It’s actually quite common to find people misunderstanding “Risk Scores” and “Trust Scores”. Let’s start by defining the two scoring concepts:
Risk Score: “a higher score reflects higher risk” according to the National Library of Medicine at NIH.
Trust Score: “The Trust Score is an intelligent rating system designed to establish a renter’s reliability and credibility. The Trust Score gives landlords a more secure and accurate measure of a prospective tenant’s suitability” according to LIV, a Canadian service for landlords and tenants.
So, a “risk score” is a measure of the likelihood that an event may occur. For example, if the “Risk Score” for getting food poisoning at a restaurant is 17%, there is a 17% risk that you will get food poisoning when dining out at a restaurant.
A “trust score” is a measure of trustworthiness that is bestowed upon an entity, such as a restaurant or renter, based on a set of expected behaviors or characteristics. New York City uses a measure of cleanliness to assign “trust scores” to restaurants based on specific criteria. A NYC restaurant with a cleanliness score (trust score) of “A” has exhibited stricter adherence to restaurant cleanliness criteria than a restaurant with a score of “D”, making the restaurant with the “A” score more trustworthy than the restaurant that earned the “D” score.
Clearly, risk and trust are tightly linked in this restaurant use case: the higher the “risk”, the lower the trust, as determined by a specific set of objective criteria.
These “risk score” and “trust score” concepts also apply to software products and vendors. A relatively recent understanding of software risk, based on actual exploitation and vulnerabilities, has led government entities to seek out and use software products that are considered “trustworthy” according to a defined set of criteria specific to software products and software supply chain vendors. As in the restaurant analogy presented earlier, a software product carries a risk of harm, just as food carries a risk of harm. Restaurants and software vendors are the accountable parties responsible for doing their best to protect customers from harm. Just as some restaurants are more trustworthy than others in protecting customers from harm, the same is true for software vendors.
Society has reached an inflection point in both our understanding of the risks that come with software and the need to seek out secure, trustworthy software products, and the vendors that produce them, in order to avoid harm. A recent FERC NOPR, Docket RM24-4-000, provides further evidence of this awareness and of the need for more attention and caution when buying and using software products for critical infrastructure operations.
There are two important thoughts to keep in mind when dining out, renting a house or buying software.
Risk always exists; trust does NOT always exist.
Risk always exists, but trust must be earned and awarded.
People interested in learning more about software supply chain practices intended to protect customers from harm and to identify trustworthy software products and vendors may wish to attend this CISA webinar on November 14, titled “Enhancing Cyber Supply Chain Assurance: ‘How-To’ Discussion on the Secure Software Acquisition Guide”.