An empirical analysis of software vendors' patch release behavior: Impact of vulnerability disclosure

Information Systems Research

Volumn 21, Issue 1, 2010, Pages 115-132

  Arora, Ashish ^a   Krishnan, Ramayya ^a   Telang, Rahul ^a   Yang, Yubao ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

Disclosure policy; Hazard model; Information security; Open source vendors; Patch release time; Security vulnerability; Software vendors

Indexed keywords

DECISION MAKING; OPEN SYSTEMS; SECURITY OF DATA;

DISCLOSURE POLICIES; HAZARD MODELING; OPEN SOURCES; PATCH RELEASE TIME; SECURITY VULNERABILITIES; SOFTWARE VENDORS;

OPEN SOURCE SOFTWARE;

EID: 77954250852     PISSN: 10477047     EISSN: 15265536     Source Type: Journal    
DOI: 10.1287/isre.1080.0226     Document Type: Article

References (26)

1. Anderson, R., T. Moore. 2006. The economics of information security. Science 27(314) 610-613.
2. Arbaugh, W. A., W. L. Fithen, J. McHugh. 2000. Windows of vulnerability: A case study analysis. IEEE Comput. 33(12) 52-59.
3. Arora, A., J. P. Caulkins, R. Telang. 2006a. Sell first, fix later: Impact of patching on software quality. Management Sci. 52(3) 465-471.
4. Arora, A., A. Nandkumar, R. Telang. 2006b. Impact of patches and software vulnerability information on frequency of security attacks-An empirical analysis. Inform. Systems Frontier 8(5) 350-362.
5. Arora, A., R. Telang, H. Xu. 2008. Optimal policy for vulnerability disclosure. Management Sci. 54(4) 642-656.
6. August, T., T. Tunca. 2006. Network software security and user incentives. Management Sci. 52(11) 1703-1720.
7. Banker, R., G. Davis, S. Slaughter. 1998. Software development practices, software complexities, and software maintenance. Management Sci. 44(4) 433-450.
8. Belzil, C. 1995. Unemployment insurance and unemployment over time: An analysis with event history data. Rev. Econom. Statist. 77(1) 113-126.
9. Camp, L., C. Wolfram. 2000. Pricing security. Proc. CERT Inform. Survivability Workshop, Boston, 31-39.
10. Cavusoglu, H., H. Cavusoglu, S. Raghunathan. 2004. How should we disclose software vulnerabilities? Proc. 14th Annual Workshop Inform. Tech. Systems, Washington, D.C.
11. Choi, J. P., C. Fershtman, N. Gandal. 2005. Internet security, vulnerability disclosure, and software provision. Proc. 4th Workshop Econom. Inform. Systems, Boston.
12. Cox, D. R. 1975. Partial likelihood. Biometrika 62(2, May/August) 269-276.
13. Green, W. 1992. Econometric Analysis. Macmillan Publishing Company, New York.
14. Information Week. 2005. Cisco details IOS vulnerability spilled at Black Hat. http://www.informationweek.com/story/showArticle.jhtml?articleID=166403842 (July 29).
15. Kalbfleisch, J. D., R. L. Prentice. 2002. The Statistical Analysis of Failure Time Data, 2nd ed. John Wiley & Sons, New York.
16. Kannan, K., R. Telang. 2005. Market for software vulnerabilities? Think again. Management Sci. 51(5) 726-740.
17. Kaplan, E. L., P. Meier. 1958. Nonparametric estimation from incomplete observations. J. Amer. Statist. Assoc. 53 457-548.
18. Krishnan, M. S., C. Kriebel, S. Kekre, T. Mukhopadhyay. 2000. An empirical analysis of cost and conformance quality in software products. Management Sci. 46 745-759.
19. National Vulnerability Database (NVD). http://www.nvd.nist.gov/.
20. Nizovtsev, D., M. Thursby. 2007. To disclose or not? An analysis of software user behavior. Inform. Econom. Policy 19(1) 43-64.
21. Ozment, A. 2004. Bug auctions: Vulnerability markets reconsidered. 3rd Workshop Econom. Inform. Security, Minneapolis.
22. Png, I., C. Tang, Q.-H. Wang. 2006. Information security: User precaution and hacker targeting. http://ssrn.com/abstract=912161.
23. Symantec Inc. Symantec Internet Security Threat Report. Accessed June 24, 2003, http://www.symantec.com.
24. Telang, R., S. Wattal. 2007. Impact of vulnerability disclosure on market value of software vendors: An empirical analysis. IEEE Trans. Software Engrg. 33(8) 544-557.
25. Vaupel, J. W., K. G. Manton, E. Stallard. 1979. The impact of heterogeneity in individual frailty on the dynamics of mortality. Demography 16 439-454.
26. Wheeler, D. 2002. Why open source software/free software (OSS/FS)? Look at the numbers! Accessed June 19, 2007, https://wideopennews.com/archives/open-source-now-list/2002-May/pdf00000.pdf.