Economic and Policy Implications of Restricted Patch Distribution
成果类型:
Article
署名作者:
Kannan, Karthik; Rahman, Mohammad S.; Tawarmalani, Mohit
署名单位:
Purdue University System; Purdue University
刊物名称:
MANAGEMENT SCIENCE
ISSN/ISSBN:
0025-1909
DOI:
10.1287/mnsc.2015.2309
发表日期:
2016
页码:
3161-3182
关键词:
information security
patch distribution
countervailing incentive
public policy
摘要:
In this paper, we study how restricting the availability of patches to legal users impacts the vendor's profits, market share, software maintenance decisions, and welfare outcomes. Prior work on this topic assumes that the hacker's effort is independent of the vendor's decision to release the patch freely or not. Clearly, if the patch is not available to everyone, the hacker finds it easier to exploit the vulnerability in the product and, as a result, is likely to alter his effort. To understand the role of a strategic hacker, we build a game-theoretic model, where the hacker's decision is endogenous. With this model, we find that the hacker's effort may, on the one hand, decrease the utility that the vendor can extract from the consumers but, on the other hand, may help differentiate the legal version of the product from the pirated version. A vendor can strategically exploit the hacker's behavior in its pricing and software maintenance decisions. The endogeneity of the hacker's actions drives several of our findings that have interesting policy implications. For example, the vendor may increase the price and reduce market share to exploit the differentiation. In such a case, there may be more pirates in the restricted-patch case than when the patch is freely available, a result that runs counter to typical arguments provided for restricting patches.
来源URL: