Lemons and liability: Is security on its way to defining the software market?


Back in 1970, American economist and Nobel Prize winner George Akerlof published an article in The Quarterly Journal of Economics titled “The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism.” In it, Akerlof explains what happens in a lemons market, one in which the producer of a good knows more about the product's quality than the buyer does: because buyers cannot tell good products from bad, they pay only for average quality, and sellers of good products are driven out, unless some mechanism emerges to correct the information imbalance.

One such mechanism is the warranty, which formalizes expectations about the performance of a product and extends the producer's responsibility for it beyond the point of sale. Daniel Woods, a Lecturer in Cybersecurity at the University of Edinburgh, noticed that this analysis could be applied to the modern-day software industry.

Woods, who is also a researcher for Coalition, a cyber insurance and security service provider, believes that the market for software applications is looking a lot like a lemons market, in which software buyers struggle to differentiate between secure and insecure software. It's no surprise, then, that warranties are increasingly common in the software industry, including in the marketplace for cybersecurity tools, where as much as a quarter of endpoint protection products now come with warranties.

But the mere existence of software warranties doesn't necessarily change the reality for software buyers. In his talk at this year's Black Hat USA conference, titled “Lemons and Liability: Cyber Warranties as an Experiment in Software Regulation,” Woods presented findings showing that while software warranties may signal higher quality to buyers, which translates into higher customer satisfaction, it is not clear that they succeed in shifting liability for weak security from buyers to producers.

Woods told host Paul Roberts at Black Hat USA:

“In terms of the question of ‘do [warranties] transfer risk from the client?’ I don't think it's the case.”  

Woods' research comes at an interesting time, with policymakers within the U.S. beginning to shift their attitude on who should bear the responsibility for software insecurity. The White House released the National Cybersecurity Strategy in March 2023, which calls for shifting liability for the security of software products from the end user to the producer.

When commenting on the Strategy at Black Hat, Acting National Cyber Director Kemba Walden made the administration's position clear:

“We’ve allowed cybersecurity to devolve to those that are the least capable. Those of us that are more capable should be responsible for cybersecurity risk.”

In this ConversingLabs episode, Woods talks about his research on software warranties and how software producers and sellers must be held liable for the security of their products. He also touches on his role at Coalition and the growing role of cyber insurance in both measuring and mitigating this risk.

Their full conversation is now available to watch — or listen to it wherever you get your podcasts.

Article Link: https://www.reversinglabs.com/blog/understanding-the-software-industry-as-a-lemon-market