
2 Understanding secure software development

2.9 Asymmetry of security related information

The above-mentioned possible market failures, i.e., inadequacies in the distribution of security-related information, may occur in the production and sale of information about the quality of software and its security features. However, informational imperfections may also prevent the underlying product markets from working properly.

One such situation is when sellers know more about a product than do buyers, or vice versa (asymmetric distribution of information)299.


300 This means that potential buyers do not have reliable information about whether the software they intend to buy meets their specific needs and is of appropriate quality and security. They first have to buy the product and can rate its quality and security only after having deployed it. At this time, the software producer already has made his profit.

301 Akerlof, The Market for “Lemons”, p. 488-500.

302 These conditions are presented in a general form, e.g., by Paul H. Rubin in his article in the Encyclopedia of Law and Economics, Information Regulation (incl. Regulation of Advertising), p. 278.


In information security markets and in markets for secure software, producers sometimes know which products are secure, but consumers cannot tell. A relevant information asymmetry arises because information concerning quality or security is more costly to supply and process than information concerning price or quantity. Prices are calculated by reference to objective criteria (currency) and, in general, are easily communicated. Qualities, such as security, are to some degree subjective and, particularly in the case of professional services and technologically more complex commodities like software, may not be discoverable by pre-purchase inspection300.

In a famous paper, The Market for “Lemons”, cited in connection with the Nobel Prize in Economic Sciences he won in 2001, George A. Akerlof demonstrates how asymmetry in the search costs of price and quality information can lead to seriously detrimental consequences301. Failure arises in a lemons market because only low quality items are sold, even though consumers would be willing to pay high prices for high quality items. This theory predicts that this asymmetry in information will force more secure products out of the market if secure products sell for no higher price than vulnerable ones, secure products are more expensive to produce, and consumers are unable to tell the difference. This process is called adverse selection.

The three conditions necessary to generate a lemons market (the adverse selection type of market failure) are present to a certain degree in information security and secure software markets302.

Regulating Secure Software Development 126

303 Shapiro and Varian, Information Rules, p. 5.

304 Economic theory distinguishes three types of goods: search, experience and credence goods. While the quality of some products (‘search goods’) can be determined prior to purchase and asymmetric information on a good’s characteristics can be eliminated before consumption takes place by paying a search cost, others (‘experience goods’), including almost all types of services and technologically more complex products, can be evaluated only in the process of receipt, use, or consumption. In some cases (‘credence goods’), the quality is known only years later or cannot even be established after consumption at all. See, e.g., Ogus, Regulation, p. 132-133; den Hertog, General Theories of Regulation, p. 228-9; Noll, Comparing Quality Signals as Tools of Consumer Protection, p. 228; Rubin, Information Regulation (incl. Regulation of Advertising), p. 277.

305 It is often difficult to observe the quality of a software product before purchase. Juergen Noll, in Comparing Quality Signals as Tools of Consumer Protection, p. 228, accordingly identifies product quality as an experience property.

306 Whereas some dimensions of quality, such as reliability and durability, can be objectively determined, others involve a high degree of subjectivity and some are visible only after some time. Some of the quality aspects of security cannot be determined even after consumption or can be assessed only with highly sophisticated technical help, since security related vulnerabilities typically are not visible in the functionality of the program and testing cannot show the absence of vulnerabilities (it can only show that there are defects). Thus, parts of the quality and security characteristics of products belong to the credence category.

First, consumers are unable to determine quality and security before purchase because software as an information product is essentially an experience good, as pointed out by Carl Shapiro and Hal Varian303, similar to the complex information systems that are possibly networked304. Its quality is an experience characteristic305, and the quality aspect of security even a credence characteristic306. Second, more secure and higher quality products cost more to produce than lower quality ones, as has been noted several times above. The third, and last, condition, according to which there cannot be a credible way for a firm to guarantee quality, requires a wider analysis.

The importance of this analysis stems from the notion that to the degree the last of the three conditions is met, i.e., depending on whether or not there are credible ways for firms to guarantee the quality aspect of security in their software products, the market mechanism may break down.

307 The underlying condition that alternatives exist in the market is assumed and extensively experienced in the software component market even in relation to operating systems. Variety in products and vendors is increasing.

308 Note that this stands in sharp distinction to the above notion of sellers having strong incentives to provide adequate information. This incentive exists only if there is some way for consumers to check on the claims of the sellers. If the lemons problem can be solved, sellers of higher than average quality products will have incentives to reveal information about their products’ quality. Consumers may then assume that any product which does not disclose quality is of below average quality, and the informational problem is solved. (Rubin, Information Regulation (incl. Regulation of Advertising), p. 281).

309 Collins, Regulating Contracts, p. 288.

This will happen because no firm will be able to convincingly promise high quality items. As a result, consumers cannot be sure of obtaining the higher quality and so will not pay the higher price for quality items.

