Cloud Implications on Software Network Structure and Security Risks

References

• Anderson R (2001) Why information security is hard—An economic perspective. Proc. 17th Annual Comput. Security Appl. Conf. (IEEE Computer Soc., Washington, DC), 358–365.Crossref, Google Scholar
• Anderson R, Moore T (2006) The economics of information security. Science 314(5799):610–613.Crossref, Google Scholar
• Arora A, Telang R, Xu H (2008) Optimal policy for software vulnerability disclosure. Management Sci. 54(4):642–656.Link, Google Scholar
• August T, Tunca TI (2006) Network software security and user incentives. Management Sci. 52(11):1703–1720.Link, Google Scholar
• August T, Tunca TI (2008) Let the pirates patch? An economic analysis of software security patch restrictions. Inform. Systems Res. 19(1):48–70.Link, Google Scholar
• August T, Tunca TI (2011) Who should be responsible for software security? A comparative analysis of liability policies in network environments. Management Sci. 57(5):934–959.Link, Google Scholar
• Bain C, Faatz DB, Fayad A, Williams D (2002) Diversity as a defense strategy in information systems. Does evidence from previous events support such an approach? Proc. IFIP TC11/WG11.5 Fourth Working Conf. Integrity, Internal Control Security Inform. Systems: Connecting Governance Tech. (Kluwer, B.V., Deventer, The Netherlands), 77–94.Crossref, Google Scholar
• Beil D, Wan Z (2009) RFQ auctions with supplier qualification screening. Oper. Res. 57(4):934–949.Link, Google Scholar
• Bhargava HK, Choudhary V (2001) Information goods and vertical differentiation. J. Management Inform. Systems 18(2):89–106.Crossref, Google Scholar
• Bhargava HK, Choudhary V (2008) Research note: When is versioning optimal for information goods? Management Sci. 54(5):1029–1035.Link, Google Scholar
• Biddick M (2010) Why you need a SaaS strategy. InformationWeek (January). http://www.informationweek.com/cloud/software-as-a-service/why-you-need-a-saas-strategy/d/ d-id/1086146?Google Scholar
• Bloor B (2003) The patch problem: It’s costing your business real dollars. White paper, Baroudi Bloor, Arlington, MA. http://www.netsense.info/downloads/ PatchProblemReport_BaroudiBloor.pdf.Google Scholar
• Boulton C (2013) American airlines outage likely caused by software quality issues. Wall Street Journal (April). http://blogs.wsj.com/cio/2013/04/17/ american-airlines-outage-likely-caused-by-software-quality-issues/.Google Scholar
• Branscombe M (2012) Salesforce talks security: From passwords to animatronic ponies. ZDNet (September). http://www.zdnet.com/salesforce-talks-security-from -passwords-to-animatronic-ponies-7000004454/.Google Scholar
• Cavusoglu H, Cavusoglu H, Raghunathan S (2007) Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Trans. Software Engrg. 33(3):171–185.Crossref, Google Scholar
• Cavusoglu H, Cavusoglu H, Zhang J (2008) Security patch management: Share the burden or share the damage? Management Sci. 54(4):657–670.Link, Google Scholar
• Charney S (2012) Trustworthy computing next. White paper, Microsoft. http:// www.microsoft.com/en-us/download/confirmation.aspx?id=29084.Google Scholar
• Chellappa RK, Jia J (2011) Competition and versioning. Working paper, Emory University and Hong Kong University of Science and Technology.Google Scholar
• Chellappa RK, Mehra A (2013) Versioning 2.0: A product line and pricing model for information goods under usage constraints and with R&D costs. Working paper, Emory University and Indian School of Business.Google Scholar
• Chen P-Y, Kataria G, Krishnan R (2011) Correlated failures, diversification, and information security risk management. MIS Quart. 35(2):397–422.Crossref, Google Scholar
• Choi JP, Fershtman C, Gandal N (2010) Network security: Vulnerabilities and disclosure policy. J. Indust. Econom. 58(4):868–894.Crossref, Google Scholar
