
Understanding the difference between Risk Scores and Trust Scores, Caveat Emptor returns

It’s actually quite common to find people referring to “Risk Scores” and “Trust Scores” as "the same thing". Let’s start by defining the two scoring concepts:

Risk Score: “a higher score reflects higher risk” according to the National Library of Medicine at NIH.

Trust Score: “The Trust Score is an intelligent rating system designed to establish a renter’s reliability and credibility. The Trust Score gives landlords a more secure and accurate measure of a prospective tenant’s suitability” according to LIV, a Canadian service for landlords and tenants.

So, a “risk score” is a measure of the likelihood that an event may occur; if the “Risk Score” for getting food poisoning at a restaurant is 17%, there is a 17% risk that you will get food poisoning when dining out at a restaurant. Environmental factors must be considered; the risk score of getting pregnant while dining at a restaurant is significantly lower. Risk scores can also be expressed in the negative, for example, there is an 83% likelihood that you will not get food poisoning when dining at a restaurant, but this form is much less common. The majority of risk scores I've seen express the likelihood of an event occurring, related to a specific threat and vulnerability, as described in this article.

A “trust score” is an "intelligent rating system" that represents a measure of trustworthiness bestowed upon an entity, such as a restaurant or renter, based on a set of expected behaviors or characteristics. New York City uses a measure of cleanliness to assign “trust scores” to restaurants based on specific criteria. A NYC restaurant with a cleanliness score (trust score) of “A” has exhibited stricter adherence to restaurant cleanliness criteria than a restaurant with a trust score of “D”, making the restaurant with the “A” score more trustworthy than the restaurant that earned the “D” score. It is imperative to provide consumers with visibility into the trustworthiness of these establishments so that people can make a risk-based buying decision. Each restaurant must post its last "cleanliness score" (trust score) at the entrance. New York City also provides consumers with a search site to look up restaurants and their associated scores. A FICO score is another example of a "trust score", used to evaluate a debtor's trustworthiness; the higher the FICO score, the more trustworthy a party is compared to others with lower FICO scores. Vehicle crash ratings are also a trust score; the higher the "crash rating", the safer the vehicle is to drive in. The Department of Defense also uses trust scores as part of the CMMC process.

Clearly, there is a direct correlation between risk and trust. The higher the “risk”, the lower the "trust", as determined by a specific set of objective criteria. Are you more likely to become part of the 17% with food poisoning by eating at a restaurant with a "D" trust score, or one with an "A" trust score? Why take chances? Go with the "A" score; the risk doesn't change, but the environmental factors certainly do. Go with the restaurant with the higher "trust score" for the best chance of not getting food poisoning.

These “risk score” and “trust score” concepts also apply to software products and vendors. A relatively recent understanding of software risk based on actual exploitation and vulnerabilities has led government entities to seek out, and use, software products that are considered “trustworthy”, based on a defined set of criteria specific to software products and software supply chain vendors. The US Space Agency, NASA, provides software vendors with a resources page containing clear guidance to help them pass NASA's software product risk assessment process and have their products approved for purchase and use by NASA (I wish all agencies provided this level of help to software vendors to pass a risk assessment).

Similar to the restaurant analogy presented earlier, a software product carries a risk of harm, just like food carries a risk of harm. Restaurants and software vendors are the accountable parties responsible for doing their best to protect customers from harm. Just as some restaurants are more trustworthy than others in protecting customers from harm, the same is true for software vendors. A "trust registry" search site capability will also be needed for software products and vendors in order to provide prospective customers with the visibility into trustworthiness they need before buying or installing a software product. Australia is taking steps to address the need to provide consumers with greater visibility into the trustworthiness of digital products. "Introducing the Bill to the Parliament of Australia on October 9, Tony Burke, Minister for Home Affairs of Australia, said the legislation provides a clear framework that addresses whole-of-economy cybersecurity issues, positioning the country to respond to new and emerging threats. ‘We need a framework that enables individuals to trust the products they use every day. We need a framework that enhances our ability to counter ransomware and cyberextortion. We need a framework that enhances protections for victims of cyber incidents and encourages them to engage with government, and we need a framework that enables us to learn lessons from significant cybersecurity incidents so that we can be better prepared going forward,’ stated Burke."

