Section 5.2. The Trust-Risk Relationship

5.2. The Trust-Risk Relationship

Trust is intimately associated with riskindeed, it is possible to argue that in the absence of risk, trust is meaningless.^[18] Let's take an everyday example: I could ask a stranger to look after my seat on a train (low risk) and not feel any need to engage in an evaluation of the trustworthiness of that stranger. However, if I leave an expensive video camera or even my baby behind on the seat (high risk), a more careful trust judgment would ensue. But this example raises other issues in relation to the trust-risk relationship . In particular, it seems that the characteristics of trust are dependent upon the types of underlying risk. To pursue the example, if I would trust someone to watch my video camera, does that imply that I would trust them to look after my infant? Not necessarily, as the two trust judgments are related but somehow distinct, with the latter relying more heavily on judgments of competence and kindness and the former on judgments of honesty. So, to add to the argument made earlier, we may need to be able to phrase trust not just in terms of "I trust you this much" but also in terms of "I trust you this much to do this thing."

^[18] Andrew Brien, "Professional Ethics and the Culture of Trust," Journal of Business Ethics 17 (1998), 391409.

The same complexities occur in e-commerce. An online consumer's decision to trust an e-vendor may reflect beliefs about honesty, but is also likely to tap into decisions about competence and expertise, and it is further informed by judgments about the extent to which any information provided will remain private. Thus, a seemingly simple act of trust invokes a complex set of judgments. Once again, the risk assessment involved is crucialthere is no doubt that people are more willing to trust a site if the perceived risk is low. This was shown very clearly in a study of more than 2,500 people who said they had sought advice online.^[19] Those that sought advice in relatively high-risk domains (e.g., finance) were less likely to trust and subsequently act on the advice than those who sought advice in low-risk domains (e.g., entertainment). Similar findings can be found in the well-known Cheskin/Sapient report on trust in e-commerce,^[20] where, for lower-risk purchases such as books or groceries, trust was strongly associated with familiarity, whereas for high-risk purchases, such as drugs or financial services, trust remained low, even when the companies themselves were well known.

^[19] Pamela Briggs, Bryan Burford, Antonella De Angeli, and Paula Lynch, "Trust in Online Advice," Social Science Computer Review 20:3 (2002), 321332.

^[20] Cheskin Research, "eCommerce Trust Study."

Even though some e-commerce transactions may seem to be low risk (say, involving small amounts of money), they usually involve high-risk elements such as the threat to privacy or credit card fraud. Furthermore, a typical exchange is complicated by uncertainties about whom or what is being trusted. Thus, in situations where perceived risk may be low, actual risks may be high, and the assessment of actual risk is complex. For example, when a person logs into a secure web site to do a transaction, who are they trusting and on what are they basing their trust decision? In terms of people, they are trusting the writer of the web browser, the owner of the computer system, the web host operator, the e-commerce vendor, all the network operators who handle their data, and the certificate authority that registered the web sitebut each to a different extent.

5.2.1. Technology Factors

Technology can alter the trust equation. When properly implemented, SSL encryption reduces the amount of trust that needs to be placed in network operators by limiting the opportunity for them to eavesdrop on TCP/IP connections, but operators must still be trusted to deliver packets to their intended destination. On the other hand, SSL does not help to protect against a keystroke logger that may be running on an Internet kioska risk even when the kiosk's browser displays a secure "lock" icon in the status bar.

Customers must be prepared to place their trust not only in the people, but also in the technology that underpins an interaction. Understanding the context for trust, therefore, involves understanding issues of encryption and data security as well as understanding the development of a psychological bond. Bollier argued that it is vital to distinguish between issues of "hard trust ," involving authenticity, encryption, and security in transactions, and issues of "soft trust ," involving human psychology, brand loyalty, and user friendliness.^[21] But as the earlier example demonstrates, hard and soft trust can easily overlap or be confused.

^[21] David Bollier, The Future of Electronic Commerce, A Report of the Fourth Annual Aspen Institute Roundtable on Information Technology (Aspen, CO: The Aspen Institute, 1996).

