The effect of liability and patch release on software security: The monopoly case

Byung Cho Kim, Pei Yu Chen, Tridas Mukhopadhyay

Research output: Contribution to journalArticle

21 Scopus citations

Abstract

An abundance of flawed software has been identified as the main cause of the poor security of computer networks because major viruses and worms exploit the vulnerabilities of such software. As an incentive mechanism for software security quality improvement, software liability has been intensely discussed among both academics and practitioners for a long time. An alternative approach to managing software security is patch release, which has been widely adopted in practice. In this paper, we examine these two different ways of mitigating customer risk in the software market: liability and patch release. We study the impact of both mechanisms on a monopolistic software vendor's decision on security quality. We find the conditions under which each mechanism is effective in terms of improving security quality and increasing social surplus. The heterogeneous nature of loss is identified to be a key factor for the effectiveness of the liability mechanism. On the other hand, patch release can be effective and welfare-enhancing regardless of the nature of loss as long as customers incur low patching cost, and/or the vendor incurs low patch development cost. We also examine the impact of customer misperception of the outcome from vulnerable software on the effectiveness of liability.

Original languageEnglish (US)
Pages (from-to)603-617
Number of pages15
JournalProduction and Operations Management
Volume20
Issue number4
DOIs
StatePublished - Jul 1 2011
Externally publishedYes

Keywords

  • liability
  • monopoly
  • patch release
  • security awareness
  • software security

ASJC Scopus subject areas

  • Management Science and Operations Research
  • Industrial and Manufacturing Engineering
  • Management of Technology and Innovation

Fingerprint Dive into the research topics of 'The effect of liability and patch release on software security: The monopoly case'. Together they form a unique fingerprint.

  • Cite this