Cyber-warranties as a quality signal for information security products

Consumers struggle to distinguish between the quality of different enterprise security products. Evaluating performance is complicated by the stochastic nature of losses. It is recognised that this information asymmetry may lead to a "market for lemons" in which suppliers face no incentive to provide higher quality products. Some security vendors have begun to offer cyber-warranties - voluntary ex-ante obligations to indemnify the customer in the event of a cyber attack - to function as a quality signal. Much like how consumer protection laws are relatively more costly to firms offering low quality products, cyberwarranties are more costly for firms developing low quality enterprise security products. In this paper, we introduce a decision-theoretic model to explore how consumers might use cyber-warranties to increase information when purchasing security products. Our analysis derives four inferences that consumers can make about a security product. We discuss the difficulties customers might face in using these inferences to make real world decisions.