
WEF Earning Digital Trust 2022


In collaboration with Accenture, KPMG and PwC

Earning Digital Trust: Decision-Making for Trustworthy Technologies
INSIGHT REPORT
NOVEMBER 2022
Images: Getty Images

Contents
Foreword
Executive summary
Introduction
1 Digital trust framework: Goals and dimensions
1.1 Goals related to digital trust
1.2 Dimensions of digital trust
2 Digital trust roadmap
Conclusion
Contributors
Endnotes

Disclaimer
This document is published by the
World Economic Forum as a contribution
to a project, insight area or interaction.
The findings, interpretations and
conclusions expressed herein are a result
of a collaborative process facilitated and
endorsed by the World Economic Forum
but whose results do not necessarily
represent the views of the World Economic
Forum, nor the entirety of its Members,
Partners or other stakeholders.

© 2022 World Economic Forum. All rights
reserved. No part of this publication may
be reproduced or transmitted in any form
or by any means, including photocopying
and recording, or by any information
storage and retrieval system.


Foreword
Building a global consensus for
trustworthy technology decision-making.

Paolo Dal Cin, Global Security Lead, Accenture
Sean Joyce, Global Cybersecurity and Privacy Leader, US Cyber, Risk and Regulatory Leader, PwC
Jeremy Jurgens, Managing Director and Head, Centre for Cybersecurity, World Economic Forum
Akhilesh Tuteja, Global Cyber Security Practice Leader, KPMG

Trust is necessary if we are to work together towards common goals in an increasingly fragmented world. This is especially true regarding new technologies, given the rapid pace of innovation and its uneven spread. Following the World Economic Forum’s call to rebuild trust in 2021, the Digital Trust initiative was launched to establish a global consensus among key stakeholders regarding what digital trust means and what measurable steps can be taken to improve the trustworthiness of digital technologies.

Developing trustworthy technologies is a decision – and responsibility – for that decision rests with leaders across sectors and industries. To make decisions regarding advanced technologies, leaders must coalesce on clear goals. In other areas of global importance, such as global peace and prosperity and environmental, social and governance (ESG) practices, leaders have benefited from the clarity of global principles and guidance, such as the United Nations’ (UN) sustainable development goals, the Guiding Principles on Business and Human Rights, and the Forum’s Stakeholder Capitalism Metrics. Rapid innovation and implementation of digital technologies requires the same clarity for leaders.

Therefore, the Digital Trust initiative convened a multistakeholder digital trust community, comprised of leaders and experts from across industries (including leading technology innovators), governments, regulators and academic institutions as well as citizen and consumer advocates. This community encourages all stakeholders involved in the development of trustworthy technology to prioritize cybersecurity (including cyber resilience and security-by-design) and responsibility in technology use (including privacy protection, ethical and values-driven innovation, transparency and accountability). To begin this vital effort, the members of the digital trust community have developed a digital trust framework that builds on the Forum’s early advocacy for cybersecurity, responsible technology governance and digital trust. The Forum hopes that this framework guides leaders in making decisions that cultivate more trustworthy and responsible technology.



Executive summary
Ensuring digital trust is a leadership
responsibility that crosses domains
and functions.

Digital trust is a necessity in a world where digital technologies support and mediate virtually all economic transactions, social connections and institutions. At the same time, this trust is significantly eroding on a global scale. In order to reverse this trend, leaders and organizations creating and implementing new technologies and digital services must make decisions that are worthy of trust.

The World Economic Forum launched the Digital Trust initiative to help solve the digital trust challenge. The key question the initiative asked was: How can leaders make better, more trustworthy decisions regarding technology?

This insight report represents the first response to that question. It defines digital trust globally and introduces a “digital trust framework”, developed by the initiative, as a tool to guide decision-making for leaders.

– Digital trust is individuals’ expectation that digital technologies and services – and the organizations providing them – will protect all stakeholders’ interests and uphold societal expectations and values.

– Only by deciding and acting for digital trust can leaders and organizations meet their obligations to society and individuals.

– The digital trust framework defines shared goals or values that inform the concept of digital trust, including:
    – Security and reliability
    – Accountability and oversight
    – Inclusive, ethical and responsible use.

– The framework also defines dimensions against which the trustworthiness of digital technologies can be operationalized and evaluated:
    – Cybersecurity
    – Safety
    – Transparency
    – Interoperability
    – Auditability
    – Redressability
    – Fairness
    – Privacy

Drawing on expertise in privacy, cybersecurity, technology ethics, law and a variety of other fields, from over 60 experts and leaders in the digital trust community, this report presents an interdisciplinary view of what digital trust requires and how to make trustworthy decisions regarding the development or deployment of new technologies and digital services.

In addition to the framework, this report also begins the work of effective implementation of the digital trust principles. It focuses on the important role leaders have in preparing their organizations to make the choice for digital trust through every step of the technology life cycle and the important role that cooperation has to play in rebuilding digital trust globally.

– The digital trust roadmap guides decision-making holistically, beyond recommendations for any dimension of digital trust, to operationalize the framework according to a series of common steps (e.g. commit and lead, plan and design, build and integrate, and monitor and sustain).

– Earning digital trust is a responsibility shared by companies, governments, civil society and all individuals. This digital trust framework begins the work of meeting that responsibility.

Given the breadth of the digital trust topic, this report confines itself to the stakeholders most likely to impact the immediate development of new technologies. Further work in this field will explore the roles and responsibilities of other stakeholders in digital trust.



Introduction
Leaders and organizations earn trust when
they commit to strategies, services and
technology development that meet individuals’
expectations and support their values.

In an era where new digital technologies are fundamental to every aspect of business and social interaction and growth, the most important decision a leader can take is to make those technologies trustworthy.

There is a widening trust gap between individual citizens and consumers, their governments and the businesses that create and deploy digital technologies.1 From artificial intelligence to connected devices, from the security of personal information to algorithmic predictions, technology developers’ and digital service providers’ failures have eroded confidence at an unprecedented scale and rate. Significant evidence now shows that increased digitalization leads to widespread improvements in well-being and quality of life.2 At the same time, all trust surveys have registered an alarming decrease in trust in science and technology as well as a host of other social institutions and links.3 Without concrete and significant action to earn digital trust, the future is one of fragmentation and stagnation. The only way to reverse this trend is for technology developers and owners – those whose innovations mediate so many social interactions and underpin so many shared institutions – to commit to earning the trust of consumers and citizens.

That decision – to earn trust – is at the heart of digital trust. Digital trust is individuals’ expectation that digital technologies and services – and the organizations providing them – will protect all stakeholders’ interests and uphold societal expectations and values. It is the key to unlocking greater cooperation, widespread adoption and equal benefits from new technologies. Individuals and governments are increasingly demanding that the companies who develop and deploy new technologies and digital services respect the values and expectations of the society in which they operate – and withhold their trust and support for those who do not.4

BOX 1 Stakeholders in focus: technology purveyors and developers

Digital trust has the capacity to unify all stakeholders in high tech landscapes. From the designers, developers and purveyors of technology to citizens and end users (and their civil society advocates) to the government actors who regulate new technologies, all stakeholders have a role to play in cultivating trustworthy technologies. As such, all stakeholders ought to make decisions that favour responsible use of technology. This report focuses on one sub-group of the wide-ranging stakeholder community: the designers, developers and purveyors of digital technologies.

These entities – mainly private, profit-making corporations – have an important societal and economic responsibility to build digital technologies that adhere to the expectations and values of the societies in which they will be used. The leaders of these organizations will find the following framework useful in guiding their decision-making in building such trustworthy digital technologies.

Further work by the Forum on digital trust will expand the focus and inform decision-making for other stakeholders, including government actors, civil society and individuals.



Trust is not about the specific technologies developed or deployed, it’s about the decisions that leaders make. Across all technologies, when leaders determine which technologies are created or how they are used, they can choose to do so in ways that meet individuals’ expectations and sustain their values – and thereby build trust. Where organizations engage stakeholders through technology and data, they must respect the digital dignity of individuals. When making decisions about technology, leaders must recognize that their organizations act as stewards of the social licence stakeholders have bestowed upon them. This social licence is at risk when some actors sow distrust by developing or deploying technologies irresponsibly, without due consideration of the harms that might befall individuals and other stakeholders. This is especially true where data processing and analysis – along with any related security failures, ethical lapses, lack of transparency, in-coded biases or associated issues – can undermine adoption by people who would otherwise benefit the most from technology. This means that leaders must consider trust throughout their organization and the technology and data life cycle – from ideation through design, development, testing, deployment and product feedback about anticipated and actual use.

The digital trust gap cannot be solved by one domain alone. Many factors support trustworthiness in technology: good cybersecurity, effective privacy protection, transparency in deployment, auditability, interoperability between technologies, safety, redressability in the case of harm and fairness in application. When determining how or whether to use new technologies, Chief Executive Officers (CEOs) and other senior leaders must rely on all these domains throughout their organization to ensure their ultimate decisions will pass the test of trustworthiness.5 All these factors, or dimensions of digital trust, and how they come together to achieve trustworthy technology goals, are explored in depth below. The organizational shifts to move to a more trustworthy operating model are further described in this report. Only by deciding and acting for digital trust can leaders and organizations meet their obligations to society and individuals.

By adopting the digital trust framework introduced in this report, leaders can declare their commitment to trustworthy technology and begin earning the trust required to sustain innovation in new technologies and capabilities.



1 Digital trust framework:
Goals and dimensions
Making digital trust a reality by defining
trustworthy ends and the means to
achieve them.



The digital trust framework defines shared goals or values that inform the concept of digital trust, as well as dimensions against which the trustworthiness of digital technologies can be operationalized and evaluated. The framework should be used as a decision-making guide for leaders at the highest levels when considering the development, use or application of digital technologies and services. As trust is a relational concept – a two-way street – this framework specifically addresses what organizations can do to earn the trust of the people who ultimately use or are affected by digital technologies.

Goals and dimensions

Drawing from best practices across technologies from IT infrastructure to smartphone applications, connected devices to artificial intelligence and disciplines such as cybersecurity, privacy, law, policy and applied ethics, the framework examines the goals and demands motivating digital trust as well as the capabilities needed to operationalize them. Starting as close as possible to a universal understanding of the goals implicated in the use of new technologies – security and reliability, accountability and oversight, and inclusive, ethical and responsible use – while also recognizing the need to meet the norms of the society in which the technology operates, the framework provides a foundation from which to explore how technology can be developed and implemented in ways that support the overall goal of earning trust.

In order to make trustworthy decisions about technology, leaders must keep both the ends in mind as well as the means to get there. Both the goals of the technology being developed or implemented and the dimensions of its use must be trustworthy. By organizing and making decisions according to the framework, leaders can demonstrably uphold the broader goals of the society in which technologies are used. Understanding and upholding these goals by defining organizational strategy in terms of the framework can lead to a virtuous circle of better decisions leading to more trustworthy technologies and data uses.

