IDEAS home Printed from https://ideas.repec.org/a/inm/ormnsc/v51y2005i5p726-740.html
   My bibliography  Save this article

Market for Software Vulnerabilities? Think Again

Author

Listed:
  • Karthik Kannan

    (Krannert School of Management, Purdue University, West Lafayette, Indiana 47906)

  • Rahul Telang

    (H. John Heinz III School of Public Policy and Management, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213)

Abstract

Software vulnerability disclosure has become a critical area of concern for policymakers. Traditionally, a Computer Emergency Response Team (CERT) acts as an infomediary between benign identifiers (who voluntarily report vulnerability information) and software users. After verifying a reported vulnerability, CERT sends out a public advisory so that users can safeguard their systems against potential exploits. Lately, firms such as iDefense have been implementing a new market-based approach for vulnerability information. The market-based infomediary provides monetary rewards to identifiers for each vulnerability reported. The infomediary then shares this information with its client base. Using this information, clients protect themselves against potential attacks that exploit those specific vulnerabilities. The key question addressed in our paper is whether movement toward such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Our analysis demonstrates that an active unregulated market-based mechanism for vulnerabilities almost always underperforms a passive CERT-type mechanism. This counterintuitive result is attributed to the market-based infomediary's incentive to leak the vulnerability information inappropriately. If a profit-maximizing firm is not allowed to (or chooses not to) leak vulnerability information, we find that social welfare improves. Even a regulated market-based mechanism performs better than a CERT-type one, but only under certain conditions. Finally, we extend our analysis and show that a proposed mechanism---federally funded social planner---always performs better than a market-based mechanism.

Suggested Citation

  • Karthik Kannan & Rahul Telang, 2005. "Market for Software Vulnerabilities? Think Again," Management Science, INFORMS, vol. 51(5), pages 726-740, May.
    • Handle: RePEc:inm:ormnsc:v:51:y:2005:i:5:p:726-740
    DOI: 10.1287/mnsc.1040.0357
    as