• Choudhary V (2007) Comparison of software quality under perpetual licensing and software as a service. J. Management Inform. Systems 24(2):141–165.Crossref, Google Scholar
• Chow R, Golle P, Jakobsson M, Shi E, Staddon J, Masuoka R, Molina J (2009) Controlling data in the cloud: Outsourcing computation without outsourcing control. Proc. 2009 ACM Workshop Cloud Comput. Security, CCSW'09 (ACM, New York), 85–90.Crossref, Google Scholar
• Claburn T (2009) Government embraces cloud computing, launches app store. InformationWeek (September). http://www.informationweek.com/cloud/government-embraces-cloud -computing-launches-app-store/d/d-id/1083137?Google Scholar
• Cox B, Evans D, Filipi A, Rowanhill J, Hu W, Davidson J, Knight J, Nguyen-Tuong A, Hiser J (2006) N-variant systems: A secretless framework for security through diversity. Proc. 15th Conf. USENIX Security Sympos., USENIX-SS'06, Vol. 15 (USENIX Association, Berkeley, CA).Google Scholar
• Dey D, Lahiri A, Zhang G (2012) Hacker behavior, network effects, and the security software market. J. Management Inform. Systems 29(2):77–108.Crossref, Google Scholar
• El Akkad O (2011) Microsoft wants you to rent an Office in the cloud. Globe and Mail (June). http://www.theglobeandmail.com/technology/tech-news/microsoft-wants-you-to -rent-an-office-in-the-cloud/article584830.Google Scholar
• Farber D (2007) SAP’s challenge to NetSuite, Workday and salesforce.com. ZDNet (September). http://www.zdnet.com/blog/btl/saps-challenge-to-netsuite-workday-and-salesforce-com/6327.Google Scholar
• Forrest S, Somayaji A, Ackley D (1997) Building diverse computer systems. Proc. 6th Workshop Hot Topics Operating Systems (HotOS-VI), HOTOS'97 (IEEE Computer Soc., Washington, DC), 67–72.Crossref, Google Scholar
• Gherbi A, Charpentier R, Couture M (2011) Software diversity for future systems security. CrossTalk 25(5):10–13.Google Scholar
• Gordon LA, Loeb MP (2002) The economics of information security investment. ACM Trans. Inform. Syst. Secur. 5(November):438–457.Crossref, Google Scholar
• Greenemeier L, Hoover JN (2007) How does the hacker economy work? InformationWeek (February). http://www.informationweek.com/how-does-the-hacker-economy-work/d/d-id/1051843?Google Scholar
• Grossklags J, Christin N, Chuang J (2008) Secure or insure?: A game-theoretic analysis of information security games. Proc. 17th Internat. Conf. World Wide Web, WWW'08 (ACM, New York), 209–218.Crossref, Google Scholar
• Heal G, Kunreuther H (2007) Modeling interdependent risks. Risk Anal. 27(3):621–634.Crossref, Google Scholar
• Huang K-W, Sundararajan A (2005) Pricing models for on-demand computing. Working paper, National University of Singapore and New York University. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1281329.Crossref, Google Scholar
• Hui KL, Hui W, Yue T (2013) Information security outsourcing with system interdependency and mandatory security requirement. J. Management Inform. Systems 29(3):117–156.Crossref, Google Scholar
• IBM (2008) IBM Internet security systems X-Force 2008 mid-year trend statistics. IBM Global Tech. Services. https://www-935.ibm.com/services/us/iss/xforce/ midyearreport/xforce-midyear-report-2008.pdf.Google Scholar
• Jing B (2007) Network externalities and market segmentation in a monopoly. Econom. Lett. 95(1):7–13.Crossref, Google Scholar
• Johnson JP, Myatt DP (2003) Multiproduct quality competition: Fighting brands and product line pruning. Amer. Econom. Rev. 93(3):748–774.Crossref, Google Scholar
• Johnson ME (2008) Managing Information Risk and the Economics of Security, 1st ed. (Springer, New York).Crossref, Google Scholar
• Jones R, Mendelson H (2011) Information goods vs. industrial goods: Cost structure and competition. Management Sci. 57(1):164–176.Link, Google Scholar
• Judge P (2002) Microsoft security push cost $100 m for .Net server alone. ZDNet (July). http://www.zdnet.com/microsoft-security-push-cost-100m-for-net-server-alone-3002118314/.Google Scholar
