Tunay I. Tunca

Network Software Security and User Incentives

We study the effect of user incentives on software security in a network of individual users under costly patching and negative network security externalities. For proprietary software or freeware, we compare four alternative policies to manage network security: (i) consumer self-patching (where no external incentives are provided for patching or purchasing); (ii) mandatory patching; (iii) patching rebate; and (iv) usage tax. We show that for proprietary software, when the software security risk and the patching costs are high, for both a welfare-maximizing social planner and a profit-maximizing vendor, a patching rebate dominates the other policies. However, when the patching cost or the security risk is low, self-patching is best. We also show that when a rebate is effective, the profit-maximizing rebate is decreasing in the security risk and increasing in patching costs. The welfare-maximizing rebates are also increasing in patching costs, but can be increasing in the effective security risk when patching costs are high. For freeware, a usage tax is the most effective policy except when both patching costs, and security risk are low, in which case a patching rebate prevails. Optimal patching rebates and taxes tend to increase with increased security risk and patching costs, but can decrease in the security risk for high-risk levels. Our results suggest that both the value generated from software and vendor profits can be significantly improved by mechanisms that target user incentives to maintain software security.

Supply Auctions and Relational Contracts for Procurement

We examine the competition between procurement auctions and long-term relational contracts that emerges from the increased usage of electronic marketplaces. Procurement auctions create supply chain efficiencies by selecting the least costly bidder, and long-term relational contracts ensure the quality of the procured products or services when these have nonverifiable attributes. The following two-layer supply chain model is analyzed: Suppliers of an industrial part with nonverifiable quality trade with several manufacturers that utilize that part in the production of an end product. A price-based reverse auction is used for the procurement of low-quality parts, and a relational long-term contract is used for high-quality parts. A formal model of the competition between the two procurement models identifies conditions under which the two coexist, and conditions under which one will push the other out of the market. Market and product parameters that increase the relative economic appeal of the relational contract are determined. It is demonstrated that the competition from the auction market can either facilitate or undermine the relational contract compared with a benchmark case of a monopolist supplier. This implies that competition between the two procurement models plays an important role in the supply of high-quality products.

Strategic Spot Trading in Supply Chains

In a variety of industries ranging from agriculture to electronics and oil, procurement takes place through a combination of bilateral fixed-price contracts and open market trading among supply chain participants, which allows them to improve supply chain performance by utilizing new demand and cost information. The strategic behavior of the participants in these markets interacts with the way fixed-price contracts are formulated and significantly affects supply chain efficiency. In this paper, we develop a strategic model that allows endogenous price formation in an industrial spot market where supply chain participants have private information. Utilizing the model, we analyze the equilibrium of a dynamic game between a single supplier and multiple manufacturers who first contract with the supplier at a fixed price and then trade on a spot market. We study how such trading affects supply chain performance and show that it does not eliminate fixed-price contracting even though the fixed price is determined under inferior information. We find that it reduces prices, increases the quantities produced, and improves supply chain profits and consumer surplus. However, depending on the information structure of the supply chain, spot trading may make either the supplier or the manufacturers worse off. Our results show how the informational regime affects the profitability of supply chain participants and the allocation of quantities between the procurement venues. We show that beyond a threshold level, the effect of increasing supply uncertainty, or decreasing either the demand uncertainty or the information asymmetry among the manufacturers, is to increase the percentage procured on the spot market as well as the overall quantity procured and sold, and to decrease prices. As the number of manufacturers increases, procurement shifts from fixed-price contracting to spot trading and in the limit, the supply chain is both fully coordinated and informationally efficient. We also show that in many cases, the supplier may gain strategic advantage by sharing some of her cost information with the manufacturers.

Multiple Sourcing and Procurement Process Selection with Bidding Events

We examine the procurement process selection problem of a large industrial buyer who employs reverse auctions for awarding procurement contracts. We contrast two classes of commonly used strategies under multiple sourcing; namely, single-stage reverse auctions, and two-stage processes where price-quantity adjustments between the buyer and the suppliers follow a first-stage reverse auction. Deriving bounds of efficiency for these two classes of procurement processes under convex supplier production costs, we present insights on the conditions under which each class is preferable for the buyer. Considering the effect of contracting and processing costs, a single-stage process is likely to be preferable to a two-stage process when the number of bidding suppliers is high, especially when capacity is rigid. A two-stage process with one information transfer in the second stage may be the preferred procurement mode when production is highly scalable, i.e., when the marginal production cost increase with increased production is small. When the number of suppliers is low, the effect of a decrease in production scalability depends on the current scalability level. For high scalability levels, a decrease in production scalability may decrease the efficiency of both single-stage and simple two-stage processes, whereas for low scalability levels, it tends to increase efficiency for both of these process classes. A decrease in production costs makes employing simple processes more attractive when production is highly scalable or when supplier capacity is rigid. For intermediate production scalability, however, a cost decrease may make employing two-stage processes with multiple information transfers in the second round preferable for the buyer.

Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions

We study the question of whether a software vendor should allow users of unlicensed (pirated) copies of a software product to apply security patches. We present a joint model of network software security and software piracy and contrast two policies that a software vendor can enforce: (i) restriction of security patches only to legitimate users or (ii) provision of access to security patches to all users whether their copies are licensed or not. We find that when the software security risk is high and the piracy enforcement level is low, or when tendency for piracy in the consumer population is high, it is optimal for the vendor to restrict unlicensed users from applying security patches. When piracy tendency in the consumer population is low, applying software security patch restrictions is optimal for the vendor only when the piracy enforcement level is high. If patching costs are sufficiently low, however, an unrestricted patch release policy maximizes vendor profits. We also show that the vendor can use security patch restrictions as a substitute to investment in software security, and this effect can significantly reduce welfare. Furthermore, in certain cases, increased piracy enforcement levels can actually hurt vendor profits. We also show that governments can increase social surplus and intellectual property protection simultaneously by increasing piracy enforcement and utilizing the strategic interaction of piracy patch restrictions and network security. Finally, we demonstrate that, although unrestricted patching can maximize welfare when the piracy enforcement level is low, contrary to what one might expect, when the piracy enforcement level is high, restricting security patches only to licensed users can be socially optimal.

Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments

In recent years, vendor liability for software security vulnerabilities has been the center of an important debate in the software community and a topic gaining government attention in legislative committees and hearings. The importance of this question surrounding vendor security liability is amplified when one considers the increasing emergence of zero-day attacks where hackers take advantage of vulnerabilities before the software vendor has a chance to release protective patches. In this paper, we compare the effectiveness of three software liability policies: vendor liability for damages, vendor liability for patching costs, and government imposed security standards. We find that vendor liability for losses is not effective in improving social welfare in the short run, while liability for patching costs can be effective if either patching costs are large and the likelihood of a zero-day attack is low, or patching costs are small and zero-day likelihood is high. In the long run, when the vendor can invest in reducing the likelihood of security vulnerabilities, loss liability is still ineffective when the zero-day attack probability is high but can increase both vendor investment in security and social welfare when zero-day attack likelihood is sufficiently low. When the zero-day attack probability is high, patch liability is ineffective if user patching costs are large, but partial patch liability can boost vendor investment and improve welfare when patching costs are small. In contrast, in an environment with low zero-day attack probability, full vendor patch liability can be optimal. Finally, comparing the effectiveness of the three liability policies under study, we find that government imposed standards on software security investment can be preferable to both patching and loss liability on the vendor, if zero-day attack likelihood is sufficiently low. However, if zero-day attacks are a common occurrence and patching costs are not too high, partial patch liability is the most effective policy. This paper was accepted by Sandra Slaughter, information systems.

An Empirical Analysis of Price, Quality, and Incumbency in Procurement Auctions

The use of multiattribute auctions for procurement of products and services when both price and quality matter is becoming more frequent. Such auctions often employ scoring rules and are open ended in winner determination. Yet there is a significant gap in the literature on the efficiency of these procurement mechanisms. In this paper, providing a theoretical model and utilizing data from legal service procurement auctions, we study how open-ended scoring auctions can be used effectively in procurement and demonstrate the roles supplier quality and incumbency play in this process. We demonstrate that open-ended auctions can generate substantial savings to a buyer without compromising quality. We study the underlying mechanism and show how the auction format can work to achieve such performance. We find that the buyers revealed preferences significantly differ from her stated preferences. Finally, we contribute to the understanding of the role of incumbency in procurement auctions by providing evidence that what may be perceived as incumbency bias can in fact be a revelation of preference for quality.

Fighting Fire with Fire: Commercial Piracy and the Role of File Sharing on Copyright Protection Policy for Digital Goods

In recent years, with the emergence and growth of illegal file sharing on the Internet, individual piracy of digital goods, i.e., consumers making illegal copies on their own rather than relying on purchasing copies from commercial pirates, has stirred substantial controversy. Threatened by this growth, the information goods industry took legal action by suing the file sharing peer-to-peer networks and the consumers who illegally share copyrighted material on these networks. In this paper we demonstrate that each one of these two actions aimed to fight individual piracy can backfire by providing strategic disadvantage to legal publishers of information goods. In particular, we show that in the presence of commercial piracy (i) a higher population of consumers who are capable of individual piracy can increase a legal publishers profits; and (ii) a higher detection and prosecution rate for individual piracy can reduce a legal publishers profits. Both effects can be observed in markets where commercial piracy is suppressed because the legal publisher can be coerced to take a price cut to minimize the loss of market share. The latter effect can also be observed in markets with active commercial piracy presence because the legal publisher can be forced to raise prices and concede market share to piracy. Our results suggest that information goods producers may be better off by considering their copyright protection policies concerning individual piracy from a more strategic point of view.

Feasting on Leftovers: Strategic Use of Shortages in Price Competition Among Differentiated Products

Two single-product firms with different quality levels and fixed limited capacities engage in sequential price competition in an essentially deterministic model where customers have heterogeneous valuations for both products. We develop conditions under which the leader (she) can take strategic advantage of her limited capacity by pricing relatively low, purposefully creating shortages and leaving some leftovers for the follower (him) to feast on, avoiding direct competition. The extent to which the leader benefits in this Leftovers Equilibrium depends on operational variables such as the capacity levels of the two firms and the sequence in which customers arrive at the market. We spell out the details for three different known arrival sequences within a specific subset of plausible fixed-capacity levels. The followers strategic shadow price can be positive even when not all his capacity is used, and the leaders can be negative when all her capacity is used. We illustrate that Leftovers Equilibria can arise when some of our assumptions are relaxed.

Business-To-Business Electronic Markets: Does Trading on New Information Create Value, and for Whom?

This paper studies the impact of a Business-to-Business electronic market on an environment where manufacturers used fixed-term contracts to purchase materials from suppliers. We focus on the effects of private information and consider the interaction between fixed-term contracting and the electronic market. We study the effects of the electronic market on the participants using four factors: changes in industry structure, information effects, volatility and price flexibility. We find that the effects of Business-to-Business electronic markets on industry performance are subtle, and that it can make the supply chain as a whole less profitable, with the benefits accruing largely to consumers.