Printed from https://ideas.repec.org/a/inm/ormnsc/v54y2008i4p657-670.html

Security Patch Management: Share the Burden or Share the Damage?

Authors

  • Hasan Cavusoglu

    (Sauder School of Business, University of British Columbia, Vancouver, British Columbia V6T 1Z2, Canada)

  • Huseyin Cavusoglu

    (School of Management, University of Texas at Dallas, Richardson, Texas 75083)

  • Jun Zhang

    (School of Management, University of Texas at Dallas, Richardson, Texas 75083)

Abstract

Patch management is a crucial component of information security management. An important problem within this context from a vendor's perspective is to determine how to release patches to fix vulnerabilities in its software. From a firm's perspective, the issue is how to update vulnerable systems with available patches. In this paper, we develop a game-theoretic model to study the strategic interaction between a vendor and a firm in balancing the costs and benefits of patch management. Our objective is to examine the consequences of time-driven release and update policies. We first study a centralized system in a benchmark scenario to find the socially optimal time-driven patch management. We show that the social loss is minimized when patch-release and update cycles are synchronized. Next, we consider a decentralized system in which the vendor determines its patch-release policy and the firm selects its patch-update policy in a Stackelberg framework, assuming that release and update policies are either time driven or event driven. We develop a sufficient condition that guarantees that a time-driven release by the vendor and a time-driven update by the firm is the equilibrium outcome for patch management. However, in this equilibrium, the patch-update cycle of the firm may not be synchronized with the patch-release cycle of the vendor, making it impossible to achieve the socially optimal patch management in the decentralized system. Therefore, we next examine cost sharing and liability as possible coordination mechanisms. Our analysis shows that cost sharing itself may achieve synchronization and social optimality. However, liability by itself cannot achieve social optimality unless patch-release and update cycles are already synchronized without introducing any liability. Our results also demonstrate that cost sharing and liability neither complement nor substitute each other. Finally, we show that an incentive-compatible contract on cost sharing can be designed to achieve coordination in case of information asymmetry.

Suggested Citation

  • Hasan Cavusoglu & Huseyin Cavusoglu & Jun Zhang, 2008. "Security Patch Management: Share the Burden or Share the Damage?," Management Science, INFORMS, vol. 54(4), pages 657-670, April.
  • Handle: RePEc:inm:ormnsc:v:54:y:2008:i:4:p:657-670
    DOI: 10.1287/mnsc.1070.0794
    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/mnsc.1070.0794
    Download Restriction: no


    References listed on IDEAS

    1. Maurice D. Levi & Barrie R. Nault, 2004. "Converting Technology to Mitigate Environmental Damage," Management Science, INFORMS, vol. 50(8), pages 1015-1030, August.
    2. Terrence August & Tunay I. Tunca, 2006. "Network Software Security and User Incentives," Management Science, INFORMS, vol. 52(11), pages 1703-1720, November.
    3. David Cutler & Alan Garber, 2006. "Frontiers in Health Policy Research, Volume 9," NBER Books, National Bureau of Economic Research, Inc, number cutl06-1.
    4. Gérard P. Cachon & Paul H. Zipkin, 1999. "Competitive and Cooperative Inventory Policies in a Two-Stage Supply Chain," Management Science, INFORMS, vol. 45(7), pages 936-953, July.
    5. Fernando Bernstein & Awi Federgruen, 2004. "A General Equilibrium Model for Industries with Price and Service Competition," Operations Research, INFORMS, vol. 52(6), pages 868-886, December.
    6. Fuqiang Zhang, 2006. "Competition, Cooperation, and Information Sharing in a Two-Echelon Assembly System," Manufacturing & Service Operations Management, INFORMS, vol. 8(3), pages 273-291, March.
    7. Terrence August & Tunay I. Tunca, 2008. "Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions," Information Systems Research, INFORMS, vol. 19(1), pages 48-70, March.