For the leaders of organizations or companies developing and deploying digital technologies and services, the digital trust framework serves as a method to structure and examine the potential effects of their decisions. The dimensions of digital trust, including cybersecurity, safety, transparency, interoperability, auditability, redressability, fairness and privacy represent the means of achieving the goals of the digital trust framework. The goals and dimensions described in the framework are highly interconnected. Decision-makers themselves must still exercise judgement of how the interplay between the goals and their relative prioritization fits both the values of their organization and the expectations of the society in which they operate.

BOX 2 Definitions

Digital trust: Individuals’ expectation that digital technologies and services – and the organizations providing them – will protect all stakeholders’ interests and uphold societal expectations and values.

Goals: Considerations that motivate or can be achieved by actions or decisions (i.e. dimensions).

Dimension: The aspect of digital trust over which organizational decision-makers, such as CEOs and senior executives, have control and, if applied to a given technology with a human-centric approach, will promote digital trustworthiness.



FIGURE 1 Digital trust framework

[Figure labels: Digital trust. Goals: Security and reliability; Accountability and oversight; Inclusive, ethical and responsible use. Dimensions: Privacy, Transparency, Cybersecurity, Redressability, Safety, Auditability, Interoperability, Fairness.]

1.1 Goals related to digital trust

Digital trust demands that technologies adhere to a set of goals that represent expectations across geographies and uses. Pursuit of these goals often also acknowledges the norms of the society in which the technologies are used.6 By understanding, acknowledging and addressing the shared goals at play in technology applications and services within a given jurisdiction, technology developers, innovators and owners can focus on satisfying society’s digital trust expectations. These stakeholders, through values-driven decision-making, work towards satisfying these shared goals by creating more trustworthy technologies, systems and services.

Below, the framework defines each of these three goals and explores how they relate to the concept of digital trust by supporting decision-making that earns trust from organizations’ stakeholders. This section also examines the benefits, both to organizations and society as a whole, that accrue when digital trust goals are achieved. Finally, each section provides notable resources that will help leaders understand in more depth the issues involved in digital trust.



Security and reliability
Fulfilling the goal of security and reliability means that an organization’s
technology and data are well-protected against internal and external
attacks, manipulations and interruptions while operating as designed
according to a clearly defined set of parameters.7

Relevance to digital trust

As the world has become more digital, reliable functionality, connectivity8 and protection against harm (e.g. protection of personal or proprietary information) have become fundamentally important to the continued functioning of businesses, entire economies and many social interactions. Technology users expect digital services and products to meet their expectations and to protect the data they entrust to the service or product (and thus the provider of the service or product). If a service or product does not function in a predictable, reliable and secure manner, users will withhold support and data or stop using it. The reliability of digital services and products is thus deeply intertwined with the trust that individuals put in them and the provider of the services and products. This goal is closely related to cybersecurity concepts of confidentiality, integrity and availability in digital systems.9

Equally important, digital security enables reliability by decreasing the risk of interruptions and manipulations of the services and products.10 Unfortunately, both reliability and security are goals that are typically not recognized until they are lacking. This means that ultimate users, or those subject to the use of these technologies, often have limited means of assessing whether this goal is being met short of absolute failure. However, as users and citizens become more sophisticated regarding digital technologies they may demand assurance or information about just how reliable and secure a service or product is, and these more sophisticated stakeholders may serve as opinion leaders for the wider society – thus creating either virtuous circles of increasing trust for secure and reliable systems or vicious cycles of decreasing trust for unsecure or unreliable technologies. Therefore, decision-makers do not only need to think about how reliability and security can be achieved, but they also must be deliberate and transparent regarding the baselines of security and reliability users should expect and how they plan to achieve this goal.11



Benefit

Business

– Protecting reputations: Reliable and secure products and services are strongly in the economic and reputational interest of organizations for whom customer loyalty (as well as wider reputational factors) are important. In today’s connected age, a major cybersecurity incident or even downtime of a few minutes for a major digital service provider can lead to significant reputational and financial damages, particularly where security is also at issue.

– Competitive advantage: Putting reliability and security at the forefront of an organization’s decision-making about its services and products means committing to high-quality control standards, thereby avoiding retroactive investments to fix shortcomings in technology and services later on.12 This can also provide a competitive advantage, especially in sectors that are heavily controlled or regulated.

Societal

– Protecting interconnectivity: Reliability and security have implications for the entire supply chain in which an organization operates. Critical infrastructure providers (and increasingly cloud service providers in the cyber context), for example, underpin the functioning of modern society and, as such, their reliability and security have massive implications for all the organizations that they serve and who rely upon them to deliver their own products and services.

– Protecting health and lives: A technology provider’s reliability and security can have a significant impact on individuals’ safety, including on their physical or mental health (for example, in the case of the manufacturer of self-driving cars “beta testing” features on unsuspecting pedestrians). Society is rapidly coming to rely on security and reliability in a world of connected devices and online interactions, including critical infrastructure such as utility providers.

BOX 3 Security and reliability resources

Across organizations, to ensure decision-making is aligned to a common set of security and reliability norms, various efforts have defined best practice frameworks. The following are some notable resources on the topic:

Reliability:
– Google Cloud Architecture Framework
– Microsoft Azure Well-Architected Framework

(Cyber)security:
– National Institute of Standards and Technology (NIST) Cybersecurity Framework
– Information Security Forum (ISF) Standard of Good Practice for Information Security
– International Organization for Standardization (ISO) 27001/2
– Control Objectives for Information and Related Technologies (COBIT)



Accountability and oversight
Fulfilling the goal of accountability and oversight means that
responsibilities for trustworthiness are well-defined and clearly
assigned to specific stakeholders, teams or functions along with
provisions for addressing where those responsibilities fail to be
satisfied. Further, means are in place to ensure that rules, standards,
processes and practices are followed and performed as required.13

Relevance to digital trust

Attention to the good governance of organizations has dramatically increased. Whether through the increasing prominence of environmental, social and governance (ESG) reporting,14 or through increased regulatory scrutiny on a variety of digital risk domains,15 organizations are increasingly required to demonstrate better oversight in how they maintain and contribute to both financial and social stability. Likewise, regarding technology and data use, accountability and oversight help ensure that digital trust’s dimensions are properly incorporated and implemented into all requisite organizational operations while decreasing information asymmetries between technology developers and individual users or citizens.

An organization’s approach to digital trust is shaped by its board, leadership and management through their application of organizational values, vision and goals. Given the presence of data and technology in nearly all business products and operations (e.g. communications, finances, record-keeping, engineering, design and analytics), strong accountability and oversight over how technologies are implemented and how data is used must permeate throughout all levels and areas of an organization to ensure that its digital trust objectives and commitments are fulfilled. To do otherwise would be to demand trust from users, partners and other stakeholders without making a reciprocal commitment to act in a trustworthy way – an unfair and unsustainable operating model.

Good accountability and oversight also ensure that harms experienced by end users, citizens and consumers can be effectively remediated. Technology developers and the companies who implement new technologies are the most likely to be able to remediate problems at the least cost, especially as compared to less sophisticated individuals who may be subject to technology uses beyond their control. As the “least cost avoider”16 in economic terms, technology developers are best placed to implement the kinds of accountability and oversight mechanisms that can prevent and remediate digital harms. The existence of these mechanisms significantly improves the trustworthiness of new technologies.

Benefit

Business

– Inspiring confidence: Defining and adhering to standards of accountability and oversight encourages stakeholders to use the products and services businesses offer. Consumers’ and citizens’ peace of mind can help a company ensure financial sustainability and grow its customer base.

– Workforce and culture: Digital technologies impact employees as well as customers. With proper accountability, organizations can take advantage of the efficiency and other gains promised by new technologies while simultaneously forging strong bonds with the personnel companies rely upon to function (for example, human-centric rules regarding algorithms applied to workers can provide clarity and efficiency).

Societal

– Cooperative regulation: Governments often implement societies’ digital trust expectations through legal and regulatory requirements and conduct oversight of those requirements through various mechanisms. Digital trust programmes that recognize the impact of social expectations surrounding data and technology, and account for them in oversight mechanisms, can either obviate the need for the most stringent regulations or operate in conjunction with government oversight to fulfil the expectations of society.

– Harm minimization: The impact on all of society from poorly governed technologies stems from both the actual harms experienced by individuals and the opportunity costs where decreased trust prevents the use or implementation of beneficial technologies. Good accountability and oversight mechanisms can both remediate any harms that result from technology use (making individuals whole) and build up the trust necessary for more widespread adoption of useful technologies.

BOX 4 Accountability and oversight resources

Across organizations, to ensure decision-making is aligned to a common set of accountability and oversight norms, various efforts have defined best practice frameworks. The following are some notable resources on the topic:

Written accountability requirements and standards

– The US Securities and Exchange Commission’s (SEC) proposed rule on cybersecurity risk management, strategy, governance and incident disclosure by public companies. (See SEC Regulation S-K, item numbers 106(b)-(d) and 407(j), accessible via the Code of Federal Regulations at 17 C.F.R. 229).

– SOC 2 framework issued by the American Institute of Certified Public Accountants (AICPA).

– Payment Card Industry Data Security Standard (PCI DSS) issued by the Payment Card Industry Security Standards Council.

Independent oversight

– Financial Industry Regulatory Authority (FINRA): A financial industry self-regulatory organization that acts under the authorization of the US Congress and oversight of the SEC to monitor and regulate securities trading, exchange platforms and licensing requirements, as well as to arbitrate claims arising in connection therewith.

– Privacy and Civil Liberties Oversight Board (PCLOB): An independent US government agency responsible for reviewing the government’s national security-related policies, procedures and practices to oversee and ascertain their conformance with other privacy and civil liberty statutes and regulations.



Inclusive, ethical and responsible use
Fulfilling the goal of inclusive, ethical and responsible use means
that an organization designs, builds and operates its technology
and data as a steward for all people, society at large, the natural
environment and other stakeholders, with the overall intent to ensure
broad access and use resulting in ethically responsible outcomes.
This goal also means the organization works to prevent and mitigate
exclusionary practices or other harms.17

Relevance to digital trust

The more digital technologies and data uses impact individuals’ lives and well-being, the more consumers expect technologies to be developed, implemented and applied in ways that respect the dignity of ordinary users and citizens.18 Organizational decision-makers, therefore, cultivate digital trust by committing to the inclusive, ethical and responsible use of technology and data. Decision-makers should also help individuals understand how the organization is committed to human rights and other universal principles (e.g. respect for human dignity, justice, non-discrimination, privacy, beneficence and agency). When interacting with technology, individuals look for signals that demonstrate how organizations will use data and technology to serve their interests. By committing to inclusive, ethical and responsible technology uses, organizations build trust by meeting citizens’ and consumers’ expectations while abstaining from harmful uses.

