To disclose or not? An analysis of software user behavior

Information Economics and Policy

Volumn 19, Issue 1, 2007, Pages 43-64

  Nizovtsev, Dmitri ^a   Thursby, Marie ^b  

^a WASHBURN UNIVERSITY   (United States)

^b GEORGIA INSTITUTE OF TECHNOLOGY   (United States)

Author keywords

Economics of information security; Open source; Patching; Software vulnerabilities; Vulnerability disclosure

Indexed keywords

DECISION THEORY; GAME THEORY; SECURITY OF DATA;

OPEN SOURCE; SOFTWARE USER; SOFTWARE VULNERABILITY; VULNERABILITY DISCLOSURE;

ECONOMICS;

GAME THEORY; SOFTWARE;

EID: 33846588487     PISSN: 01676245     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.infoecopol.2006.10.001     Document Type: Article

References (33)

1. Arora, A., Telang, R., Xu, H., 2004a. Optimal Policy for Software Vulnerability Disclosure, Working paper, Carnegie Mellon University.
2. Arora, A., Krishnan, R., Nandkumar, A., Telang, R., Yang, Y., 2004b. Impact of Vulnerability Disclosure and Patch Availability - an Empirical Analysis. In: Third Workshop on the Economics of Information Security, Minneapolis. MN.
3. Arora A., Caulkins J.P., and Telang R. Research note - sell first, fix later: impact of patching on software quality. Management Science 52 3 (2005) 465-471
4. Bank, D., 2004. MyDoom worm renews debate on cyber-ethics, The Wall Street Journal, November 11, 2004.
5. Beattie, S., Arnold, S., Cowan, C., Wagle, P., Wright, C., Shostack, A., 2002. Timing the Application of Security Patches for Optimal Uptime. In: Proceedings of LISA 2002: Sixteenth Systems Administration Conference.
6. Camp, L.J., 2006. Economics of Information Security, SSRN Working Paper. Available from: .
7. Caplin A., and Leahy J. The social discount rate. Journal of Political Economy 112 6 (2004) 1257-1268
8. Cavusoglu, H., Cavusoglu, H., Raghunathan, S., 2004. How Should We Disclose Software Vulnerabilities? Workshop on Information Technology and Systems (WITS), Washington, DC, December 2004.
9. Choi, J.P., Fershtman, C., Gandal, N., 2005. Internet Security, Vulnerability Disclosure, and Software Provision, Fourth Workshop on the Economics of Information Security (WEIS), Cambridge, MA, June 2005.
10. Gal-Or E., and Ghose A. The economic incentives for sharing security information. Information Systems Research 16 2 (2005) 186-208
11. Gordon A.L., Loeb M., and Lucyshyn W. Sharing information on computer system security: an economic analysis. Journal of Accounting and Public Policy 22 6 (2003) 461-485
12. Gordon, L.A., Loeb, M., Lucyshyn, W., Richardson, R., 2005. 2005 CSI/FBI Computer Crime and Security Survey, Computer Security Institute.
13. Granick, J.S., 2005. The price of restricting vulnerability publications, International Journal of Communications Law and Policy Special Issue on Cybercrime, Spring, 2005, pp. 1-35.
14. Harsanyi, J.C., 1967-1968. Games with incomplete information played by 'Bayesian' players, Parts I, II, and III, Management Science 14, pp. 159-182, 320-324, and 486-502.
15. Holmstrom B. Managerial incentive problems: a dynamic perspective. Review of Economic Studies 66 (1999) 169-182
16. Kannan K., and Telang R. Market for software vulnerabilities? Think again. Management Science 51 5 (2005) 726-740
17. Kenneally, E., 2001. Stepping on the Digital Scale: Duty and Liability for Negligent Internet Security, login: The Magazine of USENIX and SAGE, 26(8), pp. 62-77. Available from: .
18. Lasser, J., 2002. Irresponsible disclosure, Security Focus, June 26, 2002.
19. Lee, J., 2001a. Man Denies Digital Piracy in First Case Under '98 Act, The New York Times, August 31, 2001.
20. Lee, J., 2001b. In Digital Copyright Case, Programmer Can Go Home, The New York Times, December 14, 2001.
21. Lemos, R., 2006. Security Flaws on the Rise, Questions Remain, SecurityFocus, January 5, 2006. Available from: .
22. Lerner J., and Tirole J. Some simple economics of open source. Journal of Industrial Economics 50 2 (2002) 197-234
23. Meunier, P., 2006. Reporting Vulnerabilities is for the Brave, CERIAS Weblogs, May 22, 2006. Available from: .
24. Nash J. Equilibrium points in N-person games. Proceedings of the National Academy of Sciences of the United States of America 36 (1950) 48-49
25. Ozment, A., 2004. Bug Auctions: Vulnerability Markets Reconsidered, Third Workshop on the Economics of Information Security.
26. Pavlicek, R., 2002. DMCA Horror Show, InfoWorld, October 19, 2002.
27. Pond, W., 2000. Do Security Holes Demand Full Disclosure? eWeek, August 16, 2000.
28. Poulsen, K., 2003. Super-DMCA' Fears Suppress Security Research, SecurityFocus, April 14, 2003. Available from: .
29. Preston E., and Lofton J. Computer security publications: information economics, shifting liability and the first amendment. Whittier Law Review 24 (2002) 71-142
30. Raikow, D., 2000. Bug Fixes Have No Profit Margin, eWeek, October 19, 2000.
31. Rauch, J., 1999, Full Disclosure: The Future of Vulnerability Disclosure? Login: The Magazine of USENIX and SAGE, Special Issue on Security, November 1999. Available from .
32. Schneier, B., 2000. Full Disclosure and the Window of Exposure," CRYPTO-GRAM, September 15, 2000. Counterpane Internet Security, Inc. Available from: .
33. Telang, R., Wattal, S., 2005. Impact of Software Vulnerability Announcements on the Market Value of Software Vendors - An Empirical Investigation, Fourth Workshop on the Economics of Information Security (WEIS), Cambridge, MA, June 2005.