Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments
In recent years, vendor liability for software security vulnerabilities has been the center of an important debate in the software community and a topic gaining government attention in legislative committees and hearings. The importance of this question surrounding vendor security liability is amplified when one considers the increasing emergence of zero-day attacks where hackers take advantage of vulnerabilities before the software vendor has a chance to release protective patches. In this paper, we compare the effectiveness of three software liability policies: vendor liability for damages, vendor liability for patching costs, and government imposed security standards. We find that vendor liability for losses is not effective in improving social welfare in the short run, while liability for patching costs can be effective if either patching costs are large and the likelihood of a zero-day attack is low, or patching costs are small and zero-day likelihood is high. In the long run, when the vendor can invest in reducing the likelihood of security vulnerabilities, loss liability is still ineffective when the zero-day attack probability is high but can increase both vendor investment in security and social welfare when zero-day attack likelihood is sufficiently low. When the zero-day attack probability is high, patch liability is ineffective if user patching costs are large, but partial patch liability can boost vendor investment and improve welfare when patching costs are small. In contrast, in an environment with low zero-day attack probability, full vendor patch liability can be optimal. Finally, comparing the effectiveness of the three liability policies under study, we find that government imposed standards on software security investment can be preferable to both patching and loss liability on the vendor, if zero-day attack likelihood is sufficiently low. However, if zero-day attacks are a common occurrence and patching costs are not too high, partial patch liability is the most effective policy. This paper was accepted by Sandra Slaughter, information systems.
Volume (Year): 57 (2011)
Issue (Month): 5 (May)
|Contact details of provider:|| Postal: 7240 Parkway Drive, Suite 300, Hanover, MD 21076 USA|
Web page: http://www.informs.org/
More information through EDIRC
References listed on IDEAS
Please report citation or reference errors to , or , if you are the registered author of the cited work, log in to your RePEc Author Service profile, click on "citations" and make appropriate adjustments.:
- Hugo A. Hopenhayn & Galina Vereshchagina, 2003.
"Risk Taking by Entrepreneurs,"
RCER Working Papers
500, University of Rochester - Center for Economic Research (RCER).
- Li, Lode & McKelvey, Richard D. & Page, Talbot., 1985.
"Optimal Research for Cournot Oligopolists,"
563, California Institute of Technology, Division of the Humanities and Social Sciences.
- Ashish Arora & Rahul Telang & Hao Xu, 2008. "Optimal Policy for Software Vulnerability Disclosure," Management Science, INFORMS, vol. 54(4), pages 642-656, April.
- Terrence August & Tunay I. Tunca, 2006. "Network Software Security and User Incentives," Management Science, INFORMS, vol. 52(11), pages 1703-1720, November.
- Kolstad, Charles D & Ulen, Thomas S & Johnson, Gary V, 1990. "Ex Post Liability for Harm vs. Ex Ante Safety Regulation: Substitutes or Complements?," American Economic Review, American Economic Association, vol. 80(4), pages 888-901, September.
- Muller, Holger M., 2000. "Asymptotic Efficiency in Dynamic Principal-Agent Problems," Journal of Economic Theory, Elsevier, vol. 91(2), pages 292-301, April.
- MacLeod, W Bentley & Malcomson, James M, 1993. "Investments, Holdup, and the Form of Market Contracts," American Economic Review, American Economic Association, vol. 83(4), pages 811-37, September.
- Hasan Cavusoglu & Huseyin Cavusoglu & Jun Zhang, 2008. "Security Patch Management: Share the Burden or Share the Damage?," Management Science, INFORMS, vol. 54(4), pages 657-670, April.
- Polinsky, A Mitchell, 1980. "Strict Liability vs. Negligence in a Market Setting," American Economic Review, American Economic Association, vol. 70(2), pages 363-67, May.
- Walter Y. Oi, 1973. "The Economics of Product Safety," Bell Journal of Economics, The RAND Corporation, vol. 4(1), pages 3-28, Spring.
- Zhixi Wan & Damian R. Beil, 2009. "RFQ Auctions with Supplier Qualification Screening," Post-Print hal-00471441, HAL.
- Jay Pil Choi & Chaim Fershtman & Neil Gandal, 2010.
"Network Security: Vulnerabilities And Disclosure Policy,"
Journal of Industrial Economics,
Wiley Blackwell, vol. 58(4), pages 868-894, December.
- Choi, Jay-Pil & Fershtman, Chaim & Gandal, Neil, 2007. "Network Security: Vulnerabilities and Disclosure Policy," CEPR Discussion Papers 6134, C.E.P.R. Discussion Papers.
- Rubinstein, Ariel, 1979. "Equilibrium in supergames with the overtaking criterion," Journal of Economic Theory, Elsevier, vol. 21(1), pages 1-9, August.
- Michael Spence, 1977. "Consumer Misperceptions, Product Failure and Producer Liability," Review of Economic Studies, Oxford University Press, vol. 44(3), pages 561-572.
- Fudenberg, Drew & Maskin, Eric, 1986. "The Folk Theorem in Repeated Games with Discounting or with Incomplete Information," Econometrica, Econometric Society, vol. 54(3), pages 533-54, May.
- Jeroen M. Swinkels & Wolfgang Pesendorfer, 2000.
"Efficiency and Information Aggregation in Auctions,"
American Economic Review,
American Economic Association, vol. 90(3), pages 499-525, June.
- Wolfgang Pesendorfer & Jeroen M. Swinkels, 1996. "Efficiency and Information Aggregation in Auctions," Discussion Papers 1168, Northwestern University, Center for Mathematical Studies in Economics and Management Science.
- Jean-Jacques Laffont & Jean Tirole, 1993. "A Theory of Incentives in Procurement and Regulation," MIT Press Books, The MIT Press, edition 1, volume 1, number 0262121743, June.
- Steven Shavell, 1982. "On Liability and Insurance," Bell Journal of Economics, The RAND Corporation, vol. 13(1), pages 120-132, Spring.
When requesting a correction, please mention this item's handle: RePEc:inm:ormnsc:v:57:y:2011:i:5:p:934-959. See general information about how to correct material in RePEc.
For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: (Mirko Janc)
If references are entirely missing, you can add them using this form.