These wise words from Australia echo what President Biden said when he introduced the National Cybersecurity Strategy: "When we pick up our smart phones to keep in touch with loved ones, log on to social media to share our ideas with one another, or connect to the internet to run a business or take care of any of our basic needs, we need to be able to trust that the underlying digital ecosystem is safe, reliable and secure."

CISA has produced a video to help software consumers understand how the CISA Secure by Design Secure Software Acquisition Guide practices help consumers identify trustworthy, secure software products and vendors.

But what about the US Cyber Trust Mark, isn't that a "Trust Score"? NO, it is not. A trust score is dynamic; it can change from one day to another, just like the restaurant cleanliness score. The US Cyber Trust Mark was modeled on the Energy Star label concept, where a "test" is "passed", like getting a driver's license. Having a driver's license does not indicate how good or bad a driver you may be; holding a license only shows that you passed the driver's test. Having a US Cyber Trust Mark simply means an entity passed a one-time test and is authorized to display the US Cyber Trust Mark label. The US Cyber Trust Mark does not require device manufacturers or software producers to implement the "Secure by Design" or "Secure by Default" practices described, in detail, in the CISA Secure by Design Software Acquisition Guide. Software is like food: it can go bad overnight, and frequently does, when a new vulnerability is reported. Trust scores need to indicate the current level of trustworthiness, at any point in time, to protect consumers from installing harmful software in a dynamic, changing digital world, just as restaurant trust scores can change over time and food recalls can prevent people from sickness or even death. Software trust scores need to be updated and monitored continuously to prevent harm.

I've made it a point to ask Microsoft Copilot its "understanding" of certain topics. Here is how Microsoft Copilot "views" the difference between a "Risk Score" and a "Trust Score". Spot on!

"What is the difference between a 'risk score' and a 'trust score'?

Copilot

Great question! While both risk scores and trust scores are used to assess security, they focus on different aspects:

  • Risk Score: This is a numerical representation of the potential impact and likelihood of a risk occurring. It helps organizations prioritize risks by quantifying how severe and probable a threat is. For example, a higher risk score indicates a greater need for immediate attention and mitigation efforts.

  • Trust Score: This measures the level of trust in a particular entity, such as a user session or software component. It's based on historical data and current behavior to determine how trustworthy something is. For instance, a high trust score means the entity is considered reliable, while a low trust score suggests potential issues.

In essence, risk scores focus on identifying and managing potential threats, while trust scores evaluate the reliability and integrity of entities within a system.

Does this help clarify the difference for you?"

Society has reached an inflection point in both our understanding of the risks of software and the need to seek out secure, trustworthy software products and the vendors that produce them, in order to avoid harm. A recent FERC NOPR, Docket RM24-4-000, provides further evidence of this awareness and of the need for more attention and caution when buying and using software products for critical infrastructure operations. Several US Government agencies have already announced that they will only buy and use secure, trustworthy software products, which will need to pass a risk assessment step in order to be acquired and used, including GSA, NASA, the State Department and many more.

There are two important thoughts to keep in mind when dining out, renting a house or buying software.

Risk always exists; trust does NOT always exist.

Risk always exists, but trust must be earned and awarded.

Some people have asked me what a Software Product "Trust Registry" looks like and what a "Trust Registry" provides. It is very simple for consumers to find trusted products: two search fields (drop-down boxes), Product Category and Label Type (e.g. EU CE Mark), list the known trusted products, and the consumer can then get more information about a product's cybersecurity label and trust score by clicking on the "Get Label Data" link.

People interested in learning more about software supply chain practices intended to protect customers from harm and identify trustworthy software products and vendors may wish to attend the CISA Webinar on November 14 titled “Enhancing Cyber Supply Chain Assurance: ‘How-To’ Discussion on the Secure Software Acquisition Guide”.