Abstract
Consumers struggle to distinguish between the quality of different enterprise security products. Evaluating performance is complicated by the stochastic nature of losses. It is recognised that this information asymmetry may lead to a “market for lemons” in which suppliers face no incentive to provide higher quality products. Some security vendors have begun to offer cyber-warranties—voluntary ex-ante obligations to indemnify the customer in the event of a cyber attack—to function as a quality signal. Much like how consumer protection laws are relatively more costly to firms offering low quality products, cyber-warranties are more costly for firms developing low quality enterprise security products. In this paper, we introduce a decision-theoretic model to explore how consumers might use cyber-warranties to increase information when purchasing security products. Our analysis derives four inferences that consumers can make about a security product. We discuss the difficulties customers might face in using these inferences to make real world decisions.
Acknowledgements
The authors thank the anonymous reviewers for their helpful and constructive comments. Participants in the “Effect of Software Warranties on Cyber Security” workshop run by the University of Bristol’s Cyber Security Group provided useful feedback for the ideas developed in this paper. Daniel Woods’ research is funded by the EPSRC via the Centre for Doctoral Training in Cyber Security at the University of Oxford.
Copyright information
© 2018 Springer Nature Switzerland AG
Cite this paper
Woods, D.W., Simpson, A.C. (2018). Cyber-Warranties as a Quality Signal for Information Security Products. In: Bushnell, L., Poovendran, R., Başar, T. (eds) Decision and Game Theory for Security. GameSec 2018. Lecture Notes in Computer Science, vol 11199. Springer, Cham. https://doi.org/10.1007/978-3-030-01554-1_2
DOI: https://doi.org/10.1007/978-3-030-01554-1_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01553-4
Online ISBN: 978-3-030-01554-1
eBook Packages: Computer Science (R0)