Lemons and liability: How security warranties could tame the software market

Back in 1970, American economist and future Nobel Prize winner George Akerlof published an article in The Quarterly Journal of Economics titled “The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism.” In it, Akerlof explained the policy changes that occur in response to a lemons market, in which the producer of a good holds greater knowledge about the product they are selling than the buyer.

One result of this concept of “lemons markets” is warranties, which formalize expectations about the performance of a product and extend the producer’s responsibility for it beyond the point of sale. Daniel Woods, a lecturer in cybersecurity at the University of Edinburgh, noticed this could be applied to the modern-day software development industry.

Woods, who is also a researcher for Coalition, a cyber-insurance and security service provider, believes that the market for software applications is looking a lot like a lemons market, with software buyers struggling to differentiate between secure and insecure software. It’s no surprise, then, that warranties are increasingly common in the software industry, including in the marketplace for cybersecurity tools, where as much as a quarter of endpoint protection products now come with warranties.

But the mere existence of software warranties doesn’t necessarily change the reality for software buyers. In his talk at this year’s Black Hat USA conference, titled “Lemons and Liability: Cyber Warranties as an Experiment in Software Regulation,” Woods presented the findings of his research that showed that while software warranties may signal higher quality to buyers — which translates into higher customer satisfaction — it's not clear that they succeed in shifting liability for weak security from buyers to producers.

Woods told host Paul Roberts at Black Hat USA:

In terms of the question of ‘Do [warranties] transfer risk from the client?’ I don't think it's the case.

See ConversingLabs: Lemons & Liability: What it Means for Software Applications

Who's liable for software security?

Woods' research comes at an interesting time, with policymakers within the United States beginning to shift their attitude on who should bear the responsibility for software insecurity. The White House released the National Cybersecurity Strategy in March 2023, which calls for shifting liability for the security of software products from the end user to the producer.

Commenting on the strategy at Black Hat, Acting National Cyber Director Kemba Walden made the administration's position clear:

We’ve allowed cybersecurity to devolve to those that are the least capable. Those of us that are more capable should be responsible for cybersecurity risk.

Would you like a warranty with your software?

In this ConversingLabs episode, Woods talks about his research on software warranties and discusses how software producers and sellers must be held liable for the security of their products. He also touches on his role at Coalition and the growing role of cyber-insurance in tackling and aiding this challenge.

Their full conversation is now available to watch — or to listen to wherever you get your podcasts.