Cyber-Warranties as a Quality Signal for Information Security Products

  • Conference paper
Decision and Game Theory for Security (GameSec 2018)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 11199)

Abstract

Consumers struggle to distinguish between the quality of different enterprise security products. Evaluating performance is complicated by the stochastic nature of losses. It is recognised that this information asymmetry may lead to a “market for lemons” in which suppliers face no incentive to provide higher quality products. Some security vendors have begun to offer cyber-warranties—voluntary ex-ante obligations to indemnify the customer in the event of a cyber attack—to function as a quality signal. Much like how consumer protection laws are relatively more costly to firms offering low quality products, cyber-warranties are more costly for firms developing low quality enterprise security products. In this paper, we introduce a decision-theoretic model to explore how consumers might use cyber-warranties to increase information when purchasing security products. Our analysis derives four inferences that consumers can make about a security product. We discuss the difficulties customers might face in using these inferences to make real world decisions.

Notes

  1. https://www.armor.com/cyber-warranty/

  2. https://www.sentinelone.com/press/sentinelone-establishes-1-million-cyber-threat-protection-guarantee/

Acknowledgements

The authors thank the anonymous reviewers for their helpful and constructive comments. Participants in the “Effect of Software Warranties on Cyber Security” workshop run by the University of Bristol’s Cyber Security Group provided useful feedback for the ideas developed in this paper. Daniel Woods’ research is funded by the EPSRC via the Centre for Doctoral Training in Cyber Security at the University of Oxford.

Author information

Correspondence to Daniel W. Woods.

Copyright information

© 2018 Springer Nature Switzerland AG

Cite this paper

Woods, D.W., Simpson, A.C. (2018). Cyber-Warranties as a Quality Signal for Information Security Products. In: Bushnell, L., Poovendran, R., Başar, T. (eds) Decision and Game Theory for Security. GameSec 2018. Lecture Notes in Computer Science, vol 11199. Springer, Cham. https://doi.org/10.1007/978-3-030-01554-1_2

  • DOI: https://doi.org/10.1007/978-3-030-01554-1_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-01553-4

  • Online ISBN: 978-3-030-01554-1

  • eBook Packages: Computer Science, Computer Science (R0)
