Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions
Terrence August and Tunay Tunca
Information Systems Research, March, 2008, 19(1), 48-70
For years, Microsoft has been dealing with two major problems related to their network software products: excessive security risk and piracy. Microsoft has struggled with a decision on whether to permit pirates of their software products to have access to security patches. Unlike the software itself, security patches are difficult to pirate since they arrive weekly to monthly and their value lies in being deployed before attacks. Many users will not rely on non-trustworthy sources to obtain high frequency patches, therefore Microsoft can strategically use a restrictive patch policy to place software pirates in a compromised security setting; this can provide additional economic incentives for conversion into legitimate users. On the other hand, such a restriction would significantly compromise the security of the network by creating a large population of "unpatched hosts" on the Internet which are susceptible to "infection" and can spread malicious code such as worms and viruses. Under the high security risks faced today, such a policy reduces the security of the entire Internet, including the systems of legitimate users. As a result, in addition to facing public pressure for selfish behavior, the value of Microsoft's product is reduced, which also ultimately hurts the company.
These observations motivate a formal study of the economics of a vendor's security patch restriction policy decision. In this paper, we aim to provide insights into the economics of a vendor's patch release policy under software piracy in connection with current empirical observations and the ongoing debate. Building on the model given in August and Tunca (2006), we explore the implications of the two alternative policies: (i) restricting the security patches only to legitimate users or (ii) providing access to security patches to all users without checking the legitimacy of their copies of the software. Our analysis has two main purposes. First, we identify the conditions under which each policy will be optimal for a software vendor. Second, we explore the implications of patch restrictions on security of a software product, piracy enforcement and social welfare.
Exploring the optimal patch restriction policy for the vendor, we find that when software is highly risky or the population's tendency for piracy is high, it is optimal for the vendor to impose security patch restrictions on unlicensed users, while if the patching costs are sufficiently low, the profit maximizing policy for the vendor is to allow all users, licensed or unlicensed, to apply security patches. When the population's tendency for piracy is low, the optimality of patch restrictions is contingent upon the piracy enforcement level. If the piracy enforcement level is high, a software vendor should restrict security patches only to licensed users. However, when government enforcement of software piracy law is weak, then a profit-maximizing software vendor such as Microsoft should select a permissive policy for security patches. If Microsoft intended to use a restrictive policy, then, since enforcement is low, it would need to reduce prices to engender pirate conversion. However, price optimality calls for Microsoft to maintain a higher price level which provides very little conversion incentive under a restrictive policy. In this case, many pirates remain in the population as unpatched users which leads to increased security risk on the network. Therefore, under these conditions, choosing a permissive approach enhances security and increases the value of the software in the economy. Furthermore, these market conditions are typical of the U.S. which had a piracy rate of around 20% in 2008, much smaller in comparison to several countries with rates exceeding 90%. An important implication from this work is that, in the face of low piracy rates and weak enforcement, Microsoft should continue to exercise permissive patch policies within the U.S. This work also provides government with recommendations on how to use piracy enforcement appropriately.
Next, in the presence of software security patch restrictions, a vendor may prefer a less secure product and hence can have reduced incentives to invest in improving software security. As a result, social welfare can suffer significantly. In addition, contrary to what one may expect, we show that an increased piracy enforcement level does not always increase vendor profits. Further, we show that for certain piracy enforcement levels, governments can, in fact, increase social surplus generated by the software product by increasing piracy enforcement, thereby inducing the vendor lower his price strategically to target pirates' incentives to convert into purchasers under high security risk. Finally, we show that contrary to some arguments made in the software community, policies that restrict unlicensed users from patching can increase social welfare. In fact, we demonstrate that having the government impose laws to ensure such restrictions can sometimes be necessary to maximize the surplus generated by the software.