Who should be responsible for software security? A comparative analysis of liability policies in network environments

Management Science

Volumn 57, Issue 5, 2011, Pages 934-959

  August, Terrence ^a   Tunca, Tunay I ^b  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b STANFORD UNIVERSITY   (United States)

Author keywords

Economics of IS; Enabling technologies; IT policy and management; Liability; Network economics; Software; Zero day

Indexed keywords

ECONOMICS OF IS; ENABLING TECHNOLOGIES; IT POLICY AND MANAGEMENT; LIABILITY; NETWORK ECONOMICS; SOFTWARE; ZERO-DAY;

COMPUTER CRIME; COSTS; ECONOMICS; INFORMATION TECHNOLOGY; INVESTMENTS; NETWORK MANAGEMENT; PERSONAL COMPUTING; PROBABILITY; PUBLIC POLICY;

SECURITY OF DATA;

EID: 79956063140     PISSN: 00251909     EISSN: 15265501     Source Type: Journal    
DOI: 10.1287/mnsc.1100.1304     Document Type: Article

References (91)

1. Armour, J., W. S. Humphrey. 1993. Software product liability. Technical report, Software Engineering Institute, Carnegie Mellon University, Pittsburgh.
2. Arora, A., R. Telang, H. Xu. 2008. Optimal policy for software vulnerability disclosure. Management Sci. 54(4) 642-656.
3. Asay, M. 2009. EC takes three steps back on software liability. CNET News (May 12), http://news.cnet.com/8301-13505-3 -10238475-16.html.
4. August, T., T. I. Tunca. 2006. Network software security and user incentives. Management Sci. 52(11) 1703-1720. (Pubitemid 44706077)
5. August, T., T. I. Tunca. 2008. Let the pirates patch? An economic analysis of software security patch restrictions. Inform. Systems Res. 19(1) 48-70.
6. Beattie, S., S. Arnold, C. Cowan, P. Wagle, C. Wright, A. Shostack. 2002. Timing the application of security patches for optimal uptime. Proc. 16th USENIX Conf. System Admin., USENIX Association, Berkeley, CA, 233-242.
7. Bennett, J. 2010. NHTSA to test Lexus SUV for rollover. Wall Street Journal (April 15), http://online. wsj.com/article/ SB10001424052702304510004575185983714141448.html.
8. Beres, Y., J. Griffin. 2009. Optimizing network patching policy decisions. Technical Report HPL-2009-153, Hewlett-Packard Laboratories, Palo Alto, CA.
9. Berzon, A. 2010. OSHA boosts oversight of state safety agencies. Wall Street Journal (March 29), http://online. wsj.com/article/ SB1000142405274803409804575143994200426192.html.
10. Bloor, B. 2003. The patch problem: It's costing your business real dollars. http://www.netsense. info/downloads/PatchProblemReport-BaroudiBloor. pdf.
11. Calabresi, G., K. C. Bass, III. 1970. Right approach, wrong implications: A critique of McKean on products liability. Univ. Chicago Law Rev. 38(1) 74-91.
12. Cavusoglu, H., H. Cavusoglu, S. Raghunathan. 2007. Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Trans. Software Engrg. 33(3) 171-185. (Pubitemid 46443998)
13. Cavusoglu, H., H. Cavusoglu, J. Zhang. 2008. Security patch management: Share the burden or share the damage? Management Sci. 54(4) 657-670.
14. Cavusoglu, H., B. Mishra, S. Raghunathan. 2004. The effect of Internet security breach announcements on market value: Capital market reactions for breached firms and Internet security developers. Internat. J. Electronic Commerce 9(1) 69-104. (Pubitemid 39444049)
15. Chen, P., G. Kataria, R. Krishnan. 2011. Correlated failures, diversification, and information security risk management. MIS Quart. Forthcoming.
16. Chertoff, M. 2008. Remarks by Homeland Security Secretary Michael Chertoff at the Chamber of Commerce on Cybersecurity. Office of the Press Secretary, Washington, DC. http://www . dhs. gov/xnews/releases/pr- 1224091491881.shtm.
17. Choi, J. P., C. Fershtman, N. Gandal. 2010. Network security: Vulnerabilities and disclosure policy. J. Indust. Econom. 58(4) 868-894.
