Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions Terrence August *Joint work with Tunay I. Tunca

Upload: antonia-oneal, posted 13-Jan-2016

TRANSCRIPT

Page 1: Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions Terrence August *Joint work with Tunay I. Tunca

Let the Pirates Patch? An Economic Analysis of

Software Security Patch Restrictions

Terrence August

*Joint work with Tunay I. Tunca

Page 2:

Motivation

Internet Server Software Market

Page 3:

Motivation

Code Red and the Problem

Code Red / Code Red II: a worm that attacks web servers running IIS; installs a back door; propagates 100 times over per infection; launches a Distributed Denial of Service (DDoS) attack on www1.whitehouse.gov.

Patch issued by Microsoft on June 18, 2001. Code Red worm strikes on July 19, 2001. $2.75 Billion in damages.

Page 4:

Motivation

Worm       Date        Lead time after vulnerability notice   Estimated Cost ($)
Code Red   7.19.2001   1 month                                2.75 Billion
Slammer    1.25.2003   6 months                               1.5 Billion
Blaster    8.11.2003   1 month                                750 Million
Sasser     5.1.2004    2 weeks                                14.8 Billion
Zotob      8.13.2005   4 days                                 $98K per company (on average)

Page 5:

Motivation

US-CERT Coordination Center

(Figure: CERT Reported Incidents. Number of incidents in thousands, vertical axis 0 to 160, by year, horizontal axis 1988 to 2003.)

Page 6:

Motivation

Microsoft (Windows Genuine Advantage): timeline of patch-access policy

Apr-04: Mike Nash (VP, Security Business and Technology Unit) and Barry Goffe (Product Manager) on record: pirates can obtain security patches. (Permit pirates, SP2)

May-04: Microsoft issues a statement saying that only paid customers will have access to Service Pack 2 for XP. (Restrict pirates, SP2)

Late May-04: Microsoft loosens restrictions, only checking for two counterfeit keys for the SP2 update. (Permit pirates, SP2)

Jul-04 / Sept-04 / Feb-05: Trial stage of Windows Genuine Advantage, followed by a pilot phase for 20 countries. (Restrict pirates, WGA)

May-05: Microsoft claims that for WGA, security patches will be exempt. (Permit pirates, WGA)

Page 7:

Motivation

Page 8:

Motivation

Two Options

Make security patches available to all users:
• Network is more secure (Sasser worm: $14.8B; Slammer worm: $1.5B)
• Network effects

Restrict security patches to legitimate users only:
• Network is less secure
• Curbs piracy

Page 9:

Motivation

Piracy in the Software Industry

Source: Business Software Alliance (BSA) and International Data Corporation (IDC)

• Piracy rate of 35% in 2004; exceeds 75% in 24 countries
• Economic losses (globally): $59B spent on packaged software versus $90B+ installed

Page 10:

Motivation

Research Questions

Under high network security risk, should a software vendor make security patches readily available to all users?

Why might a vendor such as Microsoft allow pirates to patch security vulnerabilities?

Can piracy lead to less secure software products?

Are the arguments made by the security community that software vendors should “do the right thing” valid?

Page 11:

Literature Review

Economics of Information Security and Piracy

Information Security
• Interdependent security, e.g., Kunreuther et al. (2002), Kunreuther and Heal (2003, 2005), Varian (2004), August and Tunca (2006)
• Quantification of losses, e.g., Moore and Shannon (2002), Cavusoglu (2004)
• Worm spread dynamics, e.g., Weaver et al. (2003)

Piracy
• e.g., Peitz and Waelbroeck (2003)

Page 12:

Model

Key Observations

Software patching is costly

Losses from security breaches are positively correlated with valuations

Piracy tendencies vary across users

Page 13:

Model

Timeline

t = 0: Vendor sets price and policy
t = 1: Consumers make usage decisions
t = 2: Vendor releases security patches / consumers make patching decisions
t = 3: Worm attack realizes on the network

Page 14:

Model

Consumer Model

Consumer valuation space:

Consumer heterogeneity in regard to piracy:

Consumer action space:

Page 15:

Model

Costs and Losses

Effective cost of patching:

Loss from attack:

Expected cost of piracy:

Page 16:

Consumer Market Structure

Consumer’s Problem

Page 17:

Consumer Market Structure

Equilibrium Characteristics

• There is always a group of consumers who use but do not patch
• There is always a population of users whose valuations are higher than the price but who end up not purchasing the software
• Users impose negative externalities on other users and on the software vendor

Page 18:

Consumer Market Structure

Pricing and Piracy

Pricing to deter piracy: two regions (August and Tunca 2006)

(Figure: consumer valuation line from 0 to 1 under each pricing region.)
• Region 1: low price
• Region 2: high price

Page 19:

Consumer Market Structure

Threshold Characterization

vb

Page 20:

Consumer Market Structure

Pricing and Piracy

Two policies which the firm can enforce:

Permissive policy: “Let” the pirates patch

Restrictive policy: Do “not let” the pirates patch

Page 21:

Consumer Market Structure

Let the Pirates Patch:

Unpatched population:

Page 22:

Consumer Market Structure

Let the Pirates Patch:

Four possible equilibrium market structures

Increasing security risk

Page 23:

Consumer Market Structure

Don’t Let the Pirates Patch:

Unpatched population:

Page 24:

Consumer Market Structure

Don’t Let the Pirates Patch:

Six possible equilibrium market structures

Increasing security risk

Page 25:

Vendor Profit Maximization

Profit Functions and the Vendor’s Problem:

Page 26:

Results

Optimal Policy Decision for the Vendor

When to restrict security patches?

When to let pirates patch?

Page 27:

Results

Proposition 1 (when to be restrictive): When the effective security risk is high, a software vendor can strictly increase his profit by restricting pirates from receiving security patches.

Common perception:
• Reduce the risk on the network
• A more secure product benefits all users

Page 28:

Results

Don't let them patch when…

(Figure: parameter regions labelled "Let" and "Do not Let".)

Page 29:

Results

Proposition 2 (when to be permissive): When the patching cost is not too high and the effective security risk is below a threshold value, a software vendor should permit pirates access to security patches.

Contrast with Proposition 1:
• Strong incentives to patch
• Vendor wants to price high
• Not willing to provide incentives for conversion
• Increased usage due to reduction in negative network effects
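The mechanism behind Propositions 1 and 2 can be seen in a small computable model. The following is an added example written for this page; it is a stylized model of my own, not the August and Tunca model (the slides' utility functions are not reproduced in this transcript), and every functional form and parameter value in it is an assumption: valuations uniform on [0, 1], a Type L share lam that never pirates, an expected piracy cost kappa·v for Type H (kappa plays the role of piracy enforcement), a patching cost c, and an expected loss pi·u·v for an unpatched user, where u is the equilibrium unpatched population. The vendor earns p per legitimate copy, chooses p by grid search for each policy, and restricts only when that strictly raises profit.

```python
"""Toy equilibrium model of security-patch restrictions and piracy.

Added example for this page: a stylized model of my own, NOT the
August-Tunca model (its utility functions are not in the transcript).
Assumed functional forms:
  * valuations v ~ Uniform[0, 1]; a share lam of consumers are Type L
    (low piracy tendency: never pirate), the rest are Type H;
  * expected cost of piracy for Type H is kappa * v (kappa = enforcement);
  * patching costs c; an unpatched user expects a loss pi * u * v, where
    u is the equilibrium unpatched population (the network externality);
  * the vendor earns p per legitimate copy and picks p and a patch policy.
"""
from dataclasses import dataclass

import numpy as np

PERMIT, RESTRICT = "permit", "restrict"
# action indices: 0 stay out, 1 buy+patch, 2 buy+no patch,
#                 3 pirate+patch, 4 pirate+no patch
BUYING, UNPATCHED = (1, 2), (2, 4)


@dataclass(frozen=True)
class Params:
    pi: float        # effective security risk
    c: float         # patching cost
    kappa: float     # piracy enforcement (piracy cost per unit of valuation)
    lam: float       # share of Type L consumers
    n: int = 2000    # valuation grid points


def aggregate(p, u, policy, prm):
    """Best response of every consumer to price p and a conjectured
    unpatched population u; returns (buyer mass, unpatched mass)."""
    v = (np.arange(prm.n) + 0.5) / prm.n
    loss = prm.pi * u * v
    util = np.stack([
        np.zeros_like(v),                 # stay out
        v - p - prm.c,                    # buy, patch
        v - p - loss,                     # buy, stay unpatched
        (1 - prm.kappa) * v - prm.c,      # pirate, patch (only if permitted)
        (1 - prm.kappa) * v - loss,       # pirate, stay unpatched
    ])
    if policy == RESTRICT:
        util[3] = -np.inf                 # patch server refuses pirated copies
    util_l = util.copy()
    util_l[3:] = -np.inf                  # Type L never pirates
    buyers = unpatched = 0.0
    for weight, table in ((prm.lam, util_l), (1 - prm.lam, util)):
        act = table.argmax(axis=0)        # ties resolve towards buying
        buyers += weight * np.isin(act, BUYING).mean()
        unpatched += weight * np.isin(act, UNPATCHED).mean()
    return buyers, unpatched


def equilibrium(p, policy, prm, iters=60):
    """Rational-expectations fixed point u = unpatched(u).  The map is
    non-increasing in u (a larger unpatched population means larger
    expected losses, hence more patching and less usage), so bisection
    on unpatched(u) - u is robust to the jumps the valuation grid adds."""
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        _, u_next = aggregate(p, mid, policy, prm)
        lo, hi = (mid, hi) if u_next > mid else (lo, mid)
    u = 0.5 * (lo + hi)
    buyers, unpatched = aggregate(p, u, policy, prm)
    return {"price": p, "u": unpatched, "buyers": buyers, "profit": p * buyers}


def optimal_price(policy, prm, prices=np.linspace(0.05, 0.95, 91)):
    """Vendor's t=0 pricing problem for a fixed policy (grid search)."""
    return max((equilibrium(float(p), policy, prm) for p in prices),
               key=lambda r: r["profit"])


def choose_policy(prm):
    """Return (policy, permissive optimum, restrictive optimum).  The vendor
    restricts only when doing so strictly raises profit."""
    permit, restrict = optimal_price(PERMIT, prm), optimal_price(RESTRICT, prm)
    policy = RESTRICT if restrict["profit"] > permit["profit"] + 1e-9 else PERMIT
    return policy, permit, restrict


# Assumed parameter values: same market, high vs. low effective security risk.
HIGH_RISK = Params(pi=0.8, c=0.05, kappa=0.5, lam=0.4)
LOW_RISK = Params(pi=0.1, c=0.05, kappa=0.5, lam=0.4)

if __name__ == "__main__":
    for name, prm in (("high risk", HIGH_RISK), ("low risk", LOW_RISK)):
        policy, permit, restrict = choose_policy(prm)
        print(f"{name}: vendor chooses {policy}")
        for tag, r in (("permit", permit), ("restrict", restrict)):
            print(f"  {tag:8s} p*={r['price']:.2f} unpatched={r['u']:.3f} "
                  f"buyers={r['buyers']:.3f} profit={r['profit']:.4f}")
```

Under high risk, restriction leaves every pirate exposed to the loss pi·u·v, so the high-valuation pirates who would have patched instead buy a patched legitimate copy: the unpatched population rises (from about 0.19 to about 0.29 at p = 0.30) and profit rises with it, which is the Proposition 1 conversion effect. Under low risk the pirates who would patch already prefer to buy, the restriction never binds, and the two policies give the same profit, so the vendor has nothing to gain from restricting, in the spirit of Proposition 2.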

Page 30:

Results

Let them patch when…

(Figure: parameter regions labelled "Let" and "Do not Let".)

Page 31:

Results

Proposition 3: When the potential for piracy in a market is high, a software vendor should enforce a restrictive policy.

• Candidates: Vietnam, Ukraine, China, …
• Small size of the low piracy tendency (Type L) population

When the potential for piracy in a market is high, a software vendor prefers a less secure product to a more secure product.

Page 32:

Results

Lack of Incentives for Secure Software

Page 33:

Results

Proposition 4: When the effective security risk is high and the patching cost is affordable to some users, the vendor's optimal profit can decrease in the level of piracy enforcement.

(Figure, build slide completed on Page 35: 2x2 grid of how the vendor's profit changes with piracy enforcement, security risk (high/low) against piracy enforcement (low/high); two cells filled so far, both reading Increasing.)

Page 34:

Results

(Figure: Increasing Returns to Enforcement. Vendor's optimal profit Π*(p*) on the vertical axis, 0.12 to 0.22, against the piracy enforcement parameter labelled d_c on the horizontal axis, 0 to 0.5; regions II', II and III marked.)

Page 35:

Results

Proposition 4 (completed grid): When the effective security risk is high and the patching cost is affordable to some users, the vendor's optimal profit can decrease in the level of piracy enforcement.

(Figure: 2x2 grid of how the vendor's profit changes with piracy enforcement, security risk (high/low) against piracy enforcement (low/high). Three cells read Increasing; the remaining cell, the high-security-risk case of Proposition 4, reads Decreasing.)

Page 36:

Results

(Figures, side by side. Left: Increasing Returns to Enforcement, Π*(p*) from 0.12 to 0.22 against d_c from 0 to 0.5, regions II', II and III. Right: Decreasing Returns to Enforcement, Π*(p*) from 0.186 to 0.206 against d_c from 0 to 0.5, regions II and III.)

Page 37:

Results

(Figure: Increasing Returns to Enforcement, repeated from Page 34.)

Page 38:

Results

(Figure: Impact of Piracy Enforcement on Social Welfare. Welfare W*(p*) on the vertical axis, 0.3 to 0.4, against d_c on the horizontal axis, 0 to 0.5; regions I', I, II and III marked.)

Page 39:

Results

(Figure: Decreasing Returns to Enforcement, repeated from Page 36.)

Page 40:

Results

(Figure: Impact of Piracy Enforcement on Social Welfare. W*(p*) on the vertical axis, 0.3 to 0.36, against d_c on the horizontal axis, 0 to 0.5; regions II and III marked.)

Page 41:

Results

Proposition 5: When the patching cost and the effective security risk are both low, social welfare can be higher under a restrictive policy.

Security patch restrictions can be welfare superior to a permissive approach.

Page 42:

Let the Pirates Patch?

Results

Page 43:

Concluding Remarks

Summary
• Model of network software security with piracy
• Role of incentives in setting security patch restriction policies
• Explains patch restrictions under high security risk, and Microsoft's permissive policy
• Security risk can be strategically used by vendors as a tool to convert pirates into legitimate users
• Security patch restrictions do not necessarily reduce welfare