The National Security Agency (NSA) defines a trusted computer system or component as one "whose failure can break the security policy", and a trustworthy system or component as one "that will not fail". A trusted system is therefore one where 'trust' describes a role, irrespective of whether the system is able to perform adequately in that role, whereas 'trustworthy' describes the adequacy of a system to perform as expected. In both cases 'trust' is effectively used as a synonym for security, although 'Trustworthy Computing' according to Microsoft's Bill Gates is broader: 'What I mean by this is that customers will always be able to rely on these systems to be available and to secure their information.'
To make matters less clear, Trusted Computing (TC) is a technology developed by the Trusted Computing Group (http://www.trustedcomputinggroup.org/), which is an alliance of several computer companies, whose aim is to develop a computing platform that enforces secure behaviour. Their approach is highly controversial as the hardware is secured for the owner by a third party, but is also effectively secured against the owner!
These definitions of 'trust' and 'trustworthy' computing are primarily concerned with securing the 'computer platform', that is, the hardware and operating software upon which business applications run. We would like to introduce an expanded concept of trust that concerns itself with trustworthiness from a business rather than a technology perspective. If one examines the notion of trust from the perspective of the business system owner, or perhaps the user, it takes on additional meaning that we suggest encompasses not only security but also reliability and correctness.
For example, most accounting systems are 'trusted' in the NSA sense, in that they are cast in a trusted role. They are also expected to be 'trustworthy', that is, to perform adequately in that trusted role. They are certainly expected to be secure, but they are also expected to be reliable, in the sense that they do not drop transactions, and they are expected to be correct, for example by accurately adding together monetary amounts and avoiding rounding errors. Therefore it is our contention that 'trusted business systems', as opposed to 'computer platforms', are those that are secure, reliable, and correct, and are therefore trustworthy in the commonly understood sense.
(In our view it is debatable whether trust in this sense includes availability, or whether this is a separate issue.)
So why bother to propose yet another definition of 'trusted systems'? The current definitions of 'trusted computing' are quite specialised and do not support the broader business understanding of, and need for, applications or services that operate correctly (or accurately) as well as securely. To put it another way, there are many different types of business systems that couldn't possibly be considered trusted unless they were perceived to be correct, including many financial, safety, health, and aerospace systems, to name a few. Assuring the trustworthiness of such systems requires that they are proven to be secure, reliable, and correct.
Although including 'correctness' (or accuracy), and to an extent 'reliability', in the definition of trust overlaps with information systems disciplines beyond security, we suggest that this is a side effect of the way in which the computer profession has traditionally structured itself rather than an inherent feature of the problem space. We suggest that 'trust' in this broader sense can be considered a fundamental property of effective business information systems, alongside 'functionality', incorporating the appropriate business services; 'adaptability', being easy to modify to track changed requirements; 'interoperability', exchanging information with other systems; 'efficiency', enabling the job to be done quickly (and I would include availability here); and 'affordability', meaning that all of this can be achieved at reasonable cost.
- Ron.Segal's blog