18. Clarke, R. 2003. Interview: Frontline cyber war! PBS (March 18), http://www.pbs. org/wgbh/pages/frontline/shows/cyberwar/ interviews/clarke.html.
19. Collins, B. 2007. Lords tell government to clean up "Wild West" Internet. PC Pro (August 10), http://www.pcpro.co.uk/news/ broadband/122086/ lords-tell-government-to-clean-up-wild -west-internet.
20. Computer Economics. 2004. The cost impact of major virus attacks since 1995. (February), http://www.computereconomics.com/article. cfm?id=936
21. Cox, R. S., S. D. Gribble, H. M. Levy, J. G. Hansen. 2006. A safetyoriented platform for Web applications. Proc. 2006 IEEE Sympos. Security Privacy, IEEE Computer Society, Washington, DC, 350-364.
22. Cusumano, M. A. 2004. Who is liable for bugs and security flaws in software? Commun. ACM 47(3) 25-27.
23. D'Amico, A. D. 2000. What does a computer security breach really cost? White paper, September 7, Secure Decisions, Applied Visions Inc., Northport, NY.
24. Dorfman, R. 1970. The economics of products liability: A reaction to McKean. Univ. Chicago Law Rev. 38(1) 92-102.
25. Epple, D., A. Raviv. 1978. Product safety: Liability rules, market structure, and imperfect information. Amer. Econom. Rev. 68(1) 80-95.
26. Feinman, J. 2009. OWASP sheds light on its security standards. SDTimes (May 13), http://www.sdtimes.com/link/33469.
27. Fisher, D. 2002. Software liability gaining attention. eWeek.com (January 14), http://mobile. eweek.com/c/a/Application -Development/Software-Liability- Gaining-Attention/.
28. Forbath, T., P. Kalaher, T. O'Grady. 2005. The total cost of security patch management. White paper, Wipro Technologies, Ltd., Bangalore, India.
29. Fudenberg, D., E. Maskin. 1986. The folk theorem in repeated games with discounting or with incomplete information. Econometrica 54(3) 533-554.
30. Garg, A. 2003. The cost of information security breaches. Cross- Currents (Spring) 8-11.
31. Ghosh, B. 2009. How vulnerable is the power grid? TIME (April 15), http://www.time.com/time/nation/article/0,8599,1891562,00.html.
32. Gilmore, G. 1970. Products liability: A commentary. Univ. Chicago Law Rev. 38(1) 103-116.
33. Goodin, D. 2009. Webhost hack wipes out data for 100s,000 sites. The Register (June 8), http://www.theregister.co.uk/ 2009/06/08/webhost-attack/.
34. Haase, G. 2004. Security liability laws are NOT the answer. One- FreeVoice.com (November 1), http://blog. onefreevoice.com/ 2004/11/01/security- liability-laws-are-not-the-answer/.
35. Halfond, W. G., J. J. Viegas, A. Orso. 2006. A classification of SQL-injection attacks and countermeasures. Proc. IEEE Internat. Sympos. Secure Software Engrg., IEEE Computer Society, Los Alamitos, CA.
36. Heckman, C. 2003. Two views on security software liability: Using the right legal tools. IEEE Security & Privacy 1(1) 73-75.
37. Hewlett-Packard. 2010. HP TippingPoint zero day initiative. http:// www.zerodayinitiative.com/advisories/published/.
38. Ho, V. 2009. EU software liability law could divide open source. CNET News (June 11), http://news.cnet.com/8301-1001-3 -10262503-92.html.
39. IBM. 2008. IBM Internet security systems X-Force® 2008 midyear trend statistics. Report, IBM Global Technology Services, Armonk, NY.
40. Joyce, E. 2005. More regulation for the software industry? eSecurity Planet.com (February 16), http://www.esecurityplanet.com/ trends/article. php/3483876/More-Regulation-For-The-Software -Industry.htm.
41. Kaner, C. 1997. Software liability. Unpublished paper, http://www.badsoftware.com/theories.htm.
42. Keizer, G. 2004. Sasser worm impacted businesses around the world. TechWeb News (May 7), http://www.networkcomputing .com/data-protection/sasser- worm-impacted-businesses-around -the-world. php.