• Kannan K, Telang R (2005) Market for software vulnerabilities? Think again. Management Sci. 51(5):726–740.Link, Google Scholar
• Kannan K, Rahman MS, Tawarmalani M (2013) Economic and policy implications of restricted patch distribution. Working paper, Purdue University and University of Calgary.Google Scholar
• Kash W (2013) Software patches eat government IT’s lunch. InformationWeek (September). http://www.darkreading.com/risk-management/software-patches-eat-government-its-lunch/d/d-id/1111379.Google Scholar
• Keizer G (2004) Sasser worm impacted businesses around the world. Network Comput. (May). http://www.networkcomputing.com/careers-and-certifications/sasser-worm-impacted -businesses-around-the-world/d/d-id/1208406?Google Scholar
• Keizer G (2008) Windows users indifferent to Microsoft patch alarm, says researcher. Computerworld (December). http://www.computerworld.com/s/article/9122599/Windows _users_indifferent_to_Microsoft_patch_alarm_says_researchers.Google Scholar
• Kim BC, Chen P-Y, Mukhopadhyay T (2010) An economic analysis of the software market with a risk-sharing contract. Internat. J. Electronic Commerce 14(2):7–39.Crossref, Google Scholar
• Kim BC, Chen P-Y, Mukhopadhyay T (2011) The effect of liability and patch release on software security: The monopoly case. Production Oper. Management 20(4):603–617.Crossref, Google Scholar
• Kundra V (2011) Tight budget? Look to the “cloud.” New York Times (August). http://www.nytimes.com/2011/08/31/opinion/tight-budget-look-to-the-cloud.html?_r=0.Google Scholar
• Kunreuther H, Heal G (2003) Interdependent security. J. Risk Uncertainty 26(2–3):231–249.Crossref, Google Scholar
• Laffont J-J, Tirole J (1988) The dynamics of incentive contracts. Econometrica 56(5):1153–1175.Crossref, Google Scholar
• Lahiri A (2012) Revisiting the incentive to tolerate illegal distribution of software products. Decision Support Systems 53(2):357–367.Crossref, Google Scholar
• Lala JH, Schneider FB (2009) IT monoculture security risks and defenses. IEEE Security Privacy 7(1):12–13.Crossref, Google Scholar
• Lee CH, Geng X, Raghunathan S (2013) Contracting information security in the presence of double moral hazard. Inform. Systems Res. 24(2):295–311.Link, Google Scholar
• Lee M (2014) Microsoft closes Office 365 admin access vulnerability. ZDNet (January). http:// www.zdnet.com/microsoft-closes-office-365-admin-access-vulnerability-7000025369/.Google Scholar
• Lemos R (2003) Slammer report: More headaches. ZDNet (February). http://www.zdnet.com/ news/slammer-report-more-headaches/127449.Google Scholar
• Lemos R (2004) MSBlast epidemic far larger than believed. CNET News.com (April). http:// news.cnet.com/MSBlast-epidemic-far-larger-than-believed/2100-7349_3-5184439.html.Google Scholar
• Lewis JA, Baker S (2013) The economic impact of cybercrime and cyber espionage. Report, Center for Strategic and International Studies, Washington, DC.Google Scholar
• Li L, McKelvey RD, Page T (1987) Optimal research for Cournot oligopolists. J. Econom. Theory 42(1):140–166.Crossref, Google Scholar
• Liran N (2013) Severe Office 365 token disclosure vulnerability—Research and analysis. Adallom. https://www.adallom.com/blog/severe-office-365-token-disclosure-vulnerability-research-and-analysis/.Google Scholar
• Ma D, Seidmann A (2014) Analyzing software-as-a-service with per-transaction charges. Working paper, Singapore Management University and University of Rochester.Google Scholar
• MacLeod WB, Malcomson JM (1993) Investments, holdup, and the form of market contracts. Amer. Econom. Rev. 83(4):811–837.Google Scholar
• Markoff J (2009) Defying experts, rogue computer code still lurks. New York Times (August). http://www.nytimes.com/2009/08/27/technology/27compute.html.Google Scholar
• McBride S (2005) Zero day attack imminent. Computerworld (February). http://www.computerworld.com.au/article/1535/zero_day_attack_imminent/.Google Scholar
