Printed from https://ideas.repec.org/a/inm/ormnsc/v57y2011i5p934-959.html

Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments

Authors
  • Terrence August

    (Rady School of Management, University of California, San Diego, La Jolla, California 92093)

  • Tunay I. Tunca

    (Graduate School of Business, Stanford University, Stanford, California 94305)

Abstract

In recent years, vendor liability for software security vulnerabilities has been the center of an important debate in the software community and a topic gaining government attention in legislative committees and hearings. The importance of this question surrounding vendor security liability is amplified when one considers the increasing emergence of zero-day attacks, where hackers take advantage of vulnerabilities before the software vendor has a chance to release protective patches. In this paper, we compare the effectiveness of three software liability policies: vendor liability for damages, vendor liability for patching costs, and government-imposed security standards. We find that vendor liability for losses is not effective in improving social welfare in the short run, while liability for patching costs can be effective if either patching costs are large and the likelihood of a zero-day attack is low, or patching costs are small and zero-day likelihood is high. In the long run, when the vendor can invest in reducing the likelihood of security vulnerabilities, loss liability is still ineffective when the zero-day attack probability is high but can increase both vendor investment in security and social welfare when zero-day attack likelihood is sufficiently low. When the zero-day attack probability is high, patch liability is ineffective if user patching costs are large, but partial patch liability can boost vendor investment and improve welfare when patching costs are small. In contrast, in an environment with low zero-day attack probability, full vendor patch liability can be optimal. Finally, comparing the effectiveness of the three liability policies under study, we find that government-imposed standards on software security investment can be preferable to both patching and loss liability on the vendor if zero-day attack likelihood is sufficiently low. However, if zero-day attacks are a common occurrence and patching costs are not too high, partial patch liability is the most effective policy. This paper was accepted by Sandra Slaughter, information systems.

Suggested Citation

  • Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
  • Handle: RePEc:inm:ormnsc:v:57:y:2011:i:5:p:934-959
    DOI: 10.1287/mnsc.1100.1304

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/mnsc.1100.1304


    Citations

    Cited by:

    1. Terrence August & Hyoduk Shin & Tunay I. Tunca, 2013. "Licensing and Competition for Services in Open Source Software," Information Systems Research, INFORMS, vol. 24(4), pages 1068-1086, December.
    2. Mingwen Yang & Varghese S. Jacob & Srinivasan Raghunathan, 2021. "Cloud Service Model’s Role in Provider and User Security Investment Incentives," Production and Operations Management, Production and Operations Management Society, vol. 30(2), pages 419-437, February.
    3. Xing Gao, 2020. "Open Source or Closed Source? A Competitive Analysis with Software Security," Decision Analysis, INFORMS, vol. 17(1), pages 56-73, March.
    4. Da, Gaofeng & Xu, Maochao & Zhao, Peng, 2021. "Multivariate dependence among cyber risks based on L-hop propagation," Insurance: Mathematics and Economics, Elsevier, vol. 101(PB), pages 525-546.
    5. Lam, Wing Man Wynne, 2016. "Attack-prevention and damage-control investments in cybersecurity," Information Economics and Policy, Elsevier, vol. 37(C), pages 42-51.
    6. Tunay I. Tunca & Qiong Wu, 2013. "Fighting Fire with Fire: Commercial Piracy and the Role of File Sharing on Copyright Protection Policy for Digital Goods," Information Systems Research, INFORMS, vol. 24(2), pages 436-453, June.
    7. Zan Zhang & Guofang Nan & Yong Tan, 2020. "Cloud Services vs. On-Premises Software: Competition Under Security Risk and Product Customization," Information Systems Research, INFORMS, vol. 31(3), pages 848-864, September.
    8. Bienz, Carsten & Juranek, Steffen, 2020. "Software vulnerabilities and bug bounty programs," Discussion Papers 2020/4, Norwegian School of Economics, Department of Business and Management Science.
    9. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.
    10. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    11. Arrah-Marie Jo, 2019. "Software vulnerability disclosure and security investment [L'impact de la divulgation d’une faille de sécurité : au-delà des motivations de l’éditeur de logiciel]," Post-Print hal-03033198, HAL.
    12. Chul Ho Lee & Xianjun Geng & Srinivasan Raghunathan, 2016. "Mandatory Standards and Organizational Information Security," Information Systems Research, INFORMS, vol. 27(1), pages 70-86, March.
    13. Berg, Nathan & Kim, Jeong-Yoo, 2022. "Optimal online-payment security system and the role of liability sharing," Economic Modelling, Elsevier, vol. 110(C).
    14. Terrence August & Duy Dao & Hyoduk Shin, 2015. "Optimal Timing of Sequential Distribution: The Impact of Congestion Externalities and Day-and-Date Strategies," Marketing Science, INFORMS, vol. 34(5), pages 755-774, September.
    15. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    16. Terrence August & Marius Florin Niculescu, 2013. "The Influence of Software Process Maturity and Customer Error Reporting on Software Release and Pricing," Management Science, INFORMS, vol. 59(12), pages 2702-2726, December.
    17. Lam, W., 2015. "Attack-Deterring and Damage-Control Investments in Cybersecurity," LIDAM Discussion Papers CORE 2015023, Université catholique de Louvain, Center for Operations Research and Econometrics (CORE).
    18. Terrence August & Duy Dao & Kihoon Kim, 2019. "Market Segmentation and Software Security: Pricing Patching Rights," Management Science, INFORMS, vol. 65(10), pages 4575-4597, October.
    19. Yonghua Ji & Subodha Kumar & Vijay Mookerjee, 2016. "When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security," Information Systems Research, INFORMS, vol. 27(4), pages 897-918, December.
    20. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    21. Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi-Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.

