Network software security and user incentives

Management Science

Volumn 52, Issue 11, 2006, Pages 1703-1720

  August, Terrence ^a   Tunca, Tunay I ^a  

^a STANFORD UNIVERSITY   (United States)

Author keywords

Economics of IS; Information systems; IT policy and management; Network economics

Indexed keywords

FREEWARE; MANDATORY PATCHING; NETWORK SECURITY; USER INCENTIVES;

COMPUTER NETWORKS; COSTS; INFORMATION ANALYSIS; OPTIMIZATION; RISK ASSESSMENT; SECURITY OF DATA;

COMPUTER SOFTWARE;

EID: 33750703619     PISSN: 00251909     EISSN: 15265501     Source Type: Journal    
DOI: 10.1287/mnsc.1060.0568     Document Type: Article

References (52)

1. Anderson, R. J. 2001. Why information security is hard - An economic perspective. Proc. 17th Ann. Comput. Security Appl. Conf. IEEE Computer Society, Los Alamitos, CA, 358-365.
2. Anderson, R. M., R. M. May. 1991. Infectious Diseases of Humans: Dynamics and Control. Oxford University Press, Oxford, UK.
3. Arora, A., R. Telang, H. Xu. 2005. Optimal policy for software vulnerability disclosure. Working paper, Carnegie Mellon University, Pittsburgh, PA.
4. Bailey, N. T. 1975. The Mathematical Theory of Infectious Diseases and Its Applications. Oxford University Press, Oxford, UK.
5. Bentley, A. 2005. Developing a patch and vulnerability management strategy. SC Magazine. Retrieved March 2006, http://www. scmagazine.com.
6. Bloor, B. 2003. The patch problem: It's costing your business real dollars. Baroudi Bloor. http://www.baroudi.com/pdfs/patch. pdf.
7. Bragg, R. 2004. The perils of patching. (February), http://www. redmondmag.com.
8. Brito, D. L., E. Sheshinski, M. D. Intriligator. 1991. Externalities and compulsory vaccinations. J. Public Econom. 45(1) 69-90.
9. Cavusoglu, H., H. Cavusoglu, J. Zhang. 2005. Security patch management: Share the burden or share the damage. Working paper, University of British Columbia, Vancouver, Canada.
10. CERT. 2004. CERT/CC Statistics 1988-2003. CERT Coordination Center. Retrieved August 2004, http://www.cert.org/stats.
11. Choi, J. P., C. Fershtman, N. Gandal. 2005. Internet security, vulnerability disclosure, and software provision. Fourth Workshop on the Economics of Information Security, Harvard University, Cambridge, MA.
12. Computer Economies. 2004. The cost impact of major virus attacks since 1995. (February).
13. D'Amico, A. D. 2000. What does a computer security breach really cost? Secure Decisions, Applied Visions Inc., Northport, NY.
14. Davidson, M. A. 2004. Automatic software patching: Boon or bane? (June), http://www.globeandmail.com.
15. Francis, P. J. 1997. Dynamic epidemiology and the market for vaccinations. J. Public Econom, 63(3) 383-406.
16. Garg, A. 2003. The cost of information security breaches. CrossCur-rents. Ernst & Young, New York.
17. Geer, D. E. 2004. The economics of shared risk at the national scale. Third Annual Workshop on Economics and Information Security, University of Minnesota, Minneapolis, MN. Available at http://www.dtc.umn.edu/weis2004/weis- geer.pdf.
18. Geoffard, P.-Y., T. Philipson. 1996. Rational epidemics and their public control. Internat. Econom. Rev, 37(3) 603-624.
19. Gersovitz, M. 2003. Births, recoveries, vaccinations and externalities. Economies for an Imperfect World: Essays in Honor of Joseph E. Stiglitz. MIT Press, Cambridge, MA, 469-483.
20. Gersovitz, M., J. S. Hammer. 2004. The economical control of infectious diseases. Econom, J, 114(492) 1-27.
21. Gersovitz, M., J. S. Hammer. 2005. Tax/subsidy policies toward vector-borne infectious disease. J. Public Econom. 89(4) 647-674.
22. Goldman, S. M., J. Lightwood. 2002. Cost optimization in the SIS model of infectious disease with treatment. Topics Econom. Anal. Policy 2(1) 1-22.
23. Internet World Stats. 2004. World internet usage and population statistics. Retrieved March 2004, http://www.internetworldstats. com/stats.htm.
