Presentation is loading. Please wait.

Presentation is loading. Please wait.

Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions Terrence August *Joint work with Tunay I. Tunca.

Published byAntonia O’Neal’ Modified over 9 years ago

Similar presentations

Presentation on theme: "Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions Terrence August *Joint work with Tunay I. Tunca."— Presentation transcript:

1 Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions Terrence August *Joint work with Tunay I. Tunca

2 Motivation Internet Server Software Market

3 Motivation Code Red and the Problem  Code Red / Code Red II  Worm that attacks web servers running IIS  Installs back door and propagates 100 times over per infection  Distributed Denial of Service (DDoS) attack on www1.whitehouse.gov  Patch issued by Microsoft on June 18, 2001  Code Red worm strikes on July 19, 2001  $2.75 Billion in damages

4 WormDate Vulnerability Notice Estimated Cost ($) Code Red7.19.20011 month2.75 Billion Slammer1.25.20036 months1.5 Billion Blaster8.11.20031 month750 Million Sasser5.1.20042 weeks14.8 Billion Zotob8.13.20054 days$98K/company (on average) Motivation

5 US-CERT Coordination Center

6 Motivation Microsoft (Windows Genuine Advantage) Apr-04 May-04 Late May-04 Jul-04Sept-04 Feb-05 May-05 Mike Nash (VP, Security Business and Technology Unit) and Barry Goffe (Product Mgr) on record: pirates can obtain security patches Microsoft issues statement saying that only paid customers will have access to Service Pack 2 for XP Microsoft loosens restrictions, only checking for two counterfeit keys for SP2 update Trial stage Windows Genuine Advantage followed by pilot phase for 20 countries. Microsoft claims that for WGA, security patches will be exempt. Permit Pirates SP2 Restrict Pirates SP2 Permit Pirates SP2 Restrict Pirates WGA Permit Pirates WGA

7 Motivation

8 Two Options  Make security patches available to all users  Network is more secure  Sasser worm: $14.8B  Slammer worm: $1.5B  Network effects  Restrict security patches only to legitimate users  Network is less secure  Curb piracy

9 Motivation Piracy in the Software Industry  Business Software Alliance (BSA) and International Data Corporation (IDC)  Piracy rates  35% in 2004  Exceeds 75% in 24 countries  Economic Losses (globally)  $59B spent on packaged software  $90B+ installed

10 Motivation Research Questions  Under high network security risk, should a software vendor make security patches readily available to all users?  Why might a vendor such as Microsoft allow pirates to patch security vulnerabilities?  Can piracy lead to less secure software products?  Are the arguments made by the security community that software vendors should “do the right thing” valid?

11 Literature Review Economics of Info. Security and Piracy Information Security Interdependent Security e.g., Kunreuther et al. (2002), Kunreuther and Heal (2003, 2005), Varian (2004), August and Tunca (2006) Quantification of Losses e.g., Moore and Shannon (2002), Cavusoglu (2004) Worm Spread Dynamics e.g., Weaver et al (2003) Piracy e.g., Peitz and Waelbroeck (2003)

12 Model Key Observations  Software patching is costly  Losses from security breaches are positively correlated with valuations  Piracy tendencies vary across users

13 Model Timeline t = 0t = 1t = 3t = 2 Vendor sets price and policy Consumers make usage decisions Vendor releases security patches / Consumers make patching decisions Worm attack realizes on network

14 Model Consumer Model  Consumer valuation space:  Consumer heterogeneity in regard to piracy:  Consumer action space:

15  Effective cost of patching:  Loss from attack:  Expected cost of piracy: Model Costs and Losses

16 Consumer Market Structure Consumer’s Problem   

17 Consumer Market Structure Equilibrium Characteristics  There is always a group of consumers who use but do not patch  There is always a population of users whose valuations are higher than the price but end up not purchasing the software  Users impose negative externalities on:  Other users  The software vendor

18  Pricing to deter piracy:  Two regions – August and Tunca (2006) Consumer Market Structure Pricing and Piracy Region 2: High price Region 1: Low price

19 Consumer Market Structure Threshold Characterization

20 Consumer Market Structure Pricing and Piracy  Two policies which the firm can enforce:  Permissive policy:  “Let” the pirates patch  Restrictive policy:  Do “not let” the pirates patch

21 Consumer Market Structure Let the Pirates Patch:  Unpatched population:

22 Consumer Market Structure Let the Pirates Patch:  Four possible equilibrium market structures Increasing security risk

23 Consumer Market Structure Don’t Let the Pirates Patch:  Unpatched population:

24 Consumer Market Structure Don’t Let the Pirates Patch:  Six possible equilibrium market structures Increasing security risk

25 Vendor Profit Maximization Profit Functions and the Vendor’s Problem:

26  When to restrict security patches?  When to let pirates patch? Results Optimal Policy Decision for the Vendor

27 Results Proposition 1: When to be restrictive  When the effective security risk is high, a software vendor can strictly increase his profit by restricting pirates from receiving security patches.  Common perception  Reduce the risk on the network  A more secure product benefits all users

28 Results Don’t let them patch when… LetDo not Let

29 Results Proposition 2: When to be permissive  When the patching cost is not too high and the effective security risk is below a threshold value, a software vendor should permit pirates with access to security patches.  Contrast  Strong incentives to patch  Vendor wants to price high  Not willing to provide incentives for conversion  Increased usage due to reduction in negative network effects

30 Results Let them patch when… Let Do not Let

31 Results Proposition 3  When the potential for piracy in a market is high, a software vendor should enforce a restrictive policy.  Candidates: Vietnam, Ukraine, China, …  Small size of low piracy tendency (Type L) population  When the potential for piracy in a market is high, a software vendor prefers a less secure product to a more secure product.

