Printed from https://ideas.repec.org/a/eee/ejores/v216y2012i2p434-444.html

Information security trade-offs and optimal patching policies

Authors listed:
  • Ioannidis, Christos
  • Pym, David
  • Williams, Julian

Abstract

We develop and simulate a basic mathematical model of the costly deployment of software patches in the presence of trade-offs between confidentiality and availability. The model incorporates representations of the key aspects of the system architecture, the managers’ preferences, and the stochastic nature of the threat environment. Using the model, we compute the optimal frequencies for regular and irregular patching, for both networks and clients, for two example types of organization, military and financial. Such examples are characterized by their constellations of parameters. Military organizations, being relatively less cost-sensitive, tend to apply network patches upon their arrival. The relatively high cost of applying irregular client patches leads both types of organization to avoid deployment upon arrival.

Suggested Citation

  • Ioannidis, Christos & Pym, David & Williams, Julian, 2012. "Information security trade-offs and optimal patching policies," European Journal of Operational Research, Elsevier, vol. 216(2), pages 434-444.
  • Handle: RePEc:eee:ejores:v:216:y:2012:i:2:p:434-444
    DOI: 10.1016/j.ejor.2011.05.050

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S037722171100498X
    Download Restriction: Full text for ScienceDirect subscribers only

    File URL: https://libkey.io/10.1016/j.ejor.2011.05.050?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item

    As the access to this document is restricted, you may want to search for a different version of it.

    Citations

    Cited by:

    1. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.
    2. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    3. Lee, Sangjae & Costello, Francis Joseph & Lee, Kun Chang, 2021. "Hierarchical balanced scorecard-based organizational goals and the efficiency of controls processes," Journal of Business Research, Elsevier, vol. 132(C), pages 270-288.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Terrence August & Duy Dao & Kihoon Kim, 2019. "Market Segmentation and Software Security: Pricing Patching Rights," Management Science, INFORMS, vol. 65(10), pages 4575-4597, October.
    2. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    3. Terrence August & Marius Florin Niculescu, 2013. "The Influence of Software Process Maturity and Customer Error Reporting on Software Release and Pricing," Management Science, INFORMS, vol. 59(12), pages 2702-2726, December.
    4. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    5. Lévesque, Moren & Schade, Christian, 2002. "Intuitive optimizing for time allocation decisions in newly formed ventures," SFB 373 Discussion Papers 2002,24, Humboldt University of Berlin, Interdisciplinary Research Project 373: Quantification and Simulation of Economic Processes.
    6. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.
    7. Antoni Bosch-Domènech & Joaquim Silvestre, 2013. "Measuring risk aversion with lists: a new bias," Theory and Decision, Springer, vol. 75(4), pages 465-496, October.
    8. Levesque, Moren & Schade, Christian, 2005. "Intuitive optimizing: experimental findings on time allocation decisions with newly formed ventures," Journal of Business Venturing, Elsevier, vol. 20(3), pages 313-342, May.
    9. Anshul Tickoo & P. K. Kapur & A. K. Shrivastava & Sunil K. Khatri, 2016. "Testing effort based modeling to determine optimal release and patching time of software," International Journal of System Assurance Engineering and Management, Springer; The Society for Reliability, Engineering Quality and Operations Management (SREQOM), India, and Division of Operation and Maintenance, Lulea University of Technology, Sweden, vol. 7(4), pages 427-434, December.
    10. Ferdinand Vieider, 2016. "Certainty Preference, Random Choice, and Loss Aversion: A Comment on "Violence and Risk Preference: Experimental Evidence from Afghanistan"," Economics Discussion Papers em-dp2016-06, Department of Economics, University of Reading.
    11. Antoni Bosch-Domènech & Joaquim Silvestre, 2012. "Measuring risk aversion with lists: A new bias," Working Papers 239, University of California, Davis, Department of Economics.
    12. Birgit Löhndorf & Anna-Lena Sachs & Rudolf Vetschera, 2014. "Stability of probability effects in utility elicitation," Central European Journal of Operations Research, Springer; Slovak Society for Operations Research; Hungarian Operational Research Society; Czech Society for Operations Research; Österr. Gesellschaft für Operations Research (ÖGOR); Slovenian Society Informatika - Section for Operational Research; Croatian Operational Research Society, vol. 22(4), pages 755-777, December.
    13. Don N. Kleinmuntz & George Wu, 2006. "From the Special Issue Editors... Special Issue on Psychology and Decision Analysis," Decision Analysis, INFORMS, vol. 3(3), pages 121-123, September.
    14. Huseyin Cavusoglu & Srinivasan Raghunathan & Hasan Cavusoglu, 2009. "Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems," Information Systems Research, INFORMS, vol. 20(2), pages 198-217, June.
    15. Amitava Dutta & Rahul Roy, 2008. "Dynamics of organizational information security," System Dynamics Review, System Dynamics Society, vol. 24(3), pages 349-375, September.
    16. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    17. Ashish Arora & Ramayya Krishnan & Rahul Telang & Yubao Yang, 2010. "An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure," Information Systems Research, INFORMS, vol. 21(1), pages 115-132, March.
    18. José Luis Pinto, 1995. "Is the person trade-off a valid method for allocating health care resources? Some caveats," Economics Working Papers 140, Department of Economics and Business, Universitat Pompeu Fabra.
    19. Kavitha Ranganathan, 2018. "Does Global Shapes Of Utility Functions Matter For Investment Decisions?," Bulletin of Economic Research, Wiley Blackwell, vol. 70(4), pages 341-361, October.
