Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions
Terrence August
* Joint work with Tunay I. Tunca

Motivation: Internet Server Software Market
[Figure: Internet server software market]

Motivation: Code Red and the Problem
• Code Red / Code Red II
• Worm that attacks web servers running IIS
• Installs a back door and propagates 100 times over per infection
• Distributed Denial of Service (DDoS) attack on www1.whitehouse.gov
• Patch issued by Microsoft on June 18, 2001
• Code Red worm strikes on July 19, 2001
• $2.75 Billion in damages

Motivation: Worm Outbreaks and Their Cost

Worm      Date       Vulnerability Notice   Estimated Cost ($)
Code Red  7.19.2001  1 month                2.75 Billion
Slammer   1.25.2003  6 months               1.5 Billion
Blaster   8.11.2003  1 month                750 Million
Sasser    5.1.2004   2 weeks                14.8 Billion
Zotob     8.13.2005  4 days                 $98K/company (on average)

Motivation: US-CERT Coordination Center
[Chart: CERT Reported Incidents, Number of Incidents (Thousands) by Year, 1988 to 2003]

Motivation: Microsoft (Windows Genuine Advantage)
Timeline, Apr-04 to May-05; Microsoft's stance alternates between "Permit Pirates" and "Restrict Pirates":
• Apr-04: Mike Nash (VP, Security Business and Technology Unit) on record: pirates will obtain the SP2 update (Permit Pirates)
• May-04: Microsoft issues statement saying that only paid customers will have access to Service Pack 2 for XP (Restrict Pirates)
• Late May-04: Microsoft loosens restrictions; only 20 counterfeit keys for SP2 will be exempt (Permit Pirates)
• Jul-04 / Sept-04: Windows Genuine Advantage (WGA) trial stage, followed by a pilot phase checking keys for two countries
• Feb-05 / May-05: Barry Goffe (Product Mgr) claims that WGA … for security patches

Motivation: Two Options
• Make security patches available to all users
  – Network is more secure (Sasser worm: $14.8B; Slammer worm: $1.5B)
  – Network effects
• Restrict security patches only to legitimate users
  – Network is less secure
  – Curb piracy

Motivation: Piracy in the Software Industry
Business Software Alliance (BSA) and International Data Corporation (IDC):
• Piracy rates: 35% in 2004; exceeds 75% in 24 countries
• Economic losses (globally): $59B spent on packaged software; $90B+ installed

Motivation: Research Questions
• Under high network security risk, should a software vendor make security patches readily available to all users?
• Why might a vendor such as Microsoft allow pirates to patch security vulnerabilities?
• Can piracy lead to less secure software products?
• Are the arguments made by the security community that software vendors should "do the right thing" valid?

Literature Review: Economics of Info. Security and Piracy
Information Security
• Interdependent Security, e.g., Kunreuther et al. (2002), Kunreuther and Heal (2003, 2005), Varian (2004), August and Tunca (2006)
• Quantification of Losses, e.g., Moore and Shannon (2002), Cavusoglu (2004)
• Worm Spread Dynamics, e.g., Weaver et al. (2003)
Piracy
• e.g., Peitz and Waelbroeck (2003)

Model: Key Observations
• Software patching is costly
• Losses from security breaches are positively correlated with valuations
• Piracy tendencies vary across users

Model: Timeline
• t=0: Vendor sets price and policy
• t=1: Consumers make usage decisions
• t=2: Vendor releases security patches / consumers make patching decisions
• t=3: Worm attack realizes on network

Model: Consumer Model
• Consumer valuation space:
• Consumer heterogeneity in regard to piracy:
• Consumer action space:

Model: Costs and Losses
• Effective cost of patching:
• Loss from attack:
• Expected cost of piracy:

Consumer Market Structure: Consumer's Problem

Consumer Market Structure: Equilibrium Characteristics
• There is always a group of consumers who use but do not patch
• There is always a population of users whose valuations are higher than the price but who end up not purchasing the software
• Users impose negative externalities on: other users; the software vendor

Consumer Market Structure: Pricing and Piracy
Pricing to deter piracy: two regions (August and Tunca 2006)
• Region 1: low price
• Region 2: high price

Consumer Market Structure: Threshold Characterization

Consumer Market Structure: Pricing and Piracy
Two policies which the firm can enforce:
• Permissive policy: "let" the pirates patch
• Restrictive policy: do "not let" the pirates patch

Consumer Market Structure: Let the Pirates Patch
• Unpatched population:
• Four possible equilibrium market structures (ordered by increasing security risk)

Consumer Market Structure: Don't Let the Pirates Patch
• Unpatched population:
• Six possible equilibrium market structures (ordered by increasing security risk)

Vendor Profit Maximization
Profit functions and the vendor's problem:

Results: Optimal Policy Decision for the Vendor
• When to restrict security patches?
• When to let pirates patch?

Results: Proposition 1 (When to be restrictive)
When the effective security risk is high, a software vendor can strictly increase his profit by restricting pirates from receiving security patches.
Common perception:
• Reduce the risk on the network
• A more secure product benefits all users

Results: Don't let them patch when…
[Figure: regions labelled "Let" and "Do not Let"]

Results: Proposition 2 (When to be permissive)
When the patching cost is not too high and the effective security risk is below a threshold value, a software vendor should permit pirates access to security patches.
Contrast:
• Strong incentives to patch
• Vendor wants to price high
• Not willing to provide incentives for conversion
• Increased usage due to reduction in negative network effects

Results: Let them patch when…
[Figure: regions labelled "Do not Let" and "Let"]

Results: Proposition 3
When the potential for piracy in a market is high, a software vendor should enforce a restrictive policy.
• Candidates: Vietnam, Ukraine, China, …
• Small population with low piracy tendency (Type L)
When the potential for piracy in a market is high, a software vendor prefers a less secure product to a more secure product.

Results: Lack of Incentives for Secure Software

Results: Proposition 4
When the effective security risk is high and the patching cost is affordable to some users, the vendor's optimal profit can decrease in the level of piracy enforcement.

Vendor's optimal profit as piracy enforcement increases:

Piracy Enforcement   Security Risk: Low   Security Risk: High
Low                  Increasing           Decreasing
High                 Increasing           Increasing

Results: Increasing Returns to Enforcement
[Figure: vendor's optimal profit (y-axis) against patching cost c_d (x-axis, 0 to 0.5); regions I, I', II, III]

Results: Impact of Piracy Enforcement on Social Welfare
[Figure: social welfare W*(p*) (y-axis) against patching cost c_d (x-axis, 0 to 0.5); regions I, I', II, III]

Results: Decreasing Returns to Enforcement
[Figure: vendor's optimal profit (y-axis) against patching cost c_d (x-axis, 0 to 0.5); regions II, III]

Results: Impact of Piracy Enforcement on Social Welfare
[Figure: social welfare W*(p*) (y-axis) against patching cost c_d (x-axis, 0 to 0.5); regions II, III]

Results: Proposition 5
Security patch restrictions can be welfare superior to a permissive approach.
When the patching cost and the effective security risk are low, social welfare can increase under a restrictive policy.

Let the Pirates Patch? Concluding Remarks
Summary
• Model of network software security with piracy
• Role of incentives in setting security patch restriction policies
• Explains patch restrictions under high security risk
• Microsoft's permissive policy
• Security risk can be strategically used by vendors as a tool to convert pirates into legitimate users
• Security patch restrictions do not necessarily reduce welfare