• Mell P, Grance T (2011) The NIST definition of cloud computing. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, U.S. Department of Commerce. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.Google Scholar
• Messmer E (2013) Identity-theft vulnerability fixed in Microsoft Office 365, says security firm. NetworkWorld (December). http://www.networkworld.com/article/2172555/network-security/identity-theft-vulnerability-fixed-in-microsoft-office-365–says-security-firm.html.Google Scholar
• Microsoft (2013) Security in Office 365. White paper, http://www.microsoft.com/en-us/download/details.aspx?id=26552.Google Scholar
• Moore D, Shannon C, Brown J (2002) Code-Red: A case study on the spread and victims of an Internet worm. Proc. Second ACM SIGCOMM Internet Measurement Workshop, Marseille, France, 273–284.Crossref, Google Scholar
• Muller HM (2000) Asymptotic efficiency in dynamic principal-agent problems. J. Econom. Theory 91(2):292–301.Crossref, Google Scholar
• Neti S, Somayaji A, Locasto ME (2012) Software diversity: Security, entropy and game theory. Proc. 7th USENIX Conf. Hot Topics Security, HotSec'12 (USENIX Association, Bellevue, WA), 5.Google Scholar
• Niculescu MF, Wu DJ (2014) Economics of free under perpetual licensing: Implications for the software industry. Inform. Systems Res. 25(1):173–199.Link, Google Scholar
• Nochenson A, Grossklags J, Heimann CFL (2014) How loss profiles reveal behavioral biases in interdependent security decisions. Internat. J. Internet Tech. Secured Trans. Forthcoming.Crossref, Google Scholar
• O’Neill S (2011) Survey: Value of the cloud, telecommuting overstated. CIO (September). http://www.cio.com/article/2404707/cloud-computing/survey–value-of-the-cloud –telecommuting-overstated.html.Google Scholar
• Pesendorfer W, Swinkels JM (2000) Efficiency and information aggregation in auctions. Amer. Econom. Rev. 90(3):499–525.Crossref, Google Scholar
• Png IPL, Wang Q-H (2009) Information security: Facilitating user precautions vis-à-vis enforcement against attackers. J. Management Inform. Systems 26(2):97–121.Crossref, Google Scholar
• Ransbotham S, Mitra S, Ramsey J (2012) Are markets for vulnerabilities effective? MIS Quart. 36(1):43–64.Crossref, Google Scholar
• Robertson J (2014) Heartbleed fixes taking longer as websites plug gaps. Bloomberg.com (April). http://www.bloomberg.com/news/2014-04-14/heartbleed-fixes-taking-longer-as-websites -plug-gaps.html.Google Scholar
• Roy D (2011) Data on sale. CIO.in 6(10):60–61.Google Scholar
• Schneider FB, Birman KP (2009) The monoculture risk put into context. IEEE Security Privacy 7(1):14–17.Crossref, Google Scholar
• Vereshchagina G, Hopenhayn HA (2009) Risk taking by entrepreneurs. Amer. Econom. Rev. 99(5):1808–1830.Crossref, Google Scholar
• Villeneuve N (2011) Trends in targeted attacks. White paper. Trend Micro (October). http:// www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/ wp_trends-in-targeted-attacks.pdf.Google Scholar
• Weatherwax E, Knight J, Nguyen-Tuong A (2009) A model of secretless security in N-variant systems. Proc. 39th Annual IEEE/IFIP Internat. Conf. Dependable Systems Networks, DSN'09 (IEEE Computer Soc., Washington, DC).Google Scholar
• Wei X, Nault BR (2011) Vertically differentiated information goods: Monopoly power through versioning. Working paper, Fudan University and University of Calgary.Google Scholar
• Wei X, Nault BR (2014) Monopoly versioning of information goods when consumers have group tastes. Production Oper. Management. 23(6):1067–1081.Crossref, Google Scholar
• Xu J, Kalbarczyk Z, Iyer RK (2003) Transparent runtime randomization for security. Proc. 22nd Sympos. Reliable Distributed Systems (SRDS 2003), SRDS 03 (IEEE Computer Soc., Washington, DC), 260–269.Google Scholar
• Zhang JJ, Seidmann A (2010) Perpetual versus subscription licensing under quality uncertainty and network externality effects. J. Management Inform. Systems 27(1):39–68.Crossref, Google Scholar