Standardization is critical when building digital trust through technology products – without it, ethical decisions can appear subjective and ad-hoc. Leaders who seek to implement value-driven technology design and product decision-making at scale recognize that organizations need standards to guide decision-making. Standardization builds trustworthiness by limiting arbitrary or capricious uses and ensuring responsible use. When promoting inclusion, consistent and objective outcomes result from a common approach, which is key to building and maintaining digital trust. In short, predictability breeds trust. For example, procurement policies can be a critical lever in increasing accessibility and inclusivity. Effective policies set the expectations, standards and criteria for how goods and services will be purchased. Through this, the organization can ensure the acquisition of universal designed products and services to safeguard equitable development and participation.19 It is important, therefore, to provide a framework through which any organizational stakeholder, when faced with an ethical quandary, can make decisions or produce outcomes that are objectively consistent in process and result.

Organizations that are inclusive, ethical and responsible in designing and deploying their technology and data not only build trust with the public but demonstrate a way forward to increase trust in technology as a whole. This allows technology solutions to serve both individuals and companies, easing friction and increasing efficiency. Thoughtful design communicates respect for individuals and signals an organization’s societal commitments in its decision-making.20 For example, when making digital decisions, organizations seeking to cultivate digital trust may evaluate potential solutions with ethical frameworks and human-centric expectations, in addition to legal analysis – moving the discussion from “can” to “should”.

Benefit

Business

– Virtuous circles: Inclusive, ethical and responsible use commitments and decisions ultimately signal an organization’s digital trustworthiness, allowing for deeper engagement by the user, better products from the organization, and an increase in the sharing of useful data between end users and technology developers and owners. Organizations seeking to implement this dynamic can be aided with tools for responsible innovation, such as games, workshops, team activities and technical tools.21

– Expanding workforce: By adopting a position of inclusive use of technology, organizations will see an increase in the proportion of the population able to contribute to the organization’s mission effectively.



Societal

– Increasing opportunity: Increased global connectivity stemming from digital technologies and access to digital services has the potential to significantly advance economic development and improve the lives of a vast proportion of the global population. A commitment to inclusivity will ensure the greatest good reaches the greatest number of people, while dedication to ethical and responsible use ensures that the benefits vastly outweigh potential harms.

– Justice and stability: Equalizing the benefits of technologies and data uses while ensuring a human-centric approach that minimizes the potential for harm helps to nurture stable societies and strong institutions. Rather than further destabilizing social institutions by increasing inequality and raising the spectre of unanticipated harms, inclusive, ethical and responsible use of technology satisfies demands for justice that help improve social structures’ overall cohesiveness.

BOX 5 Inclusive, ethical and responsible use resources

Across organizations, to ensure decision-making is aligned to a common set of inclusive, ethical and responsible use norms, various efforts have defined best practice frameworks. The following are some notable resources on the topic:

– Center for Democracy and Technology and the American Association of People with Disabilities, Centering Disability in Technology Policy
– European Committee for Standardization, European Committee for Electrotechnical Standardization and European Telecommunications Standards Institute, EN 301 549 V3.2: Accessibility requirements for ICT products and services
– G20 Global Smart Cities Alliance, Global Policy Roadmap
– Microsoft, Responsible Artificial Intelligence (AI) Standard V 2 and Inclusive Design Toolkit
– NIST, AI Risk Management Framework
– Office of the United Nations High Commissioner for Human Rights, 49/60: Statistics and data collection under article 31 of the Convention on the Rights of Persons with Disabilities
– Office of the United Nations High Commissioner for Human Rights, A/HRC/49/52: Artificial intelligence and the rights of persons with disabilities
– Organisation for Economic Co-operation and Development (OECD), AI Principles
– United Nations Educational, Scientific and Cultural Organization, Recommendation on the ethics of artificial intelligence
– World Economic Forum, A Blueprint for Equity and Inclusion in Artificial Intelligence
– World Economic Forum, Presidio Principles: Foundational Values for a Decentralized Future



1.2 Dimensions of digital trust

Trust is not a monolith. Even when aligned with the three goals previously described, many factors figure into whether a decision and its results should be trusted. For trustworthy decision-making regarding technology and data uses, the framework identifies eight crucial dimensions of decision-making: cybersecurity, safety, transparency, interoperability, auditability, redressability, fairness and privacy. These dimensions play an important role in ensuring that social values are upheld and enhance digital trust. These aspects of digital trust are so central to the functioning of the trust relationship between an individual and an organization that if they are maximized – consistent with the goal of a given technology or capability – they will lead to the fulfilment of the goals of security and reliability, accountability and oversight, and inclusive, ethical and responsible use.

BOX 6 Mechanical and relational trust22

Across any set of dimensions of digital trust, decision-makers must consider what processes, mechanisms and tools are at their disposal to ensure that responsibilities related to each dimension are discharged in practice. It may be worthwhile for leaders to consider the variety of options available to do so, falling into two categories of trust assurance: mechanical and relational.

Mechanical trust is the means and mechanisms that deliver predefined outputs reliably and predictably. Applications of technology, like blockchain or non-discretionary disclosure practices, can be considered “mechanical”. Mechanical trust means that, if a system performs predictably in and of itself, individuals will be more willing to use it. That is, they will be more willing to trust it.

Beyond mechanical applications, another equally important form of trust is required: relational trust. Even if all the mechanical systems work, if individual trust givers don’t believe that organizations and individuals are all playing by the same rules or believe that organizational decision-makers don’t fully consider and seek to align with their users’ interests, core trust often breaks down. That is why relational trust – the social norms and agreements that address life’s complex realities – is also vital. In the context of digital trust, relational trust often represents a shared agreement on when, where, why and how technologies are used.

As decision-makers review the following dimensions of digital trust, they should keep these two means of achieving results across the dimensions in mind.

For each of the dimensions of digital trust, the framework describes the dimension itself and offers context on how each dimension relates to achieving digital trust goals (security and reliability, accountability and oversight, and inclusive, ethical and responsible use). It also offers some considerations on the implementation of each dimension and likely challenges leaders will face. Taken together, it constitutes the means by which digital trust can be achieved.



Cybersecurity
Cybersecurity is focused on the security of digital systems – including underlying data, technologies and
processes.23 Effective cybersecurity mitigates the risk of unauthorized access and damage to digital
processes and systems, ensuring resiliency. It also ensures the confidentiality, integrity and availability
of data and systems.24

Relation to digital trust goals

Inclusive, ethical and responsible use

Good cybersecurity mitigates the risk of unintended uses (i.e. abusive) of technology. Especially with regard to historically marginalized populations, good cybersecurity in digital technologies and systems limits the harm to which customers and citizens are exposed. Naturally, however, the cybersecurity measures in place only cultivate inclusive, ethical and responsible use if the cybersecurity programme of an organization is driven by those goals itself.25

Accountability and oversight

Cybersecurity enables accountability by, for example, ensuring access to secured information is only given to the “right” individuals. Oversight is strengthened equally when organizations establish cybersecurity programmes that allow for monitoring and tracking behaviour and processing of data in the digital space.

Security and reliability

Cybersecurity is at the core of digital security and reliability. Given the significant threats digital processes are exposed to, having strong and effective cybersecurity programmes and, as a result, being seen as strongly protective of the data and information that users share, as well as being resilient to potential attacks, is paramount for secure and reliable digital technologies and systems.

Key considerations for decision-makers

Implementation

– Treat cybersecurity as an organizational imperative.26 Stakeholders will demand that the technology they use (including systems and devices) is secure from intrusion, that any data they share is secure from unauthorized access, and, increasingly, that organizations can provide assurance that they take cybersecurity seriously (e.g. in the form of security labels, trust marks or effective cyber risk management practices).27 Decision-makers thus need to think not only of how cybersecurity can be actually achieved in their offering but also about signalling that it is implemented at acceptable levels on par with international cybersecurity best practices or standards and innovating over time to mitigate new risks.28 Focusing on both these aspects of cybersecurity – the mechanical implementation, as well as the communication of the importance and value that an organization puts on cybersecurity – will be key to building trust.29



Challenge

– Determining the appropriate cyber resources necessary to protect trust. Cyber risk has enormous ramifications for any entity that gathers, stores or uses data. If a technological process touches data, digital trust demands that the controller of that process makes decisions aimed at securing that data. While cyber risk is always present, strong cybersecurity helps to ensure the confidentiality, integrity and availability of data, including preventing unauthorized changes or tampering with the data that could sow distrust in an organization’s processes and the results they provide. Doing this effectively can often come with significant financial and other costs for a given organization.

– Delineating responsibilities between cybersecurity and other trust dimensions may challenge existing foundational assumptions regarding cybersecurity’s role and operating model. Recognizing the critical and broad role that cybersecurity plays in the areas of business continuity, brand reputation, regulatory exposure and shareholder value, a concerted effort has begun to integrate cybersecurity as a strategic business enabler and to coordinate with other areas such as enterprise risk, product development and data management. Yet, when cybersecurity controls all aspects of an organization’s security-related strategy, issues can arise when dimensional- and goal-related ownership is split between two or more teams. For instance, under the dominant confidentiality, integrity and availability (CIA) triad, it is assumed that cybersecurity is primary for keeping data reliable and accessible. Yet, digital trust requires a holistic approach, where cybersecurity is one dimension of trust among many. Digital trust requires questions of security to be considered alongside questions of, for example, whether data is accurate and fit-for-purpose or whether it is responsibly used. These and other similar considerations will require a tailored approach in order to successfully integrate cybersecurity into an organization’s broader digital trust programme and its goals.30 Ultimately, a risk-based approach that considers the context of use while balancing cybersecurity, privacy, digital safety and responsibility, usability, commercial viability and sustainability may prove to be essential.



Safety
Safety encompasses efforts to prevent harm (e.g. emotional, physical, psychological) to people or
society from technology uses and data processing.31

Relation to digital trust goals

Inclusive, ethical and responsible use

Safety is a core aspect of the social norms and goals that digital trust is designed to uphold and protect.32 An organization’s decisions regarding safety can be addressed in an inclusive, ethical and responsible manner by including in due diligence an examination of the impact of safety mechanisms. For example:

– Is the safeguard in the best interest of the user and their human rights?

– Can all users access the precaution?

– Does the safety mechanism indicate that the organization is a steward for users?

Being able to answer these questions in the affirmative can indicate that an organization is conscientious of the consequences and is offsetting safety concerns in an inclusive, ethical and responsible manner, all of which promote an organization’s digital trustworthiness as they act in the interest of the users.

Accountability and oversight

Accountability and oversight for safety requires decision-makers to think broadly about the ramifications of a given technology application or data use. As they develop and are applied to new areas, many technologies represent differing safety risks over their life cycle. For example, protocols and standards supporting data transfer created novel safety vulnerabilities when they were ported over to the physical world in the form of the internet of things. In order to avoid future safety issues, the governance mechanisms established for digital technologies and data uses must be flexible enough to foresee future safety concerns, or the governance mechanisms risk losing the trust of individuals over the long term.

Security and reliability

Safety promotes security and reliability by ensuring that technologies do not cause harm and operate as intended. Considering safety at the development or initial implementation phase ensures that the variety of uses to which new technologies are put continue to meet standards and expectations regarding their security and reliability. Decision-makers must consider how new environments (e.g. moving from purely data-focused to cyber physical systems) will increase the demand for safety assurances relating to increased security and reliability guarantees.