Riegelsberger and Sasse have broken down the risks inherent in an e-commerce transaction in two parts. First, in terms of risks that stem from the Internet, including (a) whether credit card data gets intercepted, (b) whether the data is transmitted correctly, and (c) whether the consumer uses the system correctly. Second, in terms of risks that are related to the physical absence of the online retailer, including (a) whether personal details will be kept confidential or transmitted to other parties, and (b) whether the online vendor will actually deliver the products or services.^[22]

^[22] Jens Riegelsberger and M. Angela Sasse, "Trustbuilders and Trustbusters: The Role of Trust Cues in Interfaces to E-Commerce Applications," Proceedings of the 1st IFIP Conference On E-Commerce, E-Business, and E-Government (Zurich, 2001); http://www.cs.ucl.ac.uk/staff/jriegels/trustbuilders_and_trustbusters.htm.

People are faced with highly complex assessments of the risks they take when engaging in e-commerce transactions. One would assume that they would be influenced by the agencies charged with communicating information about the risk^[23] and also the individuals or organizations charged with regulating the risk.^[24] In e-commerce scenarios, the regulation of security risk is usually the responsibility of the vendor, although trust is often gained by recourse to third-party endorsers offering seals of approval. However, consumers are surprisingly willing to accept risks when other trust indicators are present. Many Internet users will be familiar with a scenario in which they are asked to input detailed personal information about themselves in order to access the facilities available on a site. Users who input this information typically do so with the assumption that (a) the company honestly communicates its privacy policy, and (b) the company is capable of honoring those privacy claims. But few users actually spend the time checking this out, or even read the policies. In practice, consumers seem to be more heavily influenced by the extent to which the facilities match their needs, whether the site has a professional look and feel, and the extent to which the exchange seems predictable or familiar.^[25] Indeed, a very recent e-commerce study suggests that users are prepared to cast care to the wind and commit sensitive details to any site provided that the object of desire is compelling enough.^[26] Human fallibility is often the weakest link in the security chain.

^[23] O. Renn and D. Levine, "Credibility and Trust in Risk Communication," in R. Kasperson and P. J. Stallen (eds.), Communicating Risk to the Public (Dordrecht: Kluwer Academic Publishers, 1991), 175218.

^[24] W. Poortinga and N. F. Pidgeon, "Exploring the Dimensionality of Trust in Risk Regulation," Risk Analysis 23:5 (2003), 961972.

^[25] Briggs et al., "Trust in Online Advice.".

^[26] Kathy Dudek, Pamela Briggs, and Gitte Lindegaard, "Small Objects of Desire and Their Impact on Trust in E-Commerce" (in preparation).

Consumers are not always as cautious as they might be, and it is possible to distinguish relatively "hasty" and "considered" processing strategies for the evaluation of trust in high- and low-risk environments. Chaiken identified two processing strategies by which an evaluation of trustworthiness may be made:

• A heuristic strategy that follows a "cognitive miser" principlewhere people base decisions on only the most obvious or apparent information

• A systematic strategy that involves the detailed processing of message content^[27]

  ^[27] Shelley Chaiken, "Heuristic Versus Systematic Information Processing and the Use of Source Versus Message Cues in Persuasion," Journal of Personality and Social Psychology 39 (1980), 752766.

Chaiken described two experiments that show that the degree of involvement in the issue affects the processing strategy. Those participants with low involvement adopted a heuristic approach to evaluating a message and were primarily influenced by the attractiveness, whereas those with high involvement adopted a systematic approach, presenting more arguments to support their judgment. A number of other studies in the persuasion literature support the two-process modelnamely, that people use cognitively intense analytical processing when the task is an important or particularly engaging one, whereas they use affect or other simple heuristics to guide their decisions when they lack the motivation or capacity to think properly about the issues involved.^[28]

^[28] See, for example, G. L. Clore, N. Schwarz, and M. Conway, "Affective Causes and Consequences of Social Information Processing,"in Robert. S. Wyer and Thomas. K. Srull (eds.),Handbook of Social Cognition (Hillsdale, NJ: Erlbaum, 1994), 323417; D. J. McCallister, "Affect-Based and Cognition-Based Trust as Foundations for Interpersonal Co-Operation in Organisations," Academy of Management Journal 38 (1995), 2459; R. E. Petty and D. T. Wegener, "The Elaboration Likelihood Model: Current Status and Controversies," in S. Chaiken and Y. Trope (eds.), Dual-Process Theories in Social Psychology (New York: Guilford Press, 1999), 4172; D. Albarracin and G. T. Kumkale, "Affect as Information in Persuasion: A Model of Affect Identification and Discounting," Journal of Personality and Social Psychology 84:3 (2003), 453469.

