SecureId :: evaluation

How do you evaluate someone's knowledge? What are the costs of doing so? How can we maximize cost/benefit ratios based on our concern for deception?

In determining whether or not someone should gain access, we want to be able to evaluate their knowledge. Yet, the cost of evaluation is directly correlated to the accuracy of the test. Depending on the level of accuracy necessary, one must balance between cost of evaluation and acceptable level of potential deception. In evaluating real world traits, we use one of two types of signals: assessment or conventional signals. Assessment signals are challenging to maintain, but they are pretty accurate markers of the underlying trait (i.e. big muscles = strength). Alternatively, conventional signals are easy to maintain but also easy to falsify (i.e. wearing a powerlifting t-shirt). Likewise, the cost in evaluating signals can vary. For example, while someone may look like a skateboarder, asking them to prove themselves by showing tricks is costly.

In the digital realm, one can simply state an email address, but proving that it really is them is costly. This is even more tricky for evaluating identity information - how do you prove that one's skateboarding website truly marks them as a skateboarder? Besides, depending on the context, someone's interest in skateboarding may be more valuable than one's actual ability. For this reason, SecureId gives you multiple options for evaluating one's knowledge.


Question/answer. A question/answer system is the most obvious way to evaluate someone's knowledge. By asking someone a question, you are ignoring any potential signals and requiring them to prove themselves. Yet, such evaluation is expensive - it's timely and a hassle to manage and maintain. You must determine the proper question and type of potential response so that it's only answerable by the category of people that you want to include.

Open Q&A. An open Q&A system is a fairly guaranteed way to assess someone's knowledge. Without hints, the individual must know the information and guessing is tremendously difficult. Unfortunately, such a system is also the most problematic to build and maintain. For example, imagine that the question is "Who is my lover?" and the creator inputs "Bob" but the respondent inputs "Robert." Although we'd probably assume that this is accurate, the computer system might not.

Limited Q&A. By giving a user a list of potential answers, you eliminate the problem of improperly formatted responses, but you also make it much easier to guess the potential answer. Thus, the evaluation is no longer as strong and wording the question so that it can't easily be guessed is quite tricky.

Assessment signals. One way of evaluating people is based on the information that they have in their system that cannot be faked. For example, assuming that SecureId requires you to confirm your email address, you should be able to assess others based on their email address. As such, the system could determine that anyone with an can be assumed to be associated with MIT.

Conventional signals. In order to determine someone's knowledge, you could also use unconfirmed data within one's profile. For example, if someone lists skateboarding as an activity that interests them and you are allowing anyone interested in skateboarding to access a certain context, the system could evaluate this without requiring proof. Of course, this could mean that individuals who are not skateboarders have access simply because they state an interest.


Since different evaluations have different costs for evaluation and management, it's important to determine what level of deception is acceptable. The more secure you want certain information to be, the more you must spend on evaluating the individual's knowledge.

[site index]