ENISA says that websites and services need to do much more to raise trust levels on the Internet, most notably by using online seals and other mechanisms to reinforce users' trust.
In a research paper on the subject, the EU's cyber security agency points out that users rely on seals to decide whether to trust a service, since most Internet users suffer from information overload.
Against this backdrop, ENISA argues that websites - and their designers - need to develop clearer privacy icons that are based on research, including research into cultural and legal differences.
Because users are not sufficiently aware of what trust seals actually mean, the agency says that educational material should also be provided to spread knowledge of the existence and meaning of the seals.
The paper concedes, however, that because users do not check trust seals themselves, service providers and web developers need to provide and implement seals that can be automatically checked.
Professor Udo Helmbrecht, the Executive Director of ENISA, said that the overall effectiveness of trust seals must be improved.
"Regulatory bodies at the EU and national level should set incentives for service providers to obtain better online security and privacy protection," he explained.
ENISA's recommendations were met with caution by Amar Singh, the President of ISACA London's Security Advisory Group, who pointed out that there needs to be an agency to validate the use of trust seals on the web, as otherwise there is a very real risk of the seals being misused.
Singh suggests that a better strategy would be for the Government to stage a series of education campaigns to raise awareness of the need for care when using e-commerce and similar websites and services.
"This would, I believe, have more of a long term effect than the strategy outlined by ENISA," he told SCMagazineUK.com.
"On top of this, any trust verification scheme also needs to be universal in nature if it is going to succeed. The question then becomes 'where do you stop?'. I can see a website or service having multiple seals from different trust organisations. This can result in confusion."
Singh went on to say that whilst the intentions of ENISA and its recommendations are good, the key question he would ask is who will actually police a logo scheme, regardless of which organisation operates it.
"There is a very real risk of some websites misusing the logo," he said.
ENISA's report, meanwhile, concludes that pan-European or international standards for evaluation are required to address the challenges.
"Due to different types of services and due to different budget limitations for such an evaluation, different levels or categories are required and should be considered by such a standard," says the paper, adding that additional information also needs to be adequately represented by the online security and privacy seal.
The report also suggests a simple traffic light system to allow a comparison relating to the strength of protection granted by a given product or service.
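What "automatically checked" could mean in practice, and why a seal that is only a logo is open to the misuse Singh describes: the Go program below is an added illustration and is not code from ENISA's report or from any existing seal scheme. It assumes a hypothetical issuer that signs a record of domain, protection level and expiry with an Ed25519 key, a three-step level scale standing in for the report's traffic-light idea, and the names Seal, Issue, Verify and NewIssuer, all of which are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Seal is the payload a hypothetical seal issuer signs. Binding the seal to a
// domain and an expiry is what makes it checkable by software rather than by
// eye: a copied logo carries no signature, and a copied signature names the
// wrong host.
type Seal struct {
	Domain  string `json:"domain"`  // host the seal was issued for
	Level   string `json:"level"`   // assumed traffic-light rating: green, amber or red
	Expires int64  `json:"expires"` // Unix time after which the seal is stale
}

var (
	ErrBadSignature = errors.New("seal: signature does not verify")
	ErrWrongDomain  = errors.New("seal: issued for a different domain")
	ErrExpired      = errors.New("seal: expired")
	ErrUnknownLevel = errors.New("seal: unknown protection level")
)

// validLevels is the assumed three-step scale from the report's traffic-light idea.
var validLevels = map[string]bool{"green": true, "amber": true, "red": true}

// canonical produces the exact bytes that are signed. encoding/json emits struct
// fields in declaration order with no whitespace, so issuer and verifier agree.
func canonical(s Seal) ([]byte, error) {
	return json.Marshal(s)
}

// NewIssuer generates a fresh Ed25519 key pair for a hypothetical seal authority.
func NewIssuer() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue signs a seal with the issuer's private key.
func Issue(priv ed25519.PrivateKey, s Seal) ([]byte, error) {
	if !validLevels[s.Level] {
		return nil, ErrUnknownLevel
	}
	msg, err := canonical(s)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Verify is what a browser extension or crawler would run. host must be the
// hostname the client actually connected to, never a value taken from the page.
func Verify(pub ed25519.PublicKey, s Seal, sig []byte, host string, now time.Time) error {
	msg, err := canonical(s)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return ErrBadSignature // payload or signature altered
	}
	if s.Domain != host {
		return ErrWrongDomain // genuine seal, but copied onto another site
	}
	if now.Unix() >= s.Expires {
		return ErrExpired
	}
	if !validLevels[s.Level] {
		return ErrUnknownLevel
	}
	return nil
}

func main() {
	pub, priv, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed sample seal: an amber rating for shop.example, valid 30 days.
	seal := Seal{Domain: "shop.example", Level: "amber", Expires: now.Add(30 * 24 * time.Hour).Unix()}
	sig, err := Issue(priv, seal)
	if err != nil {
		panic(err)
	}
	fmt.Println("on shop.example:", Verify(pub, seal, sig, "shop.example", now))
	fmt.Println("copied to evil.example:", Verify(pub, seal, sig, "evil.example", now))
	forged := seal
	forged.Level = "green" // site upgrades its own rating without the issuer
	fmt.Println("self-upgraded level:", Verify(pub, forged, sig, "shop.example", now))
	fmt.Println("after expiry:", Verify(pub, seal, sig, "shop.example", now.Add(31*24*time.Hour)))
}
```

The checks fall out of the binding: the same seal and signature pasted onto evil.example fail on the domain comparison, a site that edits its own level fails the signature, and a stale seal fails on expiry. What the code cannot settle is the question Singh raises: the client still has to know which issuer public keys to trust, and that list is exactly the policing role he says someone has to take on.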