Terrence August and Tunay Tunca
Management Science, November, 2006, 52(11), 1703-1720
Because of network effects, the actions that each user takes in the face of a potential security threat can have important consequences on other users, and mechanisms to induce the right incentives for patching, both from the point of view of a profit maximizing vendor and a social welfare maximizing planner need to be considered. In this paper, we present a model of a market for a software product with a potential security vulnerability to compare mechanisms aimed to mitigate the security problem by utilizing user incentives. The consumers who choose to purchase or use the software face a decision whether to undergo patching costs to maintain the security of their software. If they patch their systems, they avoid the risk of being hit by worms and do not cause negative externalities on the other users. However, if they avoid patching, they not only risk being hit but also increase the risk faced by other users. The equilibrium patching decisions of the users depend on the cost of patching and the overall riskiness of the software. This, in turn, determines the equilibrium purchasing decisions of the consumers. We consider two different cases: (a) Proprietary software that is offered by a vendor who produces and sells copies of it for profit (e.g., Microsoft IIS); (b) Freeware, which is available to users at no charge and often distributed by open source development projects (e.g., Apache HTTP Server). For both cases, we examine four candidate policies: (i) Consumer self patching, where users make their own decisions on patching (i.e., the status quo); (ii) Mandatory patching, where users, by agreement, are required to patch when one is available; (iii) Patching rebate, where users are compensated by the vendor when a patch is available and they actually patch; and (iv) Usage tax, where a social planner imposes a tax on the usage of the software in order to control the negative network externalities caused by low valuation users who are not reliable patchers.
For proprietary software, contractually mandating patching can substantially reduce the vendor profit and hence is not an appealing policy for a software vendor to apply. Although mandating patching can improve expected social welfare, for most cases it will reduce the welfare by inducing the vendor to price at levels that move the network away from the overall socially optimal security level. We also find that if the risk that the users are facing is small compared to the patching costs, patching rebates cannot increase the vendor's expected profit, since it will cost the vendor too much to induce a desired level of patching behavior. On the other hand, if the security risk is high, the vendor can increase his profits through rebates by inducing increased security and consequently increased value of his product. Similarly, by inducing efficient patching behavior, rebates can be an effective tool for a social welfare maximizing planner when the security risk and patching costs are high. However, by significantly reducing the usage, taxes are not helpful for increasing either vendor profits or social welfare even though they may increase the security of the product. We also show that the optimal patching rebate and the corresponding vendor price tend to increase in patching costs but decrease in the effective riskiness of the software. However, when the patching costs are high, the optimal planner determined rebate increases with the security risk to reduce the high network externalities that arise from poor user patching behavior. These results are summarized in Table 1. Panel A gives the policy recommendations, and Panel B gives the comparative statics results for the optimal vendor price, rebates and tax. When software is freeware, we demonstrate that mandating patching reduces welfare by forcing consumers to make socially inefficient decisions. However, our conclusions about the impact of the rebates and taxes change significantly. Unlike proprietary software, patching rebates have only limited effectiveness for freeware, since they often induce users to patch in cases where doing so is socially inefficient. However, taxes can be effective since they eliminate low valuation users who do not patch and cause negative security externalities on other users. When the security risk or patching costs are low, unlike the case of proprietary software where self patching is preferable, for freeware, an intervention by a social planner through rebates and taxes increases social welfare. When both software riskiness and the patching costs are low, rebates are preferable while for high patching costs or security risk, a tax policy can significantly increase social welfare and be preferred. The optimal tax and rebate tend to increase with the security risk and the patching costs except when the security risk is high, in which case further usage should be encouraged by lowering the tax. These results are again summarized in Table 1.