Patching
Mechanisms
Consumer valuations are distributed along a line from 0 to 1, with two thresholds: below Vb nobody buys, between Vb and Vp consumers buy but do not patch, above Vp consumers buy and patch
With mandatory patching the true cost of the software becomes p + Cp, and the buy-but-don't-patch (B,NP) population is obliterated: their utility from buying turns negative, so they stop buying. Sales drop, profits drop.
With a patching rebate, the higher the rebate, the further left Vp moves (more customers patch). This increases the security of the user population, and increases the price the vendor can charge and its profits
If a tax is used, the price the vendor can charge goes down while the effective price (p + Cp) for the consumer goes up. Demand drops, prices drop, and so the vendor is less profitable.
The price p, as a function of the model parameters, decreases in the security risk and in the patching cost Cp
Vendor profit: Pi = p(1 - Vb), where Vb can be derived in terms of p
Timeline: the vendor sets the price; consumers decide whether to buy; if a patch is available, consumers decide whether to patch; unpatched users incur losses if struck by a worm
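Added worked example (my own code, not from the mind map or from the 2006 paper it summarises): a stylised version of the linear-valuation model described above, with the status quo, mandatory patching, a rebate and a tax side by side. The loss function is an assumption: an unpatched user with valuation v expects to lose pi * v * u, where u is the unpatched mass (the network effect) and pi < 1 is the security-risk parameter; valuations are uniform on [0, 1], and the parameter values in compare() are constructed, not the paper's.

```python
"""Stylised patching model (added example; assumptions are mine).
Consumer options:  no buy -> 0,  buy and patch -> v - p - Cp,
                   buy and do not patch -> v - p - pi * v * u."""


def thresholds(p, cp, pi, rebate=0.0, tax=0.0):
    """Equilibrium (Vb, Vp, u): lowest valuation that buys, lowest valuation that
    patches, and the unpatched mass u = Vp - Vb, solved as a fixed point by
    bisection. A rebate lowers a patcher's cost to Cp - rebate; a tax is paid by
    every unpatched user."""
    net_cp = cp - rebate - tax          # cost of patching relative to staying unpatched
    if p + tax >= 1.0:                  # nobody is willing to buy
        return 1.0, 1.0, 0.0
    if net_cp <= 0.0:                   # patching is (weakly) free: every buyer patches
        vb = p + cp - rebate
        return vb, vb, 0.0

    def excess(u):
        # Indifference conditions for a candidate unpatched mass u.
        vb = (p + tax) / (1.0 - pi * u)            # 0 = v - p - tax - pi*v*u
        vp = net_cp / (pi * u) if u > 0 else 2.0   # Cp - rebate = tax + pi*v*u
        vp = min(max(vp, vb), 1.0)                 # patch threshold lives in [vb, 1]
        return (vp - vb) - u                       # implied unpatched mass minus candidate

    lo, hi = 0.0, 1.0                              # excess(0+) > 0 >= excess(1): unique root
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if excess(mid) > 0.0:
            lo = mid
        else:
            hi = mid
    u = (lo + hi) / 2.0
    vb = (p + tax) / (1.0 - pi * u)
    vp = min(max(net_cp / (pi * u), vb), 1.0)
    return vb, vp, u


def vendor_profit(p, cp, pi, rebate=0.0, tax=0.0, mandatory=False):
    """Profit = p * (mass of buyers) - rebates paid out. Under mandatory patching
    every buyer pays p + Cp, so the buy-no-patch segment disappears."""
    if mandatory:
        return p * max(0.0, 1.0 - (p + cp))
    vb, vp, _u = thresholds(p, cp, pi, rebate, tax)
    return p * (1.0 - vb) - rebate * (1.0 - vp)


def optimal_price(cp, pi, rebate=0.0, tax=0.0, mandatory=False, step=0.001):
    """The vendor moves first: grid-search the profit-maximising price."""
    prices = [k * step for k in range(1, int(round(1.0 / step)))]
    best = max(prices, key=lambda p: vendor_profit(p, cp, pi, rebate, tax, mandatory))
    return best, vendor_profit(best, cp, pi, rebate, tax, mandatory)


def compare(cp=0.2, pi=0.5, rebate=0.1, tax=0.05):
    """Price, profit and unpatched mass under each mechanism (constructed parameters)."""
    cases = {"status quo": {}, "mandatory": {"mandatory": True},
             "rebate": {"rebate": rebate}, "tax": {"tax": tax}}
    out = {}
    for name, kw in cases.items():
        p, profit = optimal_price(cp, pi, **kw)
        if kw.get("mandatory"):
            u = 0.0
        else:
            u = thresholds(p, cp, pi, kw.get("rebate", 0.0), kw.get("tax", 0.0))[2]
        out[name] = {"price": round(p, 3), "profit": round(profit, 4), "unpatched": round(u, 3)}
    return out


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:10s} {row}")
```

Running compare() reproduces the qualitative story of the map with these constructed numbers: mandatory patching drives the unpatched mass to zero but costs the vendor profit relative to the status quo, a rebate shrinks the unpatched mass at a given price, and a tax raises the buy threshold Vb (demand falls) at a given price. Whether the rebate also raises the vendor's optimal price and profit depends on the loss function, so treat that part as the paper's result, not something this toy model proves.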
Free-riding
Findings
Social optimum
Best shot (maximum effort) and total effort: only the agent with the highest benefit-cost ratio exerts any effort; the others free-ride.
In the weakest-link case, system reliability is determined by the agent with the lowest benefit-cost ratio
In the total-effort case, system reliability is determined by the agent with the highest benefit-cost ratio
Social payoff: P(F(x1, x2)) - c1 x1 - c2 x2
Payoff to agent i: P(F(x1, x2)) - c_i x_i; each agent chooses x_i where marginal benefit equals marginal cost (MB = MC)
Group effort types
Maximum effort (best shot): F(x1, x2) = max(x1, x2)
Minimum effort (weakest link): F(x1, x2) = min(x1, x2)
Sum of effort (total effort): F(x1, x2) = x1 + x2
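Added worked example (my own code, not Varian's or the map's): Nash equilibrium versus social optimum for the three effort technologies, computed by brute-force best responses so that the free-riding result can be seen numerically. Assumptions: two agents with costs c1 = 0.2 and c2 = 0.5 (constructed), each agent's benefit from a working system normalised to 1 so that the benefit-cost ratio is 1/c_i, the reliability curve P(F) = 1 - exp(-F), and a planner who counts both agents' benefit, 2 P(F) - c1 x1 - c2 x2 (the map writes the social payoff with a single P term; counting both agents is my assumption).

```python
import math

# Assumed reliability curve: probability the system works given aggregate effort F.
def P(F):
    return 1.0 - math.exp(-F)


AGGREGATE = {
    "total_effort": lambda x1, x2: x1 + x2,        # sum of effort
    "weakest_link": lambda x1, x2: min(x1, x2),    # minimum effort
    "best_shot":    lambda x1, x2: max(x1, x2),    # maximum effort
}


def payoff(kind, i, x, c):
    """Agent i's payoff: benefit (normalised to 1) times reliability minus own cost."""
    return P(AGGREGATE[kind](x[0], x[1])) - c[i] * x[i]


def best_response(kind, i, x, c, grid):
    """Agent i's payoff-maximising effort given the other agent's effort (grid search;
    the lowest effort wins ties, so wasted effort is never chosen)."""
    best_v, best_x = -math.inf, 0.0
    for xi in grid:
        trial = list(x)
        trial[i] = xi
        v = payoff(kind, i, trial, c)
        if v > best_v + 1e-12:
            best_v, best_x = v, xi
    return best_x


def nash_equilibrium(kind, c, start=(0.0, 0.0), step=0.001, xmax=5.0):
    """Iterate best responses from `start` until neither agent wants to move.
    Returns the equilibrium efforts and the resulting reliability."""
    grid = [k * step for k in range(int(round(xmax / step)) + 1)]
    x = list(start)
    for _ in range(100):
        x1 = best_response(kind, 0, x, c, grid)
        x2 = best_response(kind, 1, [x1, x[1]], c, grid)
        if [x1, x2] == x:
            break
        x = [x1, x2]
    return tuple(x), P(AGGREGATE[kind](*x))


def social_optimum(kind, c, step=0.01, xmax=4.0):
    """Planner maximises 2*P(F) - c1 x1 - c2 x2 over an (x1, x2) grid."""
    grid = [k * step for k in range(int(round(xmax / step)) + 1)]
    best_v, best_x = -math.inf, (0.0, 0.0)
    for x1 in grid:
        for x2 in grid:
            v = 2.0 * P(AGGREGATE[kind](x1, x2)) - c[0] * x1 - c[1] * x2
            if v > best_v + 1e-12:
                best_v, best_x = v, (x1, x2)
    return best_x, P(AGGREGATE[kind](*best_x))


if __name__ == "__main__":
    c = (0.2, 0.5)   # constructed costs: agent 1 has the higher benefit-cost ratio
    for kind in AGGREGATE:
        start = (5.0, 5.0) if kind == "weakest_link" else (0.0, 0.0)
        print(kind, "nash:", nash_equilibrium(kind, c, start=start),
              "planner:", social_optimum(kind, c))
    print("weakest link from zero effort:", nash_equilibrium("weakest_link", c))
```

With these numbers the cheap agent does all the work under total effort and best shot (x2 = 0, reliability 0.8) while the planner would push reliability to 0.9; under weakest link both agents stop at the level the expensive agent prefers (reliability 0.5 against the planner's 0.65), and starting from zero effort the weakest-link game stays stuck at zero, which is the coordination problem that makes that case the worst of the three.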
Background
Mounting avoidable losses, due to patches not being applied
Problems with not patching: risk to oneself and risk to others (an externality). This in turn affects purchase decisions.
Cavusoglu et al. 2008
Research Question
Should vendors share the cost of patching, or share the liability of not patching?
Methodology
Time-based: every Tv the vendor releases a patch; every Tf the firm updates.
There is a cost to the firm if a breach happens before the patch is released, and a higher cost if the breach happens after the patch has been released.
Cost includes: patching cost + damage in the pre-release period + damage in the post-release period
Objective: minimize total cost, both for a social planner and in the decentralized case
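Added worked example (my own code, not the paper's): a stylised time-based patching model in the spirit of the setup summarised above, to show why the firm's update cycle Tf should line up with the vendor's release cycle Tv and how the planner's joint choice differs from the firm's. All modelling choices are assumptions: one vulnerability appears per day, so a release fixes Tv of them, each having waited half a cycle; damage accrues at rate A per vulnerability per day before release and at the higher rate B after release until the firm applies the patch; each firm update costs K and each vendor release costs KV; all periods divide the horizon so that counts are exact. The numbers (K=100, KV=500, A=1, B=10, a 360-day horizon) are constructed.

```python
def firm_cost(Tv, Tf, K=100.0, A=1.0, B=10.0, horizon=360):
    """Firm's cost over the horizon: update costs + pre-release damage (fixed by Tv)
    + post-release damage (the exposure window the firm controls through Tf).
    Assumed model; see the lead-in."""
    cost = K * (horizon // Tf)
    for release in range(Tv, horizon + 1, Tv):
        next_update = ((release + Tf - 1) // Tf) * Tf   # first firm update at or after the release
        exposure = min(next_update, horizon) - release  # days the released patch sits unapplied
        cost += A * Tv * (Tv / 2.0)                     # Tv vulnerabilities, each waiting Tv/2 days
        cost += B * Tv * exposure                       # the same Tv vulnerabilities, now with a public patch
    return cost


def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]


def best_firm_period(Tv, horizon=360, **kw):
    """Decentralised choice: the firm takes Tv as given and picks its own Tf."""
    return min(divisors(horizon), key=lambda Tf: firm_cost(Tv, Tf, horizon=horizon, **kw))


def planner_choice(KV=500.0, horizon=360, **kw):
    """Social planner picks (Tv, Tf) jointly to minimise vendor release cost + firm cost."""
    def total(pair):
        Tv, Tf = pair
        return KV * (horizon // Tv) + firm_cost(Tv, Tf, horizon=horizon, **kw)
    pairs = [(Tv, Tf) for Tv in divisors(horizon) for Tf in divisors(horizon)]
    return min(pairs, key=total)


if __name__ == "__main__":
    for Tf in (15, 20, 30, 45, 60):
        print(f"Tv=30 Tf={Tf:3d} firm cost {firm_cost(30, Tf):9.1f}")
    print("firm's best Tf given Tv=30:", best_firm_period(30))
    print("planner's (Tv, Tf):", planner_choice())
```

With Tv = 30 the firm's cheapest schedule is Tf = 30: updating every 20 days costs more than updating every 30, because the misaligned cycle both adds update costs and leaves half the releases sitting unapplied for ten days. The planner, who also pays the vendor's release cost, lands on a slightly longer synchronised cycle (36, 36), which is the "decentralised versus social planner" comparison the paper sets up.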
August, Dao, Kim 2018
Background
Pricing patching rights means that users are auto-patched unless they pay for the right to patch themselves.
Vendors care about security because security problems create disincentives for software usage and purchase.
The 2006 paper finds that rebates improve security, but if patching costs are large, rebates are not enough to incentivize lower-valuation customers to patch
So pricing patching rights (PPR) solves this problem by letting lower-valuation customers be auto-patched
RQ
Impact of optimally priced patching rights on security, vendor profitability, and overall value to economy
Methodology
Customer segments: (no buy), (B,AP) buy and get auto-patched, (B,NP) buy and do not patch, (B,P) buy and patch
Find the indifferent customers in terms of prices and patching costs, then compare profits and the percentage of the population left unpatched with the status quo.
Related Concepts
Externalities: the gains (and losses) of a decision go elsewhere
Hayek: self-determined decisions, co-locating information and decision rights. Consumers making risk-compatible decisions means mandatory patching will not work.
Network effects: a numbers game. The more unpatched users there are, the greater the risk for everyone
Arora et al. 2008
Research Question
Yin and yang: forcing disclosure of vulnerabilities increases the risk of attacks, but also makes the vendor deliver patches more expeditiously
Findings
When the vendor internalizes even a small portion of customer losses, it is more responsive
Methodology
Stage 1: CERT chooses the protected period T; Stage 2: the vendor chooses when to release the patch, tau
Timeline: 0; x: vulnerability disclosed to CERT; T: end of the protected period; tau: when the vendor releases the patch