Here is a suggestion for a visual chart that will help people understand the risk they are taking in electronic transactions between customers and suppliers of goods or services. How much should a supplier trust a potential customer, and vice versa?
Identity Trust Matrix
Suppliers look at the vertical axis and decide how much value is at risk if the customer avoids paying for what is delivered – whether by deliberate fraud or by accident. In other words, what level of trust can be placed in customers’ electronic credentials?
Customers look at the horizontal axis to gauge whether the Trust Level of a credential is sufficient to meet the value of potential purchases.
Each transaction is given a Trust Index with a calculated value from 0 to 100. These are split into three ranges of high, medium and low risk – from a supplier’s perspective.
| RAG | Risk | Trust Index | Proceed? |
|---|---|---|---|
| Red | High Risk | 10-100 | Unwise to proceed |
| Amber | Medium Risk | 2.5-10 | Proceed with caution |
| Green | Low Risk | <2.5 | Sufficient eID to proceed |
The amber area of the matrix is where the reputation of each party should be considered in addition to the trust level. What is the trading history of both customer and supplier? eBay traders understand this principle.
Clearly, the matrix depends on the agreement of Trust Levels of credentials. Quarkside has not developed a firm proposal, but here are some starting suggestions for four ranges (with maximum low risk value):
- 1 (£10) Username and password.
- 2-3 (£100) Additional personal secrets.
- 4-6 (£1000) Documentary evidence of identity, such as banks’ “Know Your Customer” requirements. Inclusion of credit agency data. Face to face interviews by the enrolment agency may be needed. Sufficient to obtain a passport.
- 7-10 (£10,000) Biometrics necessary to complete transactions. The highest levels would have government security vetting and very strong protection against counterfeit credentials.
If this sparks any interest, suggestions to help define trust levels will be considered. The background to the need for an Identity Trust Matrix will be the subject of future posts, following the 7DIG framework.