Patch release behaviors of software vendors in response to vulnerabilities: An empirical analysis

Journal of Management Information Systems

Volumn 28, Issue 4, 2012, Pages 305-338

  Temizkan, Orcun ^a   Kumar, Ram L ^a   Park, Sungjune ^a   Subramaniam, Chandrasekar ^a  

^a UNIVERSITY OF NORTH CAROLINA AT CHARLOTTE   (United States)

Author keywords

patch quality; patch release time; patch types; software vendor types; software vulnerability characteristics; survival analysis

Indexed keywords

PATCH TYPE; RELEASE TIME; SOFTWARE VENDORS; SOFTWARE VULNERABILITIES; SURVIVAL ANALYSIS;

BIOINFORMATICS; COMPUTER CRIME; COMPUTER SOFTWARE SELECTION AND EVALUATION; LAWS AND LEGISLATION; PERSONAL COMPUTING; STATISTICAL TESTS;

OPEN SYSTEMS;

EID: 84860651147     PISSN: 07421222     EISSN: None     Source Type: Journal    
DOI: 10.2753/MIS0742-1222280411     Document Type: Conference Paper

References (51)

1. Allison, P.D. Survival Analysis Using the SAS System: A Practical Guide. Cary, NC: SAS, 1995.
2. Anand, S. Information security implications of Sarbanes-Oxley. Information Security Journal: A Global Perspective, 17, 2 (2008), 75-79.
3. Arbaugh, W.A.; Fithen, W.L.; and McHugh, J. Windows of vulnerability: A case study analysis. Computer, 33, 12 (2000), 52-58.
4. Arora, A.; Caulkins, J.P.; and Telang, R. Sell first, fix later: Impact of patching on software quality. Management Science, 52, 3 (2006), 465-471.
5. Arora, A.; Nandkumar, A.; and Telang, R. Does information security attack frequency increase with vulnerability disclosure? An empirical analysis. Information Systems Frontiers, 8, 5 (2006), 350-362.
6. Arora, A.; Telang, R.; and Xu, H. Optimal policy for software vulnerability disclosure. Management Science, 54, 4 (2008), 642-656.
7. Arora, A.; Forman, C.; Nandkumar, A.; and Telang, R. Competition and patching of security vulnerabilities: An empirical analysis. Information Economics and Policy, 22, 2 (2010), 164-177.
8. Arora, A.; Krishnan, R.; Telang, R.; and Yang, Y. An empirical analysis of software vendors' patch release behavior: Impact of vulnerability disclosure. Information Systems Research, 21, 1 (2010), 115-132.
9. Avizienis, A.; Laprie, J.C.; Randell, B.; and Landwehr, C. Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing, 1, 1 (2004), 11-33.
10. Banker, R.D., and Slaughter, S.A. The moderating effects of structure on volatility and complexity in software enhancement. Information Systems Research, 11, 3 (2000), 219-240.
11. Banker, R.D.; Bardhan, I.; and Asdemir, O. Understanding the impact of collaboration software on product design and development. Information Systems Research, 17, 4 (2006), 352-373.
12. Banker, R.D.; Davis, G.B.; and Slaughter, S.A. Software development practices, software complexity, and software maintenance performance: A field study. Management Science, 44, 4 (1998), 433-450.
13. Baron, D.P. Private politics, corporate social responsibility, and integrated strategy. Journal of Economics & Management Strategy, 10, 1 (2001), 7-45.
14. Beattie, S.; Arnold, S.; Cowan, C.; Wagle, P.; and Wright, C. Timing the application of security patches for optimal uptime. In Proceedings of LISA '02: Sixteenth Systems Administration Conference. Berkeley, CA: USENIX Association, 2002, pp. 233-242.
15. Biskup, J. Security in Computing Systems: Challenges, Approaches and Solutions. Berlin: Springer, 2009.
16. Brigham, E.F., and Ehrhardt, M.C. Financial Management: Theory and Practice. Mason, OH: Thomson South-Western, 2008.
17. Carroll, A.B. A three-dimensional conceptual model of corporate social performance. Academy of Management Review, 4 (1979), 497-505.
18. Cavusoglu, H.; Cavusoglu, H.; and Raghunathan, S. Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Transactions on Software Engineering, 33, 3 (2007), 171-184.
19. Chandramouli, R.; Grance, T.; Kuhn, R.; and Landau, S. Common vulnerability scoring system. IEEE Security & Privacy, 4, 6 (2006), 85-89.
20. Cox, D.R. Regression models and life tables. Journal of the Royal Statistical Society, Series B (Methodological), 34, 2 (1972), 187-220.
21. Espinosa, J.A.; Slaughter, S.A.; Kraut, R.E.; and Herbsleb, J.D. Team knowledge and coordination in geographically distributed software development. Journal of Management Information Systems, 24, 1 (Summer 2007), 135-169.
22. Faraj, S., and Sproull, L. Coordinating expertise in software development teams. Management Science, 46, 12 (2000), 1554-1568.
23. Feller, J., and Fitzgerald, B. Understanding Open Source Software Development. London: Pearson Education, 2002.
24. Fox, J. Regression Diagnostics. Beverly Hills, CA: Sage, 1991.
25. Frühwirth, C., and Männistö, T. Improving CVSS-based vulnerability prioritization and response with context information. In Proceedings of the 3rd International Symposium on Empirical Software Engineering and Measurement. Washington, DC: IEEE Computer Society, 2009, pp. 535-544.
