20150427_dcu_trust in the cloud_dr. theo lynn
TRANSCRIPT
Trust and Cloud Computing
Dr. Theo Lynn
Irish Centre for Cloud Computing
and Commerce
Dublin City University
Dublin 9, Ireland
Agenda
1. What is trust? How is it developed?
2. Can trust be recovered once breached? How?
3. Bringing trust, technology and the cloud together
The conscious regulation of one’s dependence on another (Zand, 1972)
Positive perception & expectation -> Decision to accept vulnerability -> Trust behaviour
What trust factors do we assess?
Ability, Benevolence, Integrity (Predictability?)
Src: Mayer et al. 1995
Interpersonal Presumptive Trust Cues
Identity-based Trust Cues
Gender, race, accent, attire
We expect them to be more benevolent and reciprocal
Role-based Trust Cues
Training, Title, Reputation, Code of Ethics
We feel safer and have higher competence and integrity expectations
Rule-based Trust Cues (Assurance)
Org norms, Traditions, Practices, Semiotics
Increases predictability and integrity “oughts” and “likely-to-dos” in given situations
Src: Kramer & Lewicki, 2010
MESO: Organisational Level Cues
Src: Gillespie and Dietz, 2009
Internal components: Management, Practice, Culture/Climate, Strategy, Structural Assurances
External components: External Governance, Public Reputation
Internal and external components together shape the trustworthiness perception
Trust Development
[Figure: trust development ladder. Vertical axes: "Distrust Elimination / Management" and "Trust Building"]
Identification-based trust: collaboration, psychological safety, complete trust
Knowledge-based trust: relational interdependence, knowledge sharing
Calculus-based trust: contracting, bureaucracy, transactional
Adapted from Lewicki & Bunker 1996; Dietz 2004
Trust in people and trust in technology are different

Object of Dependence       | People                   | Technology
---------------------------|--------------------------|---------------------------
Contextual Condition       | Risk                     | Risk
                           | Uncertainty              | Uncertainty
                           | Lack of total control    | Lack of total user control
Nature of Trustor's        | Ability (Competence)     | Functionality
Expectations               | Benevolence              | Performance
                           | Predictability           | Helpfulness
                           | Integrity                | Purpose
                           |                          | Reliability
                           |                          | Process

Adapted from McKnight et al. (2011); Söllner et al. 2012; Mayer et al. (1995)
Trust Breach
Trust Violation -> Shock, Surprise
Who is to blame? What was the reason?
a. Conscious?
b. Deliberate / intended?
c. Beyond their control?
Which aspect of trustworthiness does it breach?
a. Benevolence
b. Competence
What helps repair trust?
Apology (as against regret)
Sincere
Timing
Expressed as taking responsibility
Explanations
Credible
Willingness to take responsibility for rectifying situation
Endeavour to maintain goodwill
Reparations & Penance
Willingness to endure penance
Victim role in defining the terms/extent.
Structural Solutions
New Rules/Regulations
Monitoring Systems
New Monitoring/Regulating Roles
“Hostage Posting”
Significant punishments
Effective in competence based violation
Deter or punish future trust violation
Steps in Organisational Trust Repair
Immediate Response
• Vendor acknowledgement | Commitment to investigation | Regret
• Action against known causes
Diagnosis
• Accurate
• Timely
• Transparent
Performing Interventions
• Verbal apology and reparations as appropriate
• Action based on diagnosis
Evaluation
• Accurate
• Timely
• Transparent
Src: Gillespie and Dietz, 2009
Process of Trust Repair and Role of Accountability
[Figure: Trust Violation -> Willingness to Repair -> Trust Restoring Activity -> Trustworthiness Rebuilt, with the four outcome combinations (No, No), (Yes, No), (No, Yes), (Yes, Yes), and Relationship Deterioration as the alternative path]
World Values Survey Average 1999-2008
Generally speaking would you say that most people can be trusted?
Historically, Irish people said yes.
Contractual issues complicate rather than ameliorate trust. Standard form contracts are in widespread use.
1. Choice of law/jurisdiction
2. Data location and transfer to countries outside of the EEA
3. Data integrity and availability
4. Security of data
5. IP issues: copyright (incl. ownership of metadata), patents and trade secrets
6. Liability and indemnities
7. Acceptable use requirements
8. Service levels and performance
9. Variation of contract terms
14. Monitoring
15. Backup
16. Termination: data / application preservation, data transfer, data deletion
The impact of a change of service provision is often ignored
Vendor Lock-in increases costs, limits competition and may hinder innovation
Customer dependency on a vendor for products and services such that the customer cannot switch to another provider without suffering substantial costs, and is thus locked in to continuing the relationship with that provider
It may be a deliberate vendor strategy e.g. data and application lock-in
Designing software incompatible with other software
Using closed architectures or proprietary standards that lack interoperability with other software vendors
Licensing under exclusive conditions
It may be an opportunistic vendor strategy e.g.
On termination, threaten immediate deletion of data / applications
Lack of migration assistance e.g. lack of data export tools
Customer-driven customisation may also result in lock-in
Security Breaches - by Segment
Breaches at non-public-sector organisations are likely to be under-reported, since public-sector legislation and penalties drive reporting in the public sector
Responses to Data Breach - Public-sector organisations have more robust policies, training and response plans
1. Purpose
2. Scope
3. Policy
4. Roles and Responsibilities
5. Incident Detection and Reporting: Incident Record; Initial Assessment; Criminal Investigation; Incident Notification
6. Data Breach Incident Ratings Form
7. Internal Notification: Requirement for Initial Notification; Contents of Notification
8. Risk Assessment: Incident Analysis; Summary of Facts and Recommendations
9. Incident Handling and Response: Course of Action; Risk Mitigation
10. External Breach Notification: Whether External Breach Notification is Required; Timeliness of Notification; Source of Notification; Contents of the Notification; Means of Providing Notification; Who Receives Notification; Public Outreach in Response to a Breach
14. Documentation of Breach Notification
15. Evaluation of Breach Response
16. Disciplinary Action
17. Appendices: Information Security Incident Report; Sample Written Notification; Data Breach Impact Severity Ratings Form; Related Documents; References; Contacts
Who does improved knowledge of cloud quality metrics help?
General Public & Prospective Customers
Cloud Customers
Management
Marketing
SLA Management
Quality Management
CloudPass Nutritional Label for Cloud Service Assurance and Accountability
• Dynamic real-time trust label for monitoring and communicating trust signals to the market
• Diagnostic process and toolset to help cloud service providers identify areas for improvement and competitive advantage
• Workflow and processes for SLA enforcement, risk management and quality assurance
Trust as a source of competitive advantage and innovation