Tragedy of the Thermostats: Myth vs Market

Abstract

2016 marked the year that Internet of Things (IoT) came to the forefront of cybersecurity conversations, as the community witnessed an unprecedented Distributed Denial of Service attack because of manufacturer installed default passwords. This lack of due diligence is often claimed to be evidence of the cybersecurity market failure, i.e. vendors do not invest in cybersecurity to lack of market incentives. This market failure happens because 1) consumers do not care about security (and therefore do not take security into consideration when making purchasing decisions) and 2) consumers are unable to distinguish between secure and insecure products (creating a market of security lemons). This myth of Tragedy of Thermostats ignores the market reality where different vendors do invest in security and do so due to market drivers.

Cybersecurity is certainly a collective action problem that requires the entire ecosystem, including switch manufacturers, router vendors, cloud providers, software companies, hardware manufacturers, CDNs, and ISPs, all to work together. This collaboration must extend across local, state, and national jurisdictional boundaries and as such can be constrained if led by governmental or quasi-governmental institutions. Self-organization amongst such a diverse set of actors is daunting but not unprecedented; this same coalition does support the operational aspects of the Internet.

Cybersecurity efforts follow in the same vein. A group of ISPs authored MANRS and as well as ABCs for ISPs. Both impinge network security, arguably positively. In (consumer) IoT, companies across the Internet ecosystem are developing the Open Connectivity Foundation standard for interoperability and security. Similar ecosystem support is seen for Let’s Encrypt. These select examples illustrate both the incentive to invest in security and that collective action is possible. So then where is the tragedy? Or are these actors simply not economically rational?

This paper aims to highlight the market incentives companies have to invest in security. First, security breaches have a reputational impact, which includes stock price, consumer sales, and quarterly earnings. Second, (lack of) security may increase operational cost – such as by driving the call volume in customer support centers. Third, security concerns may limit adoption of (new) technology. Fourth, security can act as market differentiator for consumers, especially when security is considered as a proxy for maturity (or quality). Finally, proactive security investment may paradoxically save money; it is cheaper to build security in than to code and deploy patches later.

It would be disingenuous to argue that these incentives apply to all actors in the ecosystem equally. Cybersecurity public policy must differentiate between actors subject to these incentives and those that are not. We argue that entities who engage with consumers directly as well as frequently are incented to make security investments compared to those whose actions are less transparent to consumers. We ground our arguments in the dominant strategies for repeated prisoner’s dilemma.