Network Software Security and User Incentives

Published Online: https://doi.org/10.1287/mnsc.1060.0568
