When buying a second-hand car you are at the mercy of the dealer. The dealer knows which cars were treated well by past owners and which are likely to break down within a few months. When buying an information security product, the vendor has a better idea of how effective the product truly is. In both cases, the seller has information the buyer lacks.
Economists refer to this phenomenon as a market with asymmetric information. Akerlof1 suggested this leads to a "market for lemons" dominated by lower quality goods (aka lemons in the case of used cars). Consumers cannot differentiate between lemons and quality used cars. Akerlof's model suggests only lemons would be sold in such a market.
Car dealers offer warranties to overcome this problem. If the used car breaks down within, say, six months, the dealer must pay for its repair. This discourages dealers from selling lemons with lengthy warranties. Consequently, the length of the warranty provides information about how likely the vehicle is to break down.
Returning to information security, vendors have started attaching cyber warranties to information security products with no additional fee. Will cyber warranties better align incentives in the market for information security products? Or are they marketing tricks riddled with coverage exclusions hidden in the fine print of the terms and conditions?
A natural first question to ask is why warranties might succeed in addressing the market for lemons where other mechanisms have failed. Akerlof1 identified possible solutions including brand reputation, certification, liability laws, and warranties.
Linking brand reputation to the effectiveness of products is difficult because they appear to be working until an attack succeeds, which happens infrequently. Reputation systems are further limited by commercial sensitivity preventing information from being pooled across organizations. Vendors instead signal quality by speaking at conferences, publishing security research, and through marketing activities. The latter can lead to (arguably deceptive) claims about product functionality that may not reflect reality.
External experts could certify the effectiveness of the product. Past history shows certification firms face incentives to skimp on assessment. A framework for certifying computer systems as secure "motivated the vendor to shop around for the evaluation contractor who would give his product the easiest ride."2 Even if such incentives were overcome, there are difficulties in using laboratory experiments to establish real world security.
Liability laws could shift the costs of an ineffective product back onto the vendor. This might incentivize vendors to create more effective products and even force firms selling ineffective products out of the market. However, the resistance to software liability is well documented.3,4 To prove vendors liable for creating a defective product, the product in question must be shown to have caused the injury. Establishing such proximate cause is fiendishly difficult, given the constellation of security controls employed by firms.
So why might cyber warranties succeed where other approaches have failed? Certification incurs large up-front costs regardless of effectiveness, whereas warranties only incur a cost when the product fails to mitigate an attack. Consequently, vendors with more effective products incur less cost in offering warranties. The barriers to adoption can be overcome by individual firms unilaterally offering warranties—courts need not assign liability nor governments pass legislation.
This article evaluates three viewpoints on the role of warranties. The theoretical view argues cyber warranties can align incentives and fix a dysfunctional market, as put forward in Woods and Simpson.5 A skeptical view characterizes cyber warranties as marketing tricks offering little meaningful coverage to the buyer. The conciliatory view holds that while warranties do not significantly change the incentive to invest, they do prevent vendors from overexaggerating the functionality of products. Which viewpoint best describes reality can be answered empirically by inspecting the terms of the warranties, which we undertake next.
We searched for combinations of the terms "warranty," "indemnity," "information," "security," and "cyber" using a popular search engine. We stopped when further results revealed no new warranties attached to information security products. Some vendors provide a description of the warranty without the actual contract, we included these descriptions in our corpus if they were detailed enough for our purposes. This resulted in a corpus of 15 warranties attached to information security products.
Inductive analysis identified coverage, obligations, and exclusions as the main components of the warranties. Coverage describes which costs the vendor will indemnify and the total indemnification limit. Obligations describe what the buyer must do for the warranty to be valid. Exclusions describe which circumstances invalidate coverage.
Consumers should first ask whether the product comes with a product or incident warranty. Of the 15 warranties, two-thirds were only triggered by defective hardware or software. We will call these cyber-product warranties from now on, denoted by P in the table. Cyber-product warranties offer to repair or replace the product, denying coverage for first- or third-party costs resulting from an attack.
Cyber-incident warranties (denoted by I in the accompanying table) cover the consequences of an attack. The firms offering cyber-incident warranties sell intangible products and services like source code review, network monitoring, or back-up services. Four of the five cyber-incident warranties in our sample covered first-party costs like notifying customers and hiring consultants for forensic investigation, public relations or legal review. One vendor explicitly covered ransomware payments and nothing else (denoted IRWP). None of the warranties (I or P) cover regulatory fines or third-party liability. The amount of coverage ranged from $10,000 to $5,000,000 depending on the size of the buyer.
