Optimal Policies for Security Patch Management

Dey, Debabrata; Lahiri, Atanu; Zhang, Guoying

doi:10.1287/ijoc.2014.0638

Cited by 42 publications

(28 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Beattie et al (2002) characterize the optimal time to apply patches when trading off patch instability and security risk exposure. Dey et al (2015) compare several patch application policies, varying by a measure of interest including the number of patches, time between patching, and cumulative severity of patches. Cavusoglu et al (2008) examine the role of cost sharing and loss liability on time-driven patch management.…”

Section: Literature Reviewmentioning

confidence: 99%

Market Segmentation and Software Security: Pricing Patching Rights

2019

View full text Add to dashboard Cite

The patching approach to security in the software industry has been less effective than desired. One critical issue with the status quo is that the endowment of “patching rights” (the ability for a user to choose whether security updates are applied) lacks the incentive structure to induce better security-related decisions. However, producers can differentiate their products based on the provision of patching rights. By characterizing the price for these rights, the optimal discount provided to those who relinquish rights and have their systems automatically updated in a timely manner, and the consumption and protection strategies taken by users in equilibrium as they strategically interact because of the security externality associated with product vulnerabilities, it is shown that the optimal pricing of these rights can segment the market in a manner that leads to both greater security and greater profitability. This policy greatly reduces unpatched populations and has a relative hike in profitability that is increasing in the extent to which patches are bundled together. Social welfare may decrease when automated patching costs are small because strategic pricing contracts usage in the market and also incentivizes loss-inefficient choices. However, welfare benefits when the policy either (1) greatly expands automatic updating in cases in which it is minimally observed or (2) significantly reduces the patching process burden of those who most value the software. This paper was accepted by Anandhi Bharadwaj, information systems.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Market Segmentation and Software Security: Pricing Patching Rights

2019

View full text Add to dashboard Cite

show abstract

“…The research agenda on the economics of information security has been extensively developed along multiple directions such as patching management and incentives (Cavusoglu et al 2008, Ioannidis et al 2012, Dey et al 2015, August et al 2016, software liability Tunca 2011, Kim et al 2011), network security (August and Tunca 2006, August et al 2014, piracy (August and Tunca 2008, Lahiri 2012, Kannan et al 2016, vulnerability disclosure (Cavusoglu and Raghunathan 2007, Arora et al 2008, Choi et al 2010, Mitra and Ransbotham 2015, and markets for information security and managed security services (Kannan and Telang 2005, Dey et al 2012, Gupta and Zhdanov 2012, Ransbotham et al 2012, Dey et al 2014, Cezar et al 2017. However, study of the economic dynamics of markets affected by ransomware remains relatively scarce.…”

Section: Literature Reviewmentioning

confidence: 99%

“…Most prior work has aimed at understanding how a software firm and its users react to security risk tend to model both patching costs and security losses, and these models can cover a wide variety of cyber attacks (August and Tunca 2006;Cavusoglu et al 2008;Dey et al 2015). However, ransomware is unique in that it presents users with an opportunity to pay in exchange for a possible reduction in security losses.…”

Section: Introductionmentioning

confidence: 99%

Economics of Ransomware Attacks

2019

View full text Add to dashboard Cite

“…Current VRM methods, used in production environments, prioritize vulnerability patching based on the severity score, thus vulnerabilities with critical and high severity are patched first. D. Dey et al [3] compares several practical patch policies and concludes that patch policies relying on a single metric such as severity level are not optimal. Indeed, if the severity level of a vulnerability is high but the risk of exploitation is low, it can be patched in a later time.…”

Section: Introductionmentioning

confidence: 99%

Normalization of Severity Rating for Automated Context-aware Vulnerability Risk Management

Ahmadi

Arlos

Casalicchio

2020

2020 IEEE International Conference on Autonomic Computing and Self-Organizing Systems Companion (ACSOS-C)

View full text Add to dashboard Cite

In the last three years, the unprecedented increase in discovered vulnerabilities ranked with critical and high severity raise new challenges in Vulnerability Risk Management (VRM). Indeed, identifying, analyzing and remediating this high rate of vulnerabilities is labour intensive, especially for enterprises dealing with complex computing infrastructures such as Infrastructure-as-a-Service providers. Hence there is a demand for new criteria to prioritize vulnerabilities remediation and new automated/autonomic approaches to VRM. In this paper, we address the above challenge proposing an Automated Context-aware Vulnerability Risk Management (AC-VRM) methodology that aims: to reduce the labour intensive tasks of security experts; to prioritize vulnerability remediation on the basis of the organization context rather than risk severity only. The proposed solution considers multiple vulnerabilities databases to have a great coverage on known vulnerabilities and to determine the vulnerability rank. After the description of the new VRM methodology, we focus on the problem of obtaining a single vulnerability score by normalization and fusion of ranks obtained from multiple vulnerabilities databases. Our solution is a parametric normalization that accounts for organization needs/specifications.

show abstract

Optimal Policies for Security Patch Management

Cited by 42 publications

References 19 publications

Market Segmentation and Software Security: Pricing Patching Rights

Market Segmentation and Software Security: Pricing Patching Rights

Economics of Ransomware Attacks

Normalization of Severity Rating for Automated Context-aware Vulnerability Risk Management

Contact Info

Product

Resources

About