Cybersecurity is a Market for Lemons
A ‘Market for Lemons’ is a term used by economists to denote market failure. Bernard Parsons, founder and CEO of Becrypt, summarises his presentation at the recent CYBERUK conference, explaining how the term is relevant to cybersecurity.
I recently attended CYBERUK, which is the UK government's flagship cybersecurity event hosted by the National Cybersecurity Centre (NCSC). The event features world-class speakers, and opportunities for interaction between the public and private sectors.
It was a fascinating couple of days, partly as Becrypt is working with government on projects featured at the event, but it was also a great opportunity for the Cyber Growth Partnership (CGP) Assurance Working Group, of which Becrypt is a member, to promote cross-industry and government collaboration towards common objectives.
One area in particular that CGP and the High Assurance UK industry association (HAUK) are focused on is around how to better articulate and differentiate quality of security of products and services. During the event I delivered a presentation entitled: ‘Cybersecurity is a Market for Lemons’ which was on this very topic and I’ve summarised the key points in this article.
A ‘Market for Lemons’ is a term used by economists to denote market failure, where a free market does not self-optimise output for social benefit.
There has been a debate for some time as to whether this applies to cybersecurity. A number of characteristics are typically associated with market failure, and I believe that two of them are particularly relevant to cyber, as discussed below.
The first characteristic is information asymmetry. The classic example is buying a used car, where the buyer has less information than the seller. It is very difficult, if you are buying a used car, to know whether you are buying a car of above-average quality or one that is a real ‘lemon’.
The market tends to price cars on the average quality of all cars in the market, which disadvantages higher-quality cars, whose sellers lose out if they cannot evidence that quality. Such cars may therefore be withdrawn from the market, driving down the average quality of the remaining cars, and with it the average market price, in a potential downward spiral.
Arguably, information asymmetry applies widely within the cybersecurity market. Buyers often have significantly less information about complex products and services than the sellers. Furthermore, sellers themselves often have less information than is required to robustly defend some of the claims they make about their products or services.
The second characteristic is negative externalities, where the harmful effects of a transaction are borne by third parties: in other words, a cost suffered by someone who was not party to the economic transaction.
For example, if I have a fridge that has been compromised because it is connected to the internet with poor security, neither the buyer nor the seller automatically loses out.
Indeed, the buyer probably got the fridge cheaper than they would have if the manufacturer had invested in robust security controls. The real losers are those who may be targeted by the botnet that the compromised fridge forms part of.
Regulation may be necessary, but is not sufficient
Where market failure occurs, regulation is often required. Many would argue that within the cyber sector regulation may be necessary, but it is not sufficient.
The whole world of technology is far too diverse and fast-paced, whether that is mobile, cloud, big data or AI, for regulation to keep sufficient pace and relevance to be the entire answer – there is more that we need to do as an industry to better optimise our output.
One of the big challenges that the cybersecurity sector faces is that it values volume over validity. There is much more emphasis on making a noise in the market and on analyst influence than on defining and validating products’ security controls.
In fact, many procurement processes do not explicitly define security requirements; they focus on features and functionality instead, making it difficult for buyers to quantify what they are getting in terms of return on security investment.
Government as an exemplar
Today, a number of exemplar government IT projects that successfully balance the security requirements of ‘High Assurance’ environments with broader user needs, as discussed at CYBERUK, have relevance to the market failure debate.
This relevance stems in part from the significant convergence between government and private-sector IT requirements.
On the one hand, both sectors have been increasingly subjected to overlapping threat actor communities; in parallel, government has developed a greater need and desire to adopt new technologies that offer more flexibility at pace, moving from government-bespoke to commercial off-the-shelf solutions.
Within these projects, government has had the resources, expertise and need to address information asymmetry, through rigorous product and service assurance, and by working closely with the vendor ecosystem to both understand and influence product security controls.
An important question that arises is how elements of these government successes may scale and apply to the private sector. Both CGP industry members and HAUK are focused on providing an industry voice to support government’s review of product assurance. The aspiration is to achieve more agile and scalable approaches to gaining confidence in the value and effectiveness of security investment, nudging our market towards more optimised output.
Agree or disagree? We’d love to hear your views. #CyberSector #MarketforLemons.