
Network Software Security and User Incentives


  • Terrence August

    (Graduate School of Business, Stanford University, 518 Memorial Way, Stanford, California 94305-5015)

  • Tunay I. Tunca

    (Graduate School of Business, Stanford University, 518 Memorial Way, Stanford, California 94305-5015)


We study the effect of user incentives on software security in a network of individual users under costly patching and negative network security externalities. For proprietary software or freeware, we compare four alternative policies to manage network security: (i) consumer self-patching (where no external incentives are provided for patching or purchasing); (ii) mandatory patching; (iii) patching rebate; and (iv) usage tax. We show that for proprietary software, when the software security risk and the patching costs are high, for both a welfare-maximizing social planner and a profit-maximizing vendor, a patching rebate dominates the other policies. However, when the patching cost or the security risk is low, self-patching is best. We also show that when a rebate is effective, the profit-maximizing rebate is decreasing in the security risk and increasing in patching costs. The welfare-maximizing rebates are also increasing in patching costs, but can be increasing in the effective security risk when patching costs are high. For freeware, a usage tax is the most effective policy except when both patching costs and security risk are low, in which case a patching rebate prevails. Optimal patching rebates and taxes tend to increase with increased security risk and patching costs, but can decrease in the security risk for high-risk levels. Our results suggest that both the value generated from software and vendor profits can be significantly improved by mechanisms that target user incentives to maintain software security.

Suggested Citation

  • Terrence August & Tunay I. Tunca, 2006. "Network Software Security and User Incentives," Management Science, INFORMS, vol. 52(11), pages 1703-1720, November.
  • Handle: RePEc:inm:ormnsc:v:52:y:2006:i:11:p:1703-1720

    Download full text from publisher

    Download Restriction: no

    References listed on IDEAS

    1. Goldman Steven Marc & Lightwood James, 2002. "Cost Optimization in the SIS Model of Infectious Disease with Treatment," The B.E. Journal of Economic Analysis & Policy, De Gruyter, vol. 2(1), pages 1-24, April.
    2. Mark Gersovitz & Jeffrey S. Hammer, 2004. "The Economical Control of Infectious Diseases," Economic Journal, Royal Economic Society, vol. 114(492), pages 1-27, January.
    3. Gersovitz, Mark & Hammer, Jeffrey S., 2005. "Tax/subsidy policies toward vector-borne infectious diseases," Journal of Public Economics, Elsevier, vol. 89(4), pages 647-674, April.
    4. Geoffard, Pierre-Yves & Philipson, Tomas, 1996. "Rational Epidemics and Their Public Control," International Economic Review, Department of Economics, University of Pennsylvania and Osaka University Institute of Social and Economic Research Association, vol. 37(3), pages 603-624, August.
    5. Michael Kremer, 1996. "Integrating Behavioral Choice into Epidemiological Models of AIDS," The Quarterly Journal of Economics, Oxford University Press, vol. 111(2), pages 549-573.
    6. Kessing, Sebastian G. & Nuscheler, Robert, 2006. "Monopoly pricing with negative network effects: The case of vaccines," European Economic Review, Elsevier, vol. 50(4), pages 1061-1069, May.
    7. Francis, Peter J., 1997. "Dynamic epidemiology and the market for vaccinations," Journal of Public Economics, Elsevier, vol. 63(3), pages 383-406, February.
    8. Howard Kunreuther & Geoffrey Heal, 2002. "Interdependent Security: The Case of Identical Agents," NBER Working Papers 8871, National Bureau of Economic Research, Inc.
    9. Michael Kremer, 1996. "Integrating Behavioral Choice into Epidemiological Models of the AIDS Epidemic," NBER Working Papers 5428, National Bureau of Economic Research, Inc.
    10. Brito, Dagobert L. & Sheshinski, Eytan & Intriligator, Michael D., 1991. "Externalities and compulsory vaccinations," Journal of Public Economics, Elsevier, vol. 45(1), pages 69-90, June.

    Cited by:

    1. Hasan Cavusoglu & Huseyin Cavusoglu & Jun Zhang, 2008. "Security Patch Management: Share the Burden or Share the Damage?," Management Science, INFORMS, vol. 54(4), pages 657-670, April.
    2. Lam, W., 2015. "Attack-Deterring and Damage-Control Investments in Cybersecurity," CORE Discussion Papers 2015023, Université catholique de Louvain, Center for Operations Research and Econometrics (CORE).
    3. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    4. Lam, Wing Man Wynne, 2014. "Ex Ante and Ex Post Investments in Cybersecurity," TSE Working Papers 14-519, Toulouse School of Economics (TSE).
    5. Lam, Wing Man Wynne, 2016. "Attack-prevention and damage-control investments in cybersecurity," Information Economics and Policy, Elsevier, vol. 37(C), pages 42-51.
    6. Ioannidis, Christos & Pym, David & Williams, Julian, 2012. "Information security trade-offs and optimal patching policies," European Journal of Operational Research, Elsevier, vol. 216(2), pages 434-444.