Key considerations for decision-makers

Implementation

– Take a nuanced approach to harm mitigation and safety. Safety for technologies and data uses is not one-size-fits-all. On the contrary, organizational approaches to addressing safety in operations, products and services are often contextual, as harm can manifest differently according to factors such as the type of technology, characteristics of the user and the context of technology used. Safety programmes are inherently responsive to the hazards that are endemic to an organization’s product or service; therefore, a nuanced approach is recommended. As outlined below, these factors introduce considerations that organizational decision-makers should consider while addressing safety concerns.33

Challenges

– Foreseeing and offsetting a range of possibilities for harm. Appropriately implementing the proper safety precautions is difficult. The complexity includes factors for the type of technology, characteristics of the user and the context of technology used. Think of the differences across social media settings (e.g. harm to well-being, content moderation), extended reality (XR) experiences (e.g. invasion of personal space, personal space perimeter) and self-driving cars (e.g. reckless driving, safety driver). Within these scenarios, designing with an inclusive mindset and considering not only the archetypal user but also those with a range of abilities and resources is key. Plus, context-dependent norms in various settings (e.g. consumer, employment, educational, medical) can transform the possibilities for harm and safeguards. To address this challenge, organizations can coordinate their safety efforts, whether by industry or according to the user.34



BOX 7 Singapore: Public-private collaboration in making online safety a priority

Safety has traditionally been a key expectation of governments, and the same can be true in digital spaces. In Singapore, as the nation progresses through its “Smart Nation” journey, the safety aspect of digital trust has been an important concern. National leaders recognize that citizens and businesses must feel safe when using digital communications and technologies. A lack of safety due to threats such as cybercrime, phishing scams and various online harms will erode public trust in digital technologies and undermine the ability to fully harness the opportunities offered by them.

To cultivate digital trust, the Singapore Ministry of Communications (MCI) works with its agencies, such as the Cyber Security Agency of Singapore (CSA) as well as the Smart Nation and Digital Government Office (SNDGO), to create a safer and trusted digital environment.

MCI collaborates with stakeholders across the private and public sectors to implement regulations, codes of practices and programmes that will enhance the safety of the digital environment. Among these programmes is the Sunlight Alliance for Action, which was launched in 2021 to close the digital safety gap through workstreams such as research, victim support and public education.



Transparency
Transparency requires honesty and clarity around digital operations and uses. Enabling visibility
into an organization’s digital processes reduces the information asymmetry between an organization
and its stakeholders while signalling to individuals that the organization intends not only to act in the
individual’s interest but also to make those actions known and understandable to those inside and
outside of the organization.35

Relation to digital trust goals

Inclusive, ethical and responsible use

Transparency showcases how decisions are being made, and thus enables interventions in the interest of inclusive, ethical and responsible use.36 Where organizations recognize the ethical responsibility to share information about how technologies are used and to what ends, ensuring transparency is a key activity in building trustworthiness.

Accountability and oversight

Transparency provides information about how technologies are developed and implemented, how data is used and how it sets the standard for governance. The mechanisms of accountability and oversight are also rendered more trustworthy if they are transparent. Giving stakeholders insight into how technology decisions are assessed and how issues regarding the development or application of new technologies are handled likewise increases trustworthiness for customers, citizens and other affected parties.

Security and reliability

For the goal of security and reliability to impact the trustworthiness of an organization or technology, the particulars of these goals, and progress in reaching them, must be transparent. Even relatively straightforward mechanisms to publicly track security incidents or reliability failures and their remediation can significantly improve trustworthiness.37 These mechanisms help to set stakeholder expectations of security and reliability as well as the expectation that these goals are taken seriously by the organizations with which they are entrusting data or their physical or digital safety.

Key considerations for decision-makers

Implementation

– Design with user-friendly transparency in mind. Leaders should encourage their teams to work backwards. First, identify the details that may need to be disclosed in the future. Then, when building out an organization’s technology stack (both for internal development as well as in the products the organization provides externally), document design decisions can include capabilities to track the use of data and flow of information in a manner that can be communicated, as needed, to a range of stakeholders in a timely and useful way.38

Challenges

– Meeting agency expectations. Beyond being able to access relevant information about how their data is being used, trust givers need to be able to understand, appreciate and act upon the information provided in order to make an informed decision as to whether they want to give their trust or not. Transparency enables agency of the trust giver; understanding and acting upon the information being provided is central to meeting agency expectations.

– Determining appropriate disclosure. Being radically transparent and providing broad access to information about how users’ data is collected and used, particularly with a significant amount of detail, may often conflict with an organization’s other interests. As such, the scope of the audience and level of data provided need to be evaluated. Audiences can – as a first step – be divided into internal (e.g. employees, legal and compliance functions) and external (e.g. customers, regulators and watchdogs). From there, considerations, including purpose and level of expertise, can further inform the content of the disclosure. While this balance will undoubtedly be difficult to achieve, and an organization will rarely receive plaudits from all audiences, it is a critical path to follow to build and maintain digital trust.



Interoperability
Interoperability is the ability of information systems to connect and exchange information for mutual use
without undue burden or restriction.39

Relation to digital trust goals

Inclusive, ethical and responsible use

When considering interoperability, organizations must ensure that all connected technologies also satisfy their ethical and responsible use goals. This may require a balance between wide-scale interoperability and adherence to the organization’s commitments to ethical and responsible use. Thus, the extent to which technologies are made interoperable must be subject to senior leaders’ judgement and should not be considered merely a technical question. Likewise, interoperability may promote inclusivity by allowing a larger set of stakeholders access to beneficial technologies (for example, the portability of health data).40 Still, the benefits and risks of these interconnections must be assessed concerning the organization’s goals and the expectations of its stakeholders.41

Accountability and oversight

Interoperability enables many individuals and organizations to collaborate on and improve technology. This large number of collaborators offers the opportunity for additional oversight but also requires further accountability mechanisms within individual organizations. Where collaboration promotes and facilitates group problem-solving, this will include inputs that should be considered within individual collaborating organizations’ accountability functions. It is likewise the responsibility of each organization developing interoperating technologies to ensure that its accountability and oversight mechanisms meet the standards of the whole system and the expectations of all stakeholders affected by the technologies.42

Security and reliability

Interoperability requirements and controls make significant contributions to technology security and reliability. For technology to co-exist and connect with other technologies and data, a degree of openness – including open-source code and common data standards – is necessary, even if not in itself sufficient, to enable sharing and integration.43 Further, when source code is public and accessible, users can help to verify that the technology operates as intended and identify the dependencies of their safeguards on other technologies and organizations. Even if source code cannot be made public, adequate assurances of security and reliability promote interoperability between systems, which is both a result of digital trust and helps build greater trust among stakeholders.44

Key considerations for decision-makers

Implementation

– Laying the groundwork for interoperability. Interoperability requires that different systems can interpret and present data as it is received, while also preserving its original context. This requires consideration of the governance and operating rules for the technology designed to establish how participants in the interoperability arrangement will make decisions, jointly manage operations and consider risk. Business agreements must also balance the economic interests of parties and incentivize the exchange of source code and data. Finally, designers must plan for technical infrastructure that connects parties, systems and their data.

– Uniform technology expectations and standards are key. Industry-specific technology standards can lead to broad economic growth and social good. History is replete with such examples. In the late 19th century, a collective decision by the southern United States to convert, in just 36 hours, 13,000 miles of track to standard-gauge width led to substantial stock price increases for southern railroads and the eventual demise of the steamship freight industry.45 The 1970s introduction of UPCs (bar codes) caused a worldwide revolution in supply chain efficiency that experts calculate saved the grocery industry 5.65% (or $17 billion) of total annual sales in 1999.46 More recently, Kenya’s issuance of mobile phone remittance transfer requirements sparked a “mobile money” revolution that delivered financial inclusion to impoverished rural communities, thereby reducing poverty and increasing occupational change (particularly for women), agricultural modernization and private sector development.47 In each of these instances, competing organizations’ adoption of common standards enabled wider dissemination of critical goods, money and information due to users’ and companies’ independence from specific systems and networks.



Challenges

– Protecting security and privacy. While interoperability is key to an open and pro-competitive internet, unrestrained system integration poses significant privacy and security issues. For example, privacy principles stipulate that users should be able to control and limit third-party access to their personal information. Therefore, system integration can infringe upon privacy rights if users do not have adequate notice and the ability to consent to sharing their personal information before the system integration is consummated. Similarly, the system connectors that enable interoperability also provide an additional attack surface for malicious actors who seek to access data without authorization. With this in mind, trustworthy interoperability should be promoted, with a clear recognition and plan for any privacy and security risks.

Auditability
Auditability is the ability for both an organization and third parties to review and confirm the activities
and results of technology, data processing and governance processes. Auditability serves as a check
on an organization’s commitments and signals the intent of an organization to follow through on
those commitments.48

Relation to digital trust goals

Inclusive, ethical and responsible use

Comprehensive audits can allow organizations to measure their own progress against their ethical goals. In addition, making the results available can help prove to individuals and other stakeholders that an organization is meeting its commitments to achieve this goal. When considering how to audit its technology decision-making, organizations should pay attention to the ramifications of these decisions. Audits of digital trust must consider whether technologies developed, implemented or used are adequately inclusive of a wide array of potential users and stakeholders (and meeting their expectations) as well as whether the technology meets the organization’s ethical and responsibility goals and commitments.

Accountability and oversight

Audits drive effective governance, accountability and oversight.49 It is impossible for an organization to adequately meet this goal without a robust audit mechanism in place. For the accountability and oversight of digital technologies (especially emerging technologies like AI) to be effective, auditability must be addressed at the development stage. Ever more complex technologies, if developed without auditability in mind, represent significant challenges to audits after the fact. Trustworthy organizations avoid developing or implementing technologies where operations exist in a “black box”, defying the ability to examine how they function and deliver results.

Security and reliability

Auditability can help correct for the otherwise limited means of assessing security and reliability, an opportunity that typically only presents itself when there is an actual, significant security or reliability problem. External publication of such security audits and running related bug bounty programmes can signal to trust givers the importance an organization places on security and reliability. External reporting of factors such as security breaches or uptime50 as well as measures taken to improve those factors, aids in building trust with an organization’s stakeholders.

Key considerations for decision-makers

Implementation

– Defining the scope of an organization’s audit landscape: Organizations are likely well-versed in auditing their quantitative procedures, decisions and associated data. However, documenting and applying auditability standards and processes to qualitative procedures and decisions are all the more important when seeking to earn digital trust due to the potential for variability and claims that an organization is not meeting its commitments. Organizations must, therefore, make efforts to compensate for the potential documentation challenges that can arise in the context of such procedures and decisions.

Challenges

– Understanding the implications of data retention: The ability to store the information captured will determine the available time frame for a potential audit. As storage decisions are often a function of hardware, financial and legal constraints, each of which may have implications for the relevant retention period, it is important that these be accounted for in any auditability plan and process.

