Market Segmentation and Software Security: Pricing Patching Rights

References

• Adams WJ, Yellen JL (1976) Commodity bundling and the burden of monopoly. Quart. J. Econom. 90(3):475–498.Crossref, Google Scholar
• Arora A, Telang R, Xu H (2008) Optimal policy for software vulnerability disclosure. Management Sci. 54(4):642–656.Link, Google Scholar
• August T, Tunca TI (2006) Network software security and user incentives. Management Sci. 52(11):1703–1720.Link, Google Scholar
• August T, Tunca TI (2011) Who should be responsible for software security? A comparative analysis of liability policies in network environments. Management Sci. 57(5):934–959.Link, Google Scholar
• August T, August R, Shin H (2014) Designing user incentives for cybersecurity. Comm. ACM 57(11):43–46.Crossref, Google Scholar
• August T, Dao D, Shin H (2015) Optimal timing of sequential distribution: The impact of congestion externalities and day-and-date strategies. Marketing Sci. 34(5):755–774.Link, Google Scholar
• August T, Niculescu MF, Shin H (2014) Cloud implications on software network structure and security risks. Inform. Systems Res. 25(3):489–510.Link, Google Scholar
• Bakos Y, Brynjolfsson E (1999) Bundling information goods: Pricing, profits, and efficiency. Management Sci. 45(12):1613–1630.Link, Google Scholar
• Beattie S, Arnold S, Cowan C, Wagle P, Wright C, Shostack A (2002) Timing the application of security patches for optimal uptime. Proc. 16th USENIX Conf. System Admin. (USENIX Association, Berkeley, CA), 233–242.Google Scholar
• Beres Y, Griffin J (2009) Optimizing network patching policy decisions. Technical Report HPL-2009-153, Hewlett-Packard Laboratories, Palo Alto, CA.Google Scholar
• Berr J (2017) “Wannacry” ransomware attack losses could reach $4 billion. CBS News (May 16), https://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/.Google Scholar
• Bhargava HK (2013) Mixed bundling of two independently valued goods. Management Sci. 59(9):2170–2185.Link, Google Scholar
• Bhargava HK, Choudhary V (2001) Information goods and vertical differentiation. J. Management Inform. Systems 18(2):89–106.Crossref, Google Scholar
• Bhargava HK, Choudhary V (2008) Research note: When is versioning optimal for information goods? Management Sci. 54(5):1029–1035.Link, Google Scholar
• Bloor B (2003) The patch problem: It’s costing your business real dollars. Accessed November 7, 2018, http://www.netsense.info/downloads/PatchProblemReport_BaroudiBloor.pdf.Google Scholar
• Brito DL, Sheshinski E, Intriligator MD (1991) Externalities and compulsory vaccinations. J. Public Econom. 45(1):69–90.Crossref, Google Scholar
• Canadian Cyber Incident Response Centre (2014) Top 4 strategies to mitigate targeted cyber intrusions. Accessed November 7, 2018, http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/tp-strtgs-eng.aspx.Google Scholar
• Cavusoglu H, Cavusoglu H, Raghunathan S (2007) Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Trans. Software Engrg. 33(3):171–185.Crossref, Google Scholar
• Cavusoglu H, Cavusoglu H, Zhang J (2008) Security patch management: Share the burden or share the damage? Management Sci. 54(4):657–670.Link, Google Scholar
• Chen F (2001) Market segmentation, advanced demand information, and supply chain performance. Manufacturing Service Oper. Management 3(1):53–67.Link, Google Scholar
• Choi JP, Fershtman C, Gandal N (2010) Network security: Vulnerabilities and disclosure policy. J. Indust. Econom. 58(4):868–894.Crossref, Google Scholar
• Cormen TH, Leiserson CE, Rivest RL, Stein C (2009) Introduction to Algorithms, 3rd ed. (MIT Press, Cambridge, MA).Google Scholar
• Debo LG, Toktay LB, Wassenhove LNV (2005) Market segmentation and product technology selection for remanufacturable products. Management Sci. 51(8):1193–1205.Link, Google Scholar
• Desai PS (2001) Quality segmentation in spatial markets: When does cannibalization affect product line design? Marketing Sci. 20(3):265–283.Link, Google Scholar