The conciliatory view holds that while warranties do not significantly change the incentive to invest, they do prevent vendors from overexaggerating the functionality of products.
Obligations on the buyer can be classified into install-time, ongoing and post-incident. Ongoing and install-time obligations are most common. The majority (denoted V in the table) use vague terms like proper maintenance and operation without a concrete definition for what this entails. However, some warranties are exceptions in providing prescriptive obligations (denoted P). These vendors tend to offer higher limits. For example, one vendor requires a "differential security analysis" whenever the buyer modifies software covered by the warranty. Another vendor requires the client to relinquish write access to the product and allow the vendor to configure security functions like the whitelist. Post-incident obligations concern when and how the client must notify the vendor after discovering the incident.
There is significant diversity in terms of what cyber-incident warranties exclude. For example, a back-up provider excludes "any breach due to weak or stolen credentials" or denial of service. A monitoring product excludes breaches that are not a result of Advanced Persistent Threat (APT) activity. A firm offering source code review excludes coverage if the attack results from unknown vulnerabilities, defined elaborately using the Common Vulnerabilities and Exposures (CVE) database and a list of 122 known vulnerabilities.
Consumers might worry about the vendor's ability to fund the indemnity payment. Some cyber-incident warranties were backed by insurance. For example, one vendor claimed to be "underwritten by an A-rated, internationally known insurance carrier." A different vendor suggested their relationship with insurers meant purchasing the product "could result in better terms on cyber insurance."
Our corpus represents close to the population of cyber-incident warranties while only comprising a sample of cyber-product warranties. The latter are predominantly offered by firms selling physical devices to be deployed in the buyer's network. The corresponding warranties are less diverse and less likely to be announced publicly. This can be contrasted with cyber-incident warranties, which are announced publicly to generate coverage from security reporters.
Warranties must transfer non-negligible amounts of liability to vendors in order to meaningfully overcome the market for lemons. Our preliminary analysis suggests the majority of cyber warranties cover the cost of repairing the device alone. Only cyber-incident warranties cover first-party costs from cyber-attacks—why all such warranties were offered by firms selling intangible products is an open question. Consumers should question whether warranties can function as a costly signal when narrow coverage means vendors accept little risk.
Worse still, buyers cannot compare across cyber-incident warranty contracts due to the diversity of obligations and exclusions. Ambiguous definitions of the buyer's obligations and excluded events create uncertainty over what is covered. Moving toward standardized terms and conditions may help consumers, as has been pursued in cyber insurance, but this is in tension with innovation and product diversity.
The scope of the product drives warranty terms and conditions. The source code review firms are reasonable in only indemnifying losses resulting from known vulnerabilities with a corresponding CVE number, which protects the vendor from incurring costs from zero-day attacks. Exclusions like the monitoring firm only indemnifying losses resulting from AdvaPT activity are less reasonable given non-APT attacks are presumably easier to detect and much more common.
Warranties with many obligations and exclusions at least communicate the attached product's limitations. Prescriptive ongoing obligations from end-point protection firms demonstrate how security is about more than just buying the right product. In fact, the expertise of security professionals is so important that one firm invalidates coverage unless the buyer relinquishes write access to the platform.
Theoretical work5 suggests both the breadth of the warranty and the price of a product determine whether the warranty functions as a quality signal. Our analysis has not touched upon the price of these products. It could be that firms with ineffective products pass the cost of the warranty on to buyers via higher prices. Future studies could analyze warranties and price together to probe this issue.
In conclusion, cyber warranties—particularly cyber-product warranties—do not transfer enough risk to be a market fix as imagined in Woods.5 But this does not mean they are pure marketing tricks either. The most valuable feature of warranties is in preventing vendors from exaggerating what their products can do. Consumers who read the fine print can place greater trust in marketing claims so long as the functionality is covered by a cyber-incident warranty.
Figure. Watch the authors discuss this work in the exclusive Communications video. https://cacm.acm.org/videos/cyber-warranties
Copyright held by authors/owners. Publication rights licensed to ACM.
Request permission to publish from email@example.com
The Digital Library is published by the Association for Computing Machinery. Copyright © 2020 ACM, Inc.
No entries found