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/mnsc.1040.0357
    Download Restriction: no
    File URL: https://libkey.io/10.1287/mnsc.1040.0357?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Partha Dasgupta & Joseph Stiglitz, 1980. "Uncertainty, Industrial Structure, and the Speed of R&D," Bell Journal of Economics, The RAND Corporation, vol. 11(1), pages 1-28, Spring.
    2. Reinganum, Jennifer F, 1982. "A Dynamic Game of R and D: Patent Protection and Competitive Behavior," Econometrica, Econometric Society, vol. 50(3), pages 671-688, May.
    3. Bakos, Yannis & Brynjolfsson, Erik & Lichtman, Douglas, 1999. "Shared Information Goods," Journal of Law and Economics, University of Chicago Press, vol. 42(1), pages 117-155, April.
    4. Esther Gal-Or & Anindya Ghose, 2005. "The Economic Incentives for Sharing Security Information," Information Systems Research, INFORMS, vol. 16(2), pages 186-208, June.
    5. Yannis Bakos & Erik Brynjolfsson, 1999. "Bundling Information Goods: Pricing, Profits, and Efficiency," Management Science, INFORMS, vol. 45(12), pages 1613-1630, December.
    6. Gordon, Lawrence A. & Loeb, Martin P. & Lucyshyn, William, 2003. "Sharing information on computer systems security: An economic analysis," Journal of Accounting and Public Policy, Elsevier, vol. 22(6), pages 461-485.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Pu Li & H. Raghav Rao, 2007. "An examination of private intermediaries’ roles in software vulnerabilities disclosure," Information Systems Frontiers, Springer, vol. 9(5), pages 531-539, November.
    2. Ashish Arora & Anand Nandkumar & Rahul Telang, 2006. "Does information security attack frequency increase with vulnerability disclosure? An empirical analysis," Information Systems Frontiers, Springer, vol. 8(5), pages 350-362, December.
    3. Ravi Sen & Joobin Choobineh & Subodha Kumar, 2020. "Determinants of Software Vulnerability Disclosure Timing," Production and Operations Management, Production and Operations Management Society, vol. 29(11), pages 2532-2552, November.
    4. Fang Fang & Manoj Parameswaran & Xia Zhao & Andrew B. Whinston, 2014. "An economic mechanism to manage operational security risks for inter-organizational information systems," Information Systems Frontiers, Springer, vol. 16(3), pages 399-416, July.
    5. Vidyanand Choudhary & Zhe (James) Zhang, 2015. "Research Note—Patching the Cloud: The Impact of SaaS on Patching Strategy and the Timing of Software Release," Information Systems Research, INFORMS, vol. 26(4), pages 845-858, December.
    6. Ashish Arora & Rahul Telang & Hao Xu, 2008. "Optimal Policy for Software Vulnerability Disclosure," Management Science, INFORMS, vol. 54(4), pages 642-656, April.
    7. Saini Das & Arunabha Mukhopadhyay & Debashis Saha & Samir Sadhukhan, 2019. "A Markov-Based Model for Information Security Risk Assessment in Healthcare MANETs," Information Systems Frontiers, Springer, vol. 21(5), pages 959-977, October.
    8. Arora, Ashish & Forman, Chris & Nandkumar, Anand & Telang, Rahul, 2010. "Competition and patching of security vulnerabilities: An empirical analysis," Information Economics and Policy, Elsevier, vol. 22(2), pages 164-177, May.
    9. Nikhil Malik & Manmohan Aseri & Param Vir Singh & Kannan Srinivasan, 2022. "Why Bitcoin Will Fail to Scale?," Management Science, INFORMS, vol. 68(10), pages 7323-7349, October.
    10. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    11. Nizovtsev, Dmitri & Thursby, Marie, 2007. "To disclose or not? An analysis of software user behavior," Information Economics and Policy, Elsevier, vol. 19(1), pages 43-64, March.
    12. Zan Zhang & Guofang Nan & Yong Tan, 2020. "Cloud Services vs. On-Premises Software: Competition Under Security Risk and Product Customization," Information Systems Research, INFORMS, vol. 31(3), pages 848-864, September.
    13. Kalpit Sharma & Arunabha Mukhopadhyay, 2023. "Cyber-risk Management Framework for Online Gaming Firms: an Artificial Neural Network Approach," Information Systems Frontiers, Springer, vol. 25(5), pages 1757-1778, October.
    14. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    15. Jingguo Wang & Aby Chaudhury & H. Raghav Rao, 2008. "Research Note ---A Value-at-Risk Approach to Information Security Investment," Information Systems Research, INFORMS, vol. 19(1), pages 106-120, March.
    16. Ashish Arora & Ramayya Krishnan & Rahul Telang & Yubao Yang, 2010. "An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure," Information Systems Research, INFORMS, vol. 21(1), pages 115-132, March.
    17. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    18. Sabyasachi Mitra & Sam Ransbotham, 2015. "Information Disclosure and the Diffusion of Information Security Attacks," Information Systems Research, INFORMS, vol. 26(3), pages 565-584, September.
    19. Stoel, M. Dale & Muhanna, Waleed A., 2011. "IT internal control weaknesses and firm performance: An organizational liability lens," International Journal of Accounting Information Systems, Elsevier, vol. 12(4), pages 280-304.