26. Gordon, L.A.; Loeb, M.P.; Lucyshyn, W.; and Richardson, R. 2006 CSI/FBI Computer Crime and Security Survey. Computer Security Institute, New York, 2006.
27. Hosmer, D.W., and Lemeshow, S. Applied Survival Analysis: Regression Modeling of Time to Event Data. New York: John Wiley, 1999.
28. Houmb, S.H.; Nunes Leal Franqueira, V.; and Engum, E.A. Estimating impact and frequency of risks to safety and mission critical systems using CVSS. Paper presented at the ISSRE 2008: 1st Workshop on Dependable Software Engineering, Seattle, November 11, 2008.
29. IEEE Standard for Software Maintenance. New York: Institute of Electrical and Electronics Engineers, 1993.
30. Jaisingh, J.; See-To, E.W.K.; and Tam, K.Y. The impact of open source software on the strategic choices of firms developing proprietary software. Journal of Management Information Systems, 25, 3 (Winter 2008-9), 241-275.
31. Johnson, M.E. Information risk of inadvertent disclosure: An analysis of file-sharing risk in the financial supply chain. Journal of Management Information Systems, 25, 2 (Fall 2008), 97-123.
32. Kannan, K.; Rees, J.; and Sridhar, S. Market reactions to information security breach announcements: An empirical analysis. International Journal of Electronic Commerce, 12, 1 (2007), 69-91.
33. Kemerer, C.F. Software complexity and software maintenance: A survey of empirical research. Annals of Software Engineering, 1, 1 (1995), 1-22.
34. Khoshgoftaar, T.M.; Allen, E.B.; Jones, W.D.; and Hudepohl, J.P. Classification-tree models of software-quality over multiple releases. IEEE Transactions on Reliability, 49, 1 (2000), 4-11.
35. Lin, D.Y., and Wei, L.J. The robust inference for the Cox proportional hazards model. Journal of the American Statistical Association, 84, 408 (1989), 1074-1078.
36. Liu, X., and Iyer, B. Design architecture, developer networks, and performance of open source software projects. In Proceedings of the 2007 International Conference on Information Systems. Atlanta: Association for Information Systems, 2007 (available at http://aisel.aisnet .org/icis2007/90/).
37. Mell, P., and Scarfone, K. Improving the common vulnerability scoring system. IET Information Security, 1, 3 (2007), 119-127.
38. Mell, P.; Scarfone, K.; and Romanosky, S. A complete guide to the Common Vulnerability Scoring System version 2.0. Forum of Incident Response and Security Teams (FIRST), June 2007 (available at www.first.org/cvss/cvss-guide. pdf).
39. O'Brien, J.A., and Marakas, G.M. Management Information Systems. New York: McGraw- Hill/Irwin, 2008.
40. Peduzzi, P.; Concato, J.; Feinstein, A.R.; and Holford, T.R. Importance of events per independent variable in proportional hazards regression analysis II: Accuracy and precision of regression estimates. Journal of Clinical Epidemiology, 48, 12 (1995), 1503-1510.
41. Pfleeger, C.P., and Pfleeger, S.L. Security in Computing. Upper Saddle River, NJ: Prentice Hall, 2003.
42. Png, I.P.L.; Wang, C.Y.; and Wang, Q.H. The deterrent and displacement effects of information security enforcement: International evidence. Journal of Management Information Systems, 25, 2 (Fall 2008), 125-144.
43. Poel, D.V.D., and Lariviere, B. Customer attrition analysis for financial services using proportional hazard models. European Journal of Operational Research, 157, 1 (2004), 196-217.
44. Ransbotham, S., and Mitra, S. Choice and chance: A conceptual model of paths to information security compromise. Information Systems Research, 20, 1 (2009), 121-139.
45. Raymond, E.S. The Cathedral and the Bazaar: Musings on Linux and Open Source by an Accidental Revolutionary. Cambridge, MA: O'Reilly Media, 1999.
46. Roberts, T.L.; Cheney, P.H.; Sweeney, P.D.; and Hightower, R.T. The effects of information technology project complexity on group interaction, Journal of Management Information Systems, 21, 3 (Winter 2004-5), 223-247.
47. Sen, R. A strategic analysis of competition between open source and proprietary software. Journal of Management Information Systems, 24, 1 (Summer 2007), 233-257.
48. Slaughter, S.A.; Harter, D.E.; and Krishnan, M.S. Evaluating the cost of software quality. Communications of the ACM, 41, 8 (1998), 67-73.
49. Weitzner, D.J.; Abelson, H.; Berners-Lee, T.; Feigenbaum, J.; Hendler, J.; and Sussman, G.J. Information accountability. Communications of the ACM, 51, 6 (2008), 82-87.
50. Wood, D.J. Corporate social performance revisited. Academy of Management Review, 16, 4 (1991), 691-718.
51. Xia, W., and Lee, G. Complexity of information systems development projects: Conceptualization and measurement development. Journal of Management Information Systems, 22, 1 (Summer 2005), 45-83