To Disclose or Not? An Analysis of Software User Behavior

Nizovtsev, Dmitri; Thursby, Marie C.

doi:10.2139/ssrn.899863

Download This Paper

Open PDF in Browser

Add Paper to My Library

To Disclose or Not? An Analysis of Software User Behavior

32 Pages Posted: 2 May 2006

See all articles by Dmitri Nizovtsev

Dmitri Nizovtsev

Washburn University - School of Business

Marie C. Thursby

Georgia Institute of Technology - Strategic Management Area; National Bureau of Economic Research (NBER)

Date Written: April 30, 2006

Abstract

This paper addresses the ongoing debate over disclosing information about software vulnerabilities through an open public forum. Using a game-theoretic approach, we show that full public disclosure may be an equilibrium strategy in a game played by rational loss-minimizing agents. We provide conditions under which full public disclosure of vulnerabilities is desirable from a social welfare standpoint. We analyze the effect of several vendor and product characteristics and the composition of the pool of software users on the decisions to disclose and on social welfare. We also examine models in which users may spend effort to develop a fix or threaten vendors to disclose after a grace period. We show that to the extent that users are able to develop fixes for discovered vulnerabilities without inordinate effort, welfare is further improved. This is more likely the more familiar users are with the details of software providing an argument for "open source" software.

Keywords: economics of information security, software vulnerabilities, vulnerability disclosure, patching

JEL Classification: A12, C72, D81, L15

Suggested Citation: Suggested Citation

Nizovtsev, Dmitri and Thursby, Marie C., To Disclose or Not? An Analysis of Software User Behavior (April 30, 2006). Available at SSRN: https://ssrn.com/abstract=899863 or http://dx.doi.org/10.2139/ssrn.899863