To Disclose or Not? An Analysis of Software User Behavior


Authors

Nizovtsev, Dmitri; Thursby, Marie

Type

Article

Language

Eng

Keywords

Economics of information security; Software vulnerabilities; Vulnerability disclosure

Abstract

This paper addresses the ongoing debate over disclosing information about software vulnerabilities through an open forum. Using a game-theoretic approach, we show that full public disclosure may be an equilibrium strategy in a game played by rational, loss-minimizing agents. We provide conditions under which full public disclosure of vulnerabilities is desirable from a social welfare standpoint. We analyze the effect of several vendor and product characteristics, and of the composition of the pool of software users, on the decision to disclose and on social welfare. We also examine models in which users spend effort to develop a fix themselves, or threaten vendors with disclosure after a grace period. We show that, to the extent that users are able to develop fixes for discovered vulnerabilities without inordinate effort, welfare is further improved. This is more likely the more familiar users are with the details of the software, which provides an argument for "open source" software.

Publisher

Washburn University, School of Business