    Citations

    Cited by:

    1. Hasan Cavusoglu & Huseyin Cavusoglu & Xianjun Geng, 2020. "Bloatware and Jailbreaking: Strategic Impacts of Consumer-Initiated Modification of Technology Products," Information Systems Research, INFORMS, vol. 31(1), pages 240-257, March.
    2. Huseyin Cavusoglu & Hasan Cavusoglu, 2007. "Assessing the Value of Network Security Technologies: The Impact of Configuration and Interaction on Value," Working Papers 07-19, NET Institute, revised Aug 2007.
    3. Vidyanand Choudhary & Zhe (James) Zhang, 2015. "Research Note—Patching the Cloud: The Impact of SaaS on Patching Strategy and the Timing of Software Release," Information Systems Research, INFORMS, vol. 26(4), pages 845-858, December.
    4. Yiting Xing & Ling Li & Zhuming Bi & Marzena Wilamowska‐Korsak & Li Zhang, 2013. "Operations Research (OR) in Service Industries: A Comprehensive Review," Systems Research and Behavioral Science, Wiley Blackwell, vol. 30(3), pages 300-353, May.
    5. Doroudi, Sherwin & Avgerinos, Thanassis & Harchol-Balter, Mor, 2021. "To clean or not to clean: Malware removal strategies for servers under load," European Journal of Operational Research, Elsevier, vol. 292(2), pages 596-609.
    6. Li, Bo & Tan, Zhen & Arreola-Risa, Antonio & Huang, Yiwei, 2023. "On the improvement of uncertain cloud service capacity," International Journal of Production Economics, Elsevier, vol. 258(C).
    7. Anshul Tickoo & P. K. Kapur & A. K. Shrivastava & Sunil K. Khatri, 2016. "Testing effort based modeling to determine optimal release and patching time of software," International Journal of System Assurance Engineering and Management, Springer;The Society for Reliability, Engineering Quality and Operations Management (SREQOM),India, and Division of Operation and Maintenance, Lulea University of Technology, Sweden, vol. 7(4), pages 427-434, December.
    8. Ioannidis, Christos & Pym, David & Williams, Julian, 2012. "Information security trade-offs and optimal patching policies," European Journal of Operational Research, Elsevier, vol. 216(2), pages 434-444.
    9. Arunabha Mukhopadhyay & Samir Chatterjee & Kallol K. Bagchi & Peteer J. Kirs & Girja K. Shukla, 2019. "Cyber Risk Assessment and Mitigation (CRAM) Framework Using Logit and Probit Models for Cyber Insurance," Information Systems Frontiers, Springer, vol. 21(5), pages 997-1018, October.
    10. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.
    11. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    12. Arrah-Marie Jo, 2019. "Software vulnerability disclosure and security investment [L'impact de la divulgation d’une faille de sécurité : au-delà des motivations de l’éditeur de logiciel]," Post-Print hal-03033198, HAL.
    13. Ankit Shah & Katheryn A. Farris & Rajesh Ganesan & Sushil Jajodia, 2022. "Vulnerability Selection for Remediation: An Empirical Analysis," The Journal of Defense Modeling and Simulation, vol. 19(1), pages 13-22, January.
    14. Huseyin Cavusoglu & Srinivasan Raghunathan & Hasan Cavusoglu, 2009. "Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems," Information Systems Research, INFORMS, vol. 20(2), pages 198-217, June.
    15. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    16. Chen, Wenbo & Yang, Huixiao, 2018. "Retailer-driven carbon emission abatement with consumer environmental awareness and carbon tax: Revenue-sharing versus Cost-sharing," Omega, Elsevier, vol. 78(C), pages 179-191.
    17. Terrence August & Marius Florin Niculescu, 2013. "The Influence of Software Process Maturity and Customer Error Reporting on Software Release and Pricing," Management Science, INFORMS, vol. 59(12), pages 2702-2726, December.
    18. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    19. Sabyasachi Mitra & Sam Ransbotham, 2015. "Information Disclosure and the Diffusion of Information Security Attacks," Information Systems Research, INFORMS, vol. 26(3), pages 565-584, September.
    20. Terrence August & Duy Dao & Kihoon Kim, 2019. "Market Segmentation and Software Security: Pricing Patching Rights," Management Science, INFORMS, vol. 65(10), pages 4575-4597, October.
    21. Amitava Dutta & Rahul Roy, 2008. "Dynamics of organizational information security," System Dynamics Review, System Dynamics Society, vol. 24(3), pages 349-375, September.
    22. Yogita Kansal & Gurinder Singh & Uday Kumar & P. K. Kapur, 2016. "Optimal release and patching time of software with warranty," International Journal of System Assurance Engineering and Management, Springer;The Society for Reliability, Engineering Quality and Operations Management (SREQOM),India, and Division of Operation and Maintenance, Lulea University of Technology, Sweden, vol. 7(4), pages 462-468, December.
