Security researchers agree that security control is a difficult to observe credence quality of online services that Internet users cannot easily assess through research or experience. Yet there is evidence that users form perceptions of security control that strongly determine how much trust they put in online services. This study investigates whether users’ security control perceptions arise solely from their predispositions or whether online service providers can influence them. The study also examines whether these seemingly undependable perceptions of security control lead to trust or whether more traditional factors might offer a better explanation of trust under security risks. To address these issues, this study proposes a new theory of security assurance that integrates the frameworks of trust and quality signals. The results show that rather than being guided by predispositions, users appear to mainly assess security control based on indirect cues controlled by service providers. Importantly, Internet users do not treat the credence quality of security the same way they treat qualities that can be understood through search and experience. Although returning users develop security control perceptions and trust from the usual heuristics of ongoing relationships, they also continue to evaluate market information about service providers like they do in new relationships. The proposed model offers a new perspective of how users respond to the uncertain and technically challenging qualities prevalent in online services.