Thus, even though consumers would be willing to pay a higher price in order to obtain quality, there will not be an effective way in which this desire can be satisfied.307

Convincing communication of quality and the lemons market. The lemons problem identified by Akerlof exists only if firms cannot convincingly communicate to consumers the level of quality in their products308. If firms can produce high quality products and convince consumers that they are doing so, then the market failure disappears. In most cases informational asymmetries can be corrected by the mechanism of voluntary exchange and, as Hugh Collins notes, “[t]he absence of any regulation of quality would therefore not lead to the widespread supply of defective products and shoddy services”309. However, whether this happens in relation to the security of software requires a more detailed analysis.

There are several means by which vendors can convincingly communicate the level of quality in their products and thus correct the market failure by themselves. Typical examples are reputation, advertising and other voluntary information provision by the vendor (e.g. in terms of test results), and warranties to guarantee the quality of the product310.

310 Guarantees, reputation and licensing were identified already in 1970 by Akerlof in The Market for “Lemons”, p. 499-450, as institutions counteracting the effect of quality uncertainty. Anthony Ogus in Regulation, p. 133, explains these mechanisms in general terms in his extensive analysis of governmental regulation from the economic perspective.

311 Noll, Comparing Quality Signals as Tools of Consumer Protection, p. 228.

312 The general argument about false claims as a form of information failure is made, e.g., by Beales et al. in The Efficient Regulation of Consumer Information, p. 505-6.

It has to be stressed that the means by which vendors can communicate the level of quality in their products (such as reputation, advertising, warranties etc.), and thus correct the informational market failure voluntarily, do not apply to credence characteristics of products and are unnecessary for search goods311. This means that these measures are necessary and effective only in relation to the experience characteristics of software security. This already limits the applicability of these remedies in relation to most security related vulnerabilities that are at the core of this study, since they are credence characteristics of software.

Advertisements constitute the most obvious method of communicating quality information. But, as already discussed, where customers lack the means to verify the correctness of the claims, as is largely the case with software vulnerabilities because vulnerability information is a credence characteristic, the opportunity to disseminate false or misleading information or to withhold negative information seems profitable in the short run312. Only when quality and security information is easily verifiable, which, as discussed above, is not the case with the quality aspect of security, can customers expect to receive truthful quality and security information. Thus, advertising and other general information sharing by industry is not a likely means of correcting the informational asymmetries related to the quality aspect of security313.

313 Not even competitors might have sufficient incentive to intervene in unfair marketing practices. This is especially so when they share the same negative attribute (vulnerability of software) or are subject to externalities, such as the benefits from corrected customer beliefs that have to be shared with other competitors and are thus inadequately internalised by the intervening competitor, or the increased customer belief that a proportion of security claims are false, which harms the industry in general. (Beales et al., The Efficient Regulation of Consumer Information, p. 506)

314 Esther Gal-Or and Anindya Ghose make this argument in The Economic Consequences of Sharing Security Information, p. 3.

315 Beales et al., The Efficient Regulation of Consumer Information, p. 527.

316 I.e., competition over vulnerability reduces the sales of the whole COTS industry, instead of enhancing the sales of a certain software brand within it.

317 This argument in general is made, e.g., by Beales et al., The Efficient Regulation of Consumer Information, p. 503-4.

General voluntary disclosure of security information is further hampered by the possible spillovers which result in positive externalities for the industry as a whole. This is so especially in relation to the customer confidence aspect; enhanced customer trust in transacting with a particular firm also expands the overall market size within the industry314. Seller-provided information creates externalities that can lead to an undersupply of general information. In particular, advertising that provides positive general information about all brands in a product class benefits every brand, not simply the one generating the information. In such a case, the disclosing firm’s competitors will share in the benefits as free riders315. Advertising that provides negative general information about a product class is likely to reduce the sales of each firm316 and possibly benefit the sales of substitute products, thus reducing the incentive of any single seller to provide this information.317

The willingness of a firm to spend money on advertising as such, without necessarily offering information, can in itself also be a signal of the quality of the product. The economic argument is that advertising is worthwhile only if it leads to repeat sales for experience goods. Firms can expect repeat sales only if the product is of sufficiently high quality. Therefore the investments in advertising signal to the market that the firm expects repeat sales because it believes that its products are of high quality. The same line of argument also applies to investments in establishing trademarks and brand names, and also in physical assets, such as signs and décor.318

318 Advertising as a signal of product quality has been analysed in the law and economics literature, e.g., by Paul H. Rubin in Information Regulation (incl. Regulation of Advertising), p. 278-279, and Juergen Noll in Comparing Quality Signals as Tools of Consumer Protection, p. 229.

319 This does not apply in relation to one-off transactions; but even here, reputation may have a value when recommendations are made by friends or relatives, as noted by Anthony Ogus in Regulation, p. 133.

