IDEAS home Printed from https://ideas.repec.org/a/inm/orisre/v21y2010i1p115-132.html
   My bibliography  Save this article

An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure

Author

Listed:
  • Ashish Arora

    (H. John Heinz III College, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213)

  • Ramayya Krishnan

    (H. John Heinz III College, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213)

  • Rahul Telang

    (H. John Heinz III College, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213)

  • Yubao Yang

    (H. John Heinz III College, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213)

Abstract

A key aspect of better and more secure software is timely patch release by software vendors for the vulnerabilities in their products. Software vulnerability disclosure, which refers to the publication of vulnerability information, has generated intense debate. An important consideration in this debate is the behavior of software vendors. How quickly do vendors patch vulnerabilities and how does disclosure affect patch release time? This paper compiles a unique data set from the Computer Emergency Response Team/Coordination Center (CERT) and SecurityFocus to answer this question. Our results suggest that disclosure accelerates patch release. The instantaneous probability of releasing the patch rises by nearly two and a half times because of disclosure. Open source vendors release patches more quickly than closed source vendors. Vendors are more responsive to more severe vulnerabilities. We also find that vendors respond more slowly to vulnerabilities not disclosed by CERT. We verify our results by using another publicly available data set and find that results are consistent. We also show how our estimates can aid policy makers in their decision making.

Suggested Citation

  • Ashish Arora & Ramayya Krishnan & Rahul Telang & Yubao Yang, 2010. "An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure," Information Systems Research, INFORMS, vol. 21(1), pages 115-132, March.
    • Handle: RePEc:inm:orisre:v:21:y:2010:i:1:p:115-132
    DOI: 10.1287/isre.1080.0226
    as

