
Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions


Presentation Transcript


  1. Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions Terrence August *Joint work with Tunay I. Tunca

  2. Motivation Internet Server Software Market

  3. Motivation: Code Red and the Problem
     • Code Red / Code Red II
       • Worm that attacks web servers running IIS
       • Installs a back door and propagates 100 times over per infection
       • Distributed Denial of Service (DDoS) attack on www1.whitehouse.gov
     • Patch issued by Microsoft on June 18, 2001
     • Code Red worm strikes on July 19, 2001
     • $2.75 Billion in damages

  4. Motivation

  5. Motivation US-CERT Coordination Center

  6. Motivation: Microsoft (Windows Genuine Advantage)
     • Microsoft claims that for WGA, security patches will be exempt.
     • Microsoft issues a statement saying that only paid customers will have access to Service Pack 2 for XP.
     • Trial stage of Windows Genuine Advantage, followed by a pilot phase for 20 countries.
     • Microsoft loosens restrictions, only checking for two counterfeit keys for the SP2 update.
     • Mike Nash (VP, Security Business and Technology Unit) and Barry Goffe (Product Mgr) on record: pirates can obtain security patches.
     Policy sequence: Permit Pirates SP2 → Restrict Pirates SP2 → Permit Pirates SP2 → Restrict Pirates WGA → Permit Pirates WGA
     Timeline: Apr-04, May-04, Late May-04, Jul-04, Sept-04, Feb-05, May-05

  7. Motivation

  8. Motivation: Two Options
     • Make security patches available to all users
       • Network is more secure
         • Sasser worm: $14.8B
         • Slammer worm: $1.5B
       • Network effects
     • Restrict security patches only to legitimate users
       • Network is less secure
       • Curb piracy

  9. Motivation: Piracy in the Software Industry
     • Business Software Alliance (BSA) and International Data Corporation (IDC)
     • Piracy rates
       • 35% in 2004
       • Exceeds 75% in 24 countries
     • Economic losses (globally)
       • $59B spent on packaged software
       • $90B+ installed

  10. Motivation: Research Questions
     • Under high network security risk, should a software vendor make security patches readily available to all users?
     • Why might a vendor such as Microsoft allow pirates to patch security vulnerabilities?
     • Can piracy lead to less secure software products?
     • Are the arguments made by the security community that software vendors should “do the right thing” valid?

  11. Literature Review: Economics of Info. Security and Piracy
     • Piracy, e.g., Peitz and Waelbroeck (2003)
     • Information Security
       • Interdependent Security, e.g., Kunreuther et al. (2002), Kunreuther and Heal (2003, 2005), Varian (2004), August and Tunca (2006)
       • Quantification of Losses, e.g., Moore and Shannon (2002), Cavusoglu (2004)
       • Worm Spread Dynamics, e.g., Weaver et al. (2003)

  12. Model: Key Observations
     • Software patching is costly
     • Losses from security breaches are positively correlated with valuations
     • Piracy tendencies vary across users

  13. Model: Timeline
     • t = 0: Vendor sets price and policy
     • t = 1: Consumers make usage decisions
     • t = 2: Vendor releases security patches / Consumers make patching decisions
     • t = 3: Worm attack realizes on network

  14. Model: Consumer Model
     • Consumer valuation space:
     • Consumer heterogeneity in regard to piracy:
     • Consumer action space:

  15. Model: Costs and Losses
     • Effective cost of patching:
     • Loss from attack:
     • Expected cost of piracy:

  16. Consumer Market Structure: Consumer’s Problem

  17. Consumer Market Structure: Equilibrium Characteristics
     • There is always a group of consumers who use but do not patch
     • There is always a population of users whose valuations are higher than the price but who end up not purchasing the software
     • Users impose negative externalities on:
       • Other users
       • The software vendor

  18. Consumer Market Structure: Pricing and Piracy
     • Pricing to deter piracy:
       • Two regions – August and Tunca (2006)
       • Region 1: Low price
       • Region 2: High price

  19. Consumer Market Structure: Threshold Characterization

  20. Consumer Market Structure: Pricing and Piracy
     • Two policies which the firm can enforce:
       • Permissive policy: “Let” the pirates patch
       • Restrictive policy: Do “not let” the pirates patch

  21. Consumer Market Structure: Let the Pirates Patch
     • Unpatched population:

  22. Consumer Market Structure: Let the Pirates Patch
     • Four possible equilibrium market structures (figure, ordered by increasing security risk)

  23. Consumer Market Structure: Don’t Let the Pirates Patch
     • Unpatched population:

  24. Consumer Market Structure: Don’t Let the Pirates Patch
     • Six possible equilibrium market structures (figure, ordered by increasing security risk)

  25. Vendor Profit Maximization: Profit Functions and the Vendor’s Problem

  26. Results: Optimal Policy Decision for the Vendor
     • When to restrict security patches?
     • When to let pirates patch?

  27. Results: Proposition 1: When to be restrictive
     • When the effective security risk is high, a software vendor can strictly increase his profit by restricting pirates from receiving security patches.
     • Common perception
       • Reduce the risk on the network
       • A more secure product benefits all users

  28. Results: Don’t let them patch when… (figure with “Let” and “Do not Let” regions)

  29. Results: Proposition 2: When to be permissive
     • When the patching cost is not too high and the effective security risk is below a threshold value, a software vendor should permit pirates access to security patches.
     • Contrast
       • Strong incentives to patch
       • Vendor wants to price high
       • Not willing to provide incentives for conversion
       • Increased usage due to reduction in negative network effects

  30. Results: Let them patch when… (figure with “Do not Let” and “Let” regions)

  31. Results: Proposition 3
     • When the potential for piracy in a market is high, a software vendor should enforce a restrictive policy.
       • Candidates: Vietnam, Ukraine, China, …
       • Small size of the low piracy tendency (Type L) population
     • When the potential for piracy in a market is high, a software vendor prefers a less secure product to a more secure product.

  32. Results: Lack of Incentives for Secure Software

  33. Results: Proposition 4
     • When the effective security risk is high and the patching cost is affordable to some users, the vendor’s optimal profit can decrease in the level of piracy enforcement.
     Effect of increasing piracy enforcement on vendor profit (columns: Security Risk; high-risk column not yet filled in on this slide)
                Low           High
       Low      Increasing
       High     Increasing

  34. Results

  35. Results: Proposition 4
     • When the effective security risk is high and the patching cost is affordable to some users, the vendor’s optimal profit can decrease in the level of piracy enforcement.
     Effect of increasing piracy enforcement on vendor profit (columns: Security Risk)
                Low           High
       Low      Increasing    Decreasing
       High     Increasing    Increasing

  36. Results

  37. Results

  38. Results

  39. Results

  40. Results

  41. Results: Proposition 5: Security patch restrictions can be welfare superior to a permissive approach
     • When the patching cost and the effective security risk are low, social welfare can increase under a restrictive policy.

  42. Results: Let the Pirates Patch?

  43. Concluding Remarks: Summary
     • Model of network software security with piracy
     • Role of incentives in setting security patch restriction policies
       • Explains patch restrictions under high security risk
       • Explains Microsoft’s permissive policy
     • Security risk can be strategically used by vendors as a tool to convert pirates into legitimate users
     • Security patch restrictions do not necessarily reduce welfare
