The Effect of Liability and Patch Release on Software Security: The Monopoly Case

Kim, Byung Cho; Chen, Pei-Yu; Mukhopadhyay, Tridas

doi:10.1111/j.1937-5956.2010.01189.x

Cited by 38 publications

(35 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Other refinements for software liability have been suggested [5,2,3,23,4]. These works suggest various types of liability, applied to various parties within the software deployment/development chain.…”

Section: Software Liabilitymentioning

confidence: 98%

“…A European Union working group further suggested that software vendors have upper and lower limited liability thresholds based on the potential harm or criticality of software [4]. Models for liability have examined the effectiveness of different liability policies, finding that their effectiveness can be highly variable depending on the probability of zero-day exploits, the cost of patch deployment, the nature of loss, and whether a software vendor holds a monopoly [3,23].…”

Section: Software Industrymentioning

confidence: 99%

See 1 more Smart Citation

Panel Summary

Edwards

Locasto

Epstein

2014

Proceedings of the 2014 New Security Paradigms Workshop

View full text Add to dashboard Cite

A panel at the New Security Paradigms Workshop (2014) discussed the topic of regulation and licensing of software developers and information security professionals. This included topics of the current state of certification, future possibilities, and challenges associated with new forms of regulation. This paper presents a brief background on the subject, three opinions presented by the panelists, and finally a summary of the discussion which occurred at the workshop, including input from both the panelists and the workshop attendees.

show abstract

Section: Software Liabilitymentioning

confidence: 98%

Section: Software Industrymentioning

confidence: 99%

Panel Summary

Edwards

Locasto

Epstein

2014

Proceedings of the 2014 New Security Paradigms Workshop

View full text Add to dashboard Cite

show abstract

“…Our setting, where the MSSP's protection effort is related to security breach probability, and the fact that the MSSP is liable for the client's damage when protection fails, is commonly seen in the product failure and insurance literature (e.g., [46, Downloaded by [University of Otago] at 06:09 24 July 2015 51,52]). Also, the use of software or system liability as an incentive mechanism in managing security risks has been widely proposed (e.g., [4,31,47]). For example, August and Tunca [6] analyze the impact of different liability policies on software vulnerability and derive the conditions under which loss liability and patch liability can be effective.…”

Section: Related Literaturementioning

confidence: 99%

Information Security Outsourcing with System Interdependency and Mandatory Security Requirement

Hui

Yue

2012

Journal of Management Information Systems

View full text Add to dashboard Cite

“…Risk , defined as “uncertainty inherent in doing business” (Straub & Welke, , p. 442), is further divided into business risks of “systems for delivering goods/services to a customer” or systems risk , defined as “the likelihood that the firm's information systems are insufficiently protected against certain kinds of damage or loss” (Straub & Welke, , p. 441–442). The wide application of technology to create business processes blurs these risk categories; business risks are now often systems risks (O'Donnell, ; Ransbotham & Mitra, ; Kim, Chen, & Mukhopadhyay, ). Outside of natural disasters and innate process failures, these risks arise from abuse of vulnerabilities via three enterprise conduits: organizational environment, internal enterprise systems, and the knowledge of individual actors about enterprise systems and their embedded risks (Straub & Welke, ).…”

Section: Introductionmentioning

confidence: 99%

“…ERM strives to catalog a firm's risks, aggregate similar risks, identify correlated risks, and carefully estimate their potential costs to an organization, as inputs to monitor and optimize a firm's actions across a risk portfolio (Nocco & Stulz, ; Wu & Olson, ). Doing so can lessen a firm's exposure to operational risks that can be managed by patching technologies and processes (Nocco & Stulz, ), versus by vendor contract liability clauses (Kim et al., ; August & Tunca, ), insurance, markets, or financial hedging (Anderson & Moore, ; Nocco & Stulz, ). The objective is to generate decision models managers can use to manage risks systematically (Wu & Olson, ), limiting harmful events by internally managing risks for which they have a comparative managerial advantage (Nocco & Stulz, ).…”

Section: Introductionmentioning

confidence: 99%

Managing Enterprise Risks of Technological Systems: An Exploratory Empirical Analysis of Vulnerability Characteristics as Drivers of Exploit Publication*

Sen

Heim

2016

Decision Sciences

View full text Add to dashboard Cite

Enterprises experience opportunistic exploits targeted at vulnerable technology. Vulnerabilities in software-based applications, service systems, enterprise platforms, and supply chains are discovered and disclosed on an alarmingly regular basis. A necessary enterprise risk management task concerns identifying and patching vulnerabilities. Yet it is a costly affair to develop and deploy patches to alleviate risk and prevent damage from exploit attacks. Given the limited resources available, technology producers and users must identify priorities for such tasks. When not overlooked, vulnerability-patching tasks often are prioritized based on vulnerability disclosure dates, thus vulnerabilities disclosed earlier usually have patches developed and deployed earlier. We suggest priorities also should focus on time-dependent likelihoods of exploits getting published. We analyze data on software exploits to identify factors associated with the duration between a vulnerability discovery date and the date when an exploit is publicly available, a time window for patching before exploit attack levels may escalate. Actively prioritizing vulnerability patching based on likelihoods of exploit publication may help lessen losses due to exploit attacks. Technology managers might apply the insights to better estimate relative risk levels, and better prioritize protection efforts toward vulnerabilities having higher risk of earlier exploitation.

show abstract

The Effect of Liability and Patch Release on Software Security: The Monopoly Case

Cited by 38 publications

References 32 publications

Panel Summary

Panel Summary

Information Security Outsourcing with System Interdependency and Mandatory Security Requirement

Managing Enterprise Risks of Technological Systems: An Exploratory Empirical Analysis of Vulnerability Characteristics as Drivers of Exploit Publication*

Contact Info

Product

Resources

About