Security Patch Management: Share the Burden or Share the Damage?

Cavusoglu, Hasan; Cavusoglu, Huseyin; Zhang, Jun

doi:10.1287/mnsc.1070.0794

Cited by 124 publications

(79 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our results in this paper would be quite robust to imperfect debugging, provided that debugging is mostly effective. Second, we take a simpler view that patches are released as soon as the vendor has a patch available; in reality, when patches are released (either willingly or by threat of disclosure) and when they are applied (if ever) by users is a complex topic in its own right and extensively studied in the vulnerability disclosure literature (see August and Tunca 2006, Cavusoglu et al 2007, Arora et al 2008, Cavusoglu et al 2008. One possible future extension could be to explore this link between vulnerability disclosure 26 and a vendor's product release time and pricing.…”

Section: Discussionmentioning

confidence: 99%

The Influence of Software Process Maturity and Customer Error Reporting on Software Release and Pricing

August

Niculescu

2011

SSRN Journal

View full text Add to dashboard Cite

Software producers are making greater use of customer error reporting to discover defects and improve the quality of their products. We study how software development differences among producers (e.g., varying levels of process maturity) and software class and functionality differences (e.g., operating system versus productivity software) affect how these producers coordinate software release timing and pricing to optimally harness error reporting contributions from users. In settings where prices are fixed, we characterize the optimal release time and demonstrate why in some cases it can actually be preferable to delay release when customer error reporting rates increase. The manner in which a firm's optimal release time responds to increases in software functionality critically hinges on whether the added functionality enhances or dilutes user error reporting; in both cases, the effect of added functionality on release timing can go in either direction, depending on both firm and product market characteristics. For example, when processing costs are relatively large compared to goodwill costs, firms with lower process maturity will release earlier when per module error reporting contributions become diluted and release later when these contributions become enhanced. We also examine how a firm adapts price with changes in error reporting levels and software functionality, and finally provide implications of how beta testing influences release timing.

show abstract

Section: Discussionmentioning

confidence: 99%

The Influence of Software Process Maturity and Customer Error Reporting on Software Release and Pricing

August

Niculescu

2011

SSRN Journal

View full text Add to dashboard Cite

show abstract

“…Cavusoglu, et al [18,19] use a game-theoretic model to study interactions between a vendor releasing patches and an organization deploying the patches across its environment. They examine the cost/benefit consequences of the time-driven release policies adopted by a vendor and similar policies for patch deployment adopted by an organization, and explore situations in which the socially optimal patch management can be achieved.…”

Section: Related Workmentioning

confidence: 99%

Optimizing Network Patching Policy Decisions

Beres

Griffin

2012

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Abstract. Patch management of networks is essential to mitigate the risks from the exploitation of vulnerabilities through malware and other attacks, but by setting too rigorous a patching policy for network devices the IT security team can also create burdens for IT operations or disruptions to the business. Different patch deployment timelines could be adopted with the aim of reducing this operational cost, but care must be taken not to substantially increase the risk of emergency disruption from potential exploits and attacks. In this paper we explore how the IT security policy choices regarding patching timelines can be made in terms of economically-based decisions, in which the aim is to minimize the expected overall costs to the organization from patching-related activity. We introduce a simple cost function that takes into account costs incurred from disruption caused by planned patching and from expected disruption caused by emergency patching. To explore the outcomes under different patching policies we apply a systems modelling approach and Monte Carlo style simulations. The results from the simulations show disruptions caused for a range of patch deployment timelines. These results together with the cost function are then used to identify the optimal patching timelines under different threat environment conditions and taking into account the organization's risk tolerance.

show abstract

“…Arora, Caulkins and Telang (2005) develop an analytical model where the possibility of patching a software product after it has been released creates incentives for the vendors to rush to the market with buggier products, especially in larger markets. Cavusoglu et al (2005) present a model of risk sharing between the vendor and software users where the risk arises due to vulnerabilities. These papers do not deal with the issue of disclosure directly.…”

Section: Prior Literaturementioning

confidence: 99%

Optimal Policy for Software Vulnerability Disclosure

2008

View full text Add to dashboard Cite

Software vulnerabilities represent a serious threat to cyber security, most cyber-attacks exploit known vulnerabilities. Unfortunately, there is no agreed-upon policy for their disclosure. Disclosure policy (which sets a protected period given to a vendor to release the patch for the vulnerability) indirectly affects the speed and quality of the patch that a vendor develops. Thus CERT/CC and similar bodies acting in the public interest can use disclosure to influence the behavior of vendors and reduce social cost. This paper develops a framework to analyze the optimal timing of disclosure. We formulate a model involving a social planner who sets the disclosure policy and a vendor who decides on the patch release. We show that the vendor typically release the patch less expeditiously than is socially optimal. The social planner optimally shrinks the protected period to push the vendor to deliver the patch more quickly and sometimes the patch release time coincides with disclosure. We extend the model to allow the proportion of users implementing patches to depend upon the quality (chosen by the vendor) of the patch. We show that a longer protected period does not always results in a better patch quality. Another extension allows for some fraction of users to use "work-arounds". We show that the possibility of work-arounds can provide the social planner more leverage and hence the social planner shrinks the protected period. Interestingly, possibility of work-arounds can sometimes increase the social cost due to the negative externalities imposed by the users who can use the work-arounds on the users who can not. (2005) and seminar participants at Stanford University, for their valuable feedback. We also thank the DE, the AE, and two anonymous reviewers for many valuable suggestions, and Ed Barr for suggesting many improvements in the writing. This research was partially supported through a grant from Cylab, Carnegie Mellon University. Rahul Telang acknowledges the generous support of National Science Foundation through the CAREER award CNS -0546009."First, the Nation needs a better-defined approach to the disclosure of vulnerabilities. The issue is complex because exposing vulnerabilities both helps speed the development of solutions and also creates opportunities for would be attackers."

show abstract

Security Patch Management: Share the Burden or Share the Damage?

Cited by 124 publications

References 15 publications

The Influence of Software Process Maturity and Customer Error Reporting on Software Release and Pricing

The Influence of Software Process Maturity and Customer Error Reporting on Software Release and Pricing

Optimizing Network Patching Policy Decisions

Optimal Policy for Software Vulnerability Disclosure

Contact Info

Product

Resources

About