Despite the software industry’s rapid growth and deep pockets, tech companies are still engaged in bare-knuckles battle with cybercriminals. Hardly a week goes by without a high-profile cyberattack hitting the headlines.
Most recently, vulnerabilities in the Log4j open-source framework—used in hundreds of software products from IBM, Microsoft, Cisco, and others—handed hackers a huge opening, which has yet to be completely patched. While the fallout from the Log4j fiasco hasn’t been as grave as some feared, experts worry that cybercriminals are waiting for the frenzy to die down before launching major attacks in the coming months.
Like Log4j, the 2014 Heartbleed bug involved flaws in widely used open-source software. A team of hackers took advantage of Heartbleed’s vulnerabilities to gain illicit access to the Community Health Systems network and steal the personal data of an estimated 4.5 million patients.
These lapses point to the lingering dangers inherent in tech companies’ reliance upon free open-source software that carries little or no security and community support. The Heartbleed bug went undetected for nearly two years. As late as November 2020, more than 200,000 machines were found to be still compromised by Heartbleed, even though fixes had long been available.
For Nirup Menon, associate dean for Arlington Ventures at Mason, and Pallab Sanyal, chair of the Information Systems and Operations Management area at Mason, the current cybersecurity morass is inseparable from economic incentives. Companies hesitate to invest enough in cybersecurity, not out of general miserliness but because they don’t see much ROI from those investments. At the end of the day, the end consumer is reluctant to pay for additional security, compared to extra features that improve user experience.
Menon and Sanyal’s recent paper in MIS Quarterly, co-authored by Mikko Siponen of the University of Jyväskylä, confirms the existence of this willingness-to-pay (WTP) dilemma. Instead of attempting to cover the entire software industry, their research focuses on mobile apps, a narrower area, but one with which most consumers are familiar. Menon and Sanyal sent surveys to 580 people recruited through Amazon’s Mechanical Turk platform, describing three hypothetical apps for which paid upgrades were being offered: a password manager, a home expenses and income manager, and a medical records manager. All three types of apps would presumably have access to sensitive user information, thus making security a higher priority than it would be for, say, a news aggregation or mindfulness app. Participants were presented with a usability-based and a security-based feature, each with a nominal price tag, and asked which, if any, they would pay for. They could choose to purchase both, one, or none (no actual money changed hands). For example, in the password manager condition, they were asked if they would buy auto-login capability (usability) and advanced encryption (security).
All else being equal, Menon and Sanyal found that customers were about 43 percent less likely to pay for security than usability, amounting to a wide and worrying WTP gap between the two categories.
Based on that figure alone, you might think that consumers simply don’t care nearly as much about cybersecurity. A deeper dive into the results reveals a more complicated situation. Women, and participants who indicated in other survey questions that they tended to avoid risk, were more likely than the rest to pay for mobile app security; older and less wealthy participants were less likely to do so. Surprisingly, those who were told about past security breaches affecting the hypothetical app were less likely to pay for security, perhaps because of the quirky human propensity to believe oneself immune to the misfortunes of others.
But the most significant difference concerned the issue of outside confirmation. In the surveys, the feature descriptions were framed as either verified by an independent third party or “according to the application producer.” Restricting their analysis to third-party verified features, Menon and Sanyal found the WTP discrepancy disappeared. People were just as willing to buy security features that had been vouched for by a credible source.
A separate survey provides clarifying context. Respondents were asked to rate all the hypothetical features by how difficult they would be to verify, and the security features ranked significantly higher. This helps explain why, without third-party confirmation, cybersecurity enhancements face a WTP disadvantage: a moderately safe app will feel the same as an extremely safe one to the average consumer. A non-tech professional is not well-equipped to decide whether the upgrade is worth paying for, but if an outside authority endorses the feature, users will accept it as desirable.
Menon and Sanyal’s study suggests a number of ways software producers could monetize enhanced security features. Most obviously, companies could seek and promote verification from top security companies. In addition, they arguably need to work on improving communications about security so that ordinary users better understand the tech-speak, empowering consumers to make more informed buying decisions. By contrast, a communications approach emphasizing cautionary tales of past cyberattacks may well backfire due to the “it can’t happen to me” effect noted above. Theoretically, as more and more people start voting for enhanced security with their wallets, the internet would become safer for legitimate business and more dangerous for bad actors.