Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions

Information Systems Research, March, Vol. 19, No. 1, pp. 48-70, 2008

Posted: 14 Nov 2010

See all articles by Terrence August

Terrence August

University of California, San Diego (UCSD) - Rady School of Management

Tunay I. Tunca

University of Maryland - Robert H. Smith School of Business

Date Written: May 2006

Abstract

We study the question of whether a software vendor should allow users of unlicensed (pirated) copies of a software product to apply security patches. We present a joint model of network software security and software piracy and contrast two policies that a software vendor can enforce: (i) restriction of security patches only to legitimate users or (ii) provision of access to security patches to all users whether their copies are licensed or not. We find that when the software security risk is high and the piracy enforcement level is low, or when tendency for piracy in the consumer population is high, it is optimal for the vendor to restrict unlicensed users from applying security patches. When piracy tendency in the consumer population is low, applying software security patch restrictions is optimal for the vendor only when the piracy enforcement level is high. If patching costs are sufficiently low, however, an unrestricted patch release policy maximizes vendor profits. We also show that the vendor can use security patch restrictions as a substitute to investment in software security, and this effect can significantly reduce welfare. Furthermore, in certain cases, increased piracy enforcement levels can actually hurt vendor profits. We also show that governments can increase social surplus and intellectual property protection simultaneously by increasing piracy enforcement and utilizing the strategic interaction of piracy patch restrictions and network security. Finally, we demonstrate that, although unrestricted patching can maximize welfare when the piracy enforcement level is low, contrary to what one might expect, when the piracy enforcement level is high, restricting security patches only to licensed users can be socially optimal.

Keywords: IT security, software piracy, IT policy and management, network economics, economics of IS

Suggested Citation

August, Terrence and Tunca, Tunay I., Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions (May 2006). Information Systems Research, March, Vol. 19, No. 1, pp. 48-70, 2008. Available at SSRN: https://ssrn.com/abstract=1708236

Terrence August (Contact Author)

University of California, San Diego (UCSD) - Rady School of Management ( email )

9500 Gilman Drive
Rady School of Management
La Jolla, CA 92093
United States

HOME PAGE: http://management.ucsd.edu/faculty/directory/august/

Tunay I. Tunca

University of Maryland - Robert H. Smith School of Business ( email )

College Park, MD 20742-1815
United States

Here is the Coronavirus
related research on SSRN

Paper statistics

Abstract Views
258
PlumX Metrics