
Thursday, April 16, 2020

Cyber Warranties

Warranties for data?

Cyber Warranties: Market Fix or Marketing Trick?
By Daniel W. Woods, Tyler Moore

Communications of the ACM, April 2020, Vol. 63 No. 4, Pages 104-107  10.1145/3360310

When buying a second-hand car you are at the mercy of the dealer. The dealer knows which cars were treated well by past owners and which are likely to break down within a few months. When buying an information security product, the vendor has a better idea of how effective the product truly is. In both cases, the seller has information the buyer lacks.


Economists refer to this phenomenon as a market with asymmetric information. Akerlof [1] suggested this leads to a "market for lemons" dominated by lower quality goods (aka lemons in the case of used cars). Consumers cannot differentiate between lemons and quality used cars. Akerlof's model suggests only lemons would be sold in such a market.

Car dealers offer warranties to overcome this problem. If the used car breaks down within, say, six months, the dealer must pay for its repair. This discourages dealers from selling lemons with lengthy warranties. Consequently, the length of the warranty provides information about how likely the vehicle is to break down.

Returning to information security, vendors have started attaching cyber warranties to information security products with no additional fee. Will cyber warranties better align incentives in the market for information security products? Or are they marketing tricks riddled with coverage exclusions hidden in the fine print of the terms and conditions?

Might Cyber Warranties Remedy the Market for Lemons?
A natural first question to ask is why warranties might succeed in addressing the market for lemons where other mechanisms have failed. Akerlof identified possible solutions including brand reputation, certification, liability laws, and warranties.

Linking brand reputation to the effectiveness of products is difficult because they appear to be working until an attack succeeds, which happens infrequently. Reputation systems are further limited by commercial sensitivity preventing information from being pooled across organizations. Vendors instead signal quality by speaking at conferences, publishing security research, and through marketing activities. The latter can lead to (arguably deceptive) claims about product functionality that may not reflect reality.

External experts could certify the effectiveness of the product. Past history shows certification firms face incentives to skimp on assessment. A framework for certifying computer systems as secure "motivated the vendor to shop around for the evaluation contractor who would give his product the easiest ride." [2] Even if such incentives were overcome, there are difficulties in using laboratory experiments to establish real world security. ....
