Economic Analysis of Incentives to Disclose Software Vulnerabilities


Authors

Thursby, Marie
Nizovtsev, Dmitri

Issue Date

2005-04-1

Type

Working paper

Language

en_US

Keywords

Computer software, Economic analysis

Abstract

This paper addresses the ongoing debate about the practice of disclosing information about software vulnerabilities through an open public forum. Using a game-theoretic approach, we show that such a practice may be an equilibrium strategy in a game played by rational loss-minimizing agents. We find that, under certain parameters, public disclosure of vulnerabilities is desirable from the social welfare standpoint. The presence of an opportunity to disclose allows individual software users to reduce their expected loss from attacks and, by doing so, improves social welfare. We analyze the effect of several product characteristics and of the composition of the pool of software users on the decisions to disclose and on social welfare, and we compare several public policy alternatives in terms of their efficacy in reducing the overall social welfare loss from attacks. Our results suggest that designing an incentive system that would induce vendors to release fixes sooner and improve the quality of their products should be among the priorities for any policymaking agency concerned with information security. Doing so would reduce individual incentives to disclose vulnerabilities, thus further reducing the potential damage from any given vulnerability. Our preliminary analysis of information-sharing coalitions suggests that such entities have a positive effect only under a fairly restrictive set of conditions.

Publisher

Washburn University. School of Business
