Documents disponibles écrits par cet auteur

Who should be responsible for software security? / Terrence August in Management science, Vol. 57 N° 5 (Mai 2011) 

Public ISBD [article]  in Management science > Vol. 57 N° 5 (Mai 2011) . - pp. 934-959 Titre : Who should be responsible for software security? : A comparative analysis of liability policies in network environments Type de document : texte imprimé Auteurs : Terrence August, Auteur ; Tunay I. Tunca, Auteur Année de publication : 2011 Article en page(s) : pp. 934-959 Note générale : Management Langues : Anglais (eng) Mots-clés : IT  policy  and  management  Economics  of  IS  Network  economics  Enabling  technologies  Software  Liability  Zero-day Index. décimale : 658 Organisation des entreprises. Techniques du commerce Résumé : In recent years, vendor liability for software security vulnerabilities has been the center of an important debate in the software community and a topic gaining government attention in legislative committees and hearings. The importance of this question surrounding vendor security liability is amplified when one considers the increasing emergence of zero-day attacks where hackers take advantage of vulnerabilities before the software vendor has a chance to release protective patches. In this paper, we compare the effectiveness of three software liability policies: vendor liability for damages, vendor liability for patching costs, and government imposed security standards. We find that vendor liability for losses is not effective in improving social welfare in the short run, while liability for patching costs can be effective if either patching costs are large and the likelihood of a zero-day attack is low, or patching costs are small and zero-day likelihood is high. In the long run, when the vendor can invest in reducing the likelihood of security vulnerabilities, loss liability is still ineffective when the zero-day attack probability is high but can increase both vendor investment in security and social welfare when zero-day attack likelihood is sufficiently low. When the zero-day attack probability is high, patch liability is ineffective if user patching costs are large, but partial patch liability can boost vendor investment and improve welfare when patching costs are small. In contrast, in an environment with low zero-day attack probability, full vendor patch liability can be optimal. Finally, comparing the effectiveness of the three liability policies under study, we find that government imposed standards on software security investment can be preferable to both patching and loss liability on the vendor, if zero-day attack likelihood is sufficiently low. However, if zero-day attacks are a common occurrence and patching costs are not too high, partial patch liability is the most effective policy. DEWEY : 658 ISSN : 0025-1909 En ligne : http://mansci.journal.informs.org/cgi/content/abstract/57/5/934 [article] Who should be responsible for software security? : A comparative analysis of liability policies in network environments [texte imprimé] / Terrence August, Auteur ; Tunay I. Tunca, Auteur . - 2011 . - pp. 934-959. Management Langues : Anglais (eng) in Management science > Vol. 57 N° 5 (Mai 2011) . - pp. 934-959 Mots-clés : IT  policy  and  management  Economics  of  IS  Network  economics  Enabling  technologies  Software  Liability  Zero-day Index. décimale : 658 Organisation des entreprises. Techniques du commerce Résumé : In recent years, vendor liability for software security vulnerabilities has been the center of an important debate in the software community and a topic gaining government attention in legislative committees and hearings. The importance of this question surrounding vendor security liability is amplified when one considers the increasing emergence of zero-day attacks where hackers take advantage of vulnerabilities before the software vendor has a chance to release protective patches. In this paper, we compare the effectiveness of three software liability policies: vendor liability for damages, vendor liability for patching costs, and government imposed security standards. We find that vendor liability for losses is not effective in improving social welfare in the short run, while liability for patching costs can be effective if either patching costs are large and the likelihood of a zero-day attack is low, or patching costs are small and zero-day likelihood is high. In the long run, when the vendor can invest in reducing the likelihood of security vulnerabilities, loss liability is still ineffective when the zero-day attack probability is high but can increase both vendor investment in security and social welfare when zero-day attack likelihood is sufficiently low. When the zero-day attack probability is high, patch liability is ineffective if user patching costs are large, but partial patch liability can boost vendor investment and improve welfare when patching costs are small. In contrast, in an environment with low zero-day attack probability, full vendor patch liability can be optimal. Finally, comparing the effectiveness of the three liability policies under study, we find that government imposed standards on software security investment can be preferable to both patching and loss liability on the vendor, if zero-day attack likelihood is sufficiently low. However, if zero-day attacks are a common occurrence and patching costs are not too high, partial patch liability is the most effective policy. DEWEY : 658 ISSN : 0025-1909 En ligne : http://mansci.journal.informs.org/cgi/content/abstract/57/5/934