Security patch management: Share the burden or share the damage?

Management Science

Volumn 54, Issue 4, 2008, Pages 657-670

  Cavusoglu, Hasan ^a,b   Cavusoglu, Huseyin ^c   Jun, Zhang ^c  

^a UNIVERSITY OF BRITISH COLUMBIA   (Canada)

^b University of Texas at Dallas ^*

^c UNIVERSITY OF TEXAS AT DALLAS   (United States)

Author keywords

Coordination schemes; Cost sharing; Information technology security; Liability; Patch management

Indexed keywords

COORDINATION SCHEMES; COST SHARING; INFORMATION TECHNOLOGY SECURITY; LIABILITY; PATCH MANAGEMENT;

COST EFFECTIVENESS; COSTS; INDUSTRIAL MANAGEMENT; INFORMATION TECHNOLOGY; SECURITY OF DATA;

COST BENEFIT ANALYSIS;

EID: 61849135265     PISSN: 00251909     EISSN: 15265501     Source Type: Journal    
DOI: 10.1287/mnsc.1070.0794     Document Type: Article

References (42)

1. Anderson, R. 2001. Why information security is hard: An economic perspective. Proc. 17th Annual Comput. Security Appl. Conf., IEEE Computer Society, Washington, D.C., 358-365.
2. Arora, A., R. Krishnan, R. Telang, Y. Yang. 2005. An empirical analysis of vendor response to disclosure policy. Fourth Workshop Econom. Inform. Security Proc., Boston.
3. August, T., T. I. Tunca. 2006. Network software security and user incentives. Management Sci. 52(11) 1703-1720.
4. August, T., T. I. Tunca. 2008. Let the pirates patch? An economic analysis of network software security patch restrictions. Inform. Systems Res. Forthcoming.
5. Beattie, S., S. Arnold, C. Cowan, P. Wagle, C. Wright, A. Shostack. 2002. Timing the application of security patches for optimal uptime. Proc. LISA '02: Sixteenth Systems Admin. Conf., Berkeley, CA, 233-242.
6. Bernstein, F., A. Federgruen. 2004. A general equilibrium model for industries with price and service competition. Oper. Res. 52(6) 868-886.
7. Bloor, B. 2003. The patch problem. White paper. http://www.baroudi.com.
8. Cachon, G. P., P. H. Zipkin. 1999. Competitive and cooperative inventory policies in a two-stage supply chain. Management Sci. 45(7) 936-953.
9. Cavusoglu, H., H. Cavusoglu, S. Raghunathan. 2004a. Economics of IT security management: Four improvements to current security practices. Comm. AIS 14 65-75.
10. Cavusoglu, H., H. Cavusoglu, S. Raghunathan. 2007. Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Trans. Software Engrg. 33(3) 171-185.
11. Cavusoglu, H., B. Mishra, S. Raghunathan. 2004b. The effect of Internet security breach announcements on market value: Capital market reaction for breached firms and Internet security developers. Internat. J. Electronic Commerce 9(4) 69-105.
12. CERT. 2007. CERT/CC statistics 1988-2007. http://www.cert.org/stats/.
13. Dacey, R. F. 2003. Effective patch management is critical to mitigating software vulnerabilities. GAO-03-1138T. United States General Accounting Office, Washington, D.C.
14. Davidson, M. A. 2003. Automatic patching-Boon or bane? Sec. Bus. Quart. 3(2) 1-4.
15. Donner, M. 2003. Patch management-Bits, bad guys, and bucks! Sec. Bus. Quart. 3(2) 1-4.
16. Farber, D. 2003. Should Microsoft pay for your security patch costs? Tech Update (January 30). http://techupdate.zdnet.com/techupdate/stories/ main/0,14179,2909857,00.html.
17. Fisher, D. 2002. Contracts getting tough on security. eWeek (April 15) 1-2.
18. Fisher, D. 2006. Third-party Microsoft patches could get new life. Search Security.com (August 1).
19. Foley, J., G. V. Hulme. 2004. Get ready to patch. Information Week (August 30) 18-21.
20. Fontana, J. 2003. Patching: Process matters. Network World 20(48) 50-52.
21. Fudenberg, D., J. Tirole. 1991. Game Theory. MIT Press, Boston.
22. Havana, T. 2003. Communication in the software vulnerability reporting process. M.A. thesis, The University of Oulu, Oulu, Finland.
23. Kannan, K., R. Telang. 2004. Market for vulnerabilities? Think again. Management Sci. 51(5) 726-740.
24. Kim, B. C., P. Chen, T. Mukhopadhyay. 2005. An economic analysis of software market with risk sharing contract. Fourth Workshop Econom. Inform. Security Proc., Boston.
25. Laakso, M., A. Takanen, J. Roning. 1999. The vulnerability process: A tiger team approach to resolving vulnerability cases. Proc. 11th FIRST Conf. Computer Security Incident Handling and Response, Brisbane, Australia.
26. Levi, M., B. Nault. 2004. Converting technology to mitigate environmental damage. Management Sci. 50(8) 1015-1030.
27. McGhie, L. 2003. Software patch management-The new frontier. Sec. Bus. Quart. 3(2) 1-4.
28. Microsoft. 2005. Security tools. Microsoft TechNet. http//www.microsoft. com/technet/security.
29. Naraine, R. 2005. Security patch deluge: A double-edged sword. eWeek (July 14). http://www.eweek.com/c/a/Security/Security-Patch-Deluge- A-DoubleEdged-Sword/.
30. NetSupport Solutions. 2003. Beating hackers to the patch. http://www.secinf.net.
31. Nizovtsev, D., M. Thursby. 2005. Economic analysis of incentives to disclose software vulnerabilities. Fourth Workshop Econom. Inform. Security Proc., Boston.
32. Ozment, A. 2004. Bug auctions: Vulnerability markets reconsidered. Third Workshop Econom. Inform. Security Proc., Minneapolis.
33. Pruitt, S. 2003. Software users hit a rough patch. PC World (November 10). http://www.pcworld.com/article/id,113296-page,1/article.html.
34. Rescorla, E. 2004. Is finding security holes a good idea? Third Workshop Econom. Inform. Security Proc., Minneapolis.
35. Schechter, S. 2002. How to buy better testing: Using competition to get the most security and robustness for your dollar. Proc. Infrastructure Security Conf., Bristol, UK, 78-87.
36. Schneier, B. 2004. Information security: How liable should vendors be? Computer World (October 28). http://www.computerworld.com/securitytopics/ security/story/0,,96948,00.html?SKC=security-96948.
37. Schneier, B. 2006. Quickest patch ever. Wired (September 7). http://www.wired.com/politics/security/commentary/securitymatters/2006/09/71738.
38. Shipley, G. 2004. Painless (well, almost) patch management procedures. Network Comput. (April 1). http://www.networkcomputing. com/showitem.jhtml?docid=1506f1.
39. Shostack, A. 2003. Quantifying patch management. Sec. Bus. Quart. 3(2) 1-4.
40. Travis, L. 2003. Patch management is about process, not just technology. AMR Res. (December 2). http://www.amrresearch.com/Content/View.asp? pmillid=16832.
41. Ulfelder, S. 2002. Practical patch management. Network World Fusion. (October 21) http://www.networkworld.com/supp/security2/patch.html.
42. Zhang, F. 2006. Competition, cooperation and information sharing in a two-echelon assembly system. Manufacturing Service Oper. Management 8(3) 273-291.