Hacker behavior, network effects, and the security software market

Journal of Management Information Systems

Volumn 29, Issue 2, 2012, Pages 77-108

  Dey, Debabrata ^a   Lahiri, Atanu ^a   Zhang, Guoying ^b  

^a UNIVERSITY OF WASHINGTON   (United States)

^b MIDWESTERN STATE UNIVERSITY   (United States)

Author keywords

Market structure; Mass attacks; Negative network effect; Network effect; Oligopoly; Pricing; Security software; Strategic hacker; Targeted attacks

Indexed keywords

MARKET STRUCTURES; MASS ATTACKS; NETWORK EFFECTS; OLIGOPOLY; SECURITY SOFTWARE; STRATEGIC HACKER; TARGETED ATTACKS;

COMMERCE; COMPETITION; COSTS; ECONOMICS; PERSONAL COMPUTING; SECURITY OF DATA;

COMPUTER CRIME;

EID: 84870616747     PISSN: 07421222     EISSN: None     Source Type: Journal    
DOI: 10.2753/MIS0742-1222290204     Document Type: Article

References (43)

1. Anderson, R., and Moore, T. The economics of information security. Science, 314, 5799 (October 2006), 610-613. (Pubitemid 44646376)
2. August, T., and Tunca, T.I. Network software security and user incentives. Management Science, 52, 11 (2006), 1703-1720. (Pubitemid 44706077)
3. August, T., and Tunca, T.I. Let the pirates patch? An economic analysis of software security patch restrictions. Information Systems Research, 19, 1 (2008), 48-70.
4. Braverman, M. Win32/Blaster: A case study from Microsoft's perspective. Paper presented at the Virus Bulletin Conference, Dublin, Ireland, October 7 2005.
5. Brynjolfsson, E., and Kemerer, C. Network externalities in microcomputer software: An econometric analysis of the spreadsheet market. Management Science, 42, 12 (1996), 1627-1647. (Pubitemid 126584790)
6. Camp, L.J., and Wolfram, C. Pricing security: A market in vulnerabilities. In L.J. Camp and S. Lewis (eds.), Economics of Information Security, Advances in Information Security, vol. 12. New York: Kluwer Academic, 2004, pp. 17-34.
7. Cavusoglu, H.; Raghunathan, S.; and Yue, W.T. Decision-theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems, 25, 2 (Fall 2008), 281-304.
8. Cremonini, M., and Nizovtsev, D. Risks and benefits of signaling information system characteristics to strategic attackers. Journal of Management Information Systems, 26, 3 (Winter 2009-10), 241-274.
9. Eckelberry, A. Microsoft practices predatory pricing. Sunbeltblog, June 2006 (available at www.gfi.com/blog/microsoft-practices-predatory-pricing/).
10. Eichorn, K., and Smith, J. McAfee releases online banking safety guide for the 47 percent of consumers who are underprotected. Press Release, McAfee, Santa Clara, CA, August 2011 (available at www.mcafee.com/us/about/news/2011/q3/ 20110803-01.aspx).
11. Email attacks: This time it's personal. Cisco Security White Paper, San Jose, CA, June 2011 (available at www.cisco.com/en/US/prod/collateral/vpndevc/ ps10128/ps10339/ps10354/ targeted-attacks.pdf).
12. Farrell, J., and Saloner, G. Installed base and compatibility: Innovation, product preannouncements, and predation. American Economic Review, 76, 5 (1986), 940-955.
13. Gabszewicz, J.J., and Thisse, J.-F. Entry (and exit) in a differentiated industry. Journal of Economic Theory, 22, 2 (1980), 327-338.
14. Galbreth, M.R., and Shor, M. The impact of malicious agents on the enterprise software industry. MIS Quarterly, 34, 3 (2010), 595-612.
15. Gartner says security software revenue totaled $7.4 billion in 2005. Press Release, Gartner, Stamford, CT, September 2006 (available at www.gartner.com/it/page.jsp?id=496491/).
16. Gartner says security software market grew 12 percent in 2010. Press Release, Gartner, Stamford, CT, June 2011 (available at www.gartner.com/it/page. jsp?id=1714714/).
17. Giarratana, M.S. The birth of a new industry: Entry by start-ups and the drivers of vendor growth: The case of encryption software. Research Policy, 33, 5 (2004), 787-806.
18. Giarratana, M.S., and Fosfuri, A. Product strategies and survival in Schumpeterian environments: Evidence from the U.S. security software industry. Organization Studies, 28, 6 (2007), 909-929.