43. Keizer, G. 2007. FAQ: The Monster.com mess. Computerworld (August 24), http://www.computerworld.com/s/article/ 9032518/FAQ-The-Monster.com-mess.
44. Keizer, G. 2009. Researchers wait for Downadup worm's second act. Computerworld (January 23), http://www.computerworld .com/s/article/9126691/ Researchers-wait-for-Downadup-worm-s-second-act.
45. Keizer, G. 2010. Pwn2Own winner tells Apple, Microsoft to find their own bugs. Computerworld (March 25), http://www .computerworld.com/s/article/9174120/ Pwn2Own-winner-tells-Apple-Microsoft-to-find-their-own-bugs.
46. Kim, B. C., P. Chen, T. Mukhopadhyay. 2010a. An economic analysis of the software market with a risk-sharing contract. Internat. J. Electronic Commerce 14(2) 7-39.
47. Kim, B. C., P. Chen, T. Mukhopadhyay. 2010b. The effect of liability and patch release on software security: The monopoly case. Production Oper. Management, ePub ahead of print October 19, http://onlinelibrary. wiley.com/doi/10. 1111/j. 1937-5956. 2010. 01189. x/full.
48. Kolstad, C. D., T. S. Ulen, G. V. Johnson. 1990. Ex post liability for harm vs. ex ante safety regulation: Substitutes or complements? Amer. Econom. Rev. 80(4) 888-901.
49. Krebs, B. 2003. Bush approves cybersecurity strategy. Washington Post (January 31), http://www.washingtonpost.com/.
50. Krebs, B. 2007. Should e-mail addresses be considered private data? Washington Post (October 19), http://voices . washingtonpost.com/securityfix/ 2007/10/database-theft-leads-to-target.html.
51. Laffont, J. -J., J. Tirole. 1988. The dynamics of incentive contracts. Econometrica 56(5) 1153-1175.
52. Laffont, J. -J., J. Tirole. 1993. A Theory of Incentives in Procurement and Regulation. MIT Press, Cambridge, MA.
53. Lewis, J. 2009. Innovation and cybersecurity regulation. CircleID (March 31), http://www.circleid.com/posts/20090331-innovation-and-cybersecurity- regulation/.
54. Li, L., R. D. McKelvey, T. Page. 1987. Optimal research for cournot oligopolists. J. Econom. Theory 42(1) 140-166.
55. MacLeod, W. B., J. M. Malcomson. 1993. Investments, holdup, and the form of market contracts. Amer. Econom. Rev. 83(4) 811-837.
56. Markoff, J. 2009. Defying experts, rogue computer code still lurks. New York Times (August 26), http://www.nytimes.com/ 2009/08/27/technology/27compute. html.
57. McBride, S. 2005. Zero day attack imminent. Computerworld (February 3), http://www.computerworld.com. au/article/1535/zero-day-attack-imminent/.
58. McCullagh, D. 2010. Buggy McAfee update whacks Windows XP PCs. CNET News (April 21), http://news.cnet.com/8301-1009-3-20003074-83.html.
59. McKean, R. N. 1970a. Products liability: Implications of some changing property rights. Quart. J. Econom. 84(4) 611-626. McKean, R. N. 1970b. Products liability: Trends and implications. Univ. Chicago Law Rev. 38(1) 3-63.
60. Moore, D., C. Shannon, J. Brown. 2002. Code-Red: A case study on the spread and victims of an Internet worm. Proc. Second ACM SIGCOMM Workshop Internet Measurement, ACM, New York, 273-284.
61. Muller, H. M. 2000. Asymptotic efficiency in dynamic principalagent problems. J. Econom. Theory 91(2) 292-301.
62. National Infrastructure Advisory Council. 2003. The national strategy to secure cyberspace. Report, U. S. Department of Homeland Security, Washington, DC, http://www.dhs. gov/ xlibrary/assets/National-Cyberspace-Strategy.pdf.
63. Oi, W. Y. 1973. The economics of product safety. Bell J. Econom. Management Sci. 4(1) 3-28.
64. Payne, J. E. 2004. Regulation and information security: Can Y2K lessons help us? IEEE Security & Privacy 2(2) 32-35.
65. Pesendorfer, W., J. M. Swinkels. 2000. Efficiency and information aggregation in auctions. Amer. Econom. Rev. 90(3) 499-525.