    20. Sam Ransbotham & Sabyasachi Mitra, 2009. "Choice and Chance: A Conceptual Model of Paths to Information Security Compromise," Information Systems Research, INFORMS, vol. 20(1), pages 121-139, March.
    21. Harish Guda & Milind Dawande & Ganesh Janakiraman, 2021. "“Seemingly‐Beneficial” Interventions," Production and Operations Management, Production and Operations Management Society, vol. 30(10), pages 3337-3353, October.
    22. Fabio BISOGNI & Simona CAVALLINI & Sara DI TROCCHIO, 2011. "Cybersecurity at European Level: The Role of Information Availability," Communications & Strategies, IDATE, Com&Strat dept., vol. 1(81), pages 105-124, 1st quart.
    23. Karthik Kannan & Mohammad S. Rahman & Mohit Tawarmalani, 2016. "Economic and Policy Implications of Restricted Patch Distribution," Management Science, INFORMS, vol. 62(11), pages 3161-3182, November.
    24. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    25. Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Stavins, Robert & Jaffe, Adam & Newell, Richard, 2000. "Technological Change and the Environment," Working Paper Series rwp00-002, Harvard University, John F. Kennedy School of Government.
    2. Matros, Alexander & Smirnov, Vladimir, 2016. "Duplicative search," Games and Economic Behavior, Elsevier, vol. 99(C), pages 1-22.
    3. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
    4. Huseyin Cavusoglu & Srinivasan Raghunathan & Hasan Cavusoglu, 2009. "Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems," Information Systems Research, INFORMS, vol. 20(2), pages 198-217, June.
    5. Xiaotong Li, 2022. "An evolutionary game‐theoretic analysis of enterprise information security investment based on information sharing platform," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 43(3), pages 595-606, April.
    6. Kjell Hausken, 2018. "Proactivity and Retroactivity of Firms and Information Sharing of Hackers," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 20(01), pages 1-30, March.
    7. Levitin, Gregory & Hausken, Kjell & Taboada, Heidi A. & Coit, David W., 2012. "Data survivability vs. security in information systems," Reliability Engineering and System Safety, Elsevier, vol. 100(C), pages 19-27.
    8. Xing Gao & Weijun Zhong & Shue Mei, 2014. "A game-theoretic analysis of information sharing and security investment for complementary firms," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 65(11), pages 1682-1691, November.
    9. Mehrez, Abraham & Justman, Moshe, 2001. "On the efficiency of the parallel path R&D approach: a stochastic game analysis," Mathematics and Computers in Simulation (MATCOM), Elsevier, vol. 57(1), pages 19-28.
    10. Alessandro Fedele & Cristian Roner, 2022. "Dangerous games: A literature review on cybersecurity investments," Journal of Economic Surveys, Wiley Blackwell, vol. 36(1), pages 157-187, February.
    11. Kartik Hosanagar & John Chuang & Ramayya Krishnan & Michael D. Smith, 2008. "Service Adoption and Pricing of Content Delivery Network (CDN) Services," Management Science, INFORMS, vol. 54(9), pages 1579-1593, September.
    12. Johnson, Justin P., 2014. "Defensive publishing by a leading firm," Information Economics and Policy, Elsevier, vol. 28(C), pages 15-27.
    13. Paul, Jomon A. & Zhang, Minjiao, 2021. "Decision support model for cybersecurity risk planning: A two-stage stochastic programming framework featuring firms, government, and attacker," European Journal of Operational Research, Elsevier, vol. 291(1), pages 349-364.
    14. Suzanne Scotchmer, 2006. "Consumption Externalities, Rental Markets and Purchase Clubs," Studies in Economic Theory, in: Christian Schultz & Karl Vind (ed.), Institutions, Equilibria and Efficiency, chapter 19, pages 351-369, Springer.
    15. Aldieri, Luigi & Aprile, Maria Carmela & Vinci, Concetto Paolo, 2015. "R&D Spillovers Effects on strategic behaviour of Large International Firms," MPRA Paper 63402, University Library of Munich, Germany.
    16. Yong Wu & Mengyao Xu & Dong Cheng & Tao Dai, 2022. "Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker," Decision Analysis, INFORMS, vol. 19(2), pages 99-122, June.
    17. Drew Fudenberg, 2015. "Tirole's Industrial Regulation and Organization Legacy in Economics," Scandinavian Journal of Economics, Wiley Blackwell, vol. 117(3), pages 771-800, July.
    18. Almeida Costa, Luis & Dierickx, Ingemar, 2002. "Licensing and bundling," International Journal of Industrial Organization, Elsevier, vol. 20(2), pages 251-267, February.
    19. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    20. Guang Zhu & Hu Liu & Mining Feng, 2018. "An Evolutionary Game-Theoretic Approach for Assessing Privacy Protection in mHealth Systems," IJERPH, MDPI, vol. 15(10), pages 1-27, October.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:inm:ormnsc:v:51:y:2005:i:5:p:726-740. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Chris Asher (email available below). General contact details of provider: https://edirc.repec.org/data/inforea.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.