Such studies anticipate some recent findings with regard to online credibility. Stanford et al. invited experts and ordinary consumers to view health and finance information sites and found that experts (those having a high involvement with a site) were highly influenced by factors such as reputation, information quality and source, and perceived motive, in contrast to ordinary consumers (those having a low involvement with the site) who were much more influenced by the attractiveness of site design.^[29] The same is likely to be true of risk. In high-risk situations, or at least those situations that the user perceives as high risk, we would expect to see more evidence of careful analysis of trust indicators, as opposed to low-risk situations in which some rapid heuristic assumption of trust may be made. This high-risk/low-risk dichotomy is also played out in the trust literature where those experimental studies of initial trust where risk is imagined (would you buy from this web site?) tend to place more emphasis on the attractiveness and the professional look-and-feel of sites, whereas those (few) studies that have actually involved substantive risk have emphasized careful consideration of integrity, credibility, and competence.^[30]

^[29] Julianne Stanford, Ellen R. Tauber, B. J. Fogg, and Leslie Marable, "Experts vs. Online Consumers: A Comparative Credibility Study of Health and Finance Web Sites," Consumer Web Watch [Accessed November 19, 2002]; http://www.consumerwebwatch.org/news/report3_credibilityresearch/slicedbread abstract.htm.

^[30] B. Chong, Z. Yang, and M. Wong, "Asymmetrical Impact of Trustworthiness Attributes on Trust, Perceived Value and Purchase Intention: A Conceptual Framework for Cross-Cultural Study on Consumer Perception of Online Auction," Proceedings of ICEC 2003 (2003).

5.2.2. Trust and Credibility

It is worth saying something here about the relationship between trust and credibility. While a number of trust models incorporate judgments of source credibility in terms of expertise and reputation factors, and therefore see credibility as a component of trust, some researchers view trust as a component of credibility. Most notable is B. J. Fogg's work on the credibility of online information. Fogg is particularly concerned with the idea of the Internet as a persuasive technology. In a series of studies, he and his colleagues at Stanford University have identified a number of factors that affect judgments of credibility. Positive factors included a real-world feel to the site, ease of use, expertise, trustworthiness, and a site tailored to the individual. Negative factors included an overly commercial orientation and amateurism.^[31] Fogg has interpreted this research in terms of a theory capable of explaining how web-credibility judgments are made. His prominence-interpretation theory posits two processes in the formation of a credibility judgment: prominence (the extent to which something is noticed) and interpretation (a considered judgment about the element under consideration).

^[31] B. J. Fogg et al., "What Makes a Web Site Credible? A Report on a Large Quantitative Study," Proceedings of ACM CHI 2001 Conference on Human Factors in Computing Systems (2001), 6168.

Fogg argues that five factors affect prominence, and three factors affect interpretation,^[32] as follows:

^[32] B. J. Fogg, "Prominence-Interpretation Theory: Explaining How People Assess Credibility Online," Proceedings of ACM CHI 2003 Conference on Human Factors in Computing Systems (2003), 722723.

Prominence:

1. The involvement of the user in terms of his motivation and ability to scrutinize web content

2. The topic of the web site

3. The nature of the user's task

4. The user's experience

5. Individual differencesfor example, in learning style or literacy level

Interpretation:

1. The assumptions in a user's mind (derived from examples, cultural influences, or past experiences)

2. The skills and knowledge a user brings to bear

3. The context for the user (in terms of environment, expectations, etc.)

There are interesting areas of overlap with the two-process model discussed earlier. Heuristic judgments clearly reflect the more "prominent" aspects of an interaction, and analytic judgments reflect the interpretative processes outlined earlier. Perhaps the important issue for trust research is that the predictions made by prominence-interpretation theory (in terms of patterns of user involvement, skills, and experience) are consistent with those derived from the two-process theory, and the guidelines that result are also in accord.