Optimal Policy for Software Vulnerability Disclosure

Arora, Ashish; Telang, Rahul; Xu, Hao

doi:10.1287/mnsc.1070.0771

Cited by 127 publications

(71 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Only recently have researchers started investigating important economic questions in the area of information security. Our research is motivated by theoretical models of the relationship between the timing of vulnerability disclosure and the expected losses from attacks (Schneier, 2000;Arora et al, 2008;Cavusoglu et al, 2005) and more broadly research that has studied the factors shaping the timing and nature (public or private) of vulnerability disclosure by firms and third parties (Kannan and Telang, 2005;Nizovtsev and Thursby, 2007;Choi et al, 2005).…”

Section: Related Literature and Contributionmentioning

confidence: 99%

“…Even the release of a patch results in a temporary increase in attacks but a sharp decline thereafter, resulting in a lower average attack frequency. Arora et al (2008) use a dataset assembled from CERT/CC's vulnerability notes and SecurityFocus database to show that early disclosure leads to faster patch release times. Telang and Wattal (2007) use an event study methodology to show that vulnerability disclosure leads to a loss of market value.…”

Section: Related Literature and Contributionmentioning

confidence: 99%

“…associated with briefer times to patch release (Arora et al, 2006). Prior work has focused on how public disclosure of vulnerabilities by third party intermediaries shapes patch release behavior (Schneier, 2000;Arora et al, 2008;Cavusoglu et al, 2005). While disclosure of vulnerabilities by third parties is important, a vulnerability can also be disclosed when someone issues a patch for it.…”

Section: Conceptual Framework and Hypothesesmentioning

confidence: 99%

See 2 more Smart Citations

Competition and patching of security vulnerabilities: An empirical analysis

Arora

Forman

Nandkumar

et al. 2010

Information Economics and Policy

Self Cite

View full text Add to dashboard Cite

a b s t r a c tWe empirically estimate the effect of competition on vendor patching of software defects by exploiting variation in number of vendors that share a common flaw or common vulnerabilities. We distinguish between two effects: the direct competition effect when vendors in the same market share a vulnerability, and the indirect effect, which operates through non-rivals that operate in different markets but nonetheless share the same vulnerability. Using time to patch as our measure of quality, we find empirical support for both direct and indirect effects of competition. Our results show that ex-post product quality in software markets is not only conditioned by rivals that operate in the same product market, but by also non-rivals that share the same common flaw.

show abstract

Section: Related Literature and Contributionmentioning

confidence: 99%

Section: Related Literature and Contributionmentioning

confidence: 99%

Section: Conceptual Framework and Hypothesesmentioning

confidence: 99%

See 1 more Smart Citation

Competition and patching of security vulnerabilities: An empirical analysis

Arora

Forman

Nandkumar

et al. 2010

Information Economics and Policy

Self Cite

View full text Add to dashboard Cite

show abstract

“…In addition, for situations in which the actions of users impact upon the welfare of others, they develop a set of incentive structures for the implementation of effective patch management. The timing of vulnerability disclosures by vendors is modelled by [5], where it is shown that, with no regulation, the vendor releases a patch less frequently than is socially optimal. In [11], the relationship between the release of patches by vendors and their implementation by users is studied.…”

Section: Introductionmentioning

confidence: 99%

Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach

Ioannidis

Pym

Williams

2012

Economics of Information Security and Privacy III

View full text Add to dashboard Cite

This paper addresses the question of determining the optimal timing of interventions in information security management. Using utility theory, we derive the limiting condition under which, given a potential or realized risk, a decision to invest, delay, or abandon can be justified. Our primary focus is on the decision to defer costly deterministic investments, such as the removal of a service or implementation of a security patch, when the costs associated with future security vulnerabilities are uncertain. We outline an investment function with irreversible fixed costs that introduces a rigidity into the investment decision-making profile. This rigidity introduces delay in the implementation of security measures, resulting in cyclical investments in information security, as the decision-maker determines the optimal investment horizon. We therefore show that cycles emerge endogenously given the policy-maker's chosen trade-offs between investment and the deterioration of the system attributes.

show abstract

“…Arora, Telang, and Xu (2004) theoretically examine the optimal policy for software vulnerability disclosure. The software vendor strategy is limited to whether it will release a patch and if so when to release the patch.…”

Section: Examining Incentives For Software Vendorsmentioning

confidence: 99%

An Introduction to Key Themes in the Economics of Cyber Security

Gandal¹

Cyber Warfare and Cyber Terrorism

View full text Add to dashboard Cite

In this brief paper, I discuss key themes in the budding literature on the economics of cyber-security. My primary focus is on how economics incentives affect the major issues and themes in information security.I thank Jay P. Choi, Chaim Fershtman, Jacques Lawarree, Shlomit Wagman, several anonymous reviewers from WEIS 2005 and this encyclopedia, and seminar participants from WEIS 2005 for their helpful comments. A research grant from Microsoft is gratefully acknowledged. Any opinions expressed are those of the author.

show abstract

Optimal Policy for Software Vulnerability Disclosure

Cited by 127 publications

References 11 publications

Competition and patching of security vulnerabilities: An empirical analysis

Competition and patching of security vulnerabilities: An empirical analysis

Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach

An Introduction to Key Themes in the Economics of Cyber Security

Contact Info

Product

Resources

About