InfoSec Warranties and Guarantees
Almost no InfoSec vendors offer warranties or guarantees on their products. Offering them would be an obvious way to stand out from competitors, but vendors simply do not want the liability.
In the absence of warranties and guarantees, customers are facing the following challenges:
- Without guarantees it is difficult to tell effective solutions apart from less effective ones.
- Without warranties or guarantees it is hard to justify the cost of InfoSec products to management.
- Without warranties or guarantees, customers find it hard to trust their InfoSec vendors, since the vendors are not accountable for the performance of their products.
This Working Session will examine the need for InfoSec warranties and guarantees, and how they might be designed and implemented.
- Are warranties and guarantees in InfoSec inevitable?
- How to make warranties and guarantees work
- What should be covered?
- Should governments have a role in (for example) providing ‘Cyber Insurance’ for ‘well-behaved companies’?
- The roles of labels and market forces
- Are we in a ‘market for lemons’?
- The role of Government Agencies
- What lessons can be learned from the Food and Public Safety agencies (and activities)?
This Working Session will try to answer the question of whether security companies should issue guarantees and warranties, and will provide a set of guidelines on how they should be designed and implemented.
Synopsis and Takeaways
Decisions to purchase security products that come with cyber insurance should not be based solely on the warranty, no matter how good it seems. Some warranties only cover secondary insurance, which can still leave the policyholder facing losses of thousands, if not millions.
Relying on a warranty requires the same scrutiny as buying cyber insurance, and some warranties are little more than a marketing ploy. It is usually not worth investigating a warranty in depth when the cost of the investigation outweighs the value of the cover. Negotiating the warranty contract can normally achieve more favourable terms. Collecting information on companies that have submitted claims, and the outcomes of those claims, would be useful to buyers.
Warranties should include:
- Data that backs up the vendor's marketing claims
- Independently validated data
- A monetary value at least equivalent to what was paid at the point of deployment
- Refunds, not credit for more services from the same vendor
- No conditions tied to the customer's incident response or other internal procedures
- A termination clause giving the customer the right to exit the contract
Purchasing decisions cannot be made purely on the strength of a warranty. A warranty is most useful when it is tied to something the policyholder can directly observe and control, such as:
- Direct performance indicators
The target audience for this Working Session is:
- Buyers of InfoSec products and services
- InfoSec Products and Services providers
- Government Agencies
- Jeremiah Grossman
- Infosec Warranties and Guarantees - list of companies
- An Insider's Guide To Cyber Insurance And Security Guarantees - presentation
- Geekonomics: The Real Cost of Insecure Software - book
- BBC Click - 29/04/2017 - BBC Click investigates a company claiming to offer ‘absolute security’ and discovers all is not what it seems.
- OWASP Security Labeling System Project
- Market for Lemons
Here are the current ‘work in progress’ materials for this session (please add as much information as possible before the sessions):
- draft document explaining why and how InfoSec should offer guarantees and warranties
Related Working Session(s)