• Dey D, Lahiri A, Zhang G (2015) Optimal policies for security patch management. J. Comput. 27(3):462–477.Abstract, Google Scholar
• Eckalbar JC (2010) Closed-form solutions to bundling problems. J. Econom. Management Strategy 19(2):513–544.Crossref, Google Scholar
• Fitzgerald D (2015) Level 3 tries to waylay hackers. Wall Street Journal (May 29), https://www.wsj.com/articles/level-3-tries-to-waylay-hackers-1432891803.Google Scholar
• Forbath T, Kalaher P, O’Grady T (2005) The total cost of security patch management. White paper, Wipro Technologies, Ltd., Bangalore, India.Google Scholar
• Gabszewicz JJ, Shaked A, Sutton J, Thisse J-F (1986) Segmenting the market: The monopolist’s optimal product mix. J. Econom. Theory 39(2):273–289.Crossref, Google Scholar
• Greenberg A (2015) Hackers remotely kill a Jeep on the highway—With me in it. Wired (July 21), https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/.Google Scholar
• Greenberg A (2017) The Wannacry ransomware hackers made some real amateur mistakes. Wired (May 15), https://www.wired.com/2017/05/wannacry-ransomware-hackers-made-real-amateur-mistakes/.Google Scholar
• Gupta A, Zhdanov D (2012) Growth and sustainability of managed security services networks: An economic perspective. MIS Quart. 36(4):1109–1130.Crossref, Google Scholar
• Hick M (2012) Apple acknowledges Flashback malware with update. Huffington Post UK (November 6), https://www.huffingtonpost.co.uk/2012/04/11/apple-acknowledges-flashback-malware_n_1417037.html.Google Scholar
• Higgins S (2017) Ethereum client update issue costs cryptocurrency exchange $14 million. Accessed November 7, 2018, https://www.coindesk.com/ethereum-client-exchange-14-million/.Google Scholar
• HP Security Research (2015). HP cyber risk report 2015. Accessed March 1, 2016, http://www8.hp.com/us/en/software-solutions/cyber-risk-report-security-vulnerability/.Google Scholar
• Ingram M (2015) Mobile botnets are costing advertisers $1 billion in ad fraud, study shows. Fortune (July 23), http://fortune.com/2015/07/23/mobile-ad-fraud/.Google Scholar
• Johnson JP, Myatt DP (2003) Multiproduct quality competition: Fighting brands and product line pruning. Amer. Econom. Rev. 93(3):748–774.Crossref, Google Scholar
• Kannan K, Rahman MS, Tawarmalani M (2016) Economic and policy implications of restricted patch distribution. Management Sci. 62(11):3161–3182.Link, Google Scholar
• Krill P (2015) Oracle to end publicly available security fixes for Java 7 this month. InfoWorld (April 15), https://www.infoworld.com/article/2909685/application-development/oracle-cutting-publicly-available-security-fixes-for-java-7-this-month.html.Google Scholar
• Laffont J-J, Tirole J (1988) The dynamics of incentive contracts. Econometrica 56(5):1153–1175.Crossref, Google Scholar
• Lahiri A (2012) Revisiting the incentive to tolerate illegal distribution of software products. Decision Support Systems 53(2):357–367.Crossref, Google Scholar
• Levchenko K, Pitsillidis A, Chachra N, Enright B, Félegyházi M, Grier C, Halvorson T, et al.. (2011) Click trajectories: End-to-end analysis of the spam value chain. Proc. 2011 IEEE Symp. Security Privacy (IEEE Computer Society, Washington, DC), 431–446.Crossref, Google Scholar
• Li L, McKelvey RD, Page T (1987) Optimal research for Cournot oligopolists. J. Econom. Theory 42(1):140–166.Crossref, Google Scholar
• Lohr S, Alderman L (2017) The fallout from a global cyberattack: ‘A battle we‘re fighting every day’. New York Times (May 15), https://www.nytimes.com/2017/05/15/world/asia/china-cyberattack-hack-ransomware.html.Google Scholar
• MacLeod WB, Malcomson JM (1993) Investments, holdup, and the form of market contracts. Amer. Econom. Rev. 83(4):811–837.Google Scholar
• Maskin E, Riley J (1984) Monopoly with incomplete information. RAND J. Econom. 15(2):171–196.Crossref, Google Scholar
• McAfee RP, McMillan J, Whinston MD (1989) Multiproduct monopoly, commodity bundling, and correlation of values. Quart. J. Econom. 104(2):371–383.Crossref, Google Scholar
