Monday, November 3, 2008

A Security Market for Lemons

Prelude...
Today, I attended a talk by Dr. Prabhakar Raghavan, the head of Yahoo research. It was quite interesting and a main take away point for me was we, as scientists/engineers, need to seriously consider economic aspects (mainly monetization) along with technical details (correctness, scalability, responsiveness, security, etc.) when designing/developing systems. He nicely explained how Yahoo was loosing money 2 years ago because of not considering other factors (such as click rate) along with bid prices to order the list of ads shown to users. (Companies are charged only when users click on their ads, but not for showing them. Companies can bid high for their ads and have a top spot in the ads bar even though the ads may not be very relevant to users' intent. They continue to enjoy top spot (as user's hardly click on irrelevant links) at the cost of more relevant ones not getting the due attention. However, such top ads gets the unfair attention of users over others as conveying their brand plays a big part of initial selection of products by users. To prevent such an unfair or kind of lemon market for ads, you need to consider other factors in addition to the bid they make.) Now they have corrected this. Here's how Google ranks ads.

Now to the $subject...
I was curious to find out what a lemon market is all about - especially how it affects security. I must admit that my knowledge on economic concepts is very limited. However, I found some good reference about it on the web [1, 2, 3]. Let me try to explain the core:

The concept of lemon markets was introduced by George Akerlof, the joint Nobel price winner in Economics in 2001, in his 1970 paper "The market for lemons: Quality uncertainty and the market mechanisms" (Has about 5000 citations and counting in Google Scholar).

What is a lemon market? How are they get formed?
The basic idea is that in a market (in author's terminology, with asymmetric information) where sellers have more information than buyers about the product (and no buyers can accurately assess the quality of the product), bad products can drive away good products from the market creating a lemon market for lemons (low quality products). This happens because buyers get some kind of incentive (e.g. lower price) in exchange of lemons. You can find the detailed requirements for its formation in the paper.

Akerlof uses used car market as an example to explain this concept. There are good used cars and defective used cars (lemons). Sellers know what is what, but buyers don't know until at least they purchase them. Sparing the technical details mentioned in the paper, buyers position their perceived price for a good car a little over the price of an average used car in the hope that they will trade for a good used car. Since good used cars are priced higher than what buyers may be willing to pay, good used cars do not get sold and the lemons (the crappy ones) take over the market.

I think, the key reason for such formation of lemon markets is the lack of credible disclosure of the quality of the products being sold. If we have a trusted independent party to assert the quality, we may prevent lemon markets. For example, we have kbb here in USA to check prices for used cars; it gives a trust worthy measure of how much a used car actually worth. Even though it has some subjective components in its evaluation, it is better to have something like that than nothing.

Does marketing create lemon markets? I think it contributes towards that; with competition, marketing companies may bend the facts to get a more favorable perception among buyers for certain products. However, it is not quite sure if they will survive in the long run. You can find a detailed treatment of it here. With many major online companies providing customer reviews/ratings for products, I think people become more informed about lemons. When I buy from Amazon or other sites, first thing I do is to go through customer reviews to see their experience with the product - so fat it has been quite reliable way of avoiding lemons.

What are the imprecations of lemon markets on security? I found this interesting post regarding this. In this, Schneier points out some good examples. The bottom line is that there is no market for good security (since mediocre security is cheaper and companies base their decisions mainly on price) unless there is some sort of "signal" (example: warranty, a third-party verification, etc) that informs buyers about differences in the same product in the market. Of course, the "signal" should be trustworthy in order for it to work.

From the lemon paper - the cost of lemon markets:
"The cost of dishonesty, therefore, lies not only in the amount by which the purchaser is cheated; the cost also must include the loss incurred from driving legitimate business out of existence".

No comments: