On Bayesian Trust and Risk Forecasting for Compound Systems

We present a probabilistic (frequentistic) model of trust with efficient Bayesian updating procedures and support of hierarchically structured systems. Trust is highly influenced on information gathered from different sources, like newspaper or scientific reports on the security or vulnerability of computer systems. Assuming text-mining and incident documentation facilities available that provide us with news relevant to a given system, we show how to compile this experience into a stochastic model of trust. In particular, our models admits efficient analysis towards forecasting of possible future issues and the determination of worst-case scenarios for a given security system. We empirically evaluate the sensitivity of the our trust measure based on simulations using a prototype implementation, which closely matches the natural way in which trust is established: it takes a considerably larger lot of positive incidents to outweigh a negative experience. Our model indeed confirms such imbalance. Moreover, as more and more information is going into the trust model, a change of trust in either direction requires an amount of positive or negative experience that almost equals the so-far recorded history. We believe that these effects make the trust model a reasonable choice to resemble the human valuation of trust, while being funded on statistical grounds to be compatible with quantitative or qualitative enterprise risk management.