Those sort of information asymmetry problems (in this case, you can't know the quality of the service you're buying until it's far too late) are a textbook case of market failure [1] [2]. You can improve the outcome sometimes with some smart regulation.
But in the security industry there are multiple levels of this problem:
- The end user doesn't generally know how hardened the product he buys is
- The manufacturer is rarely certain how high quality the security auditing/services he is buying
- How much to invest in securing a product is not an easy decision.
I'm of course simplifying a lot here, but you asked for the economics of those problems, and hopefully this was interesting to some.
But in the security industry there are multiple levels of this problem:
- The end user doesn't generally know how hardened the product he buys is
- The manufacturer is rarely certain how high quality the security auditing/services he is buying
- How much to invest in securing a product is not an easy decision.
I'm of course simplifying a lot here, but you asked for the economics of those problems, and hopefully this was interesting to some.
[1] http://www.sfu.ca/~allen/leffler2.pdf [2]https://www.iei.liu.se/nek/730g83/artiklar/1.328833/AkerlofM...