Software vulnerabilities have become a serious concern because unpatched software runs the risk of being exploited by attackers. Software vendors therefore need to make patches for vulnerabilities in their products available in a timely manner. We develop a survival analysis model of software vendors' patch release behavior and test it using a data set compiled from the National Vulnerability Database, the United States Computer Emergency Readiness Team, and vendor Web sites. The model helps to explain how factors specific to the vulnerability, the patch, the software vendor, and the software affect vendors' patch release behavior through their cost structure. The study also analyzes how the presence of multiple vendors and the type of vendor affect patch release behavior. Our results indicate that vulnerabilities with high confidentiality impact or high integrity impact are patched faster than vulnerabilities with high availability impact. We find interesting differences in patch release behavior by software type (new release versus update) and by vendor type (open source versus proprietary). Our results also show that vendors patch vulnerabilities faster when they are under legislative pressure. Appropriate regulation can thus be an important policy tool for steering vendor behavior toward socially desirable security outcomes.
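The survival-analysis framing above treats each vulnerability as an observation that runs from disclosure until a patch ships, with vulnerabilities still unpatched when data collection stopped kept in as right-censored observations rather than dropped. The following is an added example, not the paper's data or code, showing that first descriptive step: a Kaplan-Meier estimate of time-to-patch, stratified the way the abstract contrasts impacts (confidentiality or integrity rated high versus availability only). The records, the cutoff date and the `V-nn` labels are constructed placeholders, not real NVD entries or CVE identifiers; the paper's actual regression of these covariates on the hazard is not reproduced here.

```python
"""Kaplan-Meier estimate of time-to-patch with right-censoring.

Added example, not the paper's data or code. The records below are
constructed to resemble the fields one would pull from NVD entries and
vendor advisories: disclosure date, patch date (None if no patch had
shipped by the observation cutoff) and which CVSS impact metrics were
rated high. Identifiers are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass
from datetime import date
from fractions import Fraction
from typing import List, Optional, Tuple

# Assumed end of the observation window; still-unpatched records are censored here.
CUTOFF = date(2009, 12, 31)


@dataclass(frozen=True)
class VulnRecord:
    vid: str                  # placeholder identifier (constructed)
    disclosed: date
    patched: Optional[date]   # None: still unpatched at CUTOFF (right-censored)
    conf_high: bool
    integ_high: bool
    avail_high: bool

    def group(self) -> str:
        """Stratify as the abstract does: C or I high versus A-only."""
        if self.conf_high or self.integ_high:
            return "conf_or_integ_high"
        return "avail_high_only" if self.avail_high else "other"

    def observe(self) -> Tuple[int, bool]:
        """Days under observation and whether the event (patch release) occurred.

        An unpatched vulnerability contributes its elapsed time but no event,
        so slow or absent patches do not drop out of the estimate.
        """
        end = self.patched or CUTOFF
        return (end - self.disclosed).days, self.patched is not None


def kaplan_meier(observations: List[Tuple[int, bool]]) -> List[Tuple[int, Fraction]]:
    """Product-limit estimator: [(t, S(t))] at each event time, S kept exact."""
    surv = Fraction(1)
    curve = []
    for t in sorted({t for t, event in observations if event}):
        at_risk = sum(1 for ti, _ in observations if ti >= t)       # still unpatched just before t
        events = sum(1 for ti, event in observations if ti == t and event)
        surv *= 1 - Fraction(events, at_risk)
        curve.append((t, surv))
    return curve


def median_time_to_patch(curve) -> Optional[int]:
    """First t at which the unpatched fraction reaches 1/2; None if it never does."""
    for t, surv in curve:
        if surv <= Fraction(1, 2):
            return t
    return None


def summarize(records: List[VulnRecord]) -> dict:
    """Per-group counts, median days to patch and the survival curve as floats."""
    groups = {}
    for r in records:
        groups.setdefault(r.group(), []).append(r.observe())
    out = {}
    for name, obs in groups.items():
        curve = kaplan_meier(obs)
        out[name] = {
            "n": len(obs),
            "patched": sum(1 for _, e in obs if e),
            "censored": sum(1 for _, e in obs if not e),
            "median_days": median_time_to_patch(curve),
            "curve": [(t, float(s)) for t, s in curve],
        }
    return out


# Constructed sample: six C/I-high records and six availability-only records.
SAMPLE = [
    VulnRecord("V-01", date(2009, 1, 5), date(2009, 1, 12), True, False, False),
    VulnRecord("V-02", date(2009, 2, 1), date(2009, 2, 15), False, True, False),
    VulnRecord("V-03", date(2009, 3, 10), date(2009, 3, 17), True, True, False),
    VulnRecord("V-04", date(2009, 4, 1), date(2009, 5, 1), True, False, True),
    VulnRecord("V-05", date(2009, 6, 1), date(2009, 6, 15), False, True, False),
    VulnRecord("V-06", date(2009, 11, 20), None, True, False, False),      # unpatched at cutoff
    VulnRecord("V-07", date(2009, 1, 10), date(2009, 2, 9), False, False, True),
    VulnRecord("V-08", date(2009, 2, 1), date(2009, 4, 2), False, False, True),
    VulnRecord("V-09", date(2009, 3, 1), None, False, False, True),        # unpatched at cutoff
    VulnRecord("V-10", date(2009, 5, 1), date(2009, 6, 15), False, False, True),
    VulnRecord("V-11", date(2009, 8, 1), None, False, False, True),        # unpatched at cutoff
    VulnRecord("V-12", date(2009, 10, 1), date(2009, 12, 20), False, False, True),
]

if __name__ == "__main__":
    for name, stats in summarize(SAMPLE).items():
        print(name, stats)
```

On this constructed sample the median time-to-patch is 14 days for the confidentiality/integrity group and 60 days for the availability-only group, with the three still-unpatched records contributing their elapsed time without an event. Survival fractions are kept as exact `Fraction` values so the median threshold comparison is not subject to floating-point drift; a hazard regression on the covariates (vendor type, multiple vendors, software type) would be the next step and is what the paper's model does.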