    23. Chao Luo & Hiroyuki Okamura & Tadashi Dohi, 2016. "Optimal planning for open source software updates," Journal of Risk and Reliability, vol. 230(1), pages 44-53, February.
    24. Alain Bensoussan & Vijay Mookerjee & Wei T. Yue, 2020. "Managing Information System Security Under Continuous and Abrupt Deterioration," Production and Operations Management, Production and Operations Management Society, vol. 29(8), pages 1894-1917, August.
    25. Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Huseyin Cavusoglu & Srinivasan Raghunathan & Hasan Cavusoglu, 2009. "Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems," Information Systems Research, INFORMS, vol. 20(2), pages 198-217, June.
    2. Amitava Dutta & Rahul Roy, 2008. "Dynamics of organizational information security," System Dynamics Review, System Dynamics Society, vol. 24(3), pages 349-375, September.
    3. Tetsuo Iida & Paul Zipkin, 2010. "Competition and Cooperation in a Two-Stage Supply Chain with Demand Forecasts," Operations Research, INFORMS, vol. 58(5), pages 1350-1363, October.
    4. Karthik Kannan & Mohammad S. Rahman & Mohit Tawarmalani, 2016. "Economic and Policy Implications of Restricted Patch Distribution," Management Science, INFORMS, vol. 62(11), pages 3161-3182, November.
    5. Terrence August & Duy Dao & Hyoduk Shin, 2015. "Optimal Timing of Sequential Distribution: The Impact of Congestion Externalities and Day-and-Date Strategies," Marketing Science, INFORMS, vol. 34(5), pages 755-774, September.
    6. Fuqiang Zhang, 2006. "Competition, Cooperation, and Information Sharing in a Two-Echelon Assembly System," Manufacturing & Service Operations Management, INFORMS, vol. 8(3), pages 273-291, March.
    7. I. Zouaghi, 2011. "A theoretical systemic analysis of organizational tacit knowledge memorization," Post-Print halshs-00665703, HAL.
    8. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    9. Terrence August & Hyoduk Shin & Tunay I. Tunca, 2013. "Licensing and Competition for Services in Open Source Software," Information Systems Research, INFORMS, vol. 24(4), pages 1068-1086, December.
    10. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    11. Dexiang Yang & Lei Zhang & Ying Wu & Sidai Guo & Hua Zhang & Lijian Xiao, 2018. "A Sustainability Analysis on Retailer’s Sales Effort in A Closed-Loop Supply Chain," Sustainability, MDPI, vol. 11(1), pages 1-20, December.
    12. Terrence August & Marius Florin Niculescu, 2013. "The Influence of Software Process Maturity and Customer Error Reporting on Software Release and Pricing," Management Science, INFORMS, vol. 59(12), pages 2702-2726, December.
    13. Atanu Lahiri & Debabrata Dey, 2013. "Effects of Piracy on Quality of Information Goods," Management Science, INFORMS, vol. 59(1), pages 245-264, June.
    14. Yu, Yugang & Huang, George Q., 2010. "Nash game model for optimizing market strategies, configuration of platform products in a Vendor Managed Inventory (VMI) supply chain for a product family," European Journal of Operational Research, Elsevier, vol. 206(2), pages 361-373, October.
    15. Nils Rudi & Sandeep Kapur & David F. Pyke, 2001. "A Two-Location Inventory Model with Transshipment and Local Decision Making," Management Science, INFORMS, vol. 47(12), pages 1668-1680, December.
    16. Yan, Xiaoming & Chao, Xiuli & Lu, Ye, 2024. "Optimal control policies for dynamic inventory systems with service level dependent demand," European Journal of Operational Research, Elsevier, vol. 314(3), pages 935-949.
    17. Vishal Gaur & Young-Hoon Park, 2007. "Asymmetric Consumer Learning and Inventory Competition," Management Science, INFORMS, vol. 53(2), pages 227-240, February.
    18. Yenipazarli, Arda, 2016. "Managing new and remanufactured products to mitigate environmental damage under emissions regulation," European Journal of Operational Research, Elsevier, vol. 249(1), pages 117-130.
    19. Kevin H. Shang & Jing-Sheng Song & Paul H. Zipkin, 2009. "Coordination Mechanisms in Decentralized Serial Inventory Systems with Batch Ordering," Management Science, INFORMS, vol. 55(4), pages 685-695, April.
    20. Mingwen Yang & Varghese S. Jacob & Srinivasan Raghunathan, 2021. "Cloud Service Model’s Role in Provider and User Security Investment Incentives," Production and Operations Management, Production and Operations Management Society, vol. 30(2), pages 419-437, February.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.