320 See Noll, Comparing Quality Signals as Tools of Consumer Protection, p. 229-230, for the general argument.

Reputation, which is largely connected to the above-mentioned investments in capital and advertising that will be lost if the firm goes out of business, can as such serve as an indicator of quality. A firm selling low-quality products at high-quality prices will soon acquire a bad reputation and be excluded from the market. Consumers may, over time, also accumulate trust in the quality of a particular firm’s output or a particular brand name. With the desire to preserve goodwill, it will be in the interest of the supplier or brand manufacturer to maintain quality319. But the reputation mechanism is workable only if the product is an experience good, i.e., buyers can find out the quality and security of the product after buying it.

As has been argued, this is not the case with credence characteristics like the quality aspect of security. Even when buyers can find out the quality and security of the product after buying it, reputation adjustment rewards quality upgrading only with a time lag, which means that firms will not provide as high a quality as under perfect information. Therefore, despite being necessary in certain surroundings, reputation is an unreliable indicator of the quality aspect of security.320


321 This argument is made, e.g., by Ogus in Regulation, p. 133 and Beales et al. in The Efficient Regulation of Consumer Information, p. 511.

322 Note that industrial buyers have at least a theoretical possibility to buy better guarantees and to negotiate requirements for secure development into the agreement, with the consequence of needing to pay more for the software at the same time. Without any empirical facts one can only assume that the price charged for software sold with security guarantees would be extensively higher than its list price. Whether industrial buyers would be likely to buy better guarantees if they do not perceive the vulnerability issue as an important factor in purchasing decisions is a matter of empirical study that still, to my knowledge, remains unanswered. In addition, high transaction costs in mass-marketed COTS software products at least diminish, if not altogether prevent, the possibility for industrial buyers to settle warranties individually.

Contractual terms, such as product warranties or even money back guarantees, may be a more reliable signal of quality. They partially indemnify the buyer against the possibility that lack of information leads to making a wrong choice. In addition to this insurance effect, such contractual terms may as such signal the quality of the product, since warranties and money back guarantees are cheaper to provide if product failures seldom occur.321

However, warranties are almost non-existent in software markets. Software vendors assume no liability and try to avoid giving any warranties (not even those of merchantability, fitness for purpose or the like) by standard licensing provisions322. The justifications vary, but the essential point is that unlike traditional commodities, defects in software are likely to exist in every copy sold, thus making compensation or repair especially expensive. Disclaiming is routine, even though it feeds suspicion that vendors lack care for software quality and security, and even though confidence in the quality of software products may be eroded by disclaimers of warranties with which the products may well comply. Even in cases where warranties still exist despite the software licences, the incentives for their enforcement are still reduced, since the likelihood of successful litigation is decreased and the claims often cannot be enforced because of the global nature of the market323.

323 It is worth pointing out that in cases where warranties are based extensively on law, as in consumer law, their informational value for the customer and the signalling value for the producers are diminished (Noll 2003, p. 219-231).

324 Even though this try-before-you-buy characteristic makes software more transparent, it also easily leads to users not paying for the software.

325 These information provision mechanisms have been analysed by J. Bradford DeLong and A. Michael Froomkin in Speculative Microeconomics for Tomorrow's Economy, heading “The Market for Software: Shareware, Public Betas and More”. The newest development in correcting the transparency problem is open source, which may also be beneficial for security. Note that its main function is not to provide information for users, since it only enables the possibility of deriving security information from the source code. Instead it constitutes a method of developing software and an ideological approach to software markets.

In addition to trials, typically used in the marketing of more traditional goods, there are special ways for vendors to provide information about the functionalities of a program. The logic of shareware, which allows interested persons to download the full program, is that if they like it they send its author some money, and perhaps in return they get a manual, access to support, and/or an upgraded version324. The public beta is a time-limited (or bug-ridden, or otherwise restricted) version of the product. It allows users to investigate the properties of the public beta version to figure out whether the product is worthwhile. But to get the permanent (or the less bug-ridden) version, they have to pay. A similar method is the free provision of a lesser version of a program while charging for the advanced version.325

These methods enable the possible purchaser to familiarise themselves with the experience characteristics before purchase and lower the costs of finding information about the software. Even though competition through distribution of lesser versions of the ultimate product as such is a relatively benign development, these versions do not provide information about security (excluding observable security features). In addition, as argued above, the first-to-market competition (which partly explains this development, since these methods of providing information can be ways to introduce products to the market earlier) can mean that the security of these lesser versions is not necessarily increasing. At least, these methods of providing information do not correct the

326 This is a matter of controversy. People tend to assert that they are concerned with privacy and security and are even willing to pay for it. However, their behaviour does not always agree. For wider discussion, see the analysis of Alessandro Acquisti and Jens Grossklags in Losses, Gains, and Hyperbolic Discounting, from 2003. However, the general assumption goes in favour of buyers’ readiness to pay for increased security and higher quality. Many of the arguments by security professionals that consumers lack interest in investing in information security are explained by the asymmetry of information or the simple lack of it.