Security Patch Management: Share the Burden or Share the Damage?

Hasan Cavusoglu
Hasan Cavusoglu
[email protected]
Sauder School of Business, University of British Columbia, Vancouver, British Columbia V6T 1Z2, Canada
Search for more papers by this author
,
Huseyin Cavusoglu
Huseyin Cavusoglu
[email protected]
School of Management, University of Texas at Dallas, Richardson, Texas 75083
Search for more papers by this author
,
Jun Zhang
Jun Zhang
[email protected]
School of Management, University of Texas at Dallas, Richardson, Texas 75083
Search for more papers by this author

Hasan Cavusoglu

[email protected]

Sauder School of Business, University of British Columbia, Vancouver, British Columbia V6T 1Z2, Canada

Search for more papers by this author

Huseyin Cavusoglu

[email protected]

School of Management, University of Texas at Dallas, Richardson, Texas 75083

Search for more papers by this author

Jun Zhang

[email protected]

School of Management, University of Texas at Dallas, Richardson, Texas 75083

Search for more papers by this author

Published Online:1 Apr 2008https://doi.org/10.1287/mnsc.1070.0794

References

Anderson R. Why information security is hard: An economic perspective. Proc. 17th Annual Comput. Security Appl. Conf. (2001) (IEEE Computer Society, Washington, D.C.) 358–365Crossref, Google Scholar
Arora A., Krishnan R., Telang R., Yang Y. An empirical analysis of vendor response to disclosure policy. Fourth Workshop Econom. Inform. Security Proc. (2005) BostonGoogle Scholar
August T., Tunca T. I. Network software security and user incentives. Management Sci. (2006) 52(11):1703–1720Link, Google Scholar
August T., Tunca T. I. Let the pirates patch? An economic analysis of network software security patch restrictions. Inform. Systems Res. (2008) . ForthcomingLink, Google Scholar
Beattie S., Arnold S., Cowan C., Wagle P., Wright C., Shostack A. Timing the application of security patches for optimal uptime. Proc. LISA '02: Sixteenth Systems Admin. Conf. (2002) Berkeley, CA:233–242Google Scholar
Bernstein F., Federgruen A. A general equilibrium model for industries with price and service competition. Oper. Res. (2004) 52(6):868–886Link, Google Scholar
Bloor B. The patch problem. (2003) . White paper. http://www.baroudi.comGoogle Scholar
Cachon G. P., Zipkin P. H. Competitive and cooperative inventory policies in a two-stage supply chain. Management Sci. (1999) 45(7):936–953Link, Google Scholar
Cavusoglu H., Cavusoglu H., Raghunathan S. Economics of IT security management: Four improvements to current security practices. Comm. AIS (2004a) 14:65–75Google Scholar
Cavusoglu H., Cavusoglu H., Raghunathan S. Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Trans. Software Engrg. (2007) 33(3):171–185Crossref, Google Scholar
Cavusoglu H., Mishra B., Raghunathan S. The effect of Internet security breach announcements on market value: Capital market reaction for breached firms and Internet security developers. Internat. J. Electronic Commerce (2004b) 9(4):69–105Google Scholar
CERT CERT/CC statistics 1988–2007. (2007) . http://www.cert.org/stats/Google Scholar
Dacey R. F. Effective patch management is critical to mitigating software vulnerabilities. (2003) . GAO-03-1138T. United States General Accounting Office, Washington, D.C.Google Scholar
Davidson M. A. Automatic patching—Boon or bane? Sec. Bus. Quart. (2003) 3(2):1–4Google Scholar
Donner M. Patch management—Bits, bad guys, and bucks! Sec. Bus. Quart. (2003) 3(2):1–4Google Scholar
Farber D. Should Microsoft pay for your security patch costs? TechUpdate (2003) January 30). http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2909857,00.htmlGoogle Scholar
Fisher D. Contracts getting tough on security. eWeek (2002) April 15):1–2Google Scholar
Fisher D. Third-party Microsoft patches could get new life. (2006) . SearchSecurity.com (August 1)Google Scholar
Foley J., Hulme G. V. Get ready to patch. InformationWeek (2004) August 30):18–21Google Scholar
Fontana J. Patching: Process matters. NetworkWorld (2003) 20(48):50–52Google Scholar
