Patch Release Behaviors of Software Vendors in Response to Vulnerabilities: An Empirical Analysis

Software vulnerabilities have become a serious concern because unpatched software runs the risk of being exploited by hackers. There is a need for software vendors to make software patches available in a timely manner for vulnerabilities in their products. We develop a survival analysis model of software vendors' patch release behavior and test it using a data set compiled from the National Vulnerability Database, United States Computer Emergency Readiness Team, and vendor Web sites. This model helps to understand how factors specific to vulnerabilities, patches, software vendors, and software affect the patch release behavior of software vendors based on their cost structure. This study also analyzes the impact of the presence of multiple vendors and type of vendor on the patch release behavior of software vendors. Our results indicate that vulnerabilities with high confidentiality impact or high integrity impact are patched faster than vulnerabilities with high availability impact. Interesting differences in the patch release behavior of software vendors based on software type (new release versus update) and type of vendor (open source versus proprietary) are found. Our results illustrate that when there are legislative pressures, vendors react faster in patching vulnerabilities. Thus, appropriate regulations can be an important policy tool to influence vendor behavior toward socially desirable security outcomes.