32 Lack of Incentives for Secure Software Results

33 Proposition 4  When the effective security risk is high and the patching cost is affordable to some users, the vendor’s optimal profit can decrease in the level of piracy enforcement. High Security Risk Low Piracy Enforcement Low High Results Increasing

34 Results

35 Proposition 4  When the effective security risk is high and the patching cost is affordable to some users, the vendor’s optimal profit can decrease in the level of piracy enforcement. High Security Risk Low Piracy Enforcement Low High Results Increasing Decreasing

36 Results

37

38

39

40

41 Proposition 5  When the patching cost and the effective security risk is low, social welfare can increase under a restrictive policy. Security patch restrictions can be welfare superior to a permissive approach

42 Let the Pirates Patch? Results

43 Concluding Remarks Summary  Model of network software security with piracy  Role of incentives in setting security patch restriction policies  Explain patch restrictions under high security risk  Microsoft’s permissive policy  Security risk can be strategically used by vendors as a tool to convert pirates into legitimate users  Security patch restrictions do not necessarily reduce welfare

Download ppt "Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions Terrence August *Joint work with Tunay I. Tunca."

Similar presentations

A Local Mean Field Analysis of Security Investments in Networks Marc Lelarge (INRIA-ENS) Jean Bolot (SPRINT) NetEcon 2008.

A Local Mean Field Analysis of Security Investments in Networks Marc Lelarge (INRIA-ENS) Jean Bolot (SPRINT) NetEcon 2008.
Network Security: an Economic Perspective Marc Lelarge (INRIA-ENS) currently visiting STANFORD TRUST seminar, Berkeley 2011.

Network Security: an Economic Perspective Marc Lelarge (INRIA-ENS) currently visiting STANFORD TRUST seminar, Berkeley 2011.
Risk Models and Controlled Mitigation of IT Security R. Ann Miura-Ko Stanford University February 27, 2009.

Risk Models and Controlled Mitigation of IT Security R. Ann Miura-Ko Stanford University February 27, 2009.
IPv6 Deployment CANTO Nate Davis, Chief Operating Officer 13 August 2014.

IPv6 Deployment CANTO Nate Davis, Chief Operating Officer 13 August 2014.
What is Digital Piracy? Digital piracy is a form of online piracy and includes the unauthorized online distribution of electronic copies of copyrighted.

What is Digital Piracy? Digital piracy is a form of online piracy and includes the unauthorized online distribution of electronic copies of copyrighted.
Software Piracy. The Impact of Software Piracy By: Andy Ajello.

Software Piracy. The Impact of Software Piracy By: Andy Ajello.
7 Effective Habits when using the Internet Philip O’Kane 1.

7 Effective Habits when using the Internet Philip O’Kane 1.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
Chapter 6 Entrepreneurship and Business Planning.

Chapter 6 Entrepreneurship and Business Planning.
Software Diversity for Information Security Gaurav Kataria Carnegie Mellon University.

Software Diversity for Information Security Gaurav Kataria Carnegie Mellon University.
Software Asset Management The New Competitive Advantage.

Software Asset Management The New Competitive Advantage.
DO AMERICANS CONSUME TOO LITTLE NATURAL GAS?An Empirical Test of Marginal Cost Pricing. By Lucas W. Davis and Erich Muehlegger. Key words :Efficient pricing,

DO AMERICANS CONSUME TOO LITTLE NATURAL GAS?An Empirical Test of Marginal Cost Pricing. By Lucas W. Davis and Erich Muehlegger. Key words :Efficient pricing,
The Gov't Should Filter P2P Music Movies Software.

The Gov't Should Filter P2P Music Movies Software.
Adware, Shareware, and Consumer Privacy by Nataly Gantman, Tel Aviv University Yossi Spiegel, Tel Aviv University NET institute conference April 1, 2005.

Adware, Shareware, and Consumer Privacy by Nataly Gantman, Tel Aviv University Yossi Spiegel, Tel Aviv University NET institute conference April 1, 2005.
1 IS371 WEEK 8 Last and Final Assignment Application Development Alternatives to Application Development Instructor Online Evaluations.

1 IS371 WEEK 8 Last and Final Assignment Application Development Alternatives to Application Development Instructor Online Evaluations.
Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S09761197.

Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Cloud Implications on Software Network Structure and Security Risks Terrence August Rady School of Management, UC San Diego Joint with Marius Florin Niculescu.

Cloud Implications on Software Network Structure and Security Risks Terrence August Rady School of Management, UC San Diego Joint with Marius Florin Niculescu.
Economics of Malware: Epidemic Risk Model, Network Externalities and Incentives. Marc Lelarge (INRIA-ENS) WEIS, University College London, June 2009.

Economics of Malware: Epidemic Risk Model, Network Externalities and Incentives. Marc Lelarge (INRIA-ENS) WEIS, University College London, June 2009.
Module 6: Patches and Security Updates 1. Overview Installing Patches and Security Updates Recent patches and security updates for IIS Recent patches.

Module 6: Patches and Security Updates 1. Overview Installing Patches and Security Updates Recent patches and security updates for IIS Recent patches.

Similar presentations

Ads by Google