– Examining the role of internal or external auditors: The audience of the audit’s findings will change depending on which trust givers an organization seeks to cultivate trust with. For example, internal audits will satisfy internal stakeholders but may not bolster trust with external parties. As such, it is likely that an organization will need both internal and external audits. Beyond legally required audits, however, it may not be sustainable to have regular external audits given the cost and the impact on internal resources that need to be focused on revenue-generating activities, so an organization will need to think carefully about how to structure such audits and how often they are needed. In this context, it may be worth considering how the building and maintenance of digital trust impacts an organization’s bottom line because for organizations for whom digital trust is key (e.g. holders or processors of large amounts of or highly sensitive trust giver data), regular audits may well be worth conducting, even given the significant expense and impact on other operations.


Redressability
Redressability represents the possibility of obtaining recourse where individuals, groups or entities
have been negatively affected by technological processes, systems or data uses. With the understanding
that unintentional errors or unexpected factors can cause unanticipated harms, trustworthy organizations
have robust methods for redress when recourse is sought and mechanisms in place to make individuals
whole when they have been harmed.51

Relation to digital trust goals

Inclusive, ethical and responsible use

Designing avenues for recourse and having processes and culture to provide redress builds trust by maximizing agency. This also demonstrates an organization’s respect for the individual and their interests, needs and expectations. External opportunities to identify problems and redress harms are vital to earning trust when developing or implementing new technologies. While responsibility can be achieved by internal measures of accountability, ethical and responsible organizations create avenues for redress when the technology they develop or control causes harm to external stakeholders. These external avenues also serve as checks where an organization falls short of meeting the goal of inclusive, ethical and responsible use.

Accountability and oversight

Redress mechanisms are critical components of any accountability and oversight programme. Rather than focusing its oversight solely on how to improve internal delivery or maximize efficiency or profit, a trustworthy organization uses its oversight function to ensure that it is accountable to itself and all stakeholders for technology-related decisions and the consequences of those decisions. Organizations should hold themselves accountable for making human-centric decisions that consider the impact of activities on individual citizens or consumers and actively seek opportunities to remedy harms those decisions have caused.

Security and reliability

Security and reliability failures impact the organization and its network of partners, users and other stakeholders. Significant downtime, or a data breach, has a negative impact on trustworthiness. When these events are coupled with a lack of redress or an unwillingness to make affected partners, customers or individuals whole in response to their losses, this loss of trust is compounded. For these stakeholders, having a clear, easy-to-use avenue for redress when security or reliability cannot be adequately achieved enables an appropriate response to assess and correct the harm that may have occurred.


Key considerations for decision-makers

Implementation

– Enable effective redressability: Commitments to redressability may build upon existing procedures. Organizations are likely to have an existing support function for users, customers or clients. Such functionality may be tiered, starting with automated self-service for frequently asked questions (FAQs), which can lead to support over email, phone call or chat message with a bot and then, if necessary, an agent. Redressability may take advantage of these functions and tiered processes to ensure it can be achieved effectively and at a limited cost to the organization. It is also important for organizations to take actions that engender trust through transparency and other self-service resolutions, such as using FAQs as a feedback mechanism and designing products/services.52

Challenges

– Minimizing customer burdens: Efforts in recent years to automate and outsource support functionality have been a cost-saving method for many organizations. However, many of these functions merely push the burden of dedicated time to seeking redress onto the harmed individual. Reinvestment support for customers – the opportunity to engage with a knowledgeable, capable employee, easily and directly, who is empowered to provide redress for harmed individuals – will help to bolster an organization’s trustworthiness.

– Defining the scope of the redress process: Defining the scope of a complaint process promotes individual autonomy and respect. As with any system, however, it is possible for users, customers, clients or third parties to abuse such a process. As a result of offering guaranteed compensation for victims of severe airline delays, the EU also incentivized companies to arbitrage claims filing and processing for 30-40% of the guarantee. Organizations will need to set the boundaries of what types of decisions are subject to redress and which are not and be transparent regarding such decisions. Ultimately, an organization must balance what is appropriate for an individual with what is feasible at scale and in the case of redress, recognizing that redress may be required across not just one individual but a relatively large segment of users, customers or clients.


Fairness
Fairness requires that an organization’s technology and data processing be aware of the potential
for disparate impact and aim to achieve just and equitable outcomes for all stakeholders, given the
relevant circumstances and expectations.53

Relation to digital trust goals

Inclusive, ethical and responsible use

Fairness is deeply connected to meeting the goal of inclusive, ethical and responsible use. Defining what is fair in a given scenario is ultimately a subjective decision. It requires balancing questions of equity, equality, consistency and many others. For example, in some scenarios, equality may not be just, and therefore equity considerations may motivate additional steps for certain individuals or groups to better level the playing field. Decisions like the determination of equality versus equity are prime examples of the need for standardization referenced in the inclusive, ethical and responsible use section above. This standardization enhances fairness by ensuring that such decisions are objectively consistent in processes and outcomes – a key hallmark of fairness54 – and aligned to a common set of ethical, inclusive and responsible use norms defined in best practices frameworks.55

Accountability and oversight

Being fair in both process and outcome is a key goal of accountability and oversight activities, sending a signal of trustworthiness to customers and individuals. Organizations should include fairness as an issue for which they hold themselves accountable, consistent with their values and those of the society in which they operate. This might mean different standards for fairness in different geographies for the same organization. Integrating fairness into oversight processes in pursuit of this goal means that organizations should not consider questions of “what is fair” or “what is just” to be exogenous to their decision-making processes. Creating opportunities for internal and external validation of whether a decision is fair (as consistently defined within the organization) can help organizations act in a trustworthy manner.

Security and reliability

Fairness commitments support security and reliability goals, as one core conception of fairness is achieving similar outcomes for different people across similar situations. Where fairness is considered “treating similarly situated individuals similarly”, the mechanisms for protecting data and ensuring its availability for use for beneficial purposes must be equally applied. Good security itself is an exercise in promoting fairness. As organizations are the controllers of individuals’ data and receive benefits from using such data, fairness demands that they reciprocate that value by making efforts to protect the data they have received.

Key considerations for decision-makers

Implementation

– Documenting fairness judgement calls: Beyond any jurisdiction-specific discrimination protections (e.g. fair lending or fair housing), decisions regarding fairness generally result in reasonably consistent treatment of all individuals. Such decisions may be addressed in an organization’s diversity, inclusion or accessibility initiatives – or responsible AI efforts when using artificial intelligence. When defining and operationalizing fairness within an organization’s technology and data processing, documenting the justification of associated decisions ensures that both the process and outcome are fair. For example, the trade-off between standardization and personalization can have fairness connotations, as there is often a fine line between appropriate personalization and biased (i.e. discriminatory; exclusionary) experience. As such, in making design decisions, it will often be helpful to document the assessment of fairness and equity in those processes, as what’s fair can mean different things in different contexts to different people. As part of this documented process, fairness may require impact assessment that includes the identification of affected stakeholders, potential harms and benefits, and steps necessary to mitigate those harms.

Challenges

– Assessing the fairness of the system/product/process: Assessing existing infrastructure and new products for fairness considerations will aid in signalling trustworthiness to external trust givers. These could include evaluating the proper scope of monitoring data use and assessing time frames and need for data retention. Fairness can be relative to particular individuals or groups, so organizations are encouraged to consider multiple personas when they assess fairness decisions.


Privacy
Privacy, for individuals, is the expectation of control over or confidentiality of their personal or
personally identifiable information.56 For organizations, privacy is the meeting of this expectation
through the design and manifestation of data processing that facilitates individual autonomy through
notice and control over the collection, use and sharing of personal information.57

Relation to digital trust issues

Inclusive, ethical and responsible use

Privacy serves as a requirement to respect individuals’ rights regarding their personal information and a check on organizational momentum towards processing personal data autonomously and without restriction. A focus on this goal ensures that organizations can unlock the benefits and value of data while protecting individuals – especially historically marginalized or at-risk populations – from the harms of privacy loss. It effectuates inclusive, ethical and responsible data use – or digital dignity58 – by ensuring that personal data is collected and processed for legitimate purpose(s) (e.g. consent, contractual necessity, public interest, etc.).

Accountability and oversight

Privacy cannot be achieved without accountability and oversight. Given organizations’ exclusive access and control over their systems’ data processing, privacy requires internal corporate accountability and oversight to ensure that data processing is limited to permitted uses. Achieving this goal also requires mechanisms for external validation or review to assure individuals of adequate privacy protection. As an example in practice, the appointment of, and substantial authority given to Chief Privacy Officers and Data Protection Officers ensures an organization-wide, fundamental commitment to a cohesive approach to an organization’s data functions.59

Security and reliability

Privacy is intertwined with, and reliant upon, the goals of security and reliability. Security ensures that privacy expectations are vindicated by preventing unauthorized access to individuals’ data. Reliability ensures that data uses are predictable and expectations regarding consent and deletion can be satisfied. For example, a significant number of privacy regulations60 enumerate specific categories of sensitive data that require greater data protection, such as de-identification, obfuscation and encryption. Privacy similarly implicates technological reliability through individual rights and consent management by requiring that organizations stop processing data when user consent is revoked and delete, share or modify data in response to an individual data rights request.


Key considerations for decision-makers

Implementation

– Privacy programmes require broad, cross-functional implementation to adequately manage and effectuate individuals’ rights and freedoms over their personal information: Technical and process implementation of privacy requirements has a substantial impact on many core business functions, such as data security, product development, marketing, communications, human resources, legal and third-party risk. Indeed, privacy programmes comprised of the following domains have been observed to provide an effective combination of compliance and business enablement:

  – Strategy and governance: Designated resource(s) coordinate and maintain responsibility for the privacy programme and provide relevant capabilities to the organization.

  – Policy management: Privacy policies, procedures and guidelines are formally documented, aligned and consistent with applicable laws and regulations.

  – Cross-border data strategy: Consent is obtained (where applicable), and appropriate safeguards are implemented when transferring data across jurisdictional borders.

  – Data life cycle management: A personal data inventory exists and catalogues data sources, locations and flow. Data is tagged and classified according to its sensitivity and risk levels.

  – Consent management: Consent for personal data processing is obtained (where applicable), tracked and effectuated.

  – Individual rights processing: Data subject inquiries are executed across appropriate systems and third parties; responses are timely and in accordance with applicable laws and regulations.

  – Privacy by design: Appropriate privacy considerations are embedded in the design, acquisition or implementation of new products or services.

  – Information security: Personal information is safeguarded and protected to ensure ongoing confidentiality, integrity and data availability.

  – Privacy incident management: Policies and procedures are established to manage and remediate suspected personal data breaches.

  – Data processor accountability: Privacy requirements are agreed to and documented before granting third-party access to personal data. Third-party access to and processing of personal data is regularly monitored, reviewed and audited.

  – Training and awareness: Privacy awareness and training requirements are documented, provided to employees and monitored for compliance.61

Challenges

– Information governance is essential to achieving meaningful privacy compliance: Information governance is the organizational management of data storage, quality and integrity. It ensures that data can be relied on to be accurate and complete for all functions in an organization. A comprehensive and coordinated data governance programme, therefore, is necessary for organizations to effectively operationalize privacy data management requirements.

