Network Security: Vulnerabilities and Disclosure Policy

34 Pages. Posted: 19 May 2008

Jay Pil Choi

Michigan State University - Department of Economics; CESifo (Center for Economic Studies and Ifo Institute)

Chaim Fershtman

Tel Aviv University - Eitan Berglas School of Economics; Tinbergen Institute

Neil Gandal

Berglas School of Economics, Tel Aviv University; Centre for Economic Policy Research (CEPR)

Date Written: February 2007

Abstract

Software security is a major concern for vendors, consumers, and regulators since attackers that exploit vulnerabilities can cause substantial damages. When vulnerabilities are discovered after the software has been sold to consumers, the firms face a dilemma. A policy of disclosing vulnerabilities and issuing updates protects only the consumers who install updates, while the disclosure itself facilitates reverse engineering of the vulnerability by hackers. The paper develops a setting that examines the economic incentives facing software vendors and users when software is subject to vulnerabilities. We consider a firm that sells software which is subject to potential security breaches. The firm needs to set the price of the software and state whether it intends to disclose vulnerabilities and issue updates. Consumers differ in their value of the software and the potential damage that hackers may inflict and need to decide whether to purchase the software as well as whether to install updates. Prices, market shares, and profits depend on the disclosure policy of the firm. The paper analyzes the market outcome and derives the conditions under which a firm would disclose vulnerabilities. It then examines the effect of a regulatory policy that requires mandatory disclosure of vulnerabilities. The paper discusses the incentives to invest in product security by investigating how a decline in the number of vulnerabilities and an increase in the probability that the firm will identify vulnerabilities ex-post (before hackers) affect disclosure policy, price and profits.

Keywords: Disclosure policy, Internet security, software vulnerabilities

JEL Classification: L100, L630

Suggested Citation

Choi, Jay Pil and Fershtman, Chaim and Gandal, Neil, Network Security: Vulnerabilities and Disclosure Policy (February 2007). CEPR Discussion Paper No. DP6134. Available at SSRN: https://ssrn.com/abstract=1133779

Jay Pil Choi (Contact Author)

Michigan State University - Department of Economics

101 Marshall Hall
East Lansing, MI 48824
United States
517-353-7281 (Phone)

CESifo (Center for Economic Studies and Ifo Institute)

Poschinger Str. 5
Munich, DE-81679
Germany

HOME PAGE: http://www.CESifo.de

Chaim Fershtman

Tel Aviv University - Eitan Berglas School of Economics

P.O. Box 39040
Ramat Aviv, Tel Aviv, 69978
Israel
+972 3 640 7167 (Phone)
+972 3 640 9908 (Fax)

Tinbergen Institute

Burg. Oudlaan 50
Rotterdam, 3062 PA
Netherlands

Neil Gandal

Berglas School of Economics, Tel Aviv University

Tel Aviv University
Tel Aviv 69978
Israel
+972 3 640 9907 (Phone)
+972 3 640 9908 (Fax)

HOME PAGE: http://www.neilgandal.com/

Centre for Economic Policy Research (CEPR)

London
United Kingdom
