Back in 1970, American economist and future Nobel Prize winner George Akerlof published an article in The Quarterly Journal of Economics titled “The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism.” In it, Akerlof explained the policy changes that occur in response to a lemons market, in which the producer of a good holds greater knowledge about the product they are selling than the buyer.
One result of this concept of “lemons markets” is warranties, which formalize expectations about the performance of a product and extend the producer’s responsibility for it beyond the point of sale. Daniel Woods, a lecturer in cybersecurity at the University of Edinburgh, noticed this could be applied to the modern-day software development industry.
Woods, who is also a researcher for Coalition, a cyber-insurance and security service provider, believes that the market for software applications is looking a lot like a lemons market, with software buyers struggling to differentiate between secure and insecure software. It’s no surprise, then, that warranties are increasingly common in the software industry, including in the marketplace for cybersecurity tools, where as much as a quarter of endpoint protection products now come with warranties.
But the mere existence of software warranties doesn’t necessarily change the reality for software buyers. In his talk at this year’s Black Hat USA conference, titled “Lemons and Liability: Cyber Warranties as an Experiment in Software Regulation,” Woods presented the findings of his research that showed that while software warranties may signal higher quality to buyers — which translates into higher customer satisfaction — it's not clear that they succeed in shifting liability for weak security from buyers to producers.
Woods told host Paul Roberts at Black Hat USA:
“In terms of the question of ‘Do [warranties] transfer risk from the client?’ I don't think it's the case.”
Who's liable for software security?
Woods' research comes at an interesting time, with policymakers within the United States beginning to shift their attitude on who should bear the responsibility for software insecurity. The White House released the National Cybersecurity Strategy in March 2023, which calls for shifting liability for the security of software products from the end user to the producer.
Commenting on the strategy at Black Hat, Acting National Cyber Director Kemba Walden made the administration's position clear:
“We’ve allowed cybersecurity to devolve to those that are the least capable. Those of us that are more capable should be responsible for cybersecurity risk.”
Would you like a warranty with your software?
In this ConversingLabs episode, Woods talks about his research on software warranties and discusses how software producers and sellers must be held liable for the security of their products. He also touches on his role at Coalition and the growing role of cyber-insurance in tackling and aiding this challenge.
Their full conversation is now available to watch — or to listen to wherever you get your podcasts.