Network Security: Vulnerabilities and Disclosure Policy

This file is part of IDEAS, which uses RePEc data

Network Security: Vulnerabilities and Disclosure Policy

Author Info

Choi, Jay-Pil
Fershtman, Chaim
Gandal, Neil

Additional information is available for the following registered author(s):

Abstract

Software security is a major concern for vendors, consumers, and regulators since attackers that exploit vulnerabilities can cause substantial damages. When vulnerabilities are discovered after the software has been sold to consumers, the firms face a dilemma. A policy of disclosing vulnerabilities and issuing updates protects only the consumers who install updates, while the disclosure itself facilitates reverse engineering of the vulnerability by hackers. The paper develops a setting that examines the economic incentives facing software vendors and users when software is subject to vulnerabilities. We consider a firm that sells software which is subject to potential security breaches. The firm needs to set the price of the software and state whether it intends to disclose vulnerabilities and issue updates. Consumers differ in their value of the software and the potential damage that hackers may inflict and need to decide whether to purchase the software as well as whether to install updates. Prices, market shares, and profits depend on the disclosure policy of the firm. The paper analyzes the market outcome and derives the conditions under which a firm would disclose vulnerabilities. It then examines the effect of a regulatory policy that requires mandatory disclosure of vulnerabilities. The paper discusses the incentives to invest in product security by investigating how a decline in the number of vulnerabilities and an increase in the probability that the firm will identify vulnerabilities ex-post (before hackers) affect disclosure policy, price and profits.

Download Info
To download:

If you experience problems downloading a file, check if you have the proper application to view it first. Information about this may be contained in the File-Format links below. In case of further problems read the IDEAS help page. Note that these files are not on the IDEAS site. Please be patient as the files may be large.

As the access to this document is restricted, you may want to look for a different version under "Related research" (further below) or search for a different version of it.

Publisher Info
Paper provided by C.E.P.R. Discussion Papers in its series CEPR Discussion Papers with number 6134.

Download reference. The following formats are available: HTML (with abstract), plain text (with abstract), BibTeX, RIS (EndNote, RefMan, ProCite), ReDIF
Length:
Date of creation: Feb 2007
Date of revision:
Handle: RePEc:cpr:ceprdp:6134

Contact details of provider:
Postal: Centre for Economic Policy Research, 53--56 Great Sutton Street, London EC1V 0DG
Phone: 44 - 20 - 7183 8801
Fax: 44 - 20 - 7183 8820

Order Information:
Email:

For technical questions regarding this item, or to correct its listing, contact: ().

Find related papers by JEL classification:
L10 - Industrial Organization - - Market Structure, Firm Strategy, and Market Performance - - - General
L63 - Industrial Organization - - Industry Studies: Manufacturing - - - Microelectronics; Computers; Communications Equipment

This paper has been announced in the following NEP Reports:

NEP-ALL-2007-02-24 (All new papers)
NEP-MIC-2007-02-24 (Microeconomics)

Statistics

Access and download statistics

Did you know? RePEc encourages publishers to make their bibliographic data freely available to the public.

This page was last updated on 2009-10-29.

This information is provided to you by IDEAS at the Department of Economics, College of Liberal Arts and Sciences, University of Connecticut using RePEc data on a server sponsored by the Society for Economic Dynamics.