IDEAS home Printed from https://ideas.repec.org/a/inm/ormnsc/v54y2008i4p657-670.html
   My bibliography  Save this article

Security Patch Management: Share the Burden or Share the Damage?

Author

Listed:
  • Hasan Cavusoglu

    (Sauder School of Business, University of British Columbia, Vancouver, British Columbia V6T 1Z2, Canada)

  • Huseyin Cavusoglu

    (School of Management, University of Texas at Dallas, Richardson, Texas 75083)

  • Jun Zhang

    (School of Management, University of Texas at Dallas, Richardson, Texas 75083)

Abstract

Patch management is a crucial component of information security management. An important problem within this context from a vendor's perspective is to determine how to release patches to fix vulnerabilities in its software. From a firm's perspective, the issue is how to update vulnerable systems with available patches. In this paper, we develop a game-theoretic model to study the strategic interaction between a vendor and a firm in balancing the costs and benefits of patch management. Our objective is to examine the consequences of time-driven release and update policies. We first study a centralized system in a benchmark scenario to find the socially optimal time-driven patch management. We show that the social loss is minimized when patch-release and update cycles are synchronized. Next, we consider a decentralized system in which the vendor determines its patch-release policy and the firm selects its patch-update policy in a Stackelberg framework, assuming that release and update policies are either time driven or event driven. We develop a sufficient condition that guarantees that a time-driven release by the vendor and a time-driven update by the firm is the equilibrium outcome for patch management. However, in this equilibrium, the patch-update cycle of the firm may not be synchronized with the patch-release cycle of the vendor, making it impossible to achieve the socially optimal patch management in the decentralized system. Therefore, we next examine cost sharing and liability as possible coordination mechanisms. Our analysis shows that cost sharing itself may achieve synchronization and social optimality. However, liability by itself cannot achieve social optimality unless patch-release and update cycles are already synchronized without introducing any liability. Our results also demonstrate that cost sharing and liability neither complement nor substitute each other. Finally, we show that an incentive-compatible contract on cost sharing can be designed to achieve coordination in case of information asymmetry.

Suggested Citation

  • Hasan Cavusoglu & Huseyin Cavusoglu & Jun Zhang, 2008. "Security Patch Management: Share the Burden or Share the Damage?," Management Science, INFORMS, vol. 54(4), pages 657-670, April.
    • Handle: RePEc:inm:ormnsc:v:54:y:2008:i:4:p:657-670
    DOI: 10.1287/mnsc.1070.0794
    as

