Market for software vulnerabilities? Think again

Management Science

Volumn 51, Issue 5, 2005, Pages 726-740

  Kannan, Karthik ^a   Telang, Rahul ^b  

^a PURDUE UNIVERSITY   (United States)

^b CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

Game theory; Information security; Public policy; Software vulnerabilities; Vulnerability disclosure

Indexed keywords

SOCIAL OUTCOMES; SOCIAL PLANNERS; SOFTWARE VULNERABILITIES; VULNERABILITY DISCLOSURE;

COMPETITION; GAME THEORY; INFORMATION ANALYSIS; MARKETING; PUBLIC POLICY; SECURITY OF DATA; SOCIAL ASPECTS;

COMPUTER SOFTWARE;

EID: 20944441343     PISSN: 00251909     EISSN: None     Source Type: Journal    
DOI: 10.1287/mnsc.1040.0357     Document Type: Article

References (30)

1. Arora, A., J. P. Caulkins, R. Telang. 2003. Provision of software quality in the presence of patching technology. Working paper, Carnegie Mellon University, Pittsburgh, PA.
2. Arora, A., R. Telang, H. Xu. 2004. An economic model of software vulnerability disclosure. 3rd Workshop Econom. Inform. Security, Minneapolis, MN.
3. Bakos, Y., E. Brynjolfsson. 1999. Bundling information goods: Pricing, profits and efficiency. Management Sci. 45(12) 1613-1630.
4. Bakos, Y., E. Brynjolfsson, D. Lichtman. 1999. Shared information goods. J. Law Econom. 34(1) 117-155.
5. C-Net. 2003. Microsoft to offer bounty on hackers, http://rss.com. com/2100-7355-5102110.html.
6. Camp, J. L., C. Wolfram. 2004. Pricing security. L. J. Camp, S. Lewis, eds. Economics of Information Security. Advances in Information Security, Vol. 12. Springer.
7. Computer Emergency Response Team (CERT). 2003. CERT/CC Statistics 1988-2003. http://www.cert.org/stats/.
8. Dasgupta, P. S., J. E. Stiglitz. 1980. Uncertainty, industrial structure, and the speed of R&D. Bell J. Econom. 11 1-8.
9. Dingledine, R., M. Freedman, D. Molnar. 2001. Accountability. A. Oram, ed. Peer-to-Peer Harnessing the Power of Disruptive Technologies. MIT Press, Cambridge, MA, 271-334.
10. Du, W., A. P. Mathur. 1998a. Categorization of software errors that led to security breaches. Proc. 21st National Inform. Systems Security Conf., Crystal City, VA, 392-407.
11. Du, W., A. P. Mathur. 1998b. Vulnerability testing of software system using fault injection. Technical report, Reference: Coast TR 98-02, Department of Computer Science, Purdue University, West Lafayette, IN.
12. eWeek. 2003. CERT, Feds consider new reporting process, http:// www.eweek.com/article2/0,3959,970574,00.asp.
13. Gal-Or, E., A. Ghose. 2003. The economic incentives for sharing security information. Inform. Systems Res. Forthcoming.
14. Gordon, L. A., M. P. Loeb. 2002. The economics of information security investment. ACM Trans. Inform. System Security 5(4) 438-457.
15. Gordon, L. A., M. P. Loeb, W. Lucyshyn. 2002. An economic perspective on the sharing of information related to security breaches: Concepts and empirical evidence. 1st Workshop Econom. Inform. Security, Berkeley, CA
16. Gordon, L. A., M. P. Loeb, W. Lucyshyn. 2003a. Sharing information on computer systems: An economic analysis. J. Accounting Public Policy 22(6) 461-485.
17. Gordon, L. A., M. P. Loeb, T. Sohail. 2003b. A framework for using insurance for cyber risk management. Comm. ACM 46(3) 81-85.
18. Jones, S. 2002. The Internet goes to college. Technical report, Pew Internet & American Life Project, http://www.pewinternet.org.
19. Krsul, I., E. Spafford, M. Tripunitara. 1998. Computer vulnerability analysis. Technical report, Department of Computer Science, Purdue University, West Lafayette, IN.
20. National Institute of Standards and Technology (NIST). 2002. The economic impacts of inadequate infrastructure for software testing. Technical report, www.nist.gov/director/progofc/report02-03.pdf.
21. Poulson, K. 2003. Security research exemption to DMCA considered. Security-Focus, http://www.securityfocus.com/news/4729.
22. Preston, E., J. Lofton. 2002. Computer security publications: Information economics, shifting liability and the first amendment. Whittier Law Rev. 24 71-142.
23. Reinganum, J. 1982. A dynamic game of R&D: Patent protection and competitive behavior. Econometrica 48 671-688.
24. Schechter, S. E. 2002. How to buy better testing: Using competition to get the most security and robustness for your dollar. G. Davida, Y. Frankel, O. Rees, eds. Proc. Infrastructure Security Conf. Springer-Verlag.
25. Schechter, S. E., M. D. Smith. 2003. How much security is enough to stop a thief? 7th Internat. Financial Cryptography Conf., Gosiea, Guadeloupe.
26. Shapiro, C., H. Varian. 1998. Information Rules. Harvard Business School Press, Cambridge, MA.
27. Varian, H. R. 2000a. Buying, sharing and renting information goods. J. Indust. Econom. 48(4) 473-488.
28. Varian, H. R. 2000b. Managing online security risks. New York Times (June 1).
29. Varian, H. R. 2002. System reliability and free riding. 1st Workshop Econom. Inform. Security, Berkeley, CA.
30. Yurcik, W., D. Doss. 2002. Cyberinsurance: A market solution to Internet security market failure. 1st Workshop Econom. Inform. Security, Berkeley, CA.