Introduction

When the first e-commerce services emerged in the late 1990s, consumer trust in online transactions was identified as a potential major hurdle. Researchers of human-computer interaction (HCI) started to investigate how interface and interaction medium design might make these services appear more trustworthy to users. Jens Riegelsberger (then a doctoral student) and the first author were part of that first cohort (Riegelsberger and Sasse 2001). We soon realized that much of the HCI research was very much focused on increasing user trust in Web sites through design elements, but did not consider (1) existing substantive knowledge from other disciplines on the role and mechanics of trust, and (2) existing methodological knowledge on how to conduct valid studies on trust formation and its impact on behavior. To address this, we reviewed and integrated existing knowledge to prepare a foundation for HCI research, which was published in two research papers: to address point 2, a prescription for valid HCI methods for studying trust, The Researcher's Dilemma (Riegelsberger et al. 2003a); and to address point 1, a framework for HCI research and The Mechanics of Trust (Riegelsberger et al. 2005).

The key message from the latter paper was the need for HCI researchers to engage with technology developers to create trustworthy systems, rather than focus on influencing trust perceptions at the user interface level. In the worst case, the latter could lead to manipulating user trust perceptions to place trust in systems that are not trustworthy, which would be socially and ethically irresponsible. The way forward, we argued, was to design systems that encouraged trustworthy behavior from all participants, by creating the right economic incentives and creating reliable trust signaling. In the current chapter, the authors summarize this prescription and reiterate the argument for it, because it is still valid today. We then review progress over the past eight years to consider to what extent the prescription has been implemented. Although our conclusion may seem sobering, it really is not: the security signals offered by service providers are not accurate enough and require too much user effort.