In recent years, vendor liability for software security vulnerabilities has been at the center of an important debate in the software community and a topic gaining government attention in legislative committees and hearings. The importance of the question of vendor security liability is amplified by the increasing emergence of zero-day attacks, in which attackers exploit vulnerabilities before the software vendor has a chance to release protective patches. In this paper, we compare the effectiveness of three software liability policies: vendor liability for damages, vendor liability for patching costs, and government-imposed security standards. We find that vendor liability for losses is not effective in improving social welfare in the short run, while liability for patching costs can be effective if either patching costs are large and the likelihood of a zero-day attack is low, or patching costs are small and zero-day likelihood is high. In the long run, when the vendor can invest in reducing the likelihood of security vulnerabilities, loss liability is still ineffective when the zero-day attack probability is high, but it can increase both vendor investment in security and social welfare when zero-day attack likelihood is sufficiently low. When the zero-day attack probability is high, patch liability is ineffective if user patching costs are large, but partial patch liability can boost vendor investment and improve welfare when patching costs are small. In contrast, in an environment with low zero-day attack probability, full vendor patch liability can be optimal. Finally, comparing the effectiveness of the three liability policies under study, we find that government-imposed standards on software security investment can be preferable to both patching and loss liability on the vendor if zero-day attack likelihood is sufficiently low. However, if zero-day attacks are a common occurrence and patching costs are not too high, partial patch liability is the most effective policy. This paper was accepted by Sandra Slaughter, information systems.