19. Goodchild, J. Botnets: Size isn't everything, says new report. Computerworld, August 3, 2011 (available at http://news.idg.no/cw/art.cfm?id= E795F760-1A64-6A71- CEE2E437E7955007/).
20. Gordon, L.A., and Loeb, M.P. The economics of information security investment. ACM Transactions on Information and System Security, 5, 4 (2002), 438-457.
21. Gordon, L.A., and Loeb, M.P. Budgeting process for information security expenditures. Communications of the ACM, 49, 1 (2006), 121-125.
22. Herath, H.S.B., and Herath, T.C. Investments in information security: A real options perspective with Bayesian postaudit. Journal of Management Information Systems, 25, 3 (Winter 2008-9), 337-375.
23. Hethcote, H.W. The mathematics of infectious diseases. SIAM Review, 42, 4 (2000), 599-653.
24. Hotelling, H. Stability in competition. Economic Journal, 39, 153 (1929), 41-57.
25. Katz, M.L., and Shapiro, C. Network externalities, competition and compatibility. American Economic Review, 75, 3 (1985), 424-440.
26. Katz, M.L., and Shapiro, C. Technology adoption in the presence of network externalities. Journal of Political Economy, 94, 4 (1986), 822-841.
27. Keizer, G. Rival calls Microsoft's security pricing "predatory, " "ruthless." Informwationweek, June 2006 (available at www.informationweek.com/rival-calls-microsofts-securitypricing/ 189600302/).
28. Kreps, D.M., and Scheinkman, J.A. Quantity precommitment and Bertrand competition yield Cournot outcomes. Bell Journal of Economics, 14, 2 (Autumn 1983), 326-337.
29. Kumar, R.L.; Park, S.; and Subramaniam, C. Understanding the value of countermeasure portfolios in information systems security. Journal of Management Information Systems, 25, 2 (Fall 2008), 241-279.
30. Lacy, S. Microsoft sweeps into security. Bloomberg Businessweek (May 31, 2006) (available at www.businessweek.com/stories/2006-05-31/microsoft-sweeps- into-security/).
31. Lahiri, A. Revisiting the incentive to tolerate illegal distribution of software products. Decision Support Systems, 53, 2 (2012), 357-367.
32. Mamani, H.; Adida, E.; and Dey, D. Vaccine market coordination using subsidy. IIE Transactions on Healthcare Systems Engineering, 2, 1 (2012), 78-96.
33. Mullins, R. Cisco study shows mass phishing attacks down, targeted attacks up. Network Computing (July 1, 2011) (available at www.networkcomputing. com/wan-security/cisco-studyshows- mass-phishing-attacks/231000854/).
34. Png, I., and Wang, Q.-H. Information security: Facilitating user precautions vis-à-vis enforcement against attackers. Journal of Management Information Systems, 26, 2 (Fall 2009), 97-121.
35. Ransbotham, S., and Mitra, S. Choice and chance: A conceptual model of paths to information security compromise. Information Systems Research, 20, 1 (2009), 121-139.
36. Salop, S.C. Monopolistic competition with outside goods. Bell Journal of Economics, 10, 1 (Spring 1979), 141-156.
37. Sancho, D. The future of BOT worms. White Paper, Trend Micro, Cupertino, CA, 2005 (available at www.trendmicro.com/cloud-content/us/pdfs/security- intelligence/white-papers/ wp-future-of-bots-final.pdf).
38. Security industry market share analysis. Market Share Report, OPSWAT, San Francisco, March 2012 (available at www.opswat.com/sites/default/files/OPSWAT- market-share-reportmarch- 2012.pdf).
39. Shapiro, C., and Varian, H.R. Information Rules: A Strategic Guide to the Network Economy. Boston: Harvard Business School Press, 1999.
40. Sun, L.; Srivastava, R.P.; and Mock, T.J. An information systems security risk assessment model under the Dempster-Shafer theory of belief functions. Journal of Management Information Systems, 22, 4 (Spring 2006), 109-142. (Pubitemid 44377673)
41. Tirole, J. The Theory of Industrial Organization. Cambridge: MIT Press, 1988.
42. van Herck, G. Entry, exit and profitability. Managerial and Decision Economics, 5, 1 (1984), 25-31.
43. Varian, H.R. Managing online security risks. New York Times (June 1, 2000) (available at www.nytimes.com/library/financial/columns/060100econ-scene. html).