24. Jaisingh, J., Q. Li. 2005. The optimal time to disclose software vulnerability: Incentive and commitment. Working paper, Hong Kong University of Science and Technology, Hong Kong.
25. Joyce, E. 2005. More regulation for the software industry? Enterprise IT Planet (February), http://www.enterpriseitplanet.com/security/news/article.php/ 3483876.
26. Kessing, S., R. Nuscheier. 2003. Monopoly pricing with negative network effects: The case of vaccines. Working paper, Social Science Research Center, Berlin, Germany.
27. Kremer, M. 1996. Integrating behavioral choice into epidemiological models of AIDS. Quart. J. Econom. 111(2) 549-573.
28. Krim, J. 2004. U.S. goals solicited on software security. Washington-Post.com.
29. Kunreuther, H., G. M. Heal. 2002. Interdependent security: The case of identical agents. Working paper, Columbia University, New York.
30. Kunreuther, H., G. M. Heal, P. R. Orszag. 2002. Interdependent security: Implications for homeland security policy and other areas. Policy Brief 108, The Brookings Institution, Washington, D.C.
31. Lemos, R. 2003. Squashing the next worm. CNET News (August).
32. Lemos, R. 2004. Witty worm proves patching "not viable." CNET News (March).
33. Lemos, R. 2005. Patching takes over IT for a day. Techworld (January).
34. Leung, L. 2001. EPA offers incentives to firms that adopt telecommuting in five U.S. metros. Online Insider (May), http://www. conway.com/ssinsider/ incentive/ti0105.htm.
35. Maguire, J. 2004. Who's patching open source? Enterprise Linux IT (January).
36. Messmer, E. 2004a. Can software patching be automated? Network World Fusion (May), http://www.nwfusion.com/weblogs/security/005182.html.
37. Messmer, E. 2004b. Sasser worm exposes patching failures. 'Network World Fusion (May), http://www.nwfusion.com/news/ 2004/0510sasser.html.
38. Middleton, J. 2001. U.S. government calls for enforced patches. VNUnet (December), http://www.vnunet.com/.
39. Mimoso, M. 2003. Regulation, bad software, new threats fodder for Congress. Search Security (September), http://www. searchsecurity.com/.
40. Moore, D., C. Shannon, J. Brown. 2002. Code-red: A case study on the spread and victims of an Internet worm. Proc. Second ACM SIGCOMM Internet Measurement Workshop, Marseille, France, 273-284.
41. Moore, D., V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver. 2003. The spread of the Sapphire/Slammmer worm. Working paper, Berkeley, CA.
42. MS-Support. 2004. US problems after applying a security patch. Microsoft Corporation.
43. Nicastro, F. 2005. Network security tactics. Step-by-step guide: How to deploy a successful patch. Searchsecurity (September), http://www. searchsecurity.techtarget.com/.
44. Schweitzer, D. 2003. Emerging technology: Patch me if you can! Network-Magazine (August), http://www.network-magazine. com/.
45. Shannon, C, D. Moore. 2004. The spread of the witty worm. IEEE Security Privacy 2(4) 46-50.
46. Sullivan, B. 2004. "Sasser" infections begin to subside. MSNBC (May), http://www.msnbc.msn.com/id/4890780/.
47. Symantec. 2004. Automating patch management. Symantec Corporation, Cupertino, CA.
48. Timms, S., C. Potter, A. Beard. 2004. Information security breaches survey 2004. UK Department of Trade and Industry, London, UK.
49. US-CERT 2004. US-CERT vulnerability notes database. U.S. Department of Homeland Security, Washington, D.C., http://www. kb.cert.org/vuls/.
50. Varian, H. 2004. System reliability and free riding. Working paper, University of California, Berkeley, CA.
51. Weaver, N., V. Paxson, S. Staniford, R. Cunningham. 2003. A taxonomy of computer worms. Proc. 2003 ACM Workshop Rapid Malcode, ACM, Washington, D.C., 11-18.
52. Williams, M. 2000. Attack takes down Yahoo for three hours. IDG News Service (February).