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/isre.1080.0226
    Download Restriction: no
    File URL: https://libkey.io/10.1287/isre.1080.0226?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Ashish Arora & Jonathan P. Caulkins & Rahul Telang, 2006. "Research Note--Sell First, Fix Later: Impact of Patching on Software Quality," Management Science, INFORMS, vol. 52(3), pages 465-471, March.
    2. Nizovtsev, Dmitri & Thursby, Marie, 2007. "To disclose or not? An analysis of software user behavior," Information Economics and Policy, Elsevier, vol. 19(1), pages 43-64, March.
    3. Ashish Arora & Rahul Telang & Hao Xu, 2008. "Optimal Policy for Software Vulnerability Disclosure," Management Science, INFORMS, vol. 54(4), pages 642-656, April.
    4. Belzil, Christian, 1995. "Unemployment Insurance and Unemployment over Time: An Analysis with Event History Data," The Review of Economics and Statistics, MIT Press, vol. 77(1), pages 113-126, February.
    5. Rajiv D. Banker & Gordon B. Davis & Sandra A. Slaughter, 1998. "Software Development Practices, Software Complexity, and Software Maintenance Performance: A Field Study," Management Science, INFORMS, vol. 44(4), pages 433-450, April.
    6. Fershtman, Chaim & Gandal, Neil & Choi, Jay Pil, 2005. "Internet Security, Vulnerability Disclosure and Software Provision," CEPR Discussion Papers 5269, C.E.P.R. Discussion Papers.
    7. Terrence August & Tunay I. Tunca, 2006. "Network Software Security and User Incentives," Management Science, INFORMS, vol. 52(11), pages 1703-1720, November.
    8. Karthik Kannan & Rahul Telang, 2005. "Market for Software Vulnerabilities? Think Again," Management Science, INFORMS, vol. 51(5), pages 726-740, May.
    9. James Vaupel & Kenneth Manton & Eric Stallard, 1979. "The impact of heterogeneity in individual frailty on the dynamics of mortality," Demography, Springer;Population Association of America (PAA), vol. 16(3), pages 439-454, August.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Kjell Hausken, 2017. "Information Sharing Among Cyber Hackers in Successive Attacks," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 19(02), pages 1-33, June.
    2. Ravi Sen & Joobin Choobineh & Subodha Kumar, 2020. "Determinants of Software Vulnerability Disclosure Timing," Production and Operations Management, Production and Operations Management Society, vol. 29(11), pages 2532-2552, November.
    3. Sabyasachi Mitra & Sam Ransbotham, 2015. "Information Disclosure and the Diffusion of Information Security Attacks," Information Systems Research, INFORMS, vol. 26(3), pages 565-584, September.
    4. Zaiyan Wei & Mingfeng Lin, 2017. "Market Mechanisms in Online Peer-to-Peer Lending," Management Science, INFORMS, vol. 63(12), pages 4236-4257, December.
    5. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.
    6. Kjell Hausken, 2018. "Proactivity and Retroactivity of Firms and Information Sharing of Hackers," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 20(01), pages 1-30, March.
    7. Arrah-Marie Jo, 2019. "Software vulnerability disclosure and security investment [L'impact de la divulgation d’une faille de sécurité : au-delà des motivations de l’éditeur de logiciel]," Post-Print hal-03033198, HAL.
    8. Orcun Temizkan & Sungjune Park & Cem Saydam, 2017. "Software Diversity for Improved Network Security: Optimal Distribution of Software-Based Shared Vulnerabilities," Information Systems Research, INFORMS, vol. 28(4), pages 828-849, December.
    9. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Arora, Ashish & Forman, Chris & Nandkumar, Anand & Telang, Rahul, 2010. "Competition and patching of security vulnerabilities: An empirical analysis," Information Economics and Policy, Elsevier, vol. 22(2), pages 164-177, May.
    2. Karthik Kannan & Mohammad S. Rahman & Mohit Tawarmalani, 2016. "Economic and Policy Implications of Restricted Patch Distribution," Management Science, INFORMS, vol. 62(11), pages 3161-3182, November.
    3. Vidyanand Choudhary & Zhe (James) Zhang, 2015. "Research Note—Patching the Cloud: The Impact of SaaS on Patching Strategy and the Timing of Software Release," Information Systems Research, INFORMS, vol. 26(4), pages 845-858, December.
    4. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    5. Zan Zhang & Guofang Nan & Yong Tan, 2020. "Cloud Services vs. On-Premises Software: Competition Under Security Risk and Product Customization," Information Systems Research, INFORMS, vol. 31(3), pages 848-864, September.
    6. Ravi Sen & Joobin Choobineh & Subodha Kumar, 2020. "Determinants of Software Vulnerability Disclosure Timing," Production and Operations Management, Production and Operations Management Society, vol. 29(11), pages 2532-2552, November.
    7. Terrence August & Marius Florin Niculescu, 2013. "The Influence of Software Process Maturity and Customer Error Reporting on Software Release and Pricing," Management Science, INFORMS, vol. 59(12), pages 2702-2726, December.
    8. Ashish Arora & Rahul Telang & Hao Xu, 2008. "Optimal Policy for Software Vulnerability Disclosure," Management Science, INFORMS, vol. 54(4), pages 642-656, April.
    9. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.
    10. Macnish, Kevin & van der Ham, Jeroen, 2020. "Ethics in cybersecurity research and practice," Technology in Society, Elsevier, vol. 63(C).
    11. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    12. Terrence August & Duy Dao & Kihoon Kim, 2019. "Market Segmentation and Software Security: Pricing Patching Rights," Management Science, INFORMS, vol. 65(10), pages 4575-4597, October.
    13. Terrence August & Tunay I. Tunca, 2008. "Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions," Information Systems Research, INFORMS, vol. 19(1), pages 48-70, March.
    14. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    15. Ioannidis, Christos & Pym, David & Williams, Julian, 2012. "Information security trade-offs and optimal patching policies," European Journal of Operational Research, Elsevier, vol. 216(2), pages 434-444.
    16. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    17. Nizovtsev, Dmitri & Thursby, Marie, 2007. "To disclose or not? An analysis of software user behavior," Information Economics and Policy, Elsevier, vol. 19(1), pages 43-64, March.
    18. Anshul Tickoo & P. K. Kapur & A. K. Shrivastava & Sunil K. Khatri, 2016. "Testing effort based modeling to determine optimal release and patching time of software," International Journal of System Assurance Engineering and Management, Springer;The Society for Reliability, Engineering Quality and Operations Management (SREQOM),India, and Division of Operation and Maintenance, Lulea University of Technology, Sweden, vol. 7(4), pages 427-434, December.
    19. Pu Li & H. Raghav Rao, 2007. "An examination of private intermediaries’ roles in software vulnerabilities disclosure," Information Systems Frontiers, Springer, vol. 9(5), pages 531-539, November.
    20. Ioannidis, Christos & Pym, David & Williams, Julian & Gheyas, Iffat, 2019. "Resilience in information stewardship," European Journal of Operational Research, Elsevier, vol. 274(2), pages 638-653.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:inm:orisre:v:21:y:2010:i:1:p:115-132. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Chris Asher (email available below). General contact details of provider: https://edirc.repec.org/data/inforea.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.