The Effect of Liability and Patch Release on Software Security: The Monopoly Case

Article

Kim, Byung Cho; Chen, Pei-Yu; Mukhopadhyay, Tridas

Virginia Polytechnic Institute & State University; Pennsylvania Commonwealth System of Higher Education (PCSHE); Temple University; Carnegie Mellon University

PRODUCTION AND OPERATIONS MANAGEMENT

1059-1478

10.1111/j.1937-5956.2010.01189.x

2011

603-617

An abundance of flawed software has been identified as the main cause of the poor security of computer networks because major viruses and worms exploit the vulnerabilities of such software. As an incentive mechanism for software security quality improvement, software liability has been intensely discussed among both academics and practitioners for a long time. An alternative approach to managing software security is patch release, which has been widely adopted in practice. In this paper, we examine these two different ways of mitigating customer risk in the software market: liability and patch release. We study the impact of both mechanisms on a monopolistic software vendor's decision on security quality. We find the conditions under which each mechanism is effective in terms of improving security quality and increasing social surplus. The heterogeneous nature of loss is identified to be a key factor for the effectiveness of the liability mechanism. On the other hand, patch release can be effective and welfare-enhancing regardless of the nature of loss as long as customers incur low patching cost, and/or the vendor incurs low patch development cost. We also examine the impact of customer misperception of the outcome from vulnerable software on the effectiveness of liability.

访问原文