Terrence August
University of California, San Diego
Publication
Featured research published by Terrence August.
Management Science | 2006
Terrence August; Tunay I. Tunca
We study the effect of user incentives on software security in a network of individual users under costly patching and negative network security externalities. For proprietary software or freeware, we compare four alternative policies to manage network security: (i) consumer self-patching (where no external incentives are provided for patching or purchasing); (ii) mandatory patching; (iii) patching rebate; and (iv) usage tax. We show that for proprietary software, when the software security risk and the patching costs are high, for both a welfare-maximizing social planner and a profit-maximizing vendor, a patching rebate dominates the other policies. However, when the patching cost or the security risk is low, self-patching is best. We also show that when a rebate is effective, the profit-maximizing rebate is decreasing in the security risk and increasing in patching costs. The welfare-maximizing rebates are also increasing in patching costs, but can be increasing in the effective security risk when patching costs are high. For freeware, a usage tax is the most effective policy except when both patching costs and security risk are low, in which case a patching rebate prevails. Optimal patching rebates and taxes tend to increase with increased security risk and patching costs, but can decrease in the security risk for high-risk levels. Our results suggest that both the value generated from software and vendor profits can be significantly improved by mechanisms that target user incentives to maintain software security.
Information Systems Research | 2008
Terrence August; Tunay I. Tunca
We study the question of whether a software vendor should allow users of unlicensed (pirated) copies of a software product to apply security patches. We present a joint model of network software security and software piracy and contrast two policies that a software vendor can enforce: (i) restriction of security patches only to legitimate users or (ii) provision of access to security patches to all users whether their copies are licensed or not. We find that when the software security risk is high and the piracy enforcement level is low, or when tendency for piracy in the consumer population is high, it is optimal for the vendor to restrict unlicensed users from applying security patches. When piracy tendency in the consumer population is low, applying software security patch restrictions is optimal for the vendor only when the piracy enforcement level is high. If patching costs are sufficiently low, however, an unrestricted patch release policy maximizes vendor profits. We also show that the vendor can use security patch restrictions as a substitute to investment in software security, and this effect can significantly reduce welfare. Furthermore, in certain cases, increased piracy enforcement levels can actually hurt vendor profits. We also show that governments can increase social surplus and intellectual property protection simultaneously by increasing piracy enforcement and utilizing the strategic interaction of piracy patch restrictions and network security. Finally, we demonstrate that, although unrestricted patching can maximize welfare when the piracy enforcement level is low, contrary to what one might expect, when the piracy enforcement level is high, restricting security patches only to licensed users can be socially optimal.
Management Science | 2011
Terrence August; Tunay I. Tunca
In recent years, vendor liability for software security vulnerabilities has been the center of an important debate in the software community and a topic gaining government attention in legislative committees and hearings. The importance of this question surrounding vendor security liability is amplified when one considers the increasing emergence of zero-day attacks where hackers take advantage of vulnerabilities before the software vendor has a chance to release protective patches. In this paper, we compare the effectiveness of three software liability policies: vendor liability for damages, vendor liability for patching costs, and government imposed security standards. We find that vendor liability for losses is not effective in improving social welfare in the short run, while liability for patching costs can be effective if either patching costs are large and the likelihood of a zero-day attack is low, or patching costs are small and zero-day likelihood is high. In the long run, when the vendor can invest in reducing the likelihood of security vulnerabilities, loss liability is still ineffective when the zero-day attack probability is high but can increase both vendor investment in security and social welfare when zero-day attack likelihood is sufficiently low. When the zero-day attack probability is high, patch liability is ineffective if user patching costs are large, but partial patch liability can boost vendor investment and improve welfare when patching costs are small. In contrast, in an environment with low zero-day attack probability, full vendor patch liability can be optimal. Finally, comparing the effectiveness of the three liability policies under study, we find that government imposed standards on software security investment can be preferable to both patching and loss liability on the vendor, if zero-day attack likelihood is sufficiently low. 
However, if zero-day attacks are a common occurrence and patching costs are not too high, partial patch liability is the most effective policy. This paper was accepted by Sandra Slaughter, information systems.
Information Systems Research | 2014
Terrence August; Marius Florin Niculescu; Hyoduk Shin
By software vendors offering, via the cloud, software-as-a-service (SaaS) versions of traditionally on-premises application software, security risks associated with usage become more diversified. This can greatly increase the value associated with the software. In an environment where negative security externalities are present and users make complex consumption and patching decisions, we construct a model that clarifies whether and how SaaS versions should be offered by vendors. We find that the existence of version-specific security externalities is sufficient to warrant a versioned outcome, which has been shown to be suboptimal in the absence of security risks. In high security-loss environments, we find that SaaS should be geared to the middle tier of the consumer market if patching costs and the quality of the SaaS offering are high, and geared to the lower tier otherwise. In the former case, when security risk associated with each version is endogenously determined by consumption choices, strategic interactions between the vendor and consumers may cause a higher tier consumer segment to prefer a lower inherent quality product. Relative to on-premises benchmarks, we find that software diversification leads to lower average security losses for users when patching costs are high. However, when patching costs are low, surprisingly, average security losses can increase as a result of SaaS offerings and lead to lower consumer surplus. We also investigate the vendor's security investment decision and establish that, as the market becomes riskier, the vendor tends to increase investments in an on-premises version and decrease investments in a SaaS version. On the other hand, in low security-loss environments, we find that SaaS is optimally targeted to a lower tier of the consumer market, average security losses decrease, and consumer surplus increases as a result. Security investments increase for both software versions as risk increases in these environments.
