The context will obviously help to determine the scope of who and what are trusted, but the decision making process will generally take the same route. We ultimately start off with a blank canvas of pre-decision making, slightly marked by some bias and framing, before ending up with a person, product or service that we then utilise to perform an action we cannot perform ourselves. Once that 3rd party has been chosen, we often fail to perform the checks again, placing our trust in them implicitly and explicitly. This is when issues can arise.
Trust with what? What's important to you? Asset identification
When using any 3rd party in your life, there is often a boundary as to what you're exposing. From a technology perspective, there should be pretty strict barriers and terms of reference as to what exactly the 3rd party will be used for, their level of service and their responsibility to you. For example, when you go to get a Ministry of Transport (MOT) roadworthiness certificate for your car in the UK, the check covers the basic safety aspects of the car. It won't guarantee the car's value, or that any of the components within the car won't break in the next 12 months. That is beyond the scope and purpose of the test. The same is true for any service provider.
It's therefore important to really understand what is being entrusted to the 3rd party. Good asset management here is key. Understand the value of the asset, who it belongs to, what it does, what the impact is if it's not working, and so on. This is often done implicitly in the real world, without documentation or management, but from a technology perspective the opposite is key. If you know what the 3rd party will be looking after and its implicit and explicit value, it makes the trusting aspect easier to manage.
Who can you trust? Reputation Management
Once you identify what will essentially be outsourced - and that can be a decision, not just an object - it makes it a lot easier to understand who or what can be trusted. The scope is narrowed. There are several aspects to the 'who can' part of the trust question. The 'who do' (no hoodoo!) part can only be answered from a pool of people or companies in the 'who can'. Those 'who can't' are obviously ignored.
But how do you separate those you can trust from those you can't? Reputation is obviously a massive part of this process. Reputation is again implicitly based on trust. The reputation of a celebrity, for example, can be destroyed overnight by a newspaper exposé, but only if you trust the journalist at the newspaper. Reputation is clearly the most sensible part of trust analysis, and the additional 3rd parties required to build those reputations are key. They could come in the form of certifications or standards adherence, or perhaps from a review process. The reviews themselves are individually sometimes difficult to verify, but collectively they become a powerful testament. This can be seen in the likes of Tripadvisor, which is based on the collective power of individual travellers and their comments and reports.
A major part of Facebook's social graph plan is to utilise your collection of friends to provide implicit advice and guidance, in the form of likes and online purchase history. If you see someone from your trusted pool of friends like a particular restaurant or band, you are more likely to trust their judgement - as you know them - and use their opinion in your buying process.
Default actions based on trust - check and check again
Once someone or something has been trusted, all is done, right? You can be happy in the knowledge that the person or service you trust has been carefully selected, either implicitly or explicitly, based on a thorough analysis of the risks involved, the exposure of the asset and the impact if anything goes wrong. This may be true, but this is often when you are at greatest risk. 'Those you trust are the ones who let you down the most' is a well worn film and song lyric cliché.
The same can be said of online safety in many respects. Would you open an email from someone unknown, or click on a link from a random tweet? Probably not. But make those emails, URLs, pictures and attachments come from someone you trust - or more importantly, look like they're coming from someone you trust - and the entire ball game changes. The success of phishing attacks is based simply on trust. 'Well, it comes from my bank, so it must be trustworthy'. Phishing is successful because the barriers normally applied to untrustworthy data and scenarios have been removed.
Whilst it's not effective, healthy or timely to be paranoid even about the services and products you do trust, it's often worth keeping a look out for the unusual, even if it does look legitimate.
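To make the 'looks like it comes from someone you trust' point concrete, here is an added example (my code, not part of the original post) that applies the "check and check again" idea to an email. It looks for the two tricks phishing leans on: a display name that trades on a trusted brand while the real address lives on another domain, and a link whose visible text names one host while the href goes somewhere else. The trusted brand list and both sample messages are constructed for illustration; none of the domains are real ones I am vouching for.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brands and domains this particular reader actually trusts.
# Hypothetical values; a real deployment would load these from policy.
TRUSTED = {"examplebank": "examplebank.com"}


def host_of(url):
    """Lowercase host part of a URL, or '' if there is none."""
    return (urlparse(url.strip()).hostname or "").lower()


def belongs_to(host, domain):
    """True if host is domain itself or a genuine subdomain of it.
    'examplebank.com.verify.invalid' does NOT belong to 'examplebank.com'."""
    return host == domain or host.endswith("." + domain)


def check_sender(from_header):
    """Flag a From: whose display name or mailbox mentions a trusted brand
    while the address is on a domain that brand does not own."""
    name, addr = parseaddr(from_header)
    local, _, addr_host = addr.rpartition("@")
    addr_host = addr_host.lower()
    for brand, domain in TRUSTED.items():
        mentions_brand = brand in (name + local).lower().replace(" ", "")
        if mentions_brand and not belongs_to(addr_host, domain):
            return f"sender looks like {domain} but address is {addr_host or '(none)'}"
    return None


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_links(html):
    """Flag anchors whose text shows one host but whose href goes to another,
    and hrefs whose host imitates a trusted brand without belonging to it."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        target = host_of(href)
        looks_like_url = "." in text and " " not in text
        shown = host_of(text if "://" in text else "http://" + text) if looks_like_url else ""
        if shown and shown != target and not belongs_to(target, shown):
            findings.append(f"link text shows {shown} but goes to {target}")
        for brand, domain in TRUSTED.items():
            if brand in target and not belongs_to(target, domain):
                findings.append(f"link host {target} imitates {domain}")
    return findings


def assess(raw_message):
    """Run both checks over an RFC 822 message. Empty list means nothing odd."""
    msg = email.message_from_string(raw_message)
    findings = []
    sender_finding = check_sender(msg.get("From", ""))
    if sender_finding:
        findings.append(sender_finding)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            findings.extend(check_links(body.decode(part.get_content_charset() or "utf-8", "replace")))
    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: Example Bank Security <alerts@examplebank-secure.invalid>
To: you@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please <a href="http://examplebank.com.verify-login.invalid/">https://www.examplebank.com/login</a></p>
"""

LEGIT = """\
From: Example Bank <alerts@examplebank.com>
To: you@example.org
Subject: Your statement is ready
Content-Type: text/html

<p>Your <a href="https://online.examplebank.com/statements">statement</a> is ready.</p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, assess(raw) or "no findings")
```

The phishing sample trips all three checks (brand in the display name on a foreign domain, link text that names the bank while the href does not, and a host that only starts with the bank's name), while the legitimate one passes cleanly. The point is not that this replaces a mail gateway, but that the checks you would apply to a stranger's email still have to run when the message looks like it is from your bank; `belongs_to` in particular is where most casual 'does it contain the bank's name?' logic goes wrong.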