The Economic Incentive to Improve Software Security

Researchers: Rahul Telang, Ashish Arora


A key component of understanding the economic incentives for software vendors to invest in developing more secure software products is the users' willingness to pay for more security. A key hurdle to greater security is that there is little quantifiable evidence on how more secure software would fare in the marketplace. The proposed research is the first step toward developing an empirically grounded framework for analyzing this problem.

The problem is compounded by the fact that the observed number of disclosed vulnerabilities, a potential measure of software quality, is significantly affected by the installed base. In short, we may expect to see significant network externalities. Thus, a large number of disclosed vulnerabilities need not be due to poor quality; it may equally be due to the firm's large installed base.

This research has two components. The first will model such usage externalities and empirically estimate their impact on vendors' incentives to invest in secure software. The second builds the demand function for a software product based on its quality attributes, installed base, and observed vulnerabilities, and estimates the quality premium.

Task 1: A model for Usage Externalities in Software (Yubao Yang, Arora, Telang)

The key elements of the model are the vendors (who can invest in the security of their software), the users (whose computer networks and information assets are at risk when vulnerabilities are exploited), and of course the attackers who find and exploit vulnerabilities. Attackers have more incentive to find and attack products with a larger installed base. As more vulnerabilities are reported, users' willingness to pay for the product falls, which clearly affects the vendor's willingness to spend on security.

Supervised by Professors Arora and Telang, PhD candidate Yubao Yang will first analyze a theoretical model of a monopoly market and then of a duopoly market to understand how usage externalities affect a vendor's willingness to invest in quality. This model will formally examine the tradeoff inherent in any such decision, along with the associated incentives. For instance, a higher market share generates more revenue but imposes higher usage externalities as well. Once the theoretical model is analyzed, an empirical model will be tested, using data on reported vulnerabilities (collected from public sources) and on installed base (available to us from a research firm), to understand whether such externalities play any role in vendors' decision making. The results will provide greater insight into vendors' incentives to invest in quality while untangling the effect of usage externalities.

Task 2: Estimating the Users' Willingness to Pay for Quality (Anand Nandkumar, Arora, Telang)

This project will estimate how an increase in the number of disclosed vulnerabilities affects the market share of a product. Supervised by Professors Arora and Telang, PhD candidate Anand Nandkumar will take the vulnerability data disclosed in sources such as ICAT, CERT and Bugtraq (collected in part through Task 1) and link it to individual product information. He will further link each individual product to a detailed database of software installations. This database (the Hart/Hankes database) provides data on software installations in over 10,000 establishments throughout the economy over time, along with additional detail on the establishments, such as size, industry, and the hardware in use at each establishment.

Once the data have been assembled, the research involves statistical analysis relating the number of vulnerabilities disclosed to the demand for the product (and hence its market share), after controlling for other factors such as the size and industry of the user.