Cyber-Warranties as a Quality Signal for Information Security Products

Consumers struggle to distinguish between the quality of different enterprise security products. Evaluating performance is complicated by the stochastic nature of losses. It is recognised that this information asymmetry may lead to a “market for lemons” in which suppliers face no incentive to provide higher quality products. Some security vendors have begun to offer cyber-warranties—voluntary ex-ante obligations to indemnify the customer in the event of a cyber attack—to function as a quality signal. Much like how consumer protection laws are relatively more costly to firms offering low quality products, cyber-warranties are more costly for firms developing low quality enterprise security products. In this paper, we introduce a decision-theoretic model to explore how consumers might use cyber-warranties to increase information when purchasing security products. Our analysis derives four inferences that consumers can make about a security product. We discuss the difficulties customers might face in using these inferences to make real world decisions.