Network software security and user incentives

Cited by: 77
Authors
August, Terrence [1]
Tunca, Tunay I. [1]
Affiliation
[1] Stanford Univ, Grad Sch Business, Stanford, CA 94305 USA
Keywords
information systems; IT policy and management; network economics; economics of IS;
DOI
10.1287/mnsc.1060.0568
Chinese Library Classification number
C93 [Management Science];
Discipline classification codes
12 ; 1201 ; 1202 ; 120202 ;
Abstract
We study the effect of user incentives on software security in a network of individual users under costly patching and negative network security externalities. For proprietary software or freeware, we compare four alternative policies to manage network security: (i) consumer self-patching (where no external incentives are provided for patching or purchasing); (ii) mandatory patching; (iii) patching rebate; and (iv) usage tax. We show that for proprietary software, when the software security risk and the patching costs are high, for both a welfare-maximizing social planner and a profit-maximizing vendor, a patching rebate dominates the other policies. However, when the patching cost or the security risk is low, self-patching is best. We also show that when a rebate is effective, the profit-maximizing rebate is decreasing in the security risk and increasing in patching costs. The welfare-maximizing rebates are also increasing in patching costs, but can be increasing in the effective security risk when patching costs are high. For freeware, a usage tax is the most effective policy except when both patching costs and security risk are low, in which case a patching rebate prevails. Optimal patching rebates and taxes tend to increase with increased security risk and patching costs, but can decrease in the security risk for high-risk levels. Our results suggest that both the value generated from software and vendor profits can be significantly improved by mechanisms that target user incentives to maintain software security.
Pages: 1703-1720
Page count: 18