Advanced Search
MyIDEAS: Login to save this paper or follow this series

Network Security: Vulnerabilities and Disclosure Policy

Contents:

Author Info

  • Choi, Jay-Pil
  • Fershtman, Chaim
  • Gandal, Neil

Abstract

Software security is a major concern for vendors, consumers, and regulators since attackers that exploit vulnerabilities can cause substantial damages. When vulnerabilities are discovered after the software has been sold to consumers, the firms face a dilemma. A policy of disclosing vulnerabilities and issuing updates protects only the consumers who install updates, while the disclosure itself facilitates reverse engineering of the vulnerability by hackers. The paper develops a setting that examines the economic incentives facing software vendors and users when software is subject to vulnerabilities. We consider a firm that sells software which is subject to potential security breaches. The firm needs to set the price of the software and state whether it intends to disclose vulnerabilities and issue updates. Consumers differ in their value of the software and the potential damage that hackers may inflict and need to decide whether to purchase the software as well as whether to install updates. Prices, market shares, and profits depend on the disclosure policy of the firm. The paper analyzes the market outcome and derives the conditions under which a firm would disclose vulnerabilities. It then examines the effect of a regulatory policy that requires mandatory disclosure of vulnerabilities. The paper discusses the incentives to invest in product security by investigating how a decline in the number of vulnerabilities and an increase in the probability that the firm will identify vulnerabilities ex-post (before hackers) affect disclosure policy, price and profits.

Download Info

If you experience problems downloading a file, check if you have the proper application to view it first. In case of further problems read the IDEAS help page. Note that these files are not on the IDEAS site. Please be patient as the files may be large.
File URL: http://www.cepr.org/pubs/dps/DP6134.asp
Download Restriction: CEPR Discussion Papers are free to download for our researchers, subscribers and members. If you fall into one of these categories but have trouble downloading our papers, please contact us at subscribers@cepr.org

As the access to this document is restricted, you may want to look for a different version under "Related research" (further below) or search for a different version of it.

Bibliographic Info

Paper provided by C.E.P.R. Discussion Papers in its series CEPR Discussion Papers with number 6134.

as in new window
Length:
Date of creation: Feb 2007
Date of revision:
Handle: RePEc:cpr:ceprdp:6134

Contact details of provider:
Postal: Centre for Economic Policy Research, 77 Bastwick Street, London EC1V 3PZ.
Phone: 44 - 20 - 7183 8801
Fax: 44 - 20 - 7183 8820

Order Information:
Email:

Related research

Keywords: disclosure policy; Internet security; software vulnerabilities;

Other versions of this item:

Find related papers by JEL classification:

This paper has been announced in the following NEP Reports:

References

No references listed on IDEAS
You can help add them by filling out this form.

Citations

Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
as in new window

Cited by:
  1. Taylor J. Canann, 2013. "Software Vulnerability Analysis in Cyber Security: A Network Structure Approach," BYU Macroeconomics and Computational Laboratory Working Paper Series 2013-05, Brigham Young University, Department of Economics, BYU Macroeconomics and Computational Laboratory.
  2. Chaim FERSHTMAN & Neil GANDAL, 2012. "Migration to the Cloud Ecosystem: Ushering in a New Generation of Platform Competition," Communications & Strategies, IDATE, Com&Strat dept., vol. 1(85), pages 109-123, 1st quart.

Lists

This item is not listed on Wikipedia, on a reading list or among the top items on IDEAS.

Statistics

Access and download statistics

Corrections

When requesting a correction, please mention this item's handle: RePEc:cpr:ceprdp:6134. See general information about how to correct material in RePEc.

For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: ().

If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

If references are entirely missing, you can add them using this form.

If the full references list an item that is present in RePEc, but the system did not link to it, you can help with this form.

If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your profile, as there may be some citations waiting for confirmation.

Please note that corrections may take a couple of weeks to filter through the various RePEc services.