Fudenberg D., Tirole J.Game Theory (1991) (MIT Press, Boston) Google Scholar
Havana T. Communication in the software vulnerability reporting process. (2003) . M.A. thesis, The University of Oulu, Oulu, FinlandGoogle Scholar
Kannan K., Telang R. Market for vulnerabilities? Think again. Management Sci. (2004) 51(5):726–740Link, Google Scholar
Kim B. C., Chen P., Mukhopadhyay T. An economic analysis of software market with risk sharing contract. Fourth Workshop Econom. Inform. Security Proc. (2005) BostonGoogle Scholar
Laakso M., Takanen A., Roning J. The vulnerability process: A tiger team approach to resolving vulnerability cases. Proc. 11th FIRST Conf. Computer Security Incident Handling and Response (1999) Brisbane, AustraliaGoogle Scholar
Levi M., Nault B. Converting technology to mitigate environmental damage. Management Sci. (2004) 50(8):1015–1030Link, Google Scholar
McGhie L. Software patch management—The new frontier. Sec. Bus. Quart. (2003) 3(2):1–4Google Scholar
Microsoft Security tools. (2005) . Microsoft TechNet. http://www.microsoft.com/technet/securityGoogle Scholar
Naraine R. Security patch deluge: A double-edged sword. eWeek (2005) July 14). http://www.eweek.com/c/a/Security/Security-Patch-Deluge-A-DoubleEdged-Sword/Google Scholar
NetSupport Solutions Beating hackers to the patch. (2003) . http://www.secinf.netGoogle Scholar
Nizovtsev D., Thursby M. Economic analysis of incentives to disclose software vulnerabilities. Fourth Workshop Econom. Inform. Security Proc. (2005) BostonGoogle Scholar
Ozment A. Bug auctions: Vulnerability markets reconsidered. Third Workshop Econom. Inform. Security Proc. (2004) MinneapolisGoogle Scholar
Pruitt S. Software users hit a rough patch. PC World (2003) November 10). http://www.pcworld.com/article/id,113296-page,1/article.htmlGoogle Scholar
Rescorla E. Is finding security holes a good idea? Third Workshop Econom. Inform. Security Proc. (2004) MinneapolisGoogle Scholar
Schechter S. How to buy better testing: Using competition to get the most security and robustness for your dollar. Proc. Infrastructure Security Conf. (2002) Bristol, UK:78–87Crossref, Google Scholar
Schneier B. Information security: How liable should vendors be? ComputerWorld (2004) October 28). http://www.computerworld.com/securitytopics/security/story/0,,96948,00.html?SKC=security-96948Google Scholar
Schneier B. Quickest patch ever. Wired (2006) September 7). http://www.wired.com/politics/security/commentary/securitymatters/2006/09/71738Google Scholar
Shipley G. Painless (well, almost) patch management procedures. Network Comput. (2004) April 1). http://www.networkcomputing.com/showitem.jhtml?docid=1506f1Google Scholar
Shostack A. Quantifying patch management. Sec. Bus. Quart. (2003) 3(2):1–4Google Scholar
Travis L. Patch management is about process, not just technology. AMR Res. (2003) December 2). http://www.amrresearch.com/Content/View.asp?pmillid=16832Google Scholar
Ulfelder S. Practical patch management. NetworkWorld Fusion (2002) October 21). http://www.networkworld.com/supp/security2/patch.htmlGoogle Scholar
Zhang F. Competition, cooperation and information sharing in a two-echelon assembly system. Manufacturing Service Oper. Management (2006) 8(3):273–291Link, Google Scholar

Volume 54, Issue 4

April 2008

Pages iv-862

Article Information

Supplemental Material

Metrics

Information

Received:January 10, 2005
Published Online:April 01, 2008

Cite as

Hasan Cavusoglu, Huseyin Cavusoglu, Jun Zhang, (2008) Security Patch Management: Share the Burden or Share the Damage?. Management Science 54(4):657-670.

https://doi.org/10.1287/mnsc.1070.0794

Keywords

PDF download

Available Issues

Available Issues

Available Issues

Available Issues

Available Issues

Available Issues

Available Issues

Available Issues

Available Issues

Security Patch Management: Share the Burden or Share the Damage?

References

Volume 54, Issue 4

Article Information

Supplemental Material

Metrics

Information

Cite as

Keywords

Sign Up for INFORMS Publications Updates and News