Does a security seal on a website influence your perception of how secure a site really is?
Designed to convey low or no risk, the seals are intended to assure a potential customer that their information is safe. While many in security simply ignore them, some folks view these seals as nothing more than gimmicks that ultimately harm our efforts.
Because security has a lot of variables, and the process to obtain the “security seal” may be focused on a narrow set of actions that may or may not provide the protection a consumer wants or needs.
The concept was brought into discussion again last week when Rafal Los presented a different perspective on the value of security seals (read it here). Two phrases caught my attention:
“... around the idea of why we really do security things. We need to earn someone’s business, through his or her trust.”
“The problem isn’t that compliance and “security seals” exist but that I think we’re mis-understanding their utility. The answer isn’t to throw these tools away and create something else, because that something else will likely be just as complicated (or useless) and needlessly waste resources on solving a problem that already is somewhat on its way.”
The opportunity of security seals and attestations
As security matures, the opportunity of a seal or other attestation is to provide a (variable) level of assurance to a discerning buyer. Informed customers tend to make better decisions. With the right transparency and clarity of purpose, that’s precisely what seals and badges are able to do.
In a perfect world, the consumer has the freedom to choose who to do business with (or not) based on their understanding of security choices and personal risk models. While they are not personally involved in making the security decisions for individual companies, collectively it allows informed consumers to vote with their wallets on the importance of security.
Therein lies the rub.
Success in this scenario is dependent on our ability to translate the complexity of security into understanding. It requires us to do a better job communicating so people understand the implications of the different seals.
The risk of relying on security seals
The practical reality is that the current crop of seals may not represent what we think they do. Or what we’d like them to. Which means the consumer may not make the informed choice they think they are.
As Kevin Pope explains in a thoughtful continuation of the discussion (read it here):
“If I go to a website and it has a nifty little seal on it that says something about security, I'm thinking, "yeah OK, whatever". That's because, in all honesty, anyone can make a seal and slap it on a website. A seal alone is nothing but an image and it tells us nothing about what is being done for security behind the scenes. If anything, a company could outright lie about having security in place and the client wouldn't be privy to know otherwise.”
More broadly, the value of a seal is a combination of:
- What the seal assesses: clear criteria mapped to the appropriate elements; this means one-size-fits-all seals are likely to hold lower value
- How the assessment is conducted: direct observation is both more expensive and more valuable; highly complex or distributed environments may complicate the assessment process
- Who conducted the assessment: to provide a cue to the confidence in the seal
What do you think?
Does a security seal on a website matter to you? What about your friends and family? I’m curious what responses you get when you ask the question (equally interesting how you ask). Share your experiences in the comments below.
What do you think the solution is? Should we focus on improving existing seals or scrap them altogether?