– Threshold measurements of adequate privacy programme maturity are underdeveloped and vague: Statutes, customer expectations and corporate policies often describe data privacy principles, guidelines and requirements but do not identify the specific operational components of a successful privacy programme. As a result, privacy programme maturity standards remain somewhat undefined, and compliance practices are often inconsistent from one organization to the next.

– Ever-shifting compliance requirements and deadlines inhibit the organized design and development of deliberate, structured privacy programmes: Privacy operations have been in intensive, costly cycles of development and implementation to comply with a group of regulations that came in quick succession – the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and more than 2,500 other global laws – and show no signs of abating. Consumers are also increasing their privacy IQ, cementing their personal data management expectations, and are increasingly likely to exercise their data rights. As a result, compliance programmes emerged in a piecemeal fashion to comply with new, separate regulations and market expectations. Yet a continued piecemeal approach is untenable. Forward-thinking privacy leadership and programme design – founded upon data management and compliance agility – is, therefore, necessary to sustainably grow and manage organizational privacy programmes.


2 Digital trust roadmap
Effective digital trust programmes are aligned
with values and organizational structures.

The digital trust framework seeks to spur organizations beyond compliance and take a comprehensive approach to digital trust, its associated goals and underlying dimensions. The following roadmap will support decision-makers as they seek to align with individual and societal expectations and act to earn digital trust. It details the steps necessary to build a collaborative – rather than isolated – approach to technology decisions by designing, developing, building and maintaining the dimensions of digital trust. Therefore, this roadmap guides decision-making holistically, beyond recommendations for any dimension of digital trust, to operationalize the framework.

By following the recommended roadmap, organizations will be able to adopt, commit to and maintain a viable digital trust programme. The roadmap guides leaders in following these steps in implementing the digital trust framework:

FIGURE 2 The digital trust roadmap

[Figure steps: Commit and lead; Plan and design; Build and integrate; Monitor and sustain]

Commit and lead

Digital trust will require commitment from the highest levels of leadership to succeed. Most organizations will therefore need CEO and board endorsement to deliver long-term, sustained commitment to developing their digital trust programme. Indeed, in recognition of digital trust’s multidisciplinary and cross-functional requirements, CEOs, especially, have a crucial leadership role to play in bringing disparate stakeholders and teams together to plan and design accordingly.

Of course, considerable preparation and groundwork are required before presenting and proposing a digital trust programme to a CEO. To gain leadership support and funding, any such proposal must have a clear strategy and vision supported by a compelling, integrated and thorough business case. The business case should, in turn, identify both the qualitative and quantitative benefits of digital trust adoption and transformation efforts, such as:

– Articulating the role and value that digital trust would provide to the broader organizational strategy and reputation, including in relation to the organization’s core values.62

– Identifying how digital trust will align with other organizational initiatives and business areas.

– Emphasizing digital trust’s strategic input into other key business areas, such as product development, marketing, risk management, privacy and cybersecurity.

– Including a cost/benefit analysis of the decision to build and maintain a robust digital trust programme.

Making digital trust an essential organizational value and goal will require affirmative steps that broadly integrate digital trust dimensions and goals into business operations by, for example, pledging to exclusively develop, procure or affiliate with trustworthy technologies that responsibly manage and process data or establishing and aligning a new digital trust programme with existing commitments and plans for growth.


Plan and design

Organizations must subsequently identify and articulate their case (or need) for a digital trust programme. Organizations will often begin this task by performing a “digital trust gap assessment” that identifies current-state functional capabilities and deficits (or “gaps”) against the framework’s requirements. Assessment reports should include the following:

– Current-state observations: A summary of the “grouped” gap analysis findings mapped to the framework.

– Recommendations: A high-level list of future state recommendations.

– Governance, risk management and compliance (GRC) findings: A list of gaps that are specific to regulatory and/or other compliance requirements.

– Benefits derived: An overview of the main benefits that digital trust improvements will provide.

– Risk(s) mitigated: An identification of risk areas that digital trust improvements will mitigate.

– Timetable and dependencies: The estimated duration of the initiative and high-level descriptions of potential interruptive dependencies.

– Initiative governance and staffing: The specific teams and resource staffing needed to support and implement the initiative (i.e. Cyber, Privacy, Audit, ESG, Product, Marketing, Operations, Contractors, etc.).

– Organizational impact: A description of the initiative’s impact from an operational and end-user standpoint.

In sum, the digital trust gap assessment will specify the tasks, resources and subject matter expertise required to construct and improve current-state capabilities necessary to operationalize the framework and reach the organization’s desired state of digital trust maturity.

Build and integrate

The development and implementation of an organization’s digital trust capability requires action in the areas of people, process and technology.

With regard to people, focus is required in three key areas:

– Adopt leadership and behavioural changes necessary to the success of digital change management, assign ownership of the organization’s digital trust programme, and ensure that project progress is visible to executive sponsors.

– Identify and develop workforce skills necessary to meet digital trust capability requirements, allocate or obtain new resources necessary to attain the desired target state, and organize digital trust teams and stakeholders to encourage development, collaboration and innovation with the right balance of centralization and proximity across the business.

– Deploy a structured approach to change management and communications to ensure the success of the digital trust programme or transformation, including a communications and training strategy.


As for processes, new policies, practices and procedures combined with robust information management are necessary:

– Employ established change management practices required to support the journey to digital trust operationalization. Develop project timelines, budgets and implementation priority areas.

– Define and operationalize the organization’s digital trust decision-making structure and processes, modifying the roles and responsibilities of existing digital trust-related functions (e.g. cybersecurity, audit, privacy, etc.) and stakeholders accordingly. Align existing teams and practices following the organization’s digital trust framework, strategy and operating model. Integrate digital trust requirements and controls into areas such as product design and development, data governance and risk management. Identify and consider additional strategic, tactical and operational process improvements where appropriate and required.

– Identify and understand existing data assets, enabling the organization to derive the full benefit of digital trust implementation. Consider the use of master data management and data quality-related business requirements. Integrate or migrate existing data repositories into a singular location that serves as the source of truth and reduces the costs of data redundancy.

Lastly, in connection with technology requirements, identify, build and connect tools that will enable the adoption, management and success of the organization’s digital trust programme. While individual technologies cannot, in themselves, create digital trust, the application of technologies consistent with an organization’s values and goals can effectively support the development of a digital trust programme. Consider the use of the following:

– AI-based data monitoring helps to validate data accuracy, authenticity and reliability by uncovering missing data, anomalies or unexpected data, including fake or manipulated documents, images and videos that are not otherwise identifiable via manual examination.

– Cloud-enabled data trusts govern, control and secure data processing and access rights for authorized systems and stakeholders.

– Blockchain, a type of distributed ledger technology, preserves immutable records of transactions. Such documentation illustrates provenance and protects against record-keeping tampering.63

Monitor and sustain

Upon the successful implementation of a digital trust programme, concerted efforts will still be required to ensure its continued effectiveness and longevity as digital trust transitions into a business-as-usual organizational component. To do so:

– Establish performance and risk measurement tied to incentive structures to ensure comprehensive and robust adoption.

– Conduct board as well as public reporting regularly, which could include maturity metrics to further support broad adoption.

– Ensure continuous improvement in light of evolving expectations and business requirements for digital trust.

This roadmap, used in conjunction with guidance in the digital trust framework, offers the opportunity for leaders to give effect to their decisions in favour of trustworthy technologies. By coupling better decision-making with clear and motivated action, leaders and their organizations can begin earning digital trust.


Conclusion: Public-private cooperation for digital trust

The goal of building and implementing more trustworthy technologies is within reach. By focusing on earning digital trust, leaders of organizations that develop and deploy new technologies can both make decisions and take action on one of the most crucial technology issues of this decade. The digital trust framework and roadmap offer a way forward that ensures technology serves the goals of individuals and society.

By cultivating digital trust, leaders will ensure that the benefits of digital technologies are more widespread and available to a wider segment of the globe than ever before. At the same time, decision-making that focuses on the trustworthiness of these technologies will help to ensure that any harms arising from new technologies are no longer treated as externalities to be borne by unconnected individuals.

There are, of course, many stakeholders in digital trust. While this publication focuses on those who ultimately decide which technologies are developed, governments, civil society, and individuals themselves all have a role to play. Between states (and private enterprises), questions of digital sovereignty, data trade and other issues will significantly impact digital trust in the coming years. Governments also influence the development of technology through their own acquisitions and investments – an area where questions of digital trust arise ever more frequently. Likewise, the role of civil society, both as an advocate for digital dignity and protection of individuals and as a user of digital technologies is a vital aspect of the digital trust landscape. Individual citizens and consumers, themselves, should be empowered to advocate for and enforce their rights and expectations with regard to new technologies. Future work under the Digital Trust initiative will develop guidance for these stakeholders as well. The Forum welcomes all stakeholders to engage in and support these efforts as part of the global digital trust community.

While this report represents an important step on the journey towards rebuilding digital trust, it must be followed by further action. Here, it is recognized that leaders must take the downsides of technology use seriously, make technology decisions that focus on individuals and plan to do better. The next steps will be to encourage others to adopt these same goals and work with this community to plan to become more trustworthy actors in digital environments.

In the end, earning digital trust is a responsibility shared by companies, governments, civil society and all individuals. This digital trust framework begins the work of meeting that responsibility.


