18 January 2022

Lemons, Peaches and Cybersecurity Breaches

In his seminal 1970 paper, Nobel Prize-winning economist George Akerlof demonstrated the tendency of markets to break down in the presence of asymmetric information, applying it to the used car market. While salesmen knew the quality and true value of the car they were selling, consumers were unable to tell the ‘lemons’ (shoddy cars) from the ‘peaches’ (quality cars). This uncertainty made consumers unwilling to pay for peaches, in case they were lemons, and made them overpay for lemons, in case they were peaches, incentivising the provision of lemons. This analysis can be applied to the complex and mystifying world of cybersecurity.
Cybersecurity budgets are soaring: they rose nearly 60% between 2014 and 2019 (a period in which the number of security breaches rose nearly 70%) and by nearly another third since. Despite this, standards are failing to keep pace, suggesting that more investment is required; one study found that 90% of over one hundred experts in the field believe cybersecurity is not good enough. When assessing the efficacy of cybersecurity solutions there are four broad measures: how capable the product is of performing its function, how well it works in reality, how well it was built, and the security of the supplier.
Product Complexity
To the untrained eye, complexity is impressive; to the trained, the opposite is true. Many products are overcomplex, and the more overcomplex the product, the more likely it is to have undetected design weaknesses and therefore to be insecure. Since firms are wary of their security systems failing, they layer solutions on top of each other, which is cost-inefficient and leads to overspending. This adds complexity to already complex systems and, by extension, increases the workload on each system, which must interact with and monitor the others, reducing their efficacy. Overworked systems then process complex data, which is more likely to produce false positives that must in turn be analysed, raising the chances of genuine threats slipping through. An important point to note is that complexity increases opacity: it becomes difficult for a firm to assess or audit its own security systems, and cybersecurity firms rarely share the limits or true efficacy of their products.
Risk Aversion
Partly due to the lack of available information, the industry is awash with risk aversion. Cybersecurity tools need to be deployed and configured perfectly, and even standard firewalls are hard to set up. As a result, when chief information security officers (CISOs) inherit legacy systems and do not understand their efficacy or workings, they keep them for fear of what could happen if they changed them. Often, intermediaries are used to advise on the sea of solutions available; they are themselves risk averse and generally prefer the ‘industry standard’. In so doing, they cannot be held accountable when things go wrong, as they could be for a ‘riskier’ new option, but they stifle innovation while entrenching broken norms.
Ruthless Competition
An inability to differentiate between good solutions and bad means that success is a matter of marketing, not of quality products. This creates a feedback loop in which many companies exist in cutthroat competition, spending extravagantly on marketing to tread water rather than on product investment, which prevents a quality product from being either created or marketed competitively and so perpetuates the cutthroat competition. The high levels of competition mean new products are typically brought to market only 60-70% complete, and low-level developers under pressure cut corners and exaggerate their products’ capabilities.
Assessing the Crowd
If the market is rife with incomplete, flawed products, and the intermediaries offer inadequate answers, the onus is on firms to make the right choice. Free risk assessments are the common measurement of efficacy, but usually only assess solutions against checklists. Selected labs, for a fee, offer varying levels of risk assessment, including penetration testing (full-scale hacking operations against security systems) and risk assessments that prioritise risks. One such lab, ScienceSoft, uses techniques ranging from sophisticated web-based hacking to social engineering to identify employee vulnerabilities. These and softer services provide firms with detailed reports and actionable recommendations. When data and information are so valuable, it makes sense for firms to take their time to validate the claims of new providers and to test the defences of existing systems’ software updates.
A Game of Resources
A self-explanatory solution is to allocate resources to the problem; an illustrative example reveals the root of the issue. Product A, for example, has £300,000 spent on penetration testing, but that sum is spread across 30 different clients with a budget of £10,000 each. This means a hacking group only needs a budget of more than £10,000 to find flaws the individual tests missed, and such groups often have considerably more. This could call for the clients of a given product to pool their penetration testing resources and force improvements, though it would be difficult to execute. The more that is spent on testing, the more the best products will come to the fore in the long run.
Lessons for Investors
What lessons can be drawn from this? In selecting cybersecurity companies, many investors embrace those that innovate away from industry norms. They look for simplified, differentiated products that are easy to understand (if you can understand the solution then so can customers), and for longer development cycles that indicate a more complete product. A firm that regularly subjects itself to rigorous, well-funded and independent testing in the interest of its customers is not only a sign of a good product, but a great sustainable

Please note that this communication is for information only and does not constitute a recommendation to buy or sell the shares of the investments mentioned. The value of investments and any income derived from them may go down as well as up and you could get back less than you invested.
This article was taken from the November 2021 Market Insight. To subscribe to our investment publications, please visit