Research Brief Trust in data processing
Authors: Annette Hillebrand, Pirmin Puhl, Jana Stuck, Saskja Schäfer
Seals and certificates reduce IT risks. They verify that audit criteria were met at a specific date.
With a seal or certificate, companies can strengthen customers‘ trust in their products and services. It confirms that the organization has achieved an appropriate level of IT security. This makes a company stand out in the market.
However, there are quality marks based on complex and cost-intensive certification processes next to quality marks that cannot be assessed at first sight. Without own research, it is often not possible to assess whether the seal or certificate meets the requirements of an SME.
As part of our study, 49 seals and certifications were identified that are potentially relevant for SMEs. All of them are from the field of information security. In addition, alternative quality infrastructures such as GAIA-X or seals for data centers as well as successful examples from other sectors such as the fair trade seal were examined.
Most seals and certifications relate to specific sub-areas of information security (applications or product categories). A simple division into "safe" or "unsafe" products, services or enterprises hardly makes sense.
There are direct and indirect costs involved in certification, which are transferred to the customers of the certified products and services. As a rule, the applying SME pays for the certification, so that conflicts of interest can arise (principal-agent theory).
As consumers, SMEs are often unwilling to bear the costs of more IT security. The short-term costs are seen rather than the long-term benefits for internal processes, marketing or customer acquisition. Seals and certificates are therefore rarely accepted in SMEs.