Code-Red: a case study on the spread and victims of an internet worm
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Why Information Security is Hard-An Economic Perspective
ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Proceedings of the 2003 ACM workshop on Rapid malcode
IEEE Security and Privacy
Efficiency of Vulnerability Disclosure Mechanisms to Disseminate Vulnerability Knowledge
IEEE Transactions on Software Engineering
Secure or insure?: a game-theoretic analysis of information security games
Proceedings of the 17th international conference on World Wide Web
Security and insurance management in networks with heterogeneous agents
Proceedings of the 9th ACM conference on Electronic commerce
An economic mechanism for better Internet security
Decision Support Systems
Information Security: Facilitating User Precautions Vis-à-Vis Enforcement Against Attackers
Journal of Management Information Systems
Uncertainty in the weakest-link security game
GameNets'09 Proceedings of the First ICST international conference on Game Theory for Networks
An Economic Analysis of the Software Market with a Risk-Sharing Mechanism
International Journal of Electronic Commerce
Risks and Benefits of Signaling Information System Characteristics to Strategic Attackers
Journal of Management Information Systems
Information Systems Research
Knowledge sharing and investment decisions in information security
Decision Support Systems
A learning-based approach to reactive security
FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
Are markets for vulnerabilities effective?
MIS Quarterly
Revisiting the incentive to tolerate illegal distribution of software products
Decision Support Systems
Effects of Piracy on Quality of Information Goods
Management Science
Hacker Behavior, Network Effects, and the Security Software Market
Journal of Management Information Systems
Game theory meets network security and privacy
ACM Computing Surveys (CSUR)
Modifying smartphone user locking behavior
Proceedings of the Ninth Symposium on Usable Privacy and Security
Hi-index | 0.01 |
We study the effect of user incentives on software security in a network of individual users under costly patching and negative network security externalities. For proprietary software or freeware, we compare four alternative policies to manage network security: (i) consumer self-patching (where no external incentives are provided for patching or purchasing); (ii) mandatory patching; (iii) patching rebate; and (iv) usage tax. We show that for proprietary software, when the software security risk and the patching costs are high, for both a welfare-maximizing social planner and a profit-maximizing vendor, a patching rebate dominates the other policies. However, when the patching cost or the security risk is low, self-patching is best. We also show that when a rebate is effective, the profit-maximizing rebate is decreasing in the security risk and increasing in patching costs. The welfare-maximizing rebates are also increasing in patching costs, but can be increasing in the effective security risk when patching costs are high. For freeware, a usage tax is the most effective policy except when both patching costs, and security risk are low, in which case a patching rebate prevails. Optimal patching rebates and taxes tend to increase with increased security risk and patching costs, but can decrease in the security risk for high-risk levels. Our results suggest that both the value generated from software and vendor profits can be significantly improved by mechanisms that target user incentives to maintain software security.