Cryptographic Security Architecture: Design and Verification

Chapter 5: Verification of the cryptlib Kernel

5.1 An Analytical Approach to Verification Methods

Having found the traditional methods used to build trusted systems somewhat lacking, we need to determine an alternative that is more suited to the task. The goal is to determine the most suitable means of creating a trustworthy system, one whose design is capable of earning the user's trust, rather than a trusted system, in which the user is required to trust that the designers and evaluation agency got it right, since the users have no real way to determine this for themselves. The previous chapter discussed the conventional approach to this problem, which is to apply an analytical advocacy method (propose a formal theory or set of axioms, develop a theory, and advocate its use). In place of this, we take the highly unconventional approach of applying a mixture of scientific methods (observe the world, propose a model or theory of behaviour, and analyse the results) and engineering methods (observe existing solutions, propose better ones, build or develop, and analyse the results) to the problem.

To meet this goal, we need to go to two very different fields: the field of cognitive psychology, to determine how programmers understand programs, and the field of software engineering, to locate the tools and techniques used to verify the software. By combining knowledge from both of these fields, we can (hopefully) come up with a technique that can be employed by end users to evaluate the system for themselves, making it something that they can trust,...
