Competition and patching of security vulnerabilities: An empirical analysis

We empirically estimate the effect of competition on vendor patching of software defects by exploiting variation in the number of vendors that share a common flaw or common vulnerabilities. We distinguish between two effects: the direct competition effect, when vendors in the same market share a vulnerability, and the indirect effect, which operates through non-rivals that operate in different markets but nonetheless share the same vulnerability. Using time to patch as our measure of quality, we find empirical support for both direct and indirect effects of competition. Our results show that ex-post product quality in software markets is conditioned not only by rivals that operate in the same product market, but also by non-rivals that share the same common flaw.
