection. Collaborative risk analysis. Software development. Knowledge management.
We are engaged in a complex interplay between trust and risk, between ourselves, other people, computers that behave like people and people that behave like computers. We interact directly or through technology that we do not fully understand. On top of this we try to do what we always do: make friends, trade goods, do work, have fun.
My recommendation: read some of my research papers and publications or even better some of my books listed on this site and things may clarify a bit.