“Cyber Warranties: Market Fix or Marketing Trick?”
Communications of the ACM, April 2020, Vol. 63 No. 4, Pages 104-107
By Daniel W. Woods, Tyler Moore
When buying a second-hand car you are at the mercy of the dealer. The dealer knows which cars were treated well by past owners and which are likely to break down within a few months. When buying an information security product, the vendor has a better idea of how effective the product truly is. In both cases, the seller has information the buyer lacks.
Economists refer to this phenomenon as a market with asymmetric information. Akerlof suggested it leads to a “market for lemons,” a market dominated by lower-quality goods (the lemons, in the case of used cars). Because consumers cannot differentiate between lemons and quality used cars, they are willing to pay only a price that reflects average quality, which drives sellers of good cars out of the market. Akerlof’s model suggests only lemons would be sold in such a market.
Car dealers offer warranties to overcome this problem. If the used car breaks down within, say, six months, the dealer must pay for its repair. This discourages dealers from selling lemons with lengthy warranties. Consequently, the length of the warranty provides information about how likely the vehicle is to break down.
Returning to information security, vendors have started attaching cyber warranties to information security products with no additional fee. Will cyber warranties better align incentives in the market for information security products? Or are they marketing tricks riddled with coverage exclusions hidden in the fine print of the terms and conditions?
Might Cyber Warranties Remedy the Market for Lemons?
A natural first question to ask is why warranties might succeed in addressing the market for lemons where other mechanisms have failed. Akerlof identified possible solutions including brand reputation, certification, liability laws, and warranties.
Linking brand reputation to the effectiveness of products is difficult because products appear to be working until an attack succeeds, which happens infrequently. Reputation systems are further limited by commercial sensitivity, which prevents information from being pooled across organizations. Vendors instead signal quality by speaking at conferences, publishing security research, and through marketing activities. The latter can lead to (arguably deceptive) claims about product functionality that may not reflect reality.
External experts could certify the effectiveness of the product. History shows, however, that certification firms face incentives to skimp on assessment. A framework for certifying computer systems as secure “motivated the vendor to shop around for the evaluation contractor who would give his product the easiest ride.” Even if such incentives were overcome, there are difficulties in using laboratory experiments to establish real-world security.
Liability laws could shift the costs of an ineffective product back onto the vendor. This might incentivize vendors to create more effective products and even force firms selling ineffective products out of the market. However, the resistance to software liability is well documented. To prove vendors liable for creating a defective product, the product in question must be shown to have caused the injury. Establishing such proximate cause is fiendishly difficult, given the constellation of security controls employed by firms.
So why might cyber warranties succeed where other approaches have failed? Certification incurs large up-front costs regardless of effectiveness, whereas warranties only incur a cost when the product fails to mitigate an attack. Consequently, vendors with more effective products incur less cost in offering warranties. The barriers to adoption can be overcome by individual firms unilaterally offering warranties—courts need not assign liability nor governments pass legislation.
This article evaluates three viewpoints on the role of warranties. The theoretical view argues cyber warranties can align incentives and fix a dysfunctional market, as put forward in Woods and Simpson. A skeptical view characterizes cyber warranties as marketing tricks offering little meaningful coverage to the buyer. The conciliatory view holds that while warranties do not significantly change the incentive to invest, they do prevent vendors from overexaggerating the functionality of products. Which viewpoint best describes reality can be answered empirically by inspecting the terms of the warranties, which we undertake next.
About the Authors:
Daniel W. Woods is a postdoctoral researcher in the Department of Computer Science at the University of Innsbruck, Austria. He completed this work as a Fulbright Cyber Security Scholar.
Tyler Moore is the Tandy Associate Professor of Cyber Security and Information Assurance in the Tandy School of Computer Science at the University of Tulsa, OK, USA.