Network Software Security and User Incentives

Management Science, Vol. 52, No. 11, pp. 1703-1720, November 2006

Posted: 14 Nov 2010 Last revised: 7 Sep 2014

See all articles by Terrence August

Terrence August

University of California, San Diego (UCSD) - Rady School of Management

Tunay I. Tunca

University of Maryland - Robert H. Smith School of Business

Date Written: October 1, 2004

Abstract

We study the effect of user incentives on software security in a network of individual users under costly patching and negative network security externalities. For proprietary software or freeware, we compare four alternative policies to manage network security: (i) Consumer self patching (where no external incentives are provided for patching or purchasing); (ii) Mandatory patching; (iii) Patching rebate; and (iv) Usage tax. We show that for proprietary software, when the software security risk and the patching costs are high, for both a welfare maximizing social planner and a profit maximizing vendor, a patching rebate dominates the other policies. However, when the patching cost or the security risk is low, self patching is best. We also show that when a rebate is effective, the profit maximizing rebate is decreasing in the security risk and increasing in patching costs. The welfare maximizing rebates are also increasing in patching costs but can be increasing in the effective security risk when patching costs are high. For freeware, a usage tax is the most effective policy except when both patching costs and security risk are low, in which case, a patching rebate prevails. Optimal patching rebates and taxes tend to increase with increased security risk and patching costs but can decrease in the security risk for high risk levels. Our results suggest that both the value generated from software and vendor profits can be significantly improved by mechanisms that target user incentives to maintain software security.

Keywords: information systems, IT policy and management, network economics, economics of IS, security

Suggested Citation

August, Terrence and Tunca, Tunay I., Network Software Security and User Incentives (October 1, 2004). Management Science, Vol. 52, No. 11, pp. 1703-1720, November 2006. Available at SSRN: https://ssrn.com/abstract=1708220

Terrence August (Contact Author)

University of California, San Diego (UCSD) - Rady School of Management ( email )

9500 Gilman Drive
Rady School of Management
La Jolla, CA 92093
United States

HOME PAGE: http://management.ucsd.edu/faculty/directory/august/

Tunay I. Tunca

University of Maryland - Robert H. Smith School of Business ( email )

College Park, MD 20742-1815
United States

Here is the Coronavirus
related research on SSRN

Paper statistics

Abstract Views
361
PlumX Metrics