The effect of liability and patch release on software security

The monopoly case

Byung Cho Kim, Pei-yu Chen, Tridas Mukhopadhyay

Research output: Contribution to journal › Article

16 Citations (Scopus)

Abstract

An abundance of flawed software has been identified as the main cause of the poor security of computer networks because major viruses and worms exploit the vulnerabilities of such software. As an incentive mechanism for software security quality improvement, software liability has been intensely discussed among both academics and practitioners for a long time. An alternative approach to managing software security is patch release, which has been widely adopted in practice. In this paper, we examine these two different ways of mitigating customer risk in the software market: liability and patch release. We study the impact of both mechanisms on a monopolistic software vendor's decision on security quality. We find the conditions under which each mechanism is effective in terms of improving security quality and increasing social surplus. The heterogeneous nature of loss is identified to be a key factor for the effectiveness of the liability mechanism. On the other hand, patch release can be effective and welfare-enhancing regardless of the nature of loss as long as customers incur low patching cost, and/or the vendor incurs low patch development cost. We also examine the impact of customer misperception of the outcome from vulnerable software on the effectiveness of liability.

Original language: English (US)
Pages (from-to): 603-617
Number of pages: 15
Journal: Production and Operations Management
Volume: 20
Issue number: 4
DOIs: 10.1111/j.1937-5956.2010.01189.x
State: Published - Jul 2011
Externally published: Yes

Fingerprint

  • Computer networks
  • Viruses
  • Costs
  • Monopoly
  • Liability
  • Software
  • Vendors

Keywords

  • liability
  • monopoly
  • patch release
  • security awareness
  • software security

ASJC Scopus subject areas

  • Industrial and Manufacturing Engineering
  • Management Science and Operations Research
  • Management of Technology and Innovation

Cite this

The effect of liability and patch release on software security: The monopoly case. / Kim, Byung Cho; Chen, Pei-yu; Mukhopadhyay, Tridas.

In: Production and Operations Management, Vol. 20, No. 4, 07.2011, p. 603-617.

@article{d528922b9a394fe184c0839353f3b6a0,
title = "The effect of liability and patch release on software security: The monopoly case",
abstract = "An abundance of flawed software has been identified as the main cause of the poor security of computer networks because major viruses and worms exploit the vulnerabilities of such software. As an incentive mechanism for software security quality improvement, software liability has been intensely discussed among both academics and practitioners for a long time. An alternative approach to managing software security is patch release, which has been widely adopted in practice. In this paper, we examine these two different ways of mitigating customer risk in the software market: liability and patch release. We study the impact of both mechanisms on a monopolistic software vendor's decision on security quality. We find the conditions under which each mechanism is effective in terms of improving security quality and increasing social surplus. The heterogeneous nature of loss is identified to be a key factor for the effectiveness of the liability mechanism. On the other hand, patch release can be effective and welfare-enhancing regardless of the nature of loss as long as customers incur low patching cost, and/or the vendor incurs low patch development cost. We also examine the impact of customer misperception of the outcome from vulnerable software on the effectiveness of liability.",
keywords = "liability, monopoly, patch release, security awareness, software security",
author = "Kim, {Byung Cho} and Pei-yu Chen and Tridas Mukhopadhyay",
year = "2011",
month = "7",
doi = "10.1111/j.1937-5956.2010.01189.x",
language = "English (US)",
volume = "20",
pages = "603--617",
journal = "Production and Operations Management",
issn = "1059-1478",
publisher = "Wiley-Blackwell",
number = "4",
}

TY  - JOUR
T1  - The effect of liability and patch release on software security
T2  - The monopoly case
AU  - Kim, Byung Cho
AU  - Chen, Pei-yu
AU  - Mukhopadhyay, Tridas
PY  - 2011/7
Y1  - 2011/7
N2  - An abundance of flawed software has been identified as the main cause of the poor security of computer networks because major viruses and worms exploit the vulnerabilities of such software. As an incentive mechanism for software security quality improvement, software liability has been intensely discussed among both academics and practitioners for a long time. An alternative approach to managing software security is patch release, which has been widely adopted in practice. In this paper, we examine these two different ways of mitigating customer risk in the software market: liability and patch release. We study the impact of both mechanisms on a monopolistic software vendor's decision on security quality. We find the conditions under which each mechanism is effective in terms of improving security quality and increasing social surplus. The heterogeneous nature of loss is identified to be a key factor for the effectiveness of the liability mechanism. On the other hand, patch release can be effective and welfare-enhancing regardless of the nature of loss as long as customers incur low patching cost, and/or the vendor incurs low patch development cost. We also examine the impact of customer misperception of the outcome from vulnerable software on the effectiveness of liability.
AB  - An abundance of flawed software has been identified as the main cause of the poor security of computer networks because major viruses and worms exploit the vulnerabilities of such software. As an incentive mechanism for software security quality improvement, software liability has been intensely discussed among both academics and practitioners for a long time. An alternative approach to managing software security is patch release, which has been widely adopted in practice. In this paper, we examine these two different ways of mitigating customer risk in the software market: liability and patch release. We study the impact of both mechanisms on a monopolistic software vendor's decision on security quality. We find the conditions under which each mechanism is effective in terms of improving security quality and increasing social surplus. The heterogeneous nature of loss is identified to be a key factor for the effectiveness of the liability mechanism. On the other hand, patch release can be effective and welfare-enhancing regardless of the nature of loss as long as customers incur low patching cost, and/or the vendor incurs low patch development cost. We also examine the impact of customer misperception of the outcome from vulnerable software on the effectiveness of liability.
KW  - liability
KW  - monopoly
KW  - patch release
KW  - security awareness
KW  - software security
UR  - http://www.scopus.com/inward/record.url?scp=79960144492&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=79960144492&partnerID=8YFLogxK
U2  - 10.1111/j.1937-5956.2010.01189.x
DO  - 10.1111/j.1937-5956.2010.01189.x
M3  - Article
VL  - 20
SP  - 603
EP  - 617
JO  - Production and Operations Management
JF  - Production and Operations Management
SN  - 1059-1478
IS  - 4
ER  - 