Contributors

Lead author

Daniel Dobrygowski
Head, Governance and Trust, Centre for Cybersecurity, World Economic Forum

Digital Trust initiative Project Fellows

Assaf Ben-Atar
Manager, Cyber Risk and Regulatory: Data Risk and Privacy, PwC

Augustinus Mohn
Manager, Cyber Strategy and Risk, KPMG

Amanda Stanhaus
Manager, Metaverse Continuum Business Group, Accenture

World Economic Forum

Sean Doyle
Lead, Centre for Cybersecurity

Akshay Joshi
Head, Industry and Partnerships, Centre for Cybersecurity

Jeremy Jurgens
Managing Director and Head, Centre for Cybersecurity

Project advisers

Sean Joyce
Global Cybersecurity and Privacy Leader, US Cyber, Risk and Regulatory Leader, PwC

Toby Spry
Platform Fellow, Centre for Cybersecurity, World Economic Forum; Principal, Data Risk and Privacy, PwC

Steven Tiell
Platform Fellow, Centre for Cybersecurity, World Economic Forum; Senior Principal, Technology Innovation Strategy, Accenture

Akhilesh Tuteja
Global Cyber Security Practice Leader, KPMG

Annemarie Zielstra
Platform Fellow, Centre for Cybersecurity, World Economic Forum; Partner, Cybersecurity, KPMG

Digital trust community

Digital Trust initiative steering committee

Ajay Bhalla
President, Cyber and Intelligence Solutions, Mastercard

Nozha Boujemaa
Global Vice-President, Digital Ethics and Responsible AI, Ingka Group (IKEA)

Julie Brill
Chief Privacy Officer, Corporate Vice-President, Microsoft

Keith Enright
Vice-President and Chief Privacy Officer, Google

Nancy Flores
Executive Vice-President, Chief Information Officer and Chief Technology Officer, McKesson

Aaron Karczmer
Executive Vice-President and Head, Risk, Legal and Customer Operations, PayPal

Thibaut Kleiner
Director, Policy, Strategy and Outreach, DG Connect, European Commission

David Koh
Chief Executive and Chief, Cyber Security Agency of Singapore, Digital Security & Technology, Ministry of Communications and Information of Singapore

Helena Leurent
Director-General, Consumers International

Nuala O’Connor
Senior Vice-President, Chief Counsel, Digital Citizenship, Walmart

Vikram Rao
Chief Trust Officer, Salesforce

John Scimone
David Treat Senior Vice-President and Chief Security Officer,
Senior Managing Director, Lead Metaverse Dell Technologies
Continuum Business Group, Accenture



Digital Trust initiative working group

Justiin Ang
Director, Security and Resilience Division, Ministry of Communications and Information of Singapore

David Bartram-Shaw
Senior Vice-President, Global Head of Data Science, Edelman

Jenny Brinkley
Director, AWS Security, Amazon

Ravi Shankar Chaturvedi
Director and Founding Member, Digital Planet, The Fletcher School of Law and Diplomacy, Tufts University

Natasha Crampton
Chief Responsible AI Officer, Microsoft

Lecio DePaula
Vice-President, Data Protection, KnowBe4

Stuart Dobbie
Senior Vice-President, Innovation, Callsign

Shannon Donahue
Senior Vice-President, Content & Publishing, ISACA

Heather Evans
Senior Advisor, Office of Policy and Strategic Planning, US Department of Commerce

Nicolas Fischbach
Senior Director, Security & Privacy SRE, Google

Francisco Fraga
Senior Vice-President, Chief Information Officer, US Pharmaceuticals, McKesson

Vera Heitmann
Leader, Digital and Growth, Public Affairs, Ingka Group (IKEA)

Randy Herold
Chief Information Security Officer, ManpowerGroup

Joshua Jaffe
Vice-President, Cyber Security, Dell Technologies

Jamil Jaffer
Founder and Executive Director, National Security Institute, George Mason University

Jutta Juliane Meier
Founder and Chief Executive Officer, Identity Valley

Niniane Paeffgen
Managing Director, Swiss Digital Initiative

Jorge Pardo
International Trade Specialist, Office of Digital Services Industries

Jules Polonetsky
Chief Executive Officer, Future of Privacy Forum

Dan Rice
Vice-President, Digital Governance, Walmart

Trevor Rudolph
Vice-President, Global Digital Public Policy, Schneider Electric

Karen Silverman
Founder and Chief Executive Officer, The Cantellus Group

Mark Silverman
Adviser, International Committee of the Red Cross

Jacob Springer
Chief Privacy Officer, Abbott

Alissa Starzak
Head, Public Policy, Cloudflare

Courtney Stout
Chief Privacy Officer, Coca-Cola

Michael Thornberry
Senior Director, Apple

Jennifer Trotsko
Chief Data Privacy Officer, Business Risk and Compliance, International Finance Corporation

Paul Trueman
Senior Vice-President, Cyber and Intelligence Solutions, Mastercard

Charles Walton
Senior Vice-President, General Manager, Identity, Avast Software

Shahar Ziv
Vice-President, Global Resolutions, Identity, and Trust, PayPal

The Digital Trust initiative project team and wider digital trust community would also like to thank the following individuals for their contributions of time and insights to this effort: Mansur Abilkasimov (Schneider Electric), Deanna Draper (Dell Technologies), Paolo Dal Cin (Accenture), David Ferbrache (KPMG), Kai Hermsen, William Hoffman, Lydia Kostopoulos (KnowBe4), Chris McClean (Avanade), Jake Meek (PwC), Sridhar Sriram (Microsoft), Nicholas Zahn (Swiss Digital Initiative) and Denise Zheng (Accenture).



Endnotes
1. Hayat, Zia, “Digital trust: How to unleash the trillion-dollar opportunity for our global economy”, World Economic Forum, 17 August 2022, https://www.weforum.org/agenda/2022/08/digital-trust-how-to-unleash-the-trillion-dollar-opportunity-for-our-global-economy/.
2. Parviainen, Päivi, Maarit Tihinen, Jukka Kääriäinen and Susanna Teppola, “Tackling the digitalization challenge: How to benefit from digitalization in practice”, International Journal of Information Systems and Project Management, vol. 5, no. 1, 2017, pp. 63-77, https://revistas.uminho.pt/index.php/ijispm/article/view/3856.
3. Richard Edelman, “2021 Trust Barometer: Trust in Technology”, Edelman, 30 March 2021, https://www.edelman.com/trust/2021-trust-barometer/trust-technology; Public Affairs Council, 2021 Public Affairs, Pulse Survey Report, 2021, https://pac.org/wp-content/uploads/Pulse_2021_Report.pdf; KPMG, KPMG Cyber trust insights 2022: Building trust through cybersecurity and privacy, 2022, https://home.kpmg/xx/en/home/insights/2022/09/cyber-trust-insights-2022.html.
4. “Why Digital Trust Truly Matters”, McKinsey, 12 September 2022, https://www.mckinsey.com/capabilities/quantumblack/our-insights/why-digital-trust-truly-matters.
5. ISACA, State of Digital Trust 2022, 2022.
6. “Our 2030 Goals”, Dell, n.d., https://www.dell.com/en-us/dt/corporate/social-impact/reporting/2030-goals.htm.
7. Burtescu, Emil, “Reliability and Security – Convergence or Divergence”, Informatica Economica, vol. 14, no. 4, 2010, pp. 68; Jouini, Mouna, “Classification of Security Threats in Information Systems”, Procedia Computer Science, vol. 32, 2014, 489-496, https://www.sciencedirect.com/science/article/pii/S1877050914006528.
8. “Edison Alliance”, Edison Alliance, https://www.edisonalliance.org/home; “The first alliance to accelerate digital inclusion”, World Economic Forum, 17 January 2022, https://www.weforum.org/impact/digital-inclusion/.
9. “Computer Security Resource Center”, National Institute of Standards and Technology (NIST), n.d., https://csrc.nist.gov/glossary/term/confidentiality_integrity_availability.
10. McKinsey & Company, Cybersecurity in a Digital Era, 2020, pp. 66, 109 and 132-138.
11. Regulatory expectations are well advanced around both security and reliability of services in many sectors, and thus require organizations to adopt relevant measures.
12. An example of this is the concept of security-by-design, which aims to include security considerations early on in the software development life cycle to minimize post-development costs for implementing security measures later on, at a time when the core components of the software have already been developed and additional changes mean higher costs.
13. Farson, Stuart and Reg Whitaker, “Accounting for the Future or the Past?: Developing Accountability and Oversight Systems to Meet Future Intelligence Needs”, in The Oxford Handbook of National Security Intelligence, edited by Loch K. Johnson, pp. 673-689, Oxford Handbooks, 2010, https://doi.org/10.1093/oxfordhb/9780195375886.003.0041.
14. World Economic Forum, Measuring Stakeholder Capitalism, 2020, https://www3.weforum.org/docs/WEF_IBC_Measuring_Stakeholder_Capitalism_Report_2020.pdf.
15. US Securities and Exchange Commission (SEC), Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, US Security and Exchange Commission Proposed Rulemaking, 2022, https://www.sec.gov/rules/proposed/2022/33-11038.pdf.
16. Rosenzweig, Paul, “Cybersecurity and the Least Cost Avoider”, Lawfare, 5 November 2013, https://www.lawfareblog.com/cybersecurity-and-least-cost-avoider.
17. Chang, Felix, “To Build More-Inclusive Technology, Change Your Design Process”, Harvard Business Review, 19 October 2020, https://hbr.org/2020/10/to-build-more-inclusive-technology-change-your-design-process; Veritas Consortium, Veritas Document 3B: FEAT Ethics and Accountability Principles Assessment Methodology, 2022, https://www.mas.gov.sg/-/media/MAS-Media-Library/news/media-releases/2022/Veritas-Document-3B---FEAT-Ethics-and-Accountability-Principles-Assessment-Methodology.pdf; Hao, Karen, “Stop talking about AI ethics. It’s time to talk about power”, MIT Technology Review, 23 April 2021, https://www.technologyreview.com/2021/04/23/1023549/kate-crawford-atlas-of-ai-review/.
18. Chakravorti, Bhaskar, Ravi Shankar Chaturvedi, Christina Filipovic and Griffin Brewer, Digital in the Time of COVID: Trust in the Digital Economy and Its Evolution Across 90 Economies as the Planet Paused for a Pandemic, Digital Planet, 2020; Wiles, Jackie, “What’s New in Artificial Intelligence from the 2022 Gartner Hype Cycle”, Gartner, 15 September 2022, https://www.gartner.com/en/articles/what-s-new-in-artificial-intelligence-from-the-2022-gartner-hype-cycle.
19. G20 Global Smart Cities Alliance, ICT Accessibility, n.d., https://globalsmartcitiesalliance.org/?p=244.
20. Rigot, Afsaneh, Design From the Margins, Harvard Kennedy School Belfer Center for Science and International Affairs, 2022.
21. World Economic Forum, Responsible Use of Technology: The Microsoft Case Study, 2021.
22. Dobrygowski, Daniel and William Hoffman, “We Need to Build Up ‘Digital Trust’ in Tech”, Wired, 28 May 2019, https://www.wired.com/story/we-need-to-build-up-digital-trust-in-tech/.
23. The World Economic Forum’s Centre for Cybersecurity leads the global response to address systemic cybersecurity challenges and improve digital trust through a leadership emphasis on cyber resilience, promoting global cooperation and assessing cyber risks from new technologies. For more information, see: “Centre for Cybersecurity”, World Economic Forum, n.d., https://www.weforum.org/platforms/the-centre-for-cybersecurity.



