Patch Release Behaviors of Software Vendors in Response to Vulnerabilities: An Empirical Analysis

Authors:
Orcun Temizkan;Ram Kumar;Sungjune Park;Chandrasekar Subramaniam
Affiliations:
Belk College of Business Administration, University of North Carolina-Charlotte;Belk College of Business Administration, University of North Carolina-Charlotte;Belk College of Business Administration, University of North Carolina-Charlotte;Belk College of Business Administration, University of North Carolina-Charlotte
Venue:
Journal of Management Information Systems
Year:
2012

Citing 31
Cited 1

Evaluating the cost of software quality

Communications of the ACM
Software Development Practices, Software Complexity, and Software Maintenance Performance: a Field Study

Management Science
Understanding open source software development

Understanding open source software development
Applied Survival Analysis: Regression Modeling of Time to Event Data

Applied Survival Analysis: Regression Modeling of Time to Event Data
Security in Computing

Security in Computing
The Cathedral and the Bazaar

The Cathedral and the Bazaar
Windows of Vulnerability: A Case Study Analysis

Computer
The Moderating Effects of Structure on Volatility and Complexity in Software Enhancement

Information Systems Research
Coordinating Expertise in Software Development Teams

Management Science
Basic Concepts and Taxonomy of Dependable and Secure Computing

IEEE Transactions on Dependable and Secure Computing
Timing the Application of Security Patches for Optimal Uptime

LISA '02 Proceedings of the 16th USENIX conference on System administration
Common Vulnerability Scoring System

IEEE Security and Privacy
Does information security attack frequency increase with vulnerability disclosure? An empirical analysis

Information Systems Frontiers
Understanding the Impact of Collaboration Software on Product Design and Development

Information Systems Research
Research NoteSell First, Fix Later: Impact of Patching on Software Quality

Management Science
Efficiency of Vulnerability Disclosure Mechanisms to Disseminate Vulnerability Knowledge

IEEE Transactions on Software Engineering
The Effects of Information Technology Project Complexity on Group Interaction

Journal of Management Information Systems
Complexity of Information Systems Development Projects: Conceptualization and Measurement Development

Journal of Management Information Systems
Information accountability

Communications of the ACM - Organic user interfaces
Survival analysis using sas®: a practical guide

Survival analysis using sas®: a practical guide
Information Security Implications of Sarbanes-Oxley

Information Security Journal: A Global Perspective
Team Knowledge and Coordination in Geographically Distributed Software Development

Journal of Management Information Systems
A Strategic Analysis of Competition Between Open Source and Proprietary Software

Journal of Management Information Systems
Market Reactions to Information Security Breach Announcements: An Empirical Analysis

International Journal of Electronic Commerce
Information Risk of Inadvertent Disclosure: An Analysis of File-Sharing Risk in the Financial Supply Chain

Journal of Management Information Systems
The Deterrent and Displacement Effects of Information Security Enforcement: International Evidence

Journal of Management Information Systems
Optimal Policy for Software Vulnerability Disclosure

Management Science
Choice and Chance: A Conceptual Model of Paths to Information Security Compromise

Information Systems Research
The Impact of Open Source Software on the Strategic Choices of Firms Developing Proprietary Software

Journal of Management Information Systems
Improving CVSS-based vulnerability prioritization and response with context information

ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure

Information Systems Research

The importance of the CobiT framework IT processes for effective internal control over financial reporting in organizations: An international survey

Information and Management

Quantified Score

Hi-index	0.00

Visualization

Abstract

Software vulnerabilities have become a serious concern because unpatched software runs the risk of being exploited by hackers. There is a need for software vendors to make software patches available in a timely manner for vulnerabilities in their products. We develop a survival analysis model of software vendors' patch release behavior and test it using a data set compiled from the National Vulnerability Database, United States Computer Emergency Readiness Team, and vendor Web sites. This model helps to understand how factors specific to vulnerabilities, patches, software vendors, and software affect the patch release behavior of software vendors based on their cost structure. This study also analyzes the impact of the presence of multiple vendors and type of vendor on the patch release behavior of software vendors. Our results indicate that vulnerabilities with high confidentiality impact or high integrity impact are patched faster than vulnerabilities with high availability impact. Interesting differences in the patch release behavior of software vendors based on software type new release versus update and type of vendor open source versus proprietary are found. Our results illustrate that when there are legislative pressures, vendors react faster in patching vulnerabilities. Thus, appropriate regulations can be an important policy tool to influence vendor behavior toward socially desirable security outcomes.