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/mnsc.1070.0794
    Download Restriction: no
    File URL: https://libkey.io/10.1287/mnsc.1070.0794?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. David Cutler & Alan Garber, 2006. "Frontiers in Health Policy Research, Volume 9," NBER Books, National Bureau of Economic Research, Inc, number cutl06-1, February.
    2. Fernando Bernstein & Awi Federgruen, 2004. "A General Equilibrium Model for Industries with Price and Service Competition," Operations Research, INFORMS, vol. 52(6), pages 868-886, December.
    3. Terrence August & Tunay I. Tunca, 2008. "Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions," Information Systems Research, INFORMS, vol. 19(1), pages 48-70, March.
    4. Maurice D. Levi & Barrie R. Nault, 2004. "Converting Technology to Mitigate Environmental Damage," Management Science, INFORMS, vol. 50(8), pages 1015-1030, August.
    5. Terrence August & Tunay I. Tunca, 2006. "Network Software Security and User Incentives," Management Science, INFORMS, vol. 52(11), pages 1703-1720, November.
    6. Gérard P. Cachon & Paul H. Zipkin, 1999. "Competitive and Cooperative Inventory Policies in a Two-Stage Supply Chain," Management Science, INFORMS, vol. 45(7), pages 936-953, July.
    7. Fuqiang Zhang, 2006. "Competition, Cooperation, and Information Sharing in a Two-Echelon Assembly System," Manufacturing & Service Operations Management, INFORMS, vol. 8(3), pages 273-291, March.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Huseyin Cavusoglu & Srinivasan Raghunathan & Hasan Cavusoglu, 2009. "Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems," Information Systems Research, INFORMS, vol. 20(2), pages 198-217, June.
    2. Amitava Dutta & Rahul Roy, 2008. "Dynamics of organizational information security," System Dynamics Review, System Dynamics Society, vol. 24(3), pages 349-375, September.
    3. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    4. Tetsuo Iida & Paul Zipkin, 2010. "Competition and Cooperation in a Two-Stage Supply Chain with Demand Forecasts," Operations Research, INFORMS, vol. 58(5), pages 1350-1363, October.
    5. Karthik Kannan & Mohammad S. Rahman & Mohit Tawarmalani, 2016. "Economic and Policy Implications of Restricted Patch Distribution," Management Science, INFORMS, vol. 62(11), pages 3161-3182, November.
    6. Terrence August & Duy Dao & Hyoduk Shin, 2015. "Optimal Timing of Sequential Distribution: The Impact of Congestion Externalities and Day-and-Date Strategies," Marketing Science, INFORMS, vol. 34(5), pages 755-774, September.
    7. Fuqiang Zhang, 2006. "Competition, Cooperation, and Information Sharing in a Two-Echelon Assembly System," Manufacturing & Service Operations Management, INFORMS, vol. 8(3), pages 273-291, March.
    8. I. Zouaghi, 2011. "A theoretical systemic analysis of organizational tacit knowledge memorization," Post-Print halshs-00665703, HAL.
    9. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    10. Terrence August & Hyoduk Shin & Tunay I. Tunca, 2013. "Licensing and Competition for Services in Open Source Software," Information Systems Research, INFORMS, vol. 24(4), pages 1068-1086, December.
    11. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    12. Dexiang Yang & Lei Zhang & Ying Wu & Sidai Guo & Hua Zhang & Lijian Xiao, 2018. "A Sustainability Analysis on Retailer’s Sales Effort in A Closed-Loop Supply Chain," Sustainability, MDPI, vol. 11(1), pages 1-20, December.
    13. Terrence August & Marius Florin Niculescu, 2013. "The Influence of Software Process Maturity and Customer Error Reporting on Software Release and Pricing," Management Science, INFORMS, vol. 59(12), pages 2702-2726, December.
    14. Atanu Lahiri & Debabrata Dey, 2013. "Effects of Piracy on Quality of Information Goods," Management Science, INFORMS, vol. 59(1), pages 245-264, June.
    15. Yu, Yugang & Huang, George Q., 2010. "Nash game model for optimizing market strategies, configuration of platform products in a Vendor Managed Inventory (VMI) supply chain for a product family," European Journal of Operational Research, Elsevier, vol. 206(2), pages 361-373, October.
    16. Nils Rudi & Sandeep Kapur & David F. Pyke, 2001. "A Two-Location Inventory Model with Transshipment and Local Decision Making," Management Science, INFORMS, vol. 47(12), pages 1668-1680, December.
    17. Yan, Xiaoming & Chao, Xiuli & Lu, Ye, 2024. "Optimal control policies for dynamic inventory systems with service level dependent demand," European Journal of Operational Research, Elsevier, vol. 314(3), pages 935-949.
    18. Vishal Gaur & Young-Hoon Park, 2007. "Asymmetric Consumer Learning and Inventory Competition," Management Science, INFORMS, vol. 53(2), pages 227-240, February.
    19. Yenipazarli, Arda, 2016. "Managing new and remanufactured products to mitigate environmental damage under emissions regulation," European Journal of Operational Research, Elsevier, vol. 249(1), pages 117-130.
    20. Kevin H. Shang & Jing-Sheng Song & Paul H. Zipkin, 2009. "Coordination Mechanisms in Decentralized Serial Inventory Systems with Batch Ordering," Management Science, INFORMS, vol. 55(4), pages 685-695, April.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:inm:ormnsc:v:54:y:2008:i:4:p:657-670. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Chris Asher (email available below). General contact details of provider: https://edirc.repec.org/data/inforea.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.