• Microsoft (2017a) New ransomware, old techniques: Petya adds worm capabilities. Microsoft Malware Protection Blog (June 27), https://blogs.technet.microsoft.com/mmpc/2017/06/27/newransomware-old-techniques-petya-adds-worm-capabilities/.Google Scholar
• Microsoft (2017b) Wannacrypt ransomware worm targets out-of-date systems. Microsoft Malware Protection Blog (May 12), https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/.Google Scholar
• Miller PD (2006) Applied Asymptotic Analysis, Graduate Studies in Mathematics, vol. 75 (American Mathematical Society, Providence, RI).Crossref, Google Scholar
• Moorthy KS (1984) Market segmentation, self-selection, and product line design. Marketing Sci. 3(4):288–307.Link, Google Scholar
• Moorthy KS, Png I (1992) Market segmentation, cannibalization, and the timing of product introductions. Management Sci. 38(3):345–359.Link, Google Scholar
• Muller HM (2000) Asymptotic efficiency in dynamic principal-agent problems. J. Econom. Theory 91(2):292–301.Crossref, Google Scholar
• Mussa M, Rosen S (1978) Monopoly and product quality. J. Econom. Theory 18(2):301–317.Crossref, Google Scholar
• Netessine S, Taylor TA (2007) Product line design and production technology. Marketing Sci. 26(1):101–117.Link, Google Scholar
• OPSWAT (2014) Antivirus and operating system report. Accessed March 1, 2016, https://www.opswat.com/resources/reports/antivirus-october-2014.Google Scholar
• Pei PP-E, Simchi-Levi D, Tunca TI (2011) Sourcing flexibility, spot trading, and procurement contract structure. Oper. Res. 59(3):578–601.Link, Google Scholar
• Pesendorfer W, Swinkels JM (2000) Efficiency and information aggregation in auctions. Amer. Econom. Rev. 90(3):499–525.Crossref, Google Scholar
• Png IP, Wang Q (2009) Information security: Facilitating user precautions vis-à-vis enforcement against attackers. J. Management Inform. Systems 26(2):97–121.Crossref, Google Scholar
• Prasad A, Venkatesh R, Mahajan V (2010) Optimal bundling of technological products with network externality. Management Sci. 56(12):2224–2236.Link, Google Scholar
• Ransbotham S, Mitra S, Ramsey J (2012) Are markets for vulnerabilities effective? MIS Quart. 36(1):43–64.Crossref, Google Scholar
• Sarkar D, LeBlanc B (2018) Announcing Windows 10 insider preview build 17134 for fast. Windows Blog (April 16), https://blogs.windows.com/windowsexperience/2018/04/16/announcing-windows-10-insider-preview-build-17134-for-fast/.Google Scholar
• Schmalensee R (1984) Gaussian demand and commodity bundling. J. Bus. 57(1):S211–S230.Crossref, Google Scholar
• Stremersch S, Tellis GJ (2002) Strategic bundling of products and prices: A new synthesis for marketing. J. Marketing 66(1):55–72.Crossref, Google Scholar
• Thomson I (2017) Notpetya ransomware attack cost us $300m shipping giant Maersk. The Register (August 16), https://www.theregister.co.uk/2017/08/16/notpetya_ransomware_attack_cost_us_300m_says_shipping_giant_maersk/.Google Scholar
• Tunca TI, Zenios SA (2006) Supply auctions and relational contracts for procurement. Manufacturing Service Oper. Management 8(1):43–67.Link, Google Scholar
• US-CERT (2015) Top 30 targeted high risk vulnerabilities. US-CERT Alert (TA15–119A). Accessed November 7, 2018, https://www.us-cert.gov/ncas/alerts/TA15-119A.Google Scholar
• Venkatesh R, Kamakura WA (2003) Optimal bundling and pricing under a monopoly: Contrasting complements and substitutes from independently valued products. J. Bus. 76(2):211–231.Crossref, Google Scholar
• Villas-Boas JM (2004) Communication strategies and product line design. Marketing Sci. 23(3):304–316.Link, Google Scholar
• Villas-Boas JM (2009) Product variety and endogenous pricing with evaluation costs. Management Sci. 55(8):1338–1346.Link, Google Scholar
• Westervelt R (2014) Microsoft fixes faulty windows security patch that was causing blue screen of death for some. Accessed November 7, 2018, http://www.crn.com/news/security/300073858/microsoft-fixes-faulty-windows-security-patch-that-was-causing-blue-screen-of-death-for-some.htm.Google Scholar