66. Png, I. P. L., Q. -H. Wang. 2009. Information security: User precautions, attacker efforts, and enforcement. Proc. 42nd Hawaii Internat. Conf. System Sci., IEEE Computer Science, Los Alamitos, CA, 1-11.
67. Polinsky, A. M. 1980. Strict liability vs. negligence in a market setting. Amer. Econom. Rev. Papers Proc. 70(2) 363-367.
68. Poulsen, K. 2003. Slammer worm crashed Ohio nuke plant network. SecurityFocus (August 19), http://www.securityfocus .com/news/6767.
69. Ransbotham, S., S. Mitra. 2009. Choice and chance: A conceptual model of paths to information security compromise. Inform. Systems Res. 20(1) 121-139.
70. Ransbotham, S., S. Mitra, J. Ramsey. 2011. Are markets for vulnerabilities effective? MIS Quart. Forthcoming.
71. Rubinstein, A. 1979. Equilibrium in supergames with the overtaking criterion. J. Econom. Theory 21(1) 1-9.
72. Ryan, D. J. 2003. Two views on security software liability: Let the legal system decide. IEEE Security & Privacy 1(1) 70-72.
73. SANS Institute. 2009. The top cyber security risks. Report, SANS Institute, Bethesda, MD.
74. Schneider, F. B. 2005. It depends on what you pay. IEEE Security & Privacy 3(3) 3. (Pubitemid 40860465)
75. Schneier, B. 2004. Information security: How liable should vendors be? Computerworld (October 28), http://www.computerworld .com/s/article/96948/ Information-security-How-liable-should-vendors-be-.
76. Schneier, B. 2008. Software makers should take responsibility. The Guardian (July 17), http://www.guardian.co.uk/technology/ 2008/jul/17/internet. security.
77. Schweitzer, D. 2003. Emerging technology: Patch me if you can! NetworkMagazine.com. (August 5).
78. Shavell, S. 1982. On liability and insurance. Bell J. Econom. 13(1) 120-132.
79. Singel, R. 2007. Zero-day Malware attacks you can't block. PC World (February 21), http://www.pcworld.com/article/129020/zeroday-malware-attacks- you-cant-block.html.
80. Spence, M. 1977. Consumer misperceptions, product failure and producer liability. Rev. Econom. Stud. 44(3) 561-572.
81. Timms, S., C. Potter, A. Beard. 2004. Information security breaches survey 2004. UK Department of Trade and Industry, Apr.
82. Tirole, J. 1988. The Theory of Industrial Organization, 1st ed. MIT Press, Cambridge, MA.
83. U. S. Department of Homeland Security. 2007. National strategy for homeland security, October. Homeland Security Council, Washington, DC.
84. U. S. Department of Transportation. 2004. Federal motor vehicle safety standards and regulations. Report, National Highway Traffic Safety Administration, Washington, DC. http://www . nhtsa. gov/cars/rules/standards/ FMVSS-Regs/index.htm.
85. Vereshchagina, G., H. A. Hopenhayn. 2009. Risk taking by entrepreneurs. Amer. Econom. Rev. 99(5) 1808-1830.
86. Viscusi, W. K., M. J. Moore. 1993. Product liability, research and development, and innovation. J. Political Econom. 101(1) 161-184.
87. Wan, Z., D. Beil. 2009. RFQ auctions with supplier qualification screening. Oper. Res. 57(4) 934-949.
88. Weise, E. 2009. "All hands on deck" as FDA aims to fix food safety. USA Today (July 7), http://www.usatoday.com/ news/health/2009-07-07- food-safety-guidelines-N.htm.
89. Werth, C. 2009. Software crackdown. Newsweek (July 25), http:// www.newsweek.com/2009/07/25/software-crackdown.html.
90. Worthen, B., J. E. Vascellaro. 2010. Google attackers gained access to computer code. Wall Street Journal (April 20). http://online. wsj.com/ article/SB10001424052748703757504575194873659727984.html.
91. Zhou, Z. Z., M. E. Johnson. 2010. The impact of professional information risk ratings on vendor competition. Working paper, Rady School of Management, University of California, San Diego, La Jolla.