24. “Cybersecurity”, Computer Security Resource Center, NIST, n.d., https://csrc.nist.gov/glossary/term/cybersecurity.
25. Organizations have recognized this important link and have taken action to solidify their commitment to the relation of cybersecurity and digital trust; see for example: “Charter of Trust”, Charter of Trust, n.d., https://www.charteroftrust.com/.
26. World Economic Forum, National Association of Corporate Directors, and Internet Security Alliance, Principles for Board Governance of Cyber Risk, 2021, https://www.weforum.org/reports/principles-for-board-governance-of-cyber-risk.
27. Thompson, Frauke Mattison, Sven Tuzovic and Corina Braun, “Trustmarks: Strategies for exploiting their full potential in e-commerce”, Business Horizons, vol. 62, issue 2, 2019, pp. 237-247, https://doi.org/10.1016/j.bushor.2018.09.004. See also SSL/TLS Certificates (certificate provided by a certificate authority (e.g. Cloudflare) used to verify the transfer of encrypted data from an authentic website) and EU trust mark (assuring that the online transactions provided by a servicer are safe and secure insofar as they meet the requirements set forth by the EU in: The European Parliament and the Council of the European Union, Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market, 2014).
28. Regulatory requirements also need to be considered in this process, for example obligations to timely report breaches; in the US, e.g. “Health Breach Notification Rule”, Federal Trade Commission, n.d., https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule.
29. The Forum’s Partnership against Cybercrime initiative provides a platform for organizations to exchange views on and collectively tackle pressing cybersecurity issues such as the increase of cybercrime: “Partnership against Cybercrime”, World Economic Forum, n.d., https://www.weforum.org/projects/partnership-against-cybercime.
30. Relevant cybersecurity standards include non-IT/cyber functions of organizations in their control frameworks, such as: NIST, Clean Skies for Tomorrow (CSF), Information Security Forum (ISF) Standard of Good Practice, International Organization for Standardization (ISO), Control Objectives for Information and Related Technologies (COBIT), etc.
31. World Economic Forum, Advancing Digital Safety: A Framework to Align Global Action, 2021, https://www3.weforum.org/docs/WEF_Advancing_Digital_Safety_A_Framework_to_Align_Global_Action_2021.pdf.
32. The World Economic Forum’s Coalition on Digital Safety represents an important global effort to improve digital safety (and build trust) through public-private cooperation to tackle harmful content online and drive forward collaboration on programmes to enhance digital media literacy. For more information, see: “A Global Coalition for Digital Safety”, World Economic Forum, n.d., https://initiatives.weforum.org/global-coalition-for-digital-safety/home. Where the digital world meets the physical, the Forum’s Future of the Connected World platform works to strengthen global governance of internet of things and related technologies to maximize positive benefits and minimize harm. For more information, see: “Future of the Connected World”, World Economic Forum, n.d., https://www.weforum.org/connectedworld/about.
33. “SG Cyber Safe Seniors Programme”, Cyber Security Agency of Singapore, n.d., https://www.csa.gov.sg/Programmes/sg-cyber-safe-seniors/about.
34. Consumers International, Consumers International Guidelines for Online Product Safety, 2021; World Economic Forum, State of the Connected World: 2020 Edition, 2020; West, Tony, “Sharing to Build a Safer Industry”, Uber Newsroom, 11 March 2021, https://www.uber.com/newsroom/industry-sharing-safety/; Information Commissioner’s Office, Age appropriate design: a code of practice for online services, 2020.
35. Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens, U.S. Department of Health, Education & Welfare, 1973; Zittrain, Jonathan, “The Hidden Costs of Automated Thinking,” The New Yorker, 23 July 2019, https://www.newyorker.com/tech/annals-of-technology/the-hidden-costs-of-automated-thinking; Basl, John, Ronald Sandler and Steven Tiell, Getting from Commitment to Content in AI and Data Ethics: Justice and Explainability, Atlantic Council, 2021.
36. Pasquale, Frank, The Black Box Society, Harvard University Press, 2016; “Recommendations for the U.S. National Action Plan on Responsible Business Conduct in the Technology Sector”, Berkman Klein Center, 24 August 2022, https://cyber.harvard.edu/story/2022-08/recommendations-us-national-action-plan-responsible-business-conduct-technology.
37. “Success is built on trust. Trust starts with transparency”, Salesforce, https://trust.salesforce.com/en/.
38. “The Digital Trust Label”, The Swiss Digital Initiative, n.d., https://www.swiss-digital-initiative.org/digital-trust-label/; “Cybersecurity Labelling Scheme”, Cyber Security Agency of Singapore, https://www.csa.gov.sg/Programmes/certification-and-labelling-schemes/cybersecurity-labelling-scheme/about-cls.
39. Soares, Delfina and Luis Amaral, “Reflections on the Concept of Interoperability in Information Systems”, in Proceedings of the 16th International Conference on Enterprise Information Systems (ICEIS-2014), vol. 3, SCITEPRESS, 2014, pp. 331-339; “ISO/IEC 17788: Information technology — Cloud computing — Overview and vocabulary”, International Organization for Standardization, 2014, https://www.iso.org/standard/60544.html.
40. Federal Register, Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-Facilitated Exchanges, and Health Care Providers, 2020, https://www.federalregister.gov/documents/2020/05/01/2020-05050/medicare-and-medicaid-programs-patient-protection-and-affordable-care-act-interoperability-and.
41. NIST, Privacy Framework, 2020, https://www.nist.gov/privacy-framework/privacy-framework; CSA, Cloud Controls Matrix and CAIQ v4, 2021, https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/; World Economic Forum, Measuring Stakeholder Capitalism: Towards Common Metrics and Consistent Reporting of Sustainable Value Creation, 2020, https://www.weforum.org/reports/measuring-stakeholder-capitalism-towards-common-metrics-and-consistent-reporting-of-sustainable-value-creation; European Data Protection Board (EDPB), Guidelines 4/2019 on Article 25: Data Protection by Design and by Default, 2020, https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf.



42. CSA, Cloud Controls Matrix and CAIQ v4, 2021, https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/; World Economic Forum, Measuring Stakeholder Capitalism: Towards Common Metrics and Consistent Reporting of Sustainable Value Creation, 2020, https://www.weforum.org/reports/measuring-stakeholder-capitalism-towards-common-metrics-and-consistent-reporting-of-sustainable-value-creation; European Data Protection Board (EDPB), Guidelines 4/2019 on Article 25: Data Protection by Design and by Default, 2020, https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf.
43. Almeida, Fernando, José Oliveira and José Cruz, “Open Standards and Open Source: Enabling Interoperability”, International Journal of Software Engineering & Applications (IJSEA), vol. 2, no. 1, January 2011.
44. NIST, Security and Privacy Controls for Information Systems and Organizations, 2020, https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final; CSA, Cloud Controls Matrix and CAIQ v4, 2021, https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/; “Secure Controls Framework”, Secure Controls Framework (SCF), 2021, https://www.securecontrolsframework.com/secure-controls-framework.
45. Gross, Daniel P., “Collusive Investments in Technological Compatibility: Lessons from U.S. Railroads in the Late 19th Century”, Harvard Business School Working Paper, no. 17-044, December 2016; Puffert, Douglas J., “The Standardization of Track Gauge on North American Railways, 1830-1890”, The Journal of Economic History, vol. 60, no. 4, December 2000, pp. 933-960, https://www.jstor.org/stable/2698082.
46. Nelson, John E., “Scanning Silver’s Celebration,” in Twenty-Five Years Behind Bars, edited by Alan L. Haberman, 29, Cambridge: Harvard University Press, 2001.
47. Batista, Catia and Pedro C. Vicente, “Improving Access to Savings through Mobile Money: Experimental Evidence from African Smallholder Farmers”, World Development, vol. 129, 2020; Suri, Tavneet and William Jack, “The long-run poverty and gender impacts of mobile money”, Science, vol. 354, issue 6,317, 2016, pp. 1,288-1,292.
48. Johnson, Khari, “The Movement to Hold AI Accountable Gains Steam”, Wired, 2 December 2021, https://www.wired.com/story/movement-hold-ai-accountable-gains-steam/.
49. “Sandvig v. Barr - First Amendment Challenge to Federal Computer Fraud and Abuse Act”, ACLU, n.d., https://www.acludc.org/en/cases/sandvig-v-barr-first-amendment-challenge-federal-computer-fraud-and-abuse-act.
50. “Success is built on trust. Trust starts with transparency”, Salesforce, n.d., https://trust.salesforce.com/en/.
51. Shell, Michelle A. and Ryan W. Buell, “Why Anxious Customers Prefer Human Customer Service”, Harvard Business Review, 15 April 2019, https://hbr.org/2019/04/why-anxious-customers-prefer-human-customer-service; “How Salesforce is Helping Companies Break Through in Connected Customer Service”, Wired, n.d., https://www.wired.com/sponsored/story/how-salesforce-is-helping-companies-break-through-in-connected-customer-service/.
52. The Forum provides relevant guidance for decision-makers: World Economic Forum, Pathways to Digital Justice, 2021, https://www3.weforum.org/docs/WEF_Pathways_to_Digital_Justice_2021.pdf.
53. World Economic Forum, Pathways to Digital Justice, 2021; Veritas Consortium, Veritas Document 3A: FEAT Fairness Principles Assessment Methodology, 2022; Basl, John, Ronald Sandler and Steven Tiell, Getting from Commitment to Content in AI and Data Ethics: Justice and Explainability, Atlantic Council, 2021, https://www.atlanticcouncil.org/in-depth-research-reports/report/specifying-normative-content/.
54. Veritas Consortium, Veritas Document 3A: FEAT Fairness Principles Assessment Methodology, 2022.
55. Microsoft, Responsible AI Standard, v2, 2022.
56. The World Economic Forum’s Platform on Data Policy supports privacy and other data-related aspects of digital trust through forward-looking, interoperable and trustworthy data policies. For more information, see: “Shaping the Future of Technology Governance: Data Policy”, World Economic Forum, n.d., https://www.weforum.org/platforms/shaping-the-future-of-data-policy.
57. European Union, General Data Protection Regulation (GDPR), 2016.
58. Solove, Daniel J., “A taxonomy of privacy”, University of Pennsylvania Law Review, vol. 154, issue 3, 2006, pp. 447-560; Khanna, Ro and Amartya Sen, Dignity in a Digital Age: Making Tech Work for All of Us, Simon & Schuster, 2022; “Digital Citizenship: Ethical Use of Data & Responsible Use of Technology”, Walmart, 28 February, 2022, https://corporate.walmart.com/esgreport/governance/digital-citizenship-ethical-use-of-data-responsible-use-of-technology.
59. Shaw, Thomas, DPO Handbook: Data Protection Officers Under the GDPR, 2nd Edition, International Association of Privacy Professionals, 2018.
60. European Union, General Data Protection Regulation (GDPR), 2016.
61. PwC, “Is Your Privacy Governance Ready for AI”, Harvard Business Review, 18 March 2021, https://hbr.org/sponsored/2021/03/is-your-privacy-governance-ready-for-ai.
62. Hayward, Simon, “How modern leaders create winning cultures”, Accenture, 24 August 2022, https://www.accenture.com/us-en/blogs/business-functions-blog/how-modern-leaders-create-winning-cultures.
63. The World Economic Forum’s Platform on Blockchain and Digital Assets promotes digital trust in blockchain and distributed ledger technologies through equity, interoperability and transparency. For more information, see: “Shaping the Future of Technology Governance: Blockchain and Digital Assets”, n.d., https://www.weforum.org/platforms/shaping-the-future-of-blockchain-and-digital-assets.



The World Economic Forum, committed to improving the state of the world, is the International Organization for Public-Private Cooperation.

The Forum engages the foremost political, business and other leaders of society to shape global, regional and industry agendas.

World Economic Forum


91–93 route de la Capite
CH-1223 Cologny/Geneva
Switzerland
Tel.: +41 (0) 22 869 1212
Fax: +41 (0) 22 786 2744
www.weforum.org
