Trust in the context of networked communication typically comprises factors such as the ability for a user of a computer system to feel confident that they know who and what they are talking to, that the communication is confidential and that the information is transmitted accurately. In a world where software attacks are not uncommon, this trust cannot be taken for granted and is preferably based upon technological mechanisms. Many security-related mechanisms are or will shortly be available, and each can enable certain types of communication or information to be trusted to differing degrees.
For example, in order to build a trusted relationship between the computing apparatus and its users, one solution that has been proposed [EP patent application 99301100.6] involves platform integrity checking. With this solution, the computing apparatus has a physically located trusted device, which is used to make trusted measurements and trusted reports for each functional component. This solution allows devices to challenge the trusted device in order to check the integrity of one particular component. The trusted device then responds to the challenge by sending a signed report on this functional component. The report gives the challenging device information about the component, such as the model of the component, manufacturer of the component, version of the component, upgraded data and so on. After receiving the response, the challenger will make its own decision whether or not to trust this particular component, and furthermore, after checking a number of selected functional components, the challenger will make a decision whether or not to trust the computing apparatus.
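The challenge and signed-report exchange described above can be sketched as follows. This is an added illustration, not code from the cited application: the HMAC key standing in for the trusted device's signature, the per-challenge nonce, the component records and the version policy are all assumptions made for the example.

```python
import hashlib, hmac, json, secrets

# Assumption: an HMAC key shared with the challenger stands in for the trusted
# device's signing key; a real device would use an asymmetric signature.
DEVICE_KEY = secrets.token_bytes(32)

# Constructed sample component records held by the trusted device.
COMPONENTS = {
    "bios": {"model": "ExampleBIOS", "manufacturer": "ExampleCorp", "version": "1.4"},
    "os_loader": {"model": "ExampleLoader", "manufacturer": "ExampleCorp", "version": "0.9"},
}

def _mac(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def device_respond(component, nonce):
    """Trusted device: report on one component, bound to the challenger's nonce."""
    report = {"component": component, "nonce": nonce, **COMPONENTS[component]}
    body = json.dumps(report, sort_keys=True).encode()
    return {"report": report, "sig": _mac(DEVICE_KEY, body)}

def challenger_check(response, component, nonce, policy, key=DEVICE_KEY):
    """Challenger: verify signature and freshness, then apply its own policy."""
    report = response["report"]
    body = json.dumps(report, sort_keys=True).encode()
    if not hmac.compare_digest(_mac(key, body), response["sig"]):
        return False  # report was altered or did not come from the device
    if report["nonce"] != nonce or report["component"] != component:
        return False  # replayed report, or an answer to a different challenge
    # Hypothetical policy: the set of versions the challenger accepts.
    return report["version"] in policy.get(component, set())

def trust_platform(policy):
    """Challenge each selected component; trust the platform only if all pass."""
    for component in policy:
        nonce = secrets.token_hex(16)
        response = device_respond(component, nonce)
        if not challenger_check(response, component, nonce, policy):
            return False
    return True
```

The signature check only establishes that the report is authentic and fresh; whether the reported component is acceptable remains the challenger's own decision, expressed here as the policy argument.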
However, these prior art solutions do not deal with how a user is able to appreciate or better understand these security mechanisms such as platform integrity checking, different types of platform identity that can be trusted to varying degrees, more and less protected forms of storage, hardware versus software-based security, cryptographic functionality, and so on, and further to be able to use such information to select the most appropriate solution in order to try to ensure that the communication or computer-based action in which the user engages can be trusted (that is to say that it always behaves in the expected manner for the intended purpose).
Computer-based training is a well-known and commonly used technique for training users, typically using interactive techniques, on the operation of a number of software applications. Its success lies in the fact that the instructional method uses the actual end-user software to illustrate and demonstrate proposed tasks and procedures. Computer-based training tends to be a one-off educational affair, designed to achieve an eventual level of expertise. Therefore, computer-based training will typically cover all features relating to a software application, whether or not a given feature is likely to be used by a user. Additionally, the computer-based training on a feature typically occurs some time before the feature is likely to be used in practice, which can result in a user forgetting important aspects of the feature highlighted by the training.
Additionally, the psychological component of Human-Computer Interaction (HCI) describes the way people ‘think’ about machines and their functions. People have ‘schemas’ or ‘mental models’, which are their own simplified framework models of a system that allow the user to store knowledge about the system (schemas and mental models are general cognitive psychology concepts). Because computers are very complex systems, a person is very unlikely to develop an adequate ‘mental model’ of computer security from their very limited (and very high-level) experience of computer security. Undeveloped models are fragmented and do not allow people to make trustworthy predictions from them, which is a possible reason people do not actively engage in using or seeking out computer security—the costs (due to the complexity) are perceived to be too high.