Communications of The ACM | 2014
Terrence August; Robert August; Hyoduk Shin
How to encourage better user security practices and behavior
Management Science | 2013
Terrence August; Marius Florin Niculescu
Software producers are making greater use of customer error reporting to discover defects and improve the quality of their products. We study how software development differences among producers (e.g., varying levels of process maturity) and software class and functionality differences (e.g., operating system versus productivity software) affect how these producers coordinate software release timing and pricing to optimally harness error reporting contributions from users. In settings where prices are fixed, we characterize the optimal release time and demonstrate why in some cases it can actually be preferable to delay release when customer error reporting rates increase. The manner in which a firm's optimal release time responds to increases in software functionality critically hinges on whether the added functionality enhances or dilutes user error reporting; in both cases, the effect of added functionality on release timing can go in either direction, depending on both firm and product market characteristics. For example, when processing costs are relatively large compared with goodwill costs, firms with lower process maturity will release earlier when per-module error reporting contributions become diluted and release later when these contributions become enhanced. We also examine how a firm adapts price with changes in error reporting levels and software functionality, and finally, we provide implications of how beta testing influences release timing. This paper was accepted by Lorin Hitt, information systems.
Marketing Science | 2015
Terrence August; Duy Dao; Hyoduk Shin
The window between a film's theatrical and video releases has been steadily declining with some studios now testing day-and-date strategies (i.e., when a film is released across multiple channels at once). We present a model of consumer choice that examines trade-offs between substitutable products (theatrical and video forms), the possibility of purchasing both alternatives, a congestion externality affecting consumption at theaters with heterogeneous consumer groups, and a decay in the quality of the content over time. Our model permits a normative study of the impact of shorter release windows (zero-three months) for which there is a scarcity of relevant data. We characterize the market conditions under which a studio makes video release time and price selections indicative of direct-to-video, day-and-date, and delayed video release tactics. During seasons of peak congestion, we establish that day-and-date strategies are optimal for high-quality films with high content durability (i.e., films whose content tends to lead consumers to purchase both alternatives) whereas prices are set to perfectly segment the consumer market for films with low content durability. We find that lower congestion effects provide studios with incentives to delay release and price the video to induce multiple purchasing behavior for films with higher content durability. However, an increase in congestion effects can, in certain cases, actually lead to higher studio profitability. We also show that, at the lower range of quality, an increase in movie quality should often be accompanied by a later video release time. Surprisingly, however, we observe the opposite result at the upper range of movie quality: an increase in quality can justify an earlier release of the video.
Information Systems Research | 2013
Terrence August; Hyoduk Shin; Tunay I. Tunca
Open source software is becoming increasingly prominent, and the economic structure of open-source development is changing. In recent years, firms motivated by revenues from software services markets have become the primary contributors to open-source development. In this paper we study the role of services in open source software development and explore the choice between open source and proprietary software. Specifically, our economic model jointly analyzes the investment and pricing decisions of the originators of software and of subsequent open-source contributors. We find that if a contributor is efficient in software development, the originator should adopt an open-source strategy, allowing the contributor to offer higher total quality and capture the higher end of the market while the originator focuses on providing software services to lower end consumers. Conversely, if the contributor is not efficient in development, the originator should adopt a proprietary software development strategy, gaining revenue from software sales and squeezing the contributor out of the services market. In certain cases an increase in originator development efficiency can result in increased contributor profits. Finally, we find that, somewhat counterintuitively, an increase in contributor development efficiency can reduce overall social welfare.
Information Systems Research | 2017
Terrence August; Hyoduk Shin; Tunay I. Tunca
In the software industry, commercial open-source software vendors have recognized that providing services to help businesses derive greater value in the implementation of open source–based systems can be a profitable business model. Moreover, society may greatly benefit when software originators choose an open-source development strategy as their products become widely available, readily customizable, and open to community contributions. In this study, we present an economic model to study how software licensing attributes affect a software originator’s decisions, aiming to provide policy makers with insights into how welfare-improving, open-source outcomes can be incentivized. We show that when a competing contributor is apt at reaping the benefits of software development investment, a less restrictive open source license (e.g., Berkeley Software Distribution, or BSD style) can improve welfare. On the other hand, when the originator is better at leveraging investment and service costs are high, a more re...
Archive | 2009
Terrence August; Hyoduk Shin; Tunay I. Tunca