Network Software Security and User Incentives

Terrence August and Tunay I. Tunca
Graduate School of Business, Stanford University
Management Science, 2006, 52 (11), pp. 1703-1720

Abstract

We study the effect of user incentives on software security in a network of individual users under costly patching and negative network security externalities. For proprietary software or freeware, we compare four alternative policies to manage network security: (i) Consumer self patching (where no external incentives are provided for patching or purchasing); (ii) Mandatory patching; (iii) Patching rebate; and (iv) Usage tax. We show that for proprietary software, when the software security risk and the patching costs are high, for both a welfare maximizing social planner and a profit maximizing vendor, a patching rebate dominates the other policies. However, when the patching cost or the security risk is low, self patching is best. We also show that when a rebate is effective, the profit maximizing rebate is decreasing in the security risk and increasing in patching costs. The welfare maximizing rebates are also increasing in patching costs but can be increasing in the effective security risk when patching costs are high. For freeware, a usage tax is the most effective policy except when both patching costs and security risk are low, in which case, a patching rebate prevails. Optimal patching rebates and taxes tend to increase with increased security risk and patching costs but can decrease in the security risk for high risk levels. Our results suggest that both the value generated from software and vendor profits can be significantly improved by mechanisms that target user incentives to maintain software security.

Graduate School of Business, Stanford University, Stanford, CA 94305-5015. e-mails: taugust@stanford.edu, tunca tunay@stanford.edu.
We thank Barrie Nault (the department editor), the associate editor and anonymous referees as well as Mike Harrison, Sunil Kumar, Howard Kunreuther, Haim Mendelson, Jim Patell, Hal Varian, Larry Wein, Jin Whang, Muhamet Yildiz and seminar participants at Harvard University, New York University and Stanford University for helpful discussions. Financial support from the Center of Electronic Business and Commerce at the Graduate School of Business, Stanford University is gratefully acknowledged.
1 Introduction

With approximately 800 million worldwide users, the Internet as a network of interconnected computers is unprecedented in its size, reach and content (InternetWorldStats 2004). One of the most important issues that arises in such a broad communications environment, in which all systems share not only the benefits of the ability to communicate with a vast number of other users but also the vulnerabilities that come with it, is information security. As recent years have shown, increased Internet usage has brought about increased security attacks, with the number of reported security incidents reaching 140,000 in 2003, a nearly sixty-fold increase compared to 1995 (CERT 2004). The cumulative cost of information security breaches has many different implicit and explicit components, some of which can be difficult to quantify, including the direct costs of repairing and rebuilding infected systems, lost sales, and reduced productivity due to loss of reputation (D'Amico 2000, Garg 2003, Timms et al. 2004). The cost of system security breaches is intimately tied to the nature of a firm's business, the firm's reputation, the size of the firm and the significance of the attack. These costs vary widely among users and can be substantial. The total worldwide cost of 14 major attacks between 1999 and 2004 was estimated to be about $36.5 Billion (ComputerEconomics 2004). Despite the immense losses due to security vulnerabilities, prevention is difficult in an open network environment such as the Internet, which is formed of users with a wide range of motivations and resources. This becomes especially clear when one considers that maintaining the security of a local network is a costly endeavor requiring physical and computing resources as well as the time and effort of expert system administrators. In addition, software patching imposes risks of system crashes and instability (MS-Support 2004, Schweitzer 2003).
As a result, proper patch maintenance typically involves a careful system administrator dedicating time toward testing of patch integrity and application interactions as well as final installation on a production server. Combining various dimensions of costs, per server patching costs are estimated to be hundreds of dollars (e.g., Bloor 2003, Davidson 2004 and Symantec 2004). Unfortunately, for a widely used software product such as Microsoft IIS, not all consumers have sufficient incentives to undergo these costs. Consequently, system security as a whole suffers from users not acting in an optimal way when it comes to maintaining network security (e.g., Lemos 2003, 2004, Messmer 2004b and Sullivan 2004). As an example, consider the case of the Code Red worm and its successor Code Red II that hit during the summer of 2001. Exploiting a buffer-overflow vulnerability in IIS, the worm replicated 100 times over upon each infection. Code Red II opened up back-door access on affected servers, providing people with malicious intent full privileges on these servers. Given this degree of compromise, the requisite corrective action often involved completely reformatting affected servers and re-installing all software to original form. The cost to compromised firms associated
with bad service to consumers, public defacement and technical labor hours was substantial. The most troubling part is that these damages could have been prevented. Microsoft released a patch for the IIS vulnerability exposed by Code Red one month prior to the attack. Poor patching behavior in the user community extended the life and spread of these twin worms and caused damages reaching $2.6 Billion (Moore et al. 2002). Code Red is no exception. Most security attacks exploit known vulnerabilities for which patches are already available. Patches were also available for the vulnerabilities exploited by major worms such as Nimda, Slammer, Blaster, and Sasser up to six months in advance of each attack. In virtually all of these cases, large losses could have been mostly avoided by proper patch maintenance by the consumers (Schweitzer 2003). As these examples demonstrate, because of network effects, the actions that each user takes in the face of a potential security threat can have important consequences on other users, and mechanisms to induce the right incentives for patching, both from the point of view of a profit maximizing vendor and a social welfare maximizing planner need to be considered. In this paper, we present a model of a market for a software product with a potential security vulnerability to compare mechanisms aimed to mitigate the security problem by utilizing user incentives. The consumers who choose to purchase or use the software face a decision whether to undergo patching costs to maintain the security of their software. If they patch their systems, they avoid the risk of being hit by worms and do not cause negative externalities on the other users. However, if they avoid patching, they not only risk being hit but also increase the risk faced by other users. The equilibrium patching decisions of the users depend on the cost of patching and the overall riskiness of the software. 
This, in turn, determines the equilibrium purchasing decisions of the consumers. We consider two different cases: (a) Proprietary software that is offered by a vendor who produces and sells copies of it for profit (e.g., Microsoft IIS); (b) Freeware, which is available to users at no charge and often distributed by open source development projects (e.g., Apache HTTP Server). For both cases, we examine four candidate policies: (i) Consumer self patching, where users make their own decisions on patching (i.e., the status quo); (ii) Mandatory patching, where users, by agreement, are required to patch when a patch is available; (iii) Patching rebate, where users are compensated by the vendor when a patch is available and they actually patch; and (iv) Usage tax, where a social planner imposes a tax on the usage of the software in order to control the negative network externalities caused by low valuation users who are not reliable patchers. For proprietary software, contractually mandating patching can substantially reduce the vendor profit and hence is not an appealing policy for a software vendor to apply. Although mandating patching can improve expected social welfare, for most cases it will reduce the welfare by inducing the vendor to price at levels that move the network away from the overall socially optimal security level. We also find that if the risk that the users are facing is small compared to the patching costs, patching rebates cannot increase the vendor's expected profit, since it will cost the vendor too much
Table 1: Policy recommendations and comparative statics for optimal rebates, prices and taxes.

Panel (a): Policy recommendations

                     | Proprietary Software (Social Welfare and Vendor Profit) | Freeware (Social Welfare)
                     | Low security risk | High security risk                  | Low security risk | High security risk
Low patching cost    | Self              | Self                                | Rebate            | Tax
High patching cost   | Self              | Rebate                              | Tax               | Tax

Panel (b): Comparative statics, proprietary software

                     | Vendor Price and Planner Determined Rebate | Vendor Price and Vendor Determined Rebate
                     | Security risk | Patching cost              | Security risk | Patching cost
Low patching cost    | −             | +                          | −             | +
High patching cost   | +             | +                          | −             | +

Panel (b): Comparative statics, freeware (Planner Determined Rebate and Tax)

                           | Security risk | Patching cost
Rebate: Med. security risk | 0             | +
Tax: Low security risk     | +             | 0
Tax: High security risk    | −             | +

Panel (a) provides recommendations to a social welfare maximizing planner and a profit maximizing vendor. Self refers to the self patching policy with no incentives, Rebate refers to the patching rebate policy and Tax refers to the usage tax policy. Panel (b) provides comparative statics on the vendor's optimal price, the optimal rebate and usage tax. All results are given for the ranges where comparative statics are applicable, i.e., where the considered policy is effective.
to induce a desired level of patching behavior. On the other hand, if the security risk is high, the vendor can increase his profits through rebates by inducing increased security and consequently increased value of his product. Similarly, by inducing efficient patching behavior, rebates can be an effective tool for a social welfare maximizing planner when the security risk and patching costs are high. However, by significantly reducing the usage, taxes are not helpful for increasing either vendor profits or social welfare even though they may increase the security of the product. We also show that the optimal patching rebate and the corresponding vendor price tend to increase in patching costs but decrease in the effective riskiness of the software. However, when the patching costs are high, the optimal planner determined rebate increases with the security risk to reduce the high network externalities that arise from poor user patching behavior. These results are summarized in Table 1. Panel (a) gives the policy recommendations, and panel (b) gives the comparative statics results for the optimal vendor price, rebates and tax. When software is freeware, we demonstrate that mandating patching reduces welfare by forcing consumers to make socially inefficient decisions. However, our conclusions about the impact of the rebates and taxes change significantly. Unlike proprietary software, patching rebates have only limited effectiveness for freeware, since they often induce users to patch in cases where doing so is socially inefficient. However, taxes can be effective since they eliminate low valuation users who do not patch and cause negative security externalities on other users. When the security risk or patching costs are low, unlike the case of proprietary software where self patching is preferable, for freeware, an intervention by a social planner through rebates and taxes increases social welfare. 
When both software riskiness and the patching costs are low, rebates are preferable, while for high patching costs or security risk, a tax policy can significantly increase social welfare and is preferred. The optimal tax and rebate tend to increase with the security risk and the patching costs except when the security risk is high, in which case further usage should be encouraged by lowering the tax. These results are again summarized in Table 1. The remainder of this paper is organized as follows. Section 2 presents the literature review. Section 3 presents the basic model and derives the equilibrium purchasing and patching behavior for a given set of parameters and price per copy of the software. Section 4 presents the vendor's price setting problem and compares different incentive mechanisms for the case of a profit maximizing vendor. Section 5 explores and compares policies for freeware. Section 6 offers our concluding remarks.

2 Literature Review

The role of incentives in software security is a relatively new research subject, but the literature in the area is growing. Anderson (2001) argues that information security is not simply a technical problem that can be solved by more sophisticated hardware, software, and strategies. Rather, the
problem with information security is due to the fact that the economic incentives are misaligned. Kunreuther et al. (2002) and Kunreuther and Heal (2002) identify a concept of security interdependence and study security investment decisions made by agents in a computer network when each agent's decision impacts the risk endured by the other agents. They examine a model where there is a single shared resource whose security is increased by user investments and proceed to characterize the equilibrium investment strategies and their dependence upon the cost structure. They conclude that in order to best induce adoption of security measures, regulation and institutional coordination mechanisms are needed. Varian (2004) considers how the reliability of a public good is affected by the effort of individuals working in teams with varying incentives and effects on system security. He finds that when system reliability is based upon total effort, it is completely determined by the agent with the highest benefit-cost ratio. On the other hand, when reliability depends on the weakest link, the agent with the lowest benefit-cost ratio contributes the effort. When maximum effort is the determinant of system reliability, however, either of these equilibria can result. Choi et al. (2005) explore a model with negative network security externalities to examine the optimal software vulnerability disclosure decision of a vendor, finding that firms may announce vulnerabilities when it is not socially optimal. Arora et al. (2005) analyze the optimal timing for disclosure of software security vulnerabilities and establish that vendors always choose to release a patch later than a socially optimal disclosure time. Jaisingh and Li (2005) examine the role of commitment in optimal social policy for disclosure of vulnerabilities when the social planner commits to a disclosure agenda, and the vendor determines the patch release time after a vulnerability is discovered.
They find that the time lag between the decisions of the social planner and the vendor is important only when the hacker can accumulate experience from vulnerabilities over time. Cavusoglu et al. (2005) explore a model to derive the optimal frequency of patching to balance the operational and damage costs associated with security vulnerabilities. They show that a firm's patch cycle is not necessarily synchronized with the vendor's patch release cycle and demonstrate that cost sharing and liability schemes may coordinate these cycles. In our model, the focus is on the role of externalities in a network environment. We explore policies to maximize the value generated by software and highlight that consumers' purchase (or usage) decisions play a fundamental role in our results, as does the vendor's profit maximization. Moore et al. (2002) find that most of the victims of the Code Red worm were home and small business users rather than large corporations, while most of the costs in terms of damages were borne by the large corporations that were hit. This demonstrates that low valuation consumers, e.g., home and small business users, do not have as much motivation as high valuation consumers, e.g., large corporations, to engage in reducing risk on the network by securing their systems. The equilibrium patching behavior and the loss structure in our model are consistent with these findings. Weaver et al. (2003) demonstrate that for a scanning worm, the spread rate is proportional to the
size of the vulnerable population. The infection model we use in our paper is consistent with this observation. Our work is also related to research in vaccination incentives and the economics of disease spread control found in the public health literature. Although recognizing the externalities imposed by unprotected agents on the population as a whole, traditionally, the literature on mathematical epidemiology (e.g., Bailey 1975 and Anderson and May 1991) does not consider the role of economic behavior and incentives of individuals in prevention and control of disease spread. Brito et al. (1991) is one of the first papers to consider individual incentives and their role with negative externalities in a biological disease spread setting. They find that mandating vaccination reduces social welfare and that tax/subsidy levers are useful for governmental welfare coordination. Francis (1997) establishes that under certain assumptions, in a dynamic model of vaccination, government intervention may not be necessary, i.e., agents may behave in a manner consistent with the social objective. Gersovitz (2003) shows, on the other hand, that when one takes into account certain factors such as recoveries and deaths, the decentralized outcome diverges from the social outcome, and the necessity of economic intervention through market forces or government is persistent. Geoffard and Philipson (1996) highlight the differences between economic models and mathematical epidemiological models and their implications. In a model of disease spread with rational agents choosing between protective and exposed activity, they find that the hazard rate of infection may be a decreasing function of disease prevalence, resulting from increased demand for protection due to rational behavior. This result is contrasted with results from the epidemiological literature where the hazard rate is typically increasing in prevalence. 
Kessing and Nuscheler (2003) study the case of a vaccine monopolist and argue the ineffectiveness of subsidies to improve social welfare. Kremer (1996) shows that the behavior of heterogeneous agents increases the effectiveness of public policy intervention in populations of high disease prevalence, stressing that the models of such epidemics must be fundamentally economic ones. Several other dynamic economic models of disease spread, examining the role of rational individuals' trade-offs between costly protection and the risk that is imposed by negative externalities of other individuals, and the social planner's welfare maximization through the use of preventive and therapeutic measures, can be found in Goldman and Lightwood (2002) and Gersovitz and Hammer (2004, 2005). Our result that mandatory patching decreases social welfare in the freeware case is parallel to the finding of Brito et al. (1991). We also look at rebate and tax mechanisms which a social planner may use to increase social welfare. However, unlike the biological disease spread literature, our case of proprietary software involves a profit maximizing vendor who sets a price for the usage of the activity. Our goal is to better understand how the negative externalities that arise due to spread of malicious code affect the vendor's profit maximization problem and subsequently how both consumer and vendor behavior together impact social welfare. Further, our results are driven
by issues that are different in nature, such as the trade-off between the surplus generated by increased usage of software and the security risks that accompany it. The true analogs of the usage decisions (for instance an agent's decision to live or die, or a vendor selling life to people) would not be reasonable issues to consider in most biological settings, much less their control by a social planner through incentives such as taxes. The literature on the economics of biological epidemiology demonstrates that in many cases agents' individual decisions result in misalignment of incentives, and therefore economic intervention by a social planner is necessary. Although the evolution of the spread of a malicious agent has a dynamic nature, static models also manage to capture this incentive misalignment (for instance, heterogeneity of preferences in the population, as we have in our model, is sufficient to expose this, as also indicated by Francis 1997). Further, there are certain differences between the time frames of most cases of biological epidemics and computer network security attacks, which make a static model more suitable in the latter case by comparison. In dynamic models of biological epidemics, the spread depends on deaths, recoveries and the structural nature of contact among the agents, and hence the vaccination/prevention decisions evolve in time with the spread of the disease. This is because the time frame for the spread of a biological disease is several days, weeks or months in most cases, if not longer. Further, individual vaccinations take a small amount of time compared to the epidemic time frame, and therefore, dynamic control of incentives with the evolution of an epidemic is possible. On the other hand, for most cases of computer network attacks, the broad spread of the infection may take minutes (e.g., Moore et al. 2003 and Shannon and Moore 2004), while patching often takes hours or sometimes even a full day or more (e.g., Nicastro 2005 and Leung 2005).
Specifically, if a user's system is unpatched when an attack breaks out on the network, it is usually too late to patch. Therefore, in the computer security context, in order to shield against a potential attack, a user usually must patch before such an attack occurs. Thus, the patching decision is not as closely related to the specific dynamics of the spread of infection in the network as the vaccination decisions are in the dynamic context of a biological epidemic. Considering these facts, and to keep the analysis simple, we employ a static model that captures the main economic trade-offs related to the spread of a computer worm in a network environment. Although our static approach is simpler compared to the dynamic models in the economics of biological epidemiology, it allows us to demonstrate the intuition behind our arguments and the effects of the incentive schemes that we analyze and compare.
[Figure 1: Model Timeline]

3 The Model and the Consumer Market Equilibrium

3.1 Model Description

There is a continuum of consumers whose valuations of a software product lie uniformly on $V = [0, 1]$. There are three periods: In the first period, given the price of the software, each consumer makes a decision whether to buy or not to buy the product. The software may have a potential security vulnerability. If there is a vulnerability, it can be exploited by hackers who write worms to cause damage to purchasing consumers' systems. In the second period, it is revealed whether the software has a vulnerability, and if there is a vulnerability, a patch is made available to the users (either by the vendor if the software is proprietary or by the developers of the freeware). At this stage, each user makes a decision whether to patch or not, considering the costs of patching versus the value risked by not patching. If a consumer chooses to patch the software, she will incur an expected cost denoted by $c_p > 0$, which we refer to as the effective patching cost. This cost accounts for the money and effort that a consumer must exert in order to verify, test, and roll out patched versions of existing systems. [1] Finally, if there is a security vulnerability, an attack may occur in the third period, and the unpatched consumers may get hit and incur losses. However, the consumers who patched in the second period are fully protected and do not incur any losses. The timeline is illustrated in Figure 1. We denote the probability of both a security vulnerability and a worm attack occurring on the network by $\pi$. If the mass of the unpatched population in the network is $u$, then the probability that the worm will successfully penetrate the network and hit an unpatched user will be $\pi u$. If a user's system is unpatched and is hit by the worm, one would expect that she suffers a loss positively correlated with her valuation.
That is, the consumers with high valuations will suffer higher losses than the consumers with lower valuations due to opportunity costs, higher criticality of data and loss of business. For simplicity, we assume that the correlation is of first order, i.e., the expected loss that a consumer with valuation $v$ suffers if she is hit by a worm is $\alpha v$, where $\alpha > 0$ is a constant. [2]

We denote the strategy set for a given consumer by $S$. We refer to the purchasing decision as either buy, $B$, or not buy, $NB$. Similarly, the patching decision is denoted by either patch, $P$, or not patch, $NP$. The consumer action space then becomes $S = \{B, NB\} \times \{P, NP\} \setminus \{(NB, P)\}$, the last exclusion stemming from $(NB, P)$ clearly being infeasible. Given the price $p \ge 0$, in a consumer market equilibrium, each consumer maximizes her expected utility taking the equilibrium strategies of all consumers as fixed. For a strategy profile $\sigma: V \to S$, the expected cost faced by the consumer with valuation $v$ is then defined by

$$C(v, \sigma) \triangleq \begin{cases} \pi u(\sigma)\alpha v & \text{if } \sigma(v) = (B, NP); \\ c_p & \text{if } \sigma(v) = (B, P), \end{cases} \qquad (1)$$

where $u(\sigma) = \int_V \mathbf{1}_{\{\sigma(y) = (B, NP)\}}\, dy$ and $\mathbf{1}_{\{\sigma(y) = (B, NP)\}}$ is 1 if $\sigma(y) = (B, NP)$ and zero otherwise. [3] The surplus gained by the consumer with valuation $v$ by employing the software will then be $v - C(v, \sigma)$, less the price she pays for the software. The consumers who buy but do not patch cause a negative externality on all users by decreasing the safety of the network and the software. Clearly, for any $v \in V$, $C(v, \sigma)$ defined by (1) is increasing in $u(\sigma)$ (i.e., the unpatched population). Furthermore, consumers who patch protect themselves from the negative externality caused by the unpatched population. To avoid trivialities and without loss of generality, we focus on the parameter space where $c_p \in (0, 1)$, $\pi \in (0, 1]$, and $\alpha \in (0, \infty)$. For convenience, we refer to the product $\pi\alpha$ as the effective security risk.

3.2 Equilibrium

We will consider the software being offered either by a vendor (Section 4), in which case the price of the software will be determined by the vendor, or as freeware (Section 5), in which case the price will be zero. In this section, we derive the consumer market equilibrium taking the price $p$ as given. That is, we concentrate on the last two (purchasing and patching) of the three stages of decision making in the model.

In equilibrium, holding all other consumers' actions fixed, i.e., given the equilibrium strategy profile $\sigma^*$, each consumer chooses the action from $S$ that maximizes her expected payoff. The following lemma gives the consumer market equilibrium.

Lemma 1. Given the parameters $\pi$, $\alpha$, $c_p$ and the consumer price $p \in [0, 1]$, there exists a unique equilibrium in the consumer market. [4] The equilibrium consumer strategy profile is characterized by $v_b, v_p \in [0, 1]$ with $v_b \le v_p$ such that, for $v \in V$,

$$\sigma^*(v) = \begin{cases} (NB, NP) & \text{if } 0 \le v < v_b; \\ (B, NP) & \text{if } v_b \le v < v_p; \\ (B, P) & \text{if } v_p \le v \le 1. \end{cases} \qquad (2)$$

Let $\bar p \triangleq (1 - c_p)\,\big(1 - c_p/(\pi\alpha)\big)^+$. Given (2), the patching behavior is characterized by two regions in the parameter space:

Region I: If $\pi\alpha \ge c_p$ and $p < \bar p$, then
(i) when $p > 0$, in equilibrium, $p < v_b < p + c_p < v_p = \dfrac{c_p v_b}{v_b - p} < 1$;
(ii) when $p = 0$, if $c_p \le \pi\alpha \le 1/c_p$, then $v_b = 0$ and $v_p = \sqrt{c_p/(\pi\alpha)}$; if $\pi\alpha > 1/c_p$, then $v_b = c_p - 1/(\pi\alpha)$ and $v_p = c_p$.

Region II: If $\pi\alpha < c_p$, or both $\pi\alpha \ge c_p$ and $p \ge \bar p$, then $0 < p < v_b < v_p = 1$.

As can be seen from Lemma 1, in equilibrium, the population is segmented into three groups, namely non-buyers, buyers who do not patch in case of a vulnerability, and buyers who do patch in case of a vulnerability. This separation occurs due to the monotonicity of the relative losses that arise from non-patching behavior in equilibrium: Given the risk that arises from the collective behavior of the population, if a consumer purchases the product, any consumer with higher valuation will prefer to purchase the product. Furthermore, if a consumer patches the product, any consumer with a higher valuation, who is facing a higher security risk, will also find it preferable to patch the product. This three-tier structure is consistent with observations that indicate higher valuation users (such as larger corporations and institutions) are more likely to be patchers, while the lower valuation users (such as small companies and home users) are less likely to patch and thus contribute to the faster spread of malicious code such as worms (Moore et al. 2002). A patching population will exist only if the effective security risk is sufficiently high and the price is sufficiently low. If the price is sufficiently high, the patching population will be small, and no user will patch (i.e., $v_p = 1$).

[1] Note that a single decision maker can own multiple hosts (e.g., servers) on which she makes purchasing and patching decisions. Technically, the analysis will not be affected as long as each decision maker owns at most countably many hosts.
[2] Note that this loss structure is robust to the exact information that the users have about the realizations of their losses, i.e., whether the users know exactly what their losses will be if they are hit by an attack or only have an ex-ante probability distribution on those losses. In the latter case, the losses integrate out of the expected payoff to the users into an expected loss $\alpha v$, and the rest of the analysis is unaffected.
[3] The notation $\triangleq$ has the meaning of a definition throughout the paper.
[4] Uniqueness is naturally up to positive measure.
This remains true even as $\pi\alpha$ goes to infinity: The size of the patching population will shrink until it reaches a level where the equilibrium risk is finite and some users find it worthwhile to purchase the software and bear the risk (i.e., as $\pi\alpha \to \infty$, the purchasing population shrinks in the order of $1/(\pi\alpha)$). The case when $p = 0$ is noteworthy. As can be seen from Lemma 1, when the effective security risk is low compared to the patching cost (i.e., when the market is in Region II), all consumers buy the product and no consumer patches. When expected security losses are moderate (i.e., when $c_p \le \pi\alpha \le 1/c_p$), all users still choose to employ the product, but in this case, since potential losses are high, some of them find it worthwhile to patch. When the effective security risk is high,
however (i.e., when $\pi\alpha > 1/c_p$), some consumers do not employ the software even though it is available for free. Since $v_b < p + c_p$ in Region I, by Lemma 1, there is always a group of consumers who do not patch. Thus, the software always comes with a certain amount of risk unless the user patches it. Therefore, as can also be seen from the lemma (unless $p = 0$ and $\pi\alpha < 1/c_p$), the condition $v_b > p$ always holds, and hence there is a population of users whose valuations are higher than the price but who end up not purchasing the product, resulting in inefficiencies in product usage. Thus far, we have focused our attention on self patching, where consumers decide whether or not to patch in their self-interest. Henceforth, we will denote this policy with the subscript $s$ to separate it from the other policies we will be examining later in the paper. Further, we will utilize superscripts $i$ and $ii$ to indicate whether the measure of interest has an equilibrium outcome in Region I or Region II as described in Lemma 1, respectively.

4 Proprietary Software

Suppose that the software is offered by a profit maximizing vendor who sets the price. Without loss of generality, we assume that the marginal cost of production for each copy of the software is zero. Under self patching, given the effective patching cost ($c_p$), the effective security risk ($\pi\alpha$), and the consumer market equilibrium outcome of Lemma 1, the vendor faces the following optimization problem

$$\max_{p} \ \Pi_s(p) \triangleq p\,(1 - v_b) \quad \text{s.t.} \quad 0 \le p \le 1, \qquad (3)$$

where $v_b$ is as described in Lemma 1. This problem has a well defined solution, and depending on the parameters, under optimal vendor pricing, the consumer market equilibrium may or may not yield a patching population. Specifically, when the effective security risk is high, the vendor must price the software low to increase the purchasing population, and as a result, higher valuation customers will elect to patch, moving the equilibrium to Region I as specified in Lemma 1.
On the other hand, when the security risk is low relative to the patching cost, the vendor can optimally price the product high without reducing the buyer population, even driving the equilibrium to Region II of Lemma 1, where no consumer patches (see Lemma A.2 in the appendix for details on the vendor's optimal pricing behavior). In this section, we investigate the effects of security policies on social welfare; before proceeding, we therefore define our measure of social welfare. Adding the expected surpluses of the consumers and the vendor, we obtain the expected social welfare

$$W(p) \equiv \int_{\{v \in V:\ v > v_b\}} \bigl(v - C(v,\sigma)\bigr)\,dv. \qquad (4)$$
Notice that, in effect, W(p) measures the expected social welfare generated by the policy under consideration by subtracting the security costs it induces from the value it generates.

4.1 Mandatory Patching

Under network effects, when consumers make their own patching decisions, the population of consumers who purchase but choose not to patch can decrease the value of the product and consequently reduce vendor profits and social welfare. One might therefore suggest that mandating patching would help by eliminating the unpatched population and hence reducing the security losses associated with the product, as some experts and government authorities have argued (e.g., Middleton 2001, Geer 2004 and Bragg 2004). In the context of computer networks, monitoring and enforcing the patching of software is technically straightforward. Software that detects the installation of updates for various applications (e.g., spyware protection definition files, or even plain updates to Internet software such as media players), and practices such as disabling certain functionalities of machines that fail to demonstrate such installations (sometimes called "blackholing"), are in broad use today. Further, because patch status is fully observable, mandatory patching is contractible, and such a condition can easily be made part of a licensing agreement. The questions then are: Can the vendor increase his profit by contractually mandating patching to the buyers? Can mandating patching increase social welfare? To answer these questions, we next consider a mandatory patching policy offered by the vendor to the consumers. That is, the purchase of the software involves a binding commitment to patch the software if a security vulnerability emerges. We use the subscript m to denote the mandatory patching policy.
Unlike with self patching, when patching is mandated all consumers decide whether to buy the software knowing that they must patch it, at an effective cost of c_p, whenever a security vulnerability arises. Consumers who purchase will patch per the purchase agreement with the vendor, and since there is then no security risk, v_b = v_p = p + c_p: a consumer buys the software only if her valuation exceeds the price plus the effective patching cost. Thus the equilibrium is characterized by a single threshold valuation v_m ≡ p + c_p, and consumers with valuations v ≥ v_m purchase and patch the software. Consequently, the vendor's profit function is Π_m(p) ≡ p(1 − v_m) = p(1 − p − c_p), which is maximized at p_m^* = (1 − c_p)/2, with optimal profit Π_m(p_m^*) = (1 − c_p)²/4. By Lemma 1, the purchasing threshold under self patching satisfies v_b < v_m for any p, and in particular at p_m^*. Thus,

$$\Pi_s(p_s^*) \ \ge\ \Pi_s(p_m^*) = p_m^*\bigl(1 - v_b(p_m^*)\bigr) \ >\ \Pi_m(p_m^*). \qquad (5)$$

Intuitively, the vendor is better off employing a self patching policy and charging the optimal price he charges under mandatory patching. Under such an action, all users who employed the product under mandatory patching would still be users. If the user with valuation p_m^* + c_p patches under self patching, then the marginal consumer at this valuation level will purchase the product, since her valuation is higher than p_m^* and she faces no security risk. If the user with valuation p_m^* + c_p does not patch, the patching cost must exceed the risk that this marginal user faces, and she will again find the product attractive without patching should a security vulnerability arise. In both cases the user population increases, i.e., the vendor can improve his profits by allowing users to make their own patching decisions and charging the same price as under a mandatory patching policy. From the vendor's standpoint, consumers assuming risk in an incentive compatible way, by resolving their own trade-off between the risk of not patching and the cost of patching, is profitable. As a result, self patching yields higher profit for the vendor, i.e., mandatory patching strictly decreases vendor profits. As mentioned above, this result is consistent with what is seen in the software industry: although it is technologically feasible, vendors typically do not require purchasing consumers to patch their systems when vulnerabilities arise. While contributing to increased vendor profits, consumers assuming security risks instead of bearing patching costs may increase total risk for the population through network effects and ultimately reduce social welfare. Therefore, one might argue that mandating patching can increase social welfare, and this possibility needs to be explored. The following proposition examines the effect of mandatory patching on expected social welfare and shows that mandatory patching may in fact be undesirable.
Proposition 1. If (i) πα < c_p, or (ii) πα ≥ c_p and there is a population of users who patch the software under the vendor's optimal pricing decision, then mandating patching decreases social welfare.

When the effective security risk is low compared to the patching cost (i.e., when πα < c_p), mandating consumers to patch not only reduces the number of buyers but also forces some buying consumers into socially inefficient decisions, namely bearing high patching costs when it is unnecessary. Consequently, expected social welfare decreases with mandatory patching in such cases, as stated in part (i) of Proposition 1 and illustrated in panel (a) of Figure 2. When the security risk is high and there is a patching population under the vendor's optimal pricing (i.e., the market is in equilibrium Region I of Lemma 1), the existence of a patching population makes the software safer and increases its value. As a result, we again see that mandating patching decreases social welfare, as indicated in part (ii) of Proposition 1 and illustrated in panel (b) of Figure 2. When πα ≥ c_p and no consumer patches in equilibrium, mandating patching can either decrease or increase social welfare. If the patching cost and the security risk are both moderate, mandating patching can reduce expected social welfare by reducing the consumer base, as shown in panel (c) of Figure 2. However, when both the patching cost and the effective security risk are high, the vendor might find it optimal to price the product so that the buying population is small and no consumer finds it optimal to patch if a security vulnerability emerges. In such a case, mandating patching can increase the number of buyers, since it forces the vendor to reduce prices significantly, which makes the software attractive to a larger number of consumers even though those consumers are forced to bear patching costs. As a consequence, mandating patching can increase social welfare. Such a case is illustrated in panel (d) of Figure 2.[5]

[5] This also demonstrates the difference in the effect of negative network externalities between vendor intermediated software security and disease control. For instance, Brito et al. (1991) show that in the case of disease spread, where there is no intermediating vendor, mandating vaccination always decreases social welfare. In our case, however, mandating patching can make the vendor radically decrease the price of the software and cause an increase in usage, which in turn increases social welfare.

Figure 2: Expected social welfare and vendor profit as a function of price p; the curves are Π_s^i, Π_s^ii, W_s and W_m. Parameters are c_p = 0.60, π = 0.50 and α = 1 for panel (a); c_p = 0.60, π = 0.50 and α = 7 for panel (b); c_p = 0.60, π = 0.50 and α = 5 for panel (c); and c_p = 0.88, π = 0.50 and α = 100 for panel (d).

4.2 Patching Rebates

We have seen in Section 4.1 that contractually mandating consumers to patch does not improve vendor profit and is usually not helpful in increasing social welfare. The primary reason for the ineffectiveness of mandatory patching is that consumers are forced to bear the potential patching costs when they purchase the product, which negatively influences their purchasing behavior. This observation suggests that leaving the patching decision to the consumers is preferable, and that other ways to improve users' patching behavior should be investigated. One way of doing so is to give users increased incentives to patch by offering rebates to patching customers. Such a mechanism can improve vendor profit by increasing the patching consumer population, thereby lowering the security risk of the software and allowing the vendor to charge a higher price to the remaining consumers. Based on this intuition, we next consider an incentive scheme in which the vendor offers compensation to consumers contingent upon their patching of the software product when a security vulnerability arises. Specifically, each consumer who patches when a security vulnerability arises receives, in expectation, an effective rebate 0 ≤ r ≤ c_p. We consider two cases: (i) the vendor determines the rebate to give to the patching customers by jointly optimizing the rebate amount and the price; and (ii) a social planner determines the rebate amount, and taking that rebate as given, the vendor determines the price of the software. We use a subscript v to denote that the rebate is determined by the vendor and a subscript g (for government) to denote that the rebate is determined by a social planner.

4.2.1 Vendor Determined Rebate

We first examine the incentives for a vendor to offer patching rebates. The expected profit for the vendor with an effective rebate r can be written as Π_v(p, r) ≡ p(1 − v_b) − r(1 − v_p), and the vendor needs to optimize with respect to both the price and the rebate amount, i.e., he solves

$$\max_{p,\,r}\ \Pi_v(p, r)\quad \text{s.t.}\quad 0 \le r \le c_p,\ \ 0 \le p \le 1, \qquad (6)$$

where v_b and v_p satisfy the conditions of Lemma 1 with parameters πα, c_p − r and p. Here the vendor faces a trade-off: the higher the rebate paid to consumers, the larger the population of consumers who patch. A larger patching population effectively increases the security of the software, allowing the vendor to raise his optimal price and thereby his expected profit. On the downside, if a security vulnerability arises, the vendor must assume a larger share of the consumers' patching costs. Whether offering such a rebate can ever strictly increase the vendor's profit is not obvious a priori. The following proposition demonstrates that it can. Further, the proposition establishes the parameter ranges in which offering such a rebate is and is not desirable for the vendor, and provides comparative statics for the optimal rebate and price.

Proposition 2. Consider a patching rebate offered by a software vendor.
(i) There exists a threshold ω > 0 such that if πα ≥ ω,
 (a) a rebate policy can strictly increase the vendor's expected profit if and only if c_p > 1/3;
 (b) the optimal rebate r_v^* and the optimal price p_v^* are decreasing in πα;
 (c) as πα becomes large, r_v^* → (3c_p − 1)/4 and p_v^* → (1 + c_p)/4.
(ii) If πα < c_p²/(1 + c_p), then there does not exist a patching rebate r > 0 that increases the vendor's expected profit, i.e., the self patching policy is optimal for the vendor.

When both the patching cost and the effective security risk are high, the vendor must price low to induce purchases, and the consumer population consists of high valuation consumers who are sensitive to the security of the software. In such a case, by offering a rebate he can induce a larger patching population and increase the security of the product.
As a result, and because of the sensitivity of his users to the security of the software, he can then increase his price and consequently his profits. However, when patching costs are sufficiently low, the vendor can price relatively high. Further, in that case a larger patching population already exists, and rebates may not enlarge it much further while making the vendor unnecessarily subsidize users who would patch even without rebates. Consequently, offering rebates can backfire and reduce the vendor's profits, as stated in part (i) of Proposition 2. When the expected security risk is sufficiently large, the optimal rebate amount and the optimal price decrease with increased security risk. In this region a further increase in risk significantly reduces the purchasing population, and by reducing prices (which come with reduced rebates) the vendor can increase his sales. An increase in patching costs, however, reduces incentives to patch, and profit maximization calls for additional incentives to be provided to the consumers. When the expected security risk is low compared to the patching costs, it becomes relatively expensive for the vendor to induce consumers to patch, and rebates can result in losses for the vendor, as implied by part (ii) of Proposition 2. Importantly, Proposition 2 is not about the weak increase in profits that comes with the extra degree of freedom a rebate offer gives the vendor. The proposition verifies that a rebate policy can indeed be effective under certain conditions because of network effects, and characterizes those conditions. Further, it characterizes the effect of the problem parameters on the optimal rebate and price when a rebate is effective, and hence gives insight into the optimal sharing of network security risk with the consumers from the vendor's point of view.

4.2.2 Social Planner Determined Rebate

We next examine the case where a social planner chooses the amount of the patching rebate to maximize social welfare; that is, the planner decides the socially optimal amount of risk and responsibility that the vendor should assume for his product's security. The social planner's optimization problem can be written as

$$\max_{r}\ W_g(p(r), r)\quad \text{s.t.}\quad 0 \le r \le c_p,\quad p(r) = \arg\max_{0 \le p \le 1} \Pi_g(p, r), \qquad (7)$$

where

$$W_g(p(r), r) = \int_{v_b}^{v_p} v\bigl(1 - \pi\alpha\,(v_p - v_b)\bigr)\,dv + \int_{v_p}^{1} (v - c_p)\,dv, \qquad \Pi_g(p, r) = p(1 - v_b) - r(1 - v_p),$$

with r chosen by the social planner rather than the vendor, and v_b and v_p as given in Lemma 1 for parameters πα, c_p − r and p(r). The following proposition characterizes the optimal rebate and price under this structure.

Proposition 3. Consider the social planner's problem given above.
(i) There exists a threshold ω > 0 such that if πα ≥ ω,
 (a) a patching rebate policy strictly increases social welfare if and only if c_p > 6 − √33;
 (b) there exist threshold values θ and θ̄ with 6 − √33 < θ < θ̄ < 1 such that the optimal rebate r_g^* and the vendor's optimal price p_g^* are strictly increasing in πα if and only if c_p > θ and c_p > θ̄, respectively;[6]
 (c) as πα becomes large, r_g^* → (c_p(12 − c_p) − 3)/16 and p_g^* → (5 − c_p)(1 + c_p)/16.
(ii) There exists a threshold ω > 0 such that if πα < ω, then there does not exist a patching rebate r > 0 that increases social welfare, i.e., patching rebates are ineffective.

[6] 6 − √33 = 0.2554, θ = 0.3692 and θ̄ = 0.4347 to four significant digits. Details of the derivations are given in the proof of the proposition in the appendix.

When the software security risk is high and patching costs are high, the patching population under the vendor's optimal pricing is small. Therefore, forcing the vendor to assume part of the risk by paying a rebate to patching consumers may increase social welfare. Further, Proposition 3 indicates that when the cost of patching is low, forcing the vendor to offer a rebate can decrease social welfare by inducing inefficient patching behavior. When the patching cost is high enough to make rebates desirable but still below the thresholds of part (i)(b), the optimal rebate and the corresponding vendor price decrease with increased security risk. When the patching cost is higher still, the patching population shrinks, and as the security risk increases, welfare maximization requires increased rebates and consequently an increased software price. Further, both the optimal rebate and the induced vendor price are increasing in patching costs. Notice, however, that the optimal price can be increasing while the optimal rebate is decreasing in the security risk. Finally, when the security risk is too low compared to the patching costs, it is socially inefficient to induce a patching population through rebates. In addition, when r = c_p, i.e., when the social planner requires the vendor to cover all patching costs, it is easy to see that W_g = W_m = 3(1 − c_p)²/8. Moreover, evaluating the first derivative of W_g(p(r), r) in (7) at r = c_p gives

$$\left.\frac{dW_g(p(r), r)}{dr}\right|_{r = c_p} = -\frac{c_p(1 + 3c_p)}{4\pi\alpha\, v_b^2} < 0,$$

so that W_g^* > W_m. Panels (a) and (b) of Figure 3 illustrate the two possibilities for the vendor determined rebate. Panel (a) presents a scenario with low security risk; as the figure shows and Proposition 2 indicates, offering a rebate reduces the vendor's profits in such a case.
On the other hand, when the patching costs and the security risk are both high, the vendor can increase his expected profit by offering a rebate of r^* = 0.282 off the patching cost, as illustrated in panel (b). Panels (c) and (d) of the figure show the two possibilities for the social planner determined rebate. When the security risk is low, requiring the vendor to assume part of the responsibility through patching rebates is not helpful, as panel (c) demonstrates, since the increased network security induced by the rebates cannot compensate for the reduced usage caused by the vendor's increased prices. The same conclusion holds when the security risk is high but the patching cost is sufficiently low, as the welfare curve for c_p = 0.21 in panel (d) shows. However, when both patching costs and the security risk are sufficiently high, rebates can increase social welfare substantially, as the curve for c_p = 0.70 in panel (d) shows.
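The comparisons of Sections 4.1 and 4.2 (inequality (5), the vendor's rebate problem (6) and the planner's problem (7)) can be reproduced numerically. The following script is an added example and is not code from the paper. Its consumer model is our reconstruction from the welfare integrand in (7): valuations are uniform on [0, 1], a non-patching buyer of type v expects to lose πα·v·(v_p − v_b), and a patching buyer pays the effective patching cost, so a consumer buys iff v − p − min(c_p, πα·v·(v_p − v_b)) ≥ 0 and patches iff her patching cost is below her expected loss. Where Lemma A.2 gives the vendor's price in closed form, the script uses a grid search, and every function name in it is our own. It checks inequality (5) at the Figure 2 parameters, the vendor rebate at the Figure 3(a) and 3(b) parameters, the identity W_g = W_m = 3(1 − c_p)²/8 at r = c_p, and the planner's rebate at the Figure 3(d) parameters.

```python
"""Sections 4.1 and 4.2 numerically (added example, not code from the paper).  Model,
an assumption reconstructed from the welfare integrand in (7): v ~ U[0, 1]; a buyer who
does not patch expects to lose pa*v*sigma, pa = pi*alpha, sigma = v_p - v_b the unpatched
mass; a patching buyer pays the effective cost c.  Buy iff v - p - min(c, pa*v*sigma) >= 0,
patch iff c < pa*v*sigma.  Grid searches replace Lemma A.2's closed forms; names are ours."""
import math

def _bisect(f, lo, hi, iters=60):
    """Root of a strictly decreasing f on (lo, hi) with f(lo) > 0 > f(hi)."""
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if f(mid) > 0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

def equilibrium(p, pa, c):
    """Lemma 1 thresholds (v_b, v_p) for price p, risk pa and effective patching cost c
    (c_p, or c_p - r under a rebate): v >= v_b buy, v >= v_p patch; v_p == 1.0: nobody patches."""
    if c <= 0.0:                              # patching is free: every buyer patches
        return min(p, 1.0), min(p, 1.0)
    if p == 0.0:                              # freeware corner cases
        if pa <= c:
            return 0.0, 1.0                   # Region II: all use, none patch
        if pa * c < 1.0:
            return 0.0, math.sqrt(c / pa)     # all use, high types patch
        return c - 1.0 / pa, c                # risk saturates at 1: low types stay out
    # Region II candidate (v_p = 1): the marginal buyer solves v(1 - pa(1 - v)) = p.
    vb = p if pa == 0.0 else (-(1 - pa) + math.sqrt((1 - pa) ** 2 + 4 * pa * p)) / (2 * pa)
    if vb >= 1.0:
        return 1.0, 1.0                       # nobody buys
    if c >= pa * (1.0 - vb):                  # even type v = 1 prefers the risk to patching
        return vb, 1.0
    # Region I: with x = pa*sigma, v_p = c/x and v_b = p/(1 - x), so x solves
    # c/x - p/(1 - x) - x/pa = 0, strictly decreasing on (0, 1): a unique root.
    x = _bisect(lambda x: c / x - p / (1 - x) - x / pa, 1e-12, 1 - 1e-12)
    return p / (1 - x), c / x

def profit(p, pa, cp, r=0.0):
    """Vendor profit p(1 - v_b) - r(1 - v_p): problem (3) for r = 0, problem (6) with a rebate."""
    vb, vp = equilibrium(p, pa, cp - r)
    return p * (1 - vb) - r * (1 - vp)

def welfare(p, pa, cp, r=0.0):
    """Expected social welfare as in (4)/(7): unpatched users keep v(1 - pa*sigma),
    patching users keep v - c_p (the rebate is a pure transfer), non-users get 0."""
    vb, vp = equilibrium(p, pa, cp - r)
    sigma = vp - vb
    return (1 - pa * sigma) * (vp ** 2 - vb ** 2) / 2 + (1 - vp ** 2) / 2 - cp * (1 - vp)

def price_mandatory(cp):
    """p_m* = (1 - c_p)/2, the maximiser of Pi_m(p) = p(1 - p - c_p)."""
    return (1 - cp) / 2

def profit_mandatory(p, cp):
    return p * max(0.0, 1 - p - cp)

def welfare_mandatory(p, cp):
    """Everyone with v >= p + c_p buys and patches: integral of (v - c_p) over [p + c_p, 1]."""
    a = min(1.0, p + cp)
    return (1 - a ** 2) / 2 - cp * (1 - a)

def best_price(pa, cp, r=0.0, n=400):
    """Vendor's optimal price for a given rebate r (r = 0 is self patching) by grid search."""
    best_p, best_pi = 0.0, 0.0
    for k in range(1, n):
        pi = profit(k / n, pa, cp, r)
        if pi > best_pi:
            best_p, best_pi = k / n, pi
    return best_p, best_pi

def best_rebate(pa, cp, n=50):
    """Vendor-determined rebate, problem (6): joint grid search over (r, p) -> (r, p, profit)."""
    best = (0.0,) + best_price(pa, cp)
    for k in range(1, n + 1):
        p, pi = best_price(pa, cp, k * cp / n)
        if pi > best[2]:
            best = (k * cp / n, p, pi)
    return best

def best_planner_rebate(pa, cp, n=50):
    """Planner rebate, problem (7): planner fixes r, vendor answers p(r) -> (r, p(r), welfare)."""
    p0 = best_price(pa, cp)[0]
    best = (0.0, p0, welfare(p0, pa, cp))
    for k in range(1, n + 1):
        r = k * cp / n
        p = best_price(pa, cp, r)[0]
        w = welfare(p, pa, cp, r)
        if w > best[2]:
            best = (r, p, w)
    return best

if __name__ == "__main__":
    pm = price_mandatory(0.6)
    for pa in (0.5, 3.5):                     # Figure 2, panels (a) and (b)
        print(f"pi*alpha={pa}: Pi_s(p_m*)={profit(pm, pa, 0.6):.4f}  Pi_m(p_m*)={profit_mandatory(pm, 0.6):.4f}")
    print("vendor rebate, c_p=0.7, pi*alpha=5 (Fig. 3b):", best_rebate(5.0, 0.7))
    print("planner rebate, c_p=0.7, pi*alpha=10 (Fig. 3d):", best_planner_rebate(10.0, 0.7))
```

Run it directly to print the Figure 2 and Figure 3 checks. `equilibrium` is the only function that depends on the consumer model, so a different loss function can be substituted there without touching the policy comparisons.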
Figure 3: The effect of patching rebates on vendor profits and social welfare. Panels (a) and (b) show expected vendor profit as a function of price for the vendor determined rebate (panel (a), low πα, with r = 0, 0.60 and 0.75; panel (b), high πα, with r = 0, r^* = 0.282 and 0.65); panels (c) and (d) show expected social welfare as a function of the rebate r for the planner determined rebate (panel (c), low πα, with πα = 0.3 and 1.2; panel (d), high πα, with c_p = 0.21 and 0.70). For panel (a), c_p = 0.80, π = 0.30 and α = 1; for panel (b), c_p = 0.70, π = 0.50 and α = 10; for panel (c), c_p = 0.80; and for panel (d), π = 0.50 and α = 20, with the left y-axis scaled for the c_p = 0.21 case and the right y-axis for the c_p = 0.70 case.

4.3 Usage Tax

As we have seen in the previous sections, poor patching behavior by users imposes security risk on the entire user population. Further, this negative externality runs from lower value consumers to higher value consumers, since lower value consumers are less likely to patch, which shows up as increased effective losses for higher value consumers. Therefore, one might argue that imposing a tax can improve the security of the network, vendor profits, or social welfare by eliminating a segment of lower value consumers from the user pool. In this section, we analyze this issue. Suppose that each consumer is charged a tax τ > 0 for a copy of the software. Taking this tax as given, the vendor optimizes the price he charges for the product. We use a subscript t to denote this tax policy. The purchasing threshold v_b is now a function of the aggregate price, p + τ, faced by the consumer. The vendor's profit is then Π_t(p, τ) ≡ p(1 − v_b(p + τ)).
Additionally, for a given τ, we denote by p_s^* and p_t^* the maximizers of Π_s and Π_t, respectively. Figure 4 shows the effects of a tax policy. As can be seen from the figure, imposing a tax decreases the vendor's optimal price p_t^*, but the price plus the tax, p_t^* + τ, i.e. the effective amount that consumers have to pay to use the software, is larger than the optimal vendor price with no tax. This is because the vendor's profit under a given tax τ > 0 can be written as

$$\Pi_t(p, \tau) = \Pi_s(p + \tau) - \tau\bigl(1 - v_b(p + \tau)\bigr).$$

The first order condition is then

$$\frac{\partial \Pi_t}{\partial p}(p_t^*, \tau) = \Pi_s'(p_t^* + \tau) + \tau\, v_b'(p_t^* + \tau) = 0.$$

Since v_b is increasing in p, we have Π_s'(p_t^* + τ) < 0 = Π_s'(p_s^*), and since the vendor's profit function is concave, it follows that p_t^* + τ > p_s^*. As a result, the vendor's profit declines, as the figure shows. Further, a positive tax also decreases social welfare, since welfare is decreasing in the effective consumer price in this region as well. In summary, taxes do not increase vendor profits, and because the vendor endogenously sets the price at a level where shrinking the user population decreases welfare, taxes do not increase social welfare for proprietary software either. However, with freeware, taxes can be a powerful tool for improving social welfare, as we discuss in Section 5.3.

Figure 4: The effect of a tax on proprietary software. The left y-axis shows the optimal price and tax (p_t^* + τ, p_t^* and τ) and the right y-axis the optimal expected profit Π_t(p_t^*, τ) and social welfare W_t(p_t^*, τ), each as a function of the tax τ. Parameters are c_p = 0.70 and πα = 0.30.

4.4 Policy Comparison Summary for Proprietary Software

In this section, we summarize how the different policies considered thus far perform relative to one another, highlighting the results, the comparisons, and the recommendations that emerge from them. When the expected security risk and the patching costs are high, a social welfare maximizing planner should employ patching rebates. Specifically, for such cases we have found that W_g > W_s > W_m, W_t. Under high security risk, a planner may choose to force the software vendor to assume part of the users' patching costs via rebates.
In response, the vendor will increase the price of the software, which decreases usage and hurts welfare. However, the net effect is a strict increase in welfare if patching is costly beyond a threshold. Further, under self patching the vendor prices the software so that a patching population exists, which ensures higher welfare than under mandatory patching. Additionally, under high security risk, taxes are ineffective. On the other hand, for low patching cost and regardless of the security risk, patching rebates hurt social welfare. We find that W_s > W_g, W_m, W_t and conclude that it is advisable to keep the status quo, i.e., self patching. For low effective security risk, an imposed rebate results in socially inefficient patching decisions. Further, mandatory patching, though it increases the security of the product, inefficiently reduces the user population and yields a decrease in expected social welfare. From the vendor's point of view, mandating patching, although it increases software security, decreases profits. For high security risk, the value of the product to consumers is low. Therefore, it may be desirable for the vendor to offer patching rebates to increase usage. However, paying patching rebates also decreases vendor profits, and the net effect can be negative. We show that, under high security risk, rebates increase profits if and only if the patching costs are higher than a threshold level. That is, under high security risk and high patching costs, Π_v > Π_s > Π_m, and hence a rebate policy is preferable. When the security risk is low, on the other hand, offering a rebate becomes too costly. Under such conditions Π_s > Π_v, Π_m, and a self patching policy is more profitable (note also that a planner imposed usage tax always decreases vendor profits).

5 Freeware

We next turn our attention to a software product offered to consumers as freeware. Freeware is often open source software, typically developed and maintained by a group of software enthusiasts. These developers share the product with the public for free and hope to make it increasingly feature rich and more secure with broader public participation. Freeware products often have governing bodies that promote development and distribution as well as providing organizational, legal, and financial support.
For instance, the Free Software Foundation (FSF), founded in 1985, promotes the development and use of free software and documentation. The FSF is closely tied to the GNU Project and the GNU General Public License (GNU GPL). In essence, the GNU GPL keeps all software released by the FSF and the GNU Project free for the public to use, study, modify and redistribute, and requires that distributed modifications of that software remain free under the same terms (the software stays copyrighted and licensed rather than being placed in the public domain). When a security vulnerability arises in an open source software product, patches are typically made available promptly by the developers of the software, or possibly even by third party support companies, since open source software is transparent (Maguire 2004). Another example of such a governing body is the Apache Software Foundation (ASF), which oversees the Apache projects. Freeware is also vulnerable to security attacks, and such attacks can be as damaging and costly as they are for proprietary software (US-CERT 2004). The security of freeware as perceived by potential users naturally affects usage and consequently the value derived from the software by the user community. In this section, we compare policies that can be implemented by a social planner or the governing body of a freeware product to improve social welfare.
5.1 Mandatory Patching

Since freeware is available to consumers at zero price, a large population of users may develop. This increase in the number of users leads to a larger population of non-patching users, which in turn increases the negative network security externalities and consequently hurts social welfare. The governing body of a freeware product (such as the ASF for the Apache projects) has authority over the licenses of the software supported by its projects. Therefore, the technical mechanisms that enable the implementation of mandatory patching for proprietary software, described in Section 4.1, can also be used for freeware, and such policies can be included in the license agreement if the governing body or a social planner sees fit. However, there is a critical trade-off here: if patching is mandated, only the consumers whose valuations justify the cost of patching would employ the product. As a result, some of the current population of consumers would be lost, while the remaining population would enjoy a secure product. Thus, surplus generation from usage would decrease along with the expected security losses, and the net effect on social welfare needs to be determined. By (1), C(v, σ) ≤ c_p holds, and hence (v − C(v, σ))⁺ ≥ (v − c_p)⁺ for all v ∈ V. Noting that p = 0, it then follows that

$$W_s(0) = \int_V \bigl(v - C(v, \sigma)\bigr)^+\,dv \ \ge\ \int_V (v - c_p)^+\,dv = W_m(0), \qquad (8)$$

that is, mandating patching for freeware reduces social welfare.[7] In short, mandating patching induces users to take actions that are welfare-inferior to their self patching decisions, and therefore cannot be helpful. Intuitively, and as in the case of proprietary software, all consumers who use the product under the mandatory patching policy would still be users under the self patching policy, since their expected security losses are bounded by c_p.
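Inequality (8), and the freeware rebate policy of Section 5.2 (Proposition 4), can be checked numerically because at p = 0 the equilibrium of Lemma 1 has closed forms. The script below is an added example, not code from the paper. Its consumer model is our reconstruction from the welfare integrand in (7): valuations are uniform on [0, 1], a non-patching user of type v expects to lose πα·v·σ with σ the mass of unpatched users, a patching user pays c_p, and a planner rebate r lowers that user's own cost to c_p − r while the rebate itself is a transfer that nets out of welfare. That reconstruction, the grid search over r in place of the paper's analytic optimization, and all function names are this example's assumptions.

```python
"""Freeware (p = 0): welfare under self patching, mandatory patching and a planner
rebate.  Added example, not code from the paper; the consumer model is an assumption
reconstructed from the welfare integrand in (7)."""
import math

def freeware_thresholds(pa, cp, r=0.0):
    """(v_b, v_p) at zero price: users with v >= v_b use the software, users with
    v >= v_p patch.  pa = pi*alpha; the user's own patching cost is c = c_p - r."""
    c = cp - r
    if c <= 0.0:
        return 0.0, 0.0                  # patching is free: every user patches
    if pa <= c:
        return 0.0, 1.0                  # Region II: everyone uses, nobody patches
    if pa * c < 1.0:
        return 0.0, math.sqrt(c / pa)    # everyone uses, types above v_p patch
    return c - 1.0 / pa, c               # risk saturates at 1: low types stay out

def freeware_welfare(pa, cp, r=0.0):
    """W_s(0) with rebate r: non-patching users keep v(1 - pa*sigma), patching users
    keep v - c_p (the rebate is a transfer), non-users get 0."""
    vb, vp = freeware_thresholds(pa, cp, r)
    sigma = vp - vb
    return (1 - pa * sigma) * (vp ** 2 - vb ** 2) / 2 + (1 - vp ** 2) / 2 - cp * (1 - vp)

def freeware_welfare_mandatory(cp):
    """W_m(0): only users with v >= c_p adopt, and all of them patch."""
    return (1 - cp) ** 2 / 2

def rebate_window(cp):
    """Proposition 4's interval of effective risk, (2c_p/3, 32/(27c_p)), in which a
    rebate can raise welfare.  Inside it the optimum is r = c_p/3: in the regime where
    everyone uses the software, W = 1/2 - c_p - pa*v_p**3/2 + c_p*v_p with
    v_p = sqrt((c_p - r)/pa), which is maximised at v_p**2 = 2c_p/(3pa)."""
    return 2 * cp / 3, 32 / (27 * cp)

def best_freeware_rebate(pa, cp, n=300):
    """Grid search for the welfare-maximising rebate in [0, c_p] -> (r, welfare)."""
    best_r, best_w = 0.0, freeware_welfare(pa, cp)
    for k in range(1, n + 1):
        r = k * cp / n
        w = freeware_welfare(pa, cp, r)
        if w > best_w:
            best_r, best_w = r, w
    return best_r, best_w

if __name__ == "__main__":
    cp = 0.6
    lo, hi = rebate_window(cp)
    for pa in (0.3, 1.0, 2.5):           # below, inside and above the window
        r, w = best_freeware_rebate(pa, cp)
        print(f"pi*alpha={pa:.1f} (window {lo:.3f}..{hi:.3f}): best rebate {r:.3f}, "
              f"W={w:.4f}, W_s(0)={freeware_welfare(pa, cp):.4f}, "
              f"W_m(0)={freeware_welfare_mandatory(cp):.4f}")
```

With c_p = 0.6 the window is (0.4, 1.975): at πα = 1.0 the grid search returns r = 0.2 = c_p/3, while at πα = 0.3 and πα = 2.5 no positive rebate beats r = 0, and W_s(0) ≥ W_m(0) holds in every case.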
If the user with valuation c_p patches under self patching (assuming the user population stays the same), the product will be attractive to the marginal non-user under mandatory patching, since there will be no risk associated with the product. If the user with valuation c_p does not patch under the self patching policy, then the risk associated with the product must be lower than c_p, and hence the product will again be attractive to the marginal non-user. In both cases, welfare will (at least weakly) increase, since a larger population of users, including those with valuations below the threshold under mandatory patching, contributes non-negatively to welfare.[8]

[7] Notice that each user has two separate effects on social welfare. First, she contributes her own surplus, (v − C(v, σ))⁺. Second, because of negative network externalities, her decision also affects other users' surpluses through the term C(v, σ) in the corresponding expressions. When calculating welfare, the latter effect appears in the other users' surpluses and hence is also included in the calculation of the surplus in (8).

[8] This result parallels the result in Brito et al. (1991), which states that for an infectious disease, mandating vaccination cannot increase social welfare. Specifically, both results state that with negative network externalities, self-protection decisions are socially more efficient than forced protection. However, the two results differ. In our case, each consumer makes a usage decision by comparing the type dependent losses from being infected by a worm (which increase with the size of the unpatched population) to the constant patching cost, and subsequently comparing the minimum of these two quantities to the type dependent benefit of using the software. This usage decision by the consumers plays a particularly key role for the other policies we consider (Sections 5.2 and 5.3) and for proprietary software (Section 4).

5.2 Patching Rebates

As we have seen in Section 5.1, mandatory patching is ineffective at increasing the social welfare associated with freeware, since such a policy improves the security of the product but results in consumers making socially inefficient decisions. Therefore, policies that can improve network security while leaving the patching decisions to consumers should be investigated. Hence, we next consider a policy in which a patching rebate is offered by a social planner to the consumers of the freeware. That is, similar to the rebate policy discussed in Section 4.2, when a security vulnerability arises and a patch is made available by the freeware developers, consumers who patch receive an effective rebate r > 0 as an incentive. In this case, the rebate is paid by a social planner. There is a growing call for and discussion of government intervention in software security. The recommendations invite the government to play a more active role in improving software security through a mix of market and regulatory efforts, aimed at inducing vendors to write more secure software as well as inducing computer users and network operators to better maintain the security of their own systems (see, e.g., Mimoso 2003, Krim 2004, Joyce 2005). Patching rebates for freeware can be implemented as corporate or individual tax rebates or credits. Such tax rebates are employed as tools in many other settings where the government wants to encourage good behavior in the presence of negative externalities (Lyne 2001). The following proposition explores the effectiveness of such a rebate policy.

Proposition 4. Consider a patching rebate offered by a social planner to users of a freeware product.
(i) If πα ≤ 2c_p/3 or πα ≥ 32/(27c_p), then for all r > 0, offering a patching rebate r decreases the expected social welfare.
(ii) If 2c_p/3 < πα < 32/(27c_p), then it is possible to improve the expected social welfare with a positive patching rebate. Further, the social welfare maximizing rebate is r_g^* = c_p/3.

As in the case of proprietary software, patching rebates increase the security of freeware as well. However, some users may be induced to patch when it is not socially efficient. The main trade-off is between the welfare loss from inducing such users to patch and the welfare gain from the network effects of increased security. Part (i) of Proposition 4 states that when the software security risk is low, rebates are ineffective: in such cases the social value of the network effects is relatively low, and the losses from inefficient patching dominate. In addition, when the security risk is high, the patching population is small, and as rebates increase the size of the patching population, new non-patching users join and wipe out the positive network effects gained. When the security risk is at a moderate level, however, rebates can be effective, as stated in part (ii) of Proposition 4. In summary, a patching rebate policy can improve the social welfare generated by freeware for a moderate risk level, but for sufficiently low or high levels of risk such a policy may end up decreasing social welfare.

5.3 Usage Tax

In Section 5.2, we presented a rebate based policy that was able to induce patching behavior and yield higher social welfare in certain cases. However, in Proposition 4 we saw that such a policy can be ineffective at the two ends of the security spectrum, where expected security losses are small or large. Since consumers acting in self-interest impose security risk on other consumers through network effects, a mechanism that drives out some of the consumers who have low valuations but create negative externalities on other users by not patching can be helpful. This mechanism can be achieved by imposing a small price or tax on the freeware. Such a policy, by forcing certain low valuation consumers out of the system, can eliminate the negative security externalities that they cause and can help improve the net social welfare obtained from the freeware. Notably, this policy aims at the opposite effect from a patching rebate policy, since a rebate mechanism intends to encourage non-users of the product to reconsider its use. From the consumers' point of view, a tax imposed by a social planner is identical to a price charged by a vendor. However, in this case the tax payment that consumers must make in order to use the freeware is set to maximize social welfare. Therefore, the relevant region is the lower end of the tax (or price) spectrum, with decisions focusing on whether or not to impose such a small payment. The following proposition explores the effectiveness of a tax policy.

Proposition 5.
(i) There exists a τ > 0 such that the expected social welfare can be increased by imposing a user tax of τ on the freeware product.
(ii) There exist threshold values $\underline{\omega}$ and $\bar{\omega}$ with $0 < \underline{\omega} \le \bar{\omega}$ such that when $\pi\alpha < \underline{\omega}$, the optimal user tax increases with $\pi\alpha$ and is not affected by increases in $c_p$; and when $\pi\alpha > \bar{\omega}$, the optimal user tax increases with $c_p$ and decreases with $\pi\alpha$.

Proposition 5 states that a certain level of usage tax can always improve the expected social welfare for freeware under network effects by eliminating consumers whose valuations are low but who impose negative security externalities on all users by not patching. This result contrasts with the corresponding case for proprietary software (Section 4.3). The reason a tax policy is effective with freeware is the absence of a profit maximizing vendor who reduces social welfare by limiting usage through a price set to maximize profit. With proprietary software, the vendor already prices the product endogenously in a range where eliminating part of the user population through additional taxation is inefficient given the network effects. Imposing a tax in that case makes the vendor respond by decreasing the price, but the effective price the customers perceive (i.e., the vendor price plus tax) increases, thus eliminating users and decreasing social welfare. However, Proposition 5 states that when the price is zero, the usage threshold is always low enough that a usage tax can sufficiently reduce negative network externalities to improve social welfare. Proposition 5 also states that when $\pi\alpha$ is low enough, the optimal tax, though eliminating some low valuation users, will not induce a patching population and hence will not depend on $c_p$. For such cases, increased security risk makes it optimal for a social planner to increase the tax since the effect of network externalities dominates the value loss. On the other hand, when the security risk is large, usage levels fall, and the proposition states that the optimal tax decreases with increased security risk. However, in this region, increased patching costs impose heavy security risks due to reduced patching, which in turn makes it optimal to increase the usage tax to compensate.

5.4 Policy Comparison Summary for Freeware

In this section, we give a comparison and summary of our policy analysis for freeware. First, we have shown that mandatory patching is always inferior to self patching. In contrast, rebates and taxes can help to increase welfare. We have found that taxes can strictly increase social welfare for all parameter values, but rebates are ineffective when $\pi\alpha \le 2c_p/3$ or $\pi\alpha \ge 32/(27c_p)$. For these parameter ranges, taxes are strictly better than rebates. The question then becomes whether rebates can ever be recommended over taxes. The following proposition answers this question.

Proposition 6 There exists a threshold $\theta \in (0, 1)$ such that when $c_p < \theta$ and $2c_p/3 < \pi\alpha \le \theta$, social welfare is greater under the optimal rebate policy than under the optimal tax policy.
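The following Python script is an added numerical check of Proposition 4 and is not part of the paper. It builds the freeware (price zero) equilibrium from the $p = 0$ case of Lemma 1, whose proof in the appendix gives $v_b = 0$, $v_p = \sqrt{c/(\pi\alpha)}$ when the effective patching cost $c = c_p - r$ satisfies $c < 1/(\pi\alpha)$, and $v_b = c - 1/(\pi\alpha)$, $v_p = c$ otherwise (with nobody patching when $\pi\alpha \le c$). Expected social welfare is computed, as this example's own modelling choice, as the integral of user surplus $v - C(v,\sigma)$ over users with $C = \min\{\pi\alpha u v, c_p\}$ and $u = v_p - v_b$ (footnote 7 and equation (1)), treating the planner's rebate as a pure transfer. The function names and the sample values ($c_p = 0.3$ and the $\pi\alpha$ grid) are our own.

```python
"""Freeware patching rebate (Proposition 4): numerical check.

Added example, not from the paper.  Notation: cp = c_p, pa = pi*alpha,
r = rebate, c = cp - r = effective patching cost faced by users.
Valuations are uniform on [0, 1]; the rebate is treated as a transfer, so
welfare charges patching users the real cost cp (assumption of this example).
"""
import math


def thresholds_freeware(c, pa):
    """(v_b, v_p) at price zero for effective patching cost c (Lemma 1, p = 0)."""
    if pa <= c:                      # risk too small relative to c: nobody patches
        return 0.0, 1.0
    if c < 1.0 / pa:                 # everyone uses, high types patch
        return 0.0, math.sqrt(c / pa)
    return c - 1.0 / pa, c           # lowest types drop out, then u = 1/pa


def welfare_freeware(cp, pa, r=0.0):
    """Expected social welfare under rebate r (r = 0 is self patching)."""
    vb, vp = thresholds_freeware(cp - r, pa)
    u = vp - vb
    # non-patching users on [v_b, v_p]: surplus v - pa*u*v each
    nonpatch = (1.0 - pa * u) * (vp ** 2 - vb ** 2) / 2.0
    # patching users on [v_p, 1]: surplus v - cp (real cost, not cp - r)
    patch = (1.0 - vp ** 2) / 2.0 - cp * (1.0 - vp)
    return nonpatch + patch


def best_rebate(cp, pa, steps=3000):
    """Grid search for the welfare-maximizing rebate on [0, cp)."""
    best_r, best_w = 0.0, welfare_freeware(cp, pa, 0.0)
    for i in range(1, steps):
        r = cp * i / steps
        w = welfare_freeware(cp, pa, r)
        if w > best_w + 1e-12:
            best_r, best_w = r, w
    return best_r, best_w


def rebate_helps(cp, pa):
    """True iff some positive rebate strictly beats self patching."""
    return best_rebate(cp, pa)[0] > 0.0


def proposition4_band(cp):
    """Risk band (2 c_p / 3, 32 / (27 c_p)) where Proposition 4 says rebates help."""
    return 2.0 * cp / 3.0, 32.0 / (27.0 * cp)


if __name__ == "__main__":
    cp = 0.3
    lo, hi = proposition4_band(cp)
    print(f"c_p = {cp}: rebates should help only for {lo:.4f} < pi*alpha < {hi:.4f}")
    for pa in (0.15, 0.25, 1.0, 3.5, 4.5, 5.0):
        r_star, w_star = best_rebate(cp, pa)
        print(f"  pi*alpha = {pa:4.2f}: best rebate {r_star:.4f} "
              f"(c_p/3 = {cp / 3:.4f}), welfare {w_star:.5f} "
              f"vs self patching {welfare_freeware(cp, pa):.5f}")
```

On the sample points the grid search switches from "no rebate" to "rebate $\approx c_p/3$" exactly where the band of Proposition 4 begins and ends, and the optimum inside the band sits at $c_p/3$ as part (ii) states; the search is deliberately naive so that the closed form is checked rather than assumed.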
Figure 5 demonstrates the difference between the expected welfare obtained under the optimal tax and rebate policies, i.e., the difference between the expected social welfare under the optimal tax $\tau_t^*$, $W_t(0, \tau_t^*)$, and under the optimal rebate $r_g^*$, $W_g(0, r_g^*)$. As can be seen from the figure, the tax policy is dominant for most of the parameter space and is especially dominant when the security risk is high, i.e., when $\pi\alpha$ is large. When the patching cost and the effective security risk are low, taxes have less impact since the negative network externalities are relatively less important. On the other hand, in this region, rebates are effective since it is relatively cheaper to induce users to patch, and therefore a rebate policy, which by its nature keeps all willing users active, can achieve better results than a tax policy. Recall that, for proprietary software, usage taxes are detrimental to social welfare, and hence rebates are preferred whenever they are effective (Sections 4.2 and 4.3). However, a usage tax is quite effective for freeware and is the dominant instrument for a social planner in that case. As we discussed in detail in Section 5.3, the main reason for this difference is the vendor's pricing response to a usage tax. Hence, we conclude that it may be advisable for social planners to consider usage taxes only in the case of freeware.

[Figure 5: Expected social welfare difference $W_t(0, \tau_t^*) - W_g(0, r_g^*)$ between the optimal tax and rebate policies for freeware, plotted against $\pi\alpha$ and $c_p$.]

In summary, for freeware, when the security risk or patching cost is sufficiently high, $W_t > W_s > W_g, W_m$, i.e., a tax policy dominates. On the other hand, when the security risk and patching costs are low and the security risk is not too low compared to the patching costs, $W_g > W_t > W_s > W_m$, i.e., a rebate policy is most effective.

6 Concluding Remarks

In this paper, we presented a model of network software security to demonstrate that in a network environment, where the software security maintenance of each user affects the riskiness and consequently the value of the software for other users, incentives can be a useful tool for both a profit maximizing vendor and a social welfare maximizing planner. In particular, we explored and compared four policies to manage network software security in both proprietary software and freeware contexts: (i) consumer self patching; (ii) mandatory patching; (iii) patching rebate; and (iv) usage tax. We have compared the preferability of these policies for a vendor (in the case of proprietary software) and a social planner (in the cases of both proprietary software and freeware). We have demonstrated that rebates and self patching are dominant for proprietary software, whereas for freeware, taxes compete with rebates and self patching becomes strictly dominated. Mandatory patching is found to be suboptimal across the board. The main difference between the results for proprietary software and freeware stems from the fact that for proprietary software, the vendor internalizes the effect of any policy on the users and reflects it in his price.
This is because changes in users' incentives directly affect the vendor's profits and induce him to adjust his price in response, closing a feedback loop. As a result, the social planner's role is more direct and critical in the case of freeware. Another method of improving user patching behavior would be to directly reduce the patching costs that users face. One way of achieving this is the software vendor's development of an automated patching solution. Automated patching aims to lower patching costs for users, ideally to zero. If such an idealized scenario were possible, i.e., if the patching costs were zero, all users would patch immediately after the release of a patch for a vulnerability. This would eliminate any effective security risk and negative network effects, and no issues related to the spread of malicious code in the network would be present. However, achieving an effective automated patching solution is not an easy task since each patching problem has unique aspects and each user's system has a more or less unique configuration. Therefore, effective patch management is a highly time and resource consuming activity, and a one-size-fits-all approach is unlikely to be an immediate remedy, as is widely acknowledged by practitioners (see, e.g., Messmer 2004a, Bentley 2005). Also note that an automated patching solution only affects the portion of the patching costs associated with the actual deployment of the security patch. The larger portion of the patching costs is due to the labor needed to verify that the security patch works as advertised without breaking any application interaction. Such testing of a security patch usually takes place on a staging server before the patch is deployed to a production server. If a user patches, she must go through these steps to ensure that the security patch works without causing the production server to fail.
Therefore, patching costs are an innate part of network software security maintenance and should not be neglected as determinants of user patching behavior and, ultimately, network security. Our model applies to cases where there is a window for patching between the time a security patch is made available and the time an attack occurs, as was the case for most major worms in the past. However, in some cases zero-day attacks occur before or right as patches are released (Shannon and Moore 2004). Analyzing the effect of such cases on user incentives would be an interesting future research topic. In addition, our main concern in this paper is the spread of malicious code that exploits a patchable vulnerability in a common software product over a network of interconnected users. However, certain high profile users can be specifically targeted for attacks, such as the DoS attack experienced by Yahoo in 2000 (Williams 2000). These specific risks are essentially separate in character from the risks associated with the spread of a worm. Examining the security threats from such attacks in network environments would be an interesting future research topic. Also, in our model we assume a uniform distribution of valuations. Although most of our results (such as the threshold valuation characterization of the equilibrium and the inferiority of mandatory patching) are robust to the distributional assumption, one future avenue for research could be extending our results to general distributions.
Another interesting extension of our model could be analyzing the vendor's problem of inducing optimal patching activity levels based on the users' valuations by offering a non-linear patching rebate schedule. Given that the users have different valuations and correlated losses in case of an attack, there may be gains from allowing users to decide the level of their patching activity and receive rebates accordingly. In a separating equilibrium, a software vendor can then offer a non-linear schedule of patching rebates to induce a target level of patching activity for each type of customer, monitor the patching levels (something he can observe), and use them as a proxy to award rebates based on consumer valuations (something he cannot directly observe or price discriminate on). The employment of such a price/rebate schedule may not only benefit the vendor but also improve social welfare by allowing users to choose patching activities at socially efficient levels. One might also investigate the vendor's incentives for disclosure of vulnerabilities to the public. It is typically the case that vulnerabilities in software are discovered by either the vendor or benevolent users before hackers. In such instances, the vendor usually has a grace period to develop and release patches before the existence of these vulnerabilities is publicly announced. The length of that grace period may have implications for the vendor's incentives for patch development, and these issues are topics of ongoing research (e.g., Arora et al. 2005, Choi et al. 2005, and Jaisingh and Li 2005). Mechanisms that target user incentives, used in conjunction with control of the vulnerability disclosure grace period, can prove to be powerful at improving software security, and this is an interesting topic for future research.
Our goals in this paper were first to establish that when dealing with network security issues, policies targeting user incentives can be effective tools, and second to gain insights into the types of incentive mechanisms that may be helpful in increasing the value generated by network software in the face of security vulnerabilities. In today's highly interconnected environment, where many consumers still do not maintain the security of their software adequately, resulting in losses from hacker attacks that amount to billions of dollars, policies that can induce increased consumer security by taking user incentives into account are needed. Our results may give guidance and insight to software companies and policy-makers working on such strategies and ultimately help reduce the tremendous losses that occur from computer security incidents every year.

References

Anderson, R. J. (2001). Why information security is hard - an economic perspective. In Proc. of the 17th Annual Computer Security Applications Conf., pp. 358-365. IEEE Computer Soc.
Anderson, R. M. and R. M. May (1991). Infectious Diseases of Humans: Dynamics and Control. Oxford Univ. Press.
Arora, A., R. Telang, and H. Xu (2005). Optimal policy for software vulnerability disclosure. Working Paper, Carnegie Mellon Univ.
Bailey, N. T. (1975). The Mathematical Theory of Infectious Diseases and its Applications. Oxford Univ. Press.
Bentley, A. (2005, October). Developing a patch and vulnerability management strategy. http://www.scmagazine.com.
Bloor, B. (2003). The patch problem: It's costing your business real dollars. Baroudi Bloor. http://www.baroudi.com/pdfs/patch.pdf.
Bragg, R. (2004, February). The perils of patching. Redmondmag.com.
Brito, D. L., E. Sheshinski, and M. D. Intriligator (1991, June). Externalities and compulsory vaccinations. J. Public Econ. 45(1), 69-90.
Cavusoglu, H., H. Cavusoglu, and J. Zhang (2005, September). Security patch management: Share the burden or share the damage. Working Paper, Univ. of British Columbia.
CERT (2004). CERT/CC statistics 1988-2003. CERT Coordination Center. http://www.cert.org/stats.
Choi, J. P., C. Fershtman, and N. Gandal (2005, April). Internet security, vulnerability disclosure and software provision. Extended Abstract.
ComputerEconomics (2004, February). The cost impact of major virus attacks since 1995. Computer Economics.
D'Amico, A. D. (2000, September). What does a computer security breach really cost? Secure Decisions, Applied Visions Inc.
Davidson, M. A. (2004, June). Automatic software patching: Boon or bane? GlobeAndMail.com.
Francis, P. J. (1997). Dynamic epidemiology and the market for vaccinations. J. Public Econ. 63(3), 383-406.
Garg, A. (2003, Spring). The cost of information security breaches. CrossCurrents, Ernst & Young.
Geer, D. E. (2004, May). The economics of shared risk at the national scale. Available at http://www.dtc.umn.edu/weis2004/weis-geer.pdf.
Geoffard, P.-Y. and T. Philipson (1996). Rational epidemics and their public control. Int. Econ. Rev. 37(3), 603-624.
Gersovitz, M. (2003). Births, recoveries, vaccinations and externalities. In Economics for an Imperfect World: Essays in Honor of Joseph E. Stiglitz, Cambridge, MA, pp. 469-483. MIT Press.
Gersovitz, M. and J. S. Hammer (2004). The economical control of infectious diseases. Econ. J. 114(492), 1-27.
Gersovitz, M. and J. S. Hammer (2005). Tax/subsidy policies toward vector-borne infectious diseases. J. Public Econ. 89(4), 647-674.
Goldman, S. M. and J. Lightwood (2002). Cost optimization in the SIS model of infectious disease with treatment. Top. Econ. Anal. Policy 2(1), 1-22.
InternetWorldStats (2004, September). World internet usage and population statistics. InternetWorldStats.com. http://www.internetworldstats.com/stats.htm.
Jaisingh, J. and Q. Li (2005, November). The optimal time to disclose software vulnerability: Incentive and commitment. Working Paper, Hong Kong Univ. of Science and Technology.
Joyce, E. (2005, February). More regulation for the software industry? EnterpriseITPlanet.com. http://www.enterpriseitplanet.com/security/news/article.php/3483876.
Kessing, S. and R. Nuscheler (2003, June). Monopoly pricing with negative network effects: The case of vaccines. Working Paper, Social Science Research Center Berlin.
Kremer, M. (1996). Integrating behavioral choice into epidemiological models of AIDS. Quart. J. Econ. 111(2), 549-573.
Krim, J. (2004, April). U.S. goals solicited on software security. WashingtonPost.com.
Kunreuther, H. and G. M. Heal (2002). Interdependent security: The case of identical agents. Working Paper, Columbia Univ.
Kunreuther, H., G. M. Heal, and P. R. Orszag (2002). Interdependent security: Implications for homeland security policy and other areas. The Brookings Institution, Policy Brief #108.
Lemos, R. (2003, August). Squashing the next worm. CNET News.com.
Lemos, R. (2004, March). Witty worm proves patching not viable. CNET News.com.
Leung, L. (2005, January). Patching takes over IT for a day. Techworld.com.
Lyne, J. (2001, May). EPA offers incentives to firms that adopt telecommuting in five U.S. metros. Online Insider. http://www.conway.com/ssinsider/incentive/ti0105.htm.
Maguire, J. (2004, January). Who's patching open source? Enterprise Linux IT.
Messmer, E. (2004a, May). Can software patching be automated? Network World Fusion. http://www.nwfusion.com/weblogs/security/005182.html.
Messmer, E. (2004b, May). Sasser worm exposes patching failures. Network World Fusion. http://www.nwfusion.com/news/2004/0510sasser.html.
Middleton, J. (2001, December). U.S. government calls for enforced patches. Vnunet.com.
Mimoso, M. (2003, September). Regulation, bad software, new threats fodder for Congress. SearchSecurity.com.
Moore, D., V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver (2003). The spread of the Sapphire/Slammer worm. http://www.cs.berkeley.edu/~nweaver/sapphire/.
Moore, D., C. Shannon, and J. Brown (2002). Code-Red: a case study on the spread and victims of an internet worm. In Proc. of the Second ACM SIGCOMM Workshop on Internet Measurement, pp. 273-284.
MS-Support (2004, June). IIS problems after applying a security patch. Microsoft Corporation.
Nicastro, F. (2005, September). Network security tactics. Step-by-step guide: How to deploy a successful patch. Searchsecurity.techtarget.com.
Schweitzer, D. (2003, August). Emerging technology: Patch me if you can! NetworkMagazine.com.
Shannon, C. and D. Moore (2004, August). The spread of the Witty worm. IEEE Security and Privacy 2(4), 46-50.
Sullivan, B. (2004, May). Sasser infections begin to subside. MSNBC.com. http://www.msnbc.msn.com/id/4890780/.
Symantec (2004, July). Automating patch management. Symantec Corporation.
Timms, S., C. Potter, and A. Beard (2004, April). Information security breaches survey 2004. UK Department of Trade and Industry.
US-CERT (2004). US-CERT vulnerability notes database. Carnegie Mellon Univ. http://www.kb.cert.org/vuls/.
Varian, H. (2004). System reliability and free riding. Working Paper, Univ. of California, Berkeley.
Weaver, N., V. Paxson, S. Staniford, and R. Cunningham (2003). A taxonomy of computer worms. In Proc. of the 2003 ACM Workshop on Rapid Malcode, pp. 11-18.
Williams, M. (2000, February). Attack takes down Yahoo for three hours. IDG News Service.
Appendix for Network Software Security and User Incentives
Terrence August and Tunay I. Tunca
Graduate School of Business, Stanford University

Proofs

Proof of Lemma 1: In order to characterize the equilibrium, we first start with the second period decisions of the consumers who purchased the product in the first period. If, in the second period, no vulnerability arises then there is no decision to make for a consumer. Suppose a vulnerability arises. If a consumer with valuation $v$ decides to patch the software, her expected total payoff is $v - p - c_p$. Notice that the consumer only incurs a patching cost when a vulnerability actually occurs. Suppose she decides not to patch and the total mass of the unpatched population is $u$. In this case, her expected payoff is $v - p - \pi u \alpha v$. Therefore, a consumer who buys the product patches in the second period in case a security vulnerability is revealed if and only if
$$v \ge \frac{c_p}{\pi u \alpha}. \quad \text{(A.1)}$$
Consequently, in equilibrium, if a buyer with valuation $v_0$ patches the software, then every buyer with valuation $v > v_0$ will patch, and hence there exists a $v_p \in [0, 1]$ such that, when a vulnerability arises, a consumer with valuation $v \in V$ will patch if and only if $v \ge v_p$. Next, we examine the buying decision in the first period. If a consumer with valuation $v$ decides to buy the product, she will incur a cost $p$. Her expected security losses are $C(v, \sigma)$. Then she will buy the software if and only if
$$v - C(v, \sigma) \ge p. \quad \text{(A.2)}$$
Now first, suppose $v_p < 1$. Then $v_p \ge p + c_p$, and hence, in equilibrium, since (1) implies $C(v, \sigma) = \min\{\pi u \alpha v, c_p\}$ and by (A.2), for all $v > v_p$ we have $\sigma(v) = (B, P)$. Now let $0 \le v_1 \le 1$ and $\sigma(v_1) = (B, NP)$. Then, by (A.2),
$$v_1 \ge \frac{p}{1 - \pi u \alpha}, \quad \text{(A.3)}$$
and therefore for all $v > v_1$, $\sigma(v) \in \{(B, P), (B, NP)\}$, and hence there exists a $v_b \in [0, 1]$ such that a consumer with valuation $v \in V$ will purchase if and only if $v \ge v_b$. By definition $v_p \ge v_b$. Suppose $0 < v_p = v_b < 1$ and $c_p > 0$. But then, there exists $0 < v < v_p$ such that $v - C(v, \sigma) = p$, which is a contradiction. Therefore, we conclude that, when $c_p > 0$ and $0 < p < 1$, there exist $0 \le v_b < v_p \le 1$ satisfying (2), from which it follows that
$$\pi\alpha (v_p - v_b) v_p = c_p, \quad \text{(A.4)}$$
and
$$v_b = p + \pi\alpha (v_p - v_b) v_b. \quad \text{(A.5)}$$
Substituting (A.4) into (A.5) yields
$$v_p = \frac{c_p v_b}{v_b - p}, \quad \text{(A.6)}$$
which, in turn, by substituting into (A.5) gives
$$\pi\alpha v_b^3 + \big(1 - \pi\alpha(c_p + p)\big) v_b^2 - 2 p v_b + p^2 = 0. \quad \text{(A.7)}$$
Now, for $v_p < 1$ to hold, by (A.6), we must have $v_b > p/(1 - c_p)$. Plugging this into equation (A.7), and since $0 \le v_b \le 1$, we obtain that for $v_p < 1$ we must have $p < \bar{p}$. When $p < \bar{p}$, it can be shown that (A.7) has a single root $v_b$ that satisfies $1 > v_b > p$, which is consistent with (A.2). Further, when $p > 0$, again from (A.7), $v_b < p + c_p$ follows, which by plugging into (A.6) confirms $p + c_p < v_p$. When $p = 0$ and $\alpha > c_p/\pi$, since $\bar{p} > 0$, (A.7) is valid, and substituting $p = 0$ into (A.7) yields $\pi\alpha v_b^2 \big(v_b - (c_p - 1/(\pi\alpha))\big) = 0$, which has two roots, namely $v_b = 0$ and $v_b = c_p - 1/(\pi\alpha)$. If $c_p < 1/(\pi\alpha)$, then the only possible solution in $[0, 1]$ is $v_b = 0$, and when $v_b = 0$, by (A.4), it follows that
$$v_p = \sqrt{\frac{c_p}{\pi\alpha}}. \quad \text{(A.8)}$$
If $\alpha > 1/(c_p \pi)$, however, under (A.8), (A.2) cannot be satisfied. Therefore, the only valid root for this region is $v_b = c_p - 1/(\pi\alpha)$ and by (A.6), the statement follows. Finally, when $p \ge \bar{p}$, substituting $v_p = 1$ in (A.5) we obtain $\pi\alpha v_b^2 + (1 - \pi\alpha) v_b - p = 0$, which has a unique positive root that satisfies $v_b \le 1$ and is given by
$$v_b = -\frac{1 - \pi\alpha}{2\pi\alpha} + \frac{1}{2\pi\alpha}\sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha p}. \quad \text{(A.9)}$$
This completes the proof.

Before we move on to the next proposition, we first state and prove the following lemmas that will be useful for the remaining proofs.

Lemma A.1 The purchasing threshold $v_b$ is strictly increasing in price. Further, in Region I, $dv_b/dp > 1$.

Proof: The statement for Region II is immediate from (A.9). For Region I, from (A.7) and by the implicit function theorem, we obtain
$$\frac{dv_b}{dp} = \frac{\pi\alpha v_b^2 + 2(v_b - p)}{3\pi\alpha v_b^2 + 2(1 - \pi\alpha c_p - \pi\alpha p) v_b - 2p} = \frac{1}{1 + \dfrac{2\pi\alpha v_b (v_b - c_p - p)}{\pi\alpha v_b^2 + 2(v_b - p)}}. \quad \text{(A.10)}$$
Re-arranging equation (A.7), we have
$$\pi\alpha v_b^2 (v_b - c_p - p) = -(v_b - p)^2. \quad \text{(A.11)}$$
From (A.10) and (A.11), it then follows that
$$\frac{dv_b}{dp} = \frac{\pi\alpha v_b^2 + 2(v_b - p)}{\pi\alpha v_b^2 + 2\dfrac{p}{v_b}(v_b - p)} > 1. \quad \text{(A.12)}$$

Lemma A.2 (i) There exists a solution, $p_s^* \in [0, 1]$, to the profit maximization problem of the vendor. The profit function for the vendor is piecewise strictly concave in price, i.e., it is concave when restricted to the price regions $[0, \bar{p})$ and $[\bar{p}, 1]$, where $\bar{p}$ is as given in Lemma 1. (ii) Let $c_p \in (0, 1)$ be given. There exist $c_p < \underline{\theta} < \bar{\theta}$ such that (a) when $\pi\alpha > \bar{\theta}$, the software vendor's profit is maximized by pricing in Region I; (b) when $0 < \pi\alpha < \underline{\theta}$, the software vendor's profit is maximized by pricing in Region II.

Proof: By Lemma 1, $\Pi_s(\cdot)$ is continuous on the compact set $[0, 1]$. Therefore, the vendor's problem has an optimal solution on this price range. For strict concavity, we first consider Region II. By (A.9), we have
$$\Pi_s^{ii}(p) = p(1 - v_b) = p\left(\frac{1 + \pi\alpha}{2\pi\alpha} - \frac{1}{2\pi\alpha}\sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha p}\right). \quad \text{(A.13)}$$
In order to circumvent having the first derivative ill-defined, we break the analysis into the two cases $\pi\alpha = 1$ and $\pi\alpha \ne 1$. When $\pi\alpha = 1$, we have $\Pi_s^{ii}(p) = p(1 - \sqrt{p})$. Thus $d\Pi_s^{ii}(p)/dp = 1 - \tfrac{3}{2}\sqrt{p}$ and $d^2\Pi_s^{ii}(p)/dp^2 = -\tfrac{3}{4\sqrt{p}} < 0$. When $\pi\alpha \ne 1$, we have
$$\frac{d\Pi_s^{ii}(p)}{dp} = \frac{1}{2\pi\alpha}\left(1 + \pi\alpha - \sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha p}\right) - \frac{p}{\sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha p}},$$
and
$$\frac{d^2\Pi_s^{ii}(p)}{dp^2} = -\frac{2(1 - \pi\alpha)^2 + 6\pi\alpha p}{\big((1 - \pi\alpha)^2 + 4\pi\alpha p\big)^{3/2}} < 0.$$
Hence, we conclude that $\Pi_s^{ii}(\cdot)$ is indeed strictly concave. Now consider Region I. Notice that $d\Pi_s^i(p)/dp = 1 - v_b - p\,dv_b/dp$ and $d^2\Pi_s^i(p)/dp^2 = -\big(2\,dv_b/dp + p\,d^2v_b/dp^2\big)$. By differentiating equation (A.12) and rearranging we obtain
$$\frac{d^2 v_b}{dp^2} = \frac{\dfrac{dv_b}{dp}\left(2\alpha v_b + \dfrac{4p}{\pi v_b}\right) - \left(\dfrac{dv_b}{dp}\right)^2\left(2\alpha v_b + \dfrac{2p^2}{\pi v_b^2}\right) - \dfrac{2}{\pi}}{\alpha v_b^2 + \dfrac{2p}{\pi v_b}(v_b - p)}. \quad \text{(A.14)}$$
Substituting back into the second derivative of the profit function, we have
$$\frac{d^2\Pi_s^i(p)}{dp^2} = -\frac{2\left[\left(\alpha v_b^2 + \dfrac{2(v_b - p)}{\pi}\right) + p\dfrac{dv_b}{dp}\left(\alpha v_b + \dfrac{2p}{\pi v_b}\right) - \dfrac{p}{v_b}\left(\dfrac{dv_b}{dp}\right)^2\left(\alpha v_b^2 + \dfrac{p^2}{\pi v_b}\right) - \dfrac{p}{\pi}\right]}{\alpha v_b^2 + \dfrac{2p}{\pi v_b}(v_b - p)}. \quad \text{(A.15)}$$
Now, by (A.12) and Lemma A.1, we have
$$\frac{dv_b}{dp}\alpha v_b (v_b + p) - p\alpha v_b\left(\frac{dv_b}{dp}\right)^2 = \alpha v_b \frac{dv_b}{dp}\left(v_b + p\left(1 - \frac{dv_b}{dp}\right)\right) = \alpha v_b \frac{dv_b}{dp}\,\frac{\alpha v_b^3 + \dfrac{2p^2}{\pi v_b}(v_b - p)}{\alpha v_b^2 + \dfrac{2p}{\pi v_b}(v_b - p)} > 0. \quad \text{(A.16)}$$
Further, by (A.11), (A.12) and Lemma A.1, since $v_b > p$ gives $(p/v_b)\,dv_b/dp < 1$, rearranging the remaining terms of the bracket in (A.15) yields
$$\alpha v_b^2\left(1 - \frac{dv_b}{dp}\right) + \frac{2(v_b - p)}{\pi} - \frac{p}{\pi} + \frac{2p^2}{\pi v_b}\frac{dv_b}{dp} - \frac{p^3}{\pi v_b^2}\left(\frac{dv_b}{dp}\right)^2 \ge \frac{p}{\pi}\left[\left(1 + \frac{p}{v_b}\frac{dv_b}{dp}\right)\left(1 - \frac{p}{v_b}\frac{dv_b}{dp}\right) + \frac{2p}{v_b}\left(\frac{dv_b}{dp} - 1\right)\right] > 0. \quad \text{(A.17)}$$
The bracket in (A.15) is the sum of the left hand sides of (A.16) and (A.17). Combining (A.16), (A.17) and the fact that $v_b > p$, we find that the right hand side of (A.15) is strictly negative and therefore $\Pi_s^i$ is strictly concave. This completes the proof of part (i). To see part (ii), first, by part (i), there exists an optimal price that solves the vendor's profit maximization problem. To see part (a), notice that by (A.9), in Region II, $\lim_{\pi\alpha \to \infty} v_b = 1$. Therefore, as $\pi\alpha \to \infty$, the profit in Region II for any feasible $p$ approaches zero. By (A.7), $v_b < p + c_p$ is always satisfied. Therefore, for any given $p \in [0, \bar{p})$, $\Pi_s^i(p) > p(1 - c_p - p)$, which has a maximum at $p = (1 - c_p)/2$, which is in $[0, \bar{p})$ for sufficiently large $\pi\alpha$, as desired. For part (b), notice that by Lemma 1, the feasible price range for Region I is $p \in [0, \bar{p})$. At $\pi\alpha = c_p$, this range reduces to $\{0\}$, and as $\pi\alpha$ approaches this threshold the vendor's profit vanishes on $[0, \bar{p})$. For any $\pi\alpha \le c_p$, there is no feasible price for Region I. On the other hand, Region II is feasible for all values of $\pi\alpha$ in this range, and by (A.9), for any given $p \ge \bar{p}$, the profit in Region II increases as $\pi\alpha$ decreases. Hence, there exists a $\underline{\theta} \ge c_p > 0$ such that the vendor's profit is maximized in Region II for $\pi\alpha < \underline{\theta}$. This completes the proof.

Lemma A.3 For proprietary software, if $v_b \le v_m$ then $W_s > W_m$.

Proof: Consider each consumer $v \in [v_m, 1]$. Under self patching decisions, each of these consumers contributes $v - C(v, \sigma)$ to the expected social welfare. Note that this contribution incorporates the externalities created by all other users in equilibrium.
Under the mandatory patching policy, each of these consumers contributes $v - c_p$. However, $C(v, \sigma) \le c_p$ for all these consumers since $c_p$ is the greatest loss that any purchaser will accept. Each consumer $v \in [v_b, v_m]$ will purchase only if she makes a positive contribution to the welfare. Furthermore, by (A.4) and since $v_p > v_b$, $\pi\alpha(v_p - v_b) v_b < c_p$. Thus, the expected social welfare under self patching is strictly greater than the expected social welfare under mandatory patching when $v_b \le v_m$.

Proof of Proposition 1: To see part (i), first note that $v_m = p_m^* + c_p = (1 + c_p)/2$ and consider the associated purchasing threshold as a function of $c_p$, i.e., $v_m(c_p) = (1 + c_p)/2$. Since $\pi\alpha < c_p$ and $v_m(\cdot)$ is increasing in $c_p$, it follows that $v_m(\pi\alpha) < v_m(c_p)$. Now from (A.9), we have that
$$v_b(\pi\alpha) = -\frac{1 - \pi\alpha}{2\pi\alpha} + \frac{1}{2\pi\alpha}\sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha p_s^*}.$$
By Lemma A.2, $\Pi_s^{ii}$ is concave, and since $\Pi_s^{ii}(0) = \Pi_s^{ii}(1) = 0$ the optimal price can be found through the first order condition, which yields
$$p_s^* = \frac{1}{9\pi\alpha}\left(-1 + 4\pi\alpha - (\pi\alpha)^2 + (1 + \pi\alpha)\sqrt{1 - \pi\alpha + (\pi\alpha)^2}\right). \quad \text{(A.18)}$$
Plugging (A.18) into (A.9), we obtain
$$v_m(\pi\alpha) - v_b(\pi\alpha) = \frac{3 + 3(\pi\alpha)^2 - \sqrt{5 - 2\pi\alpha + 5(\pi\alpha)^2 + 4(1 + \pi\alpha)\sqrt{1 - \pi\alpha + (\pi\alpha)^2}}}{6\pi\alpha} \ge 0. \quad \text{(A.19)}$$
(A.19) can be easily established by rearranging the inequality and taking the square of both sides twice. Therefore $v_b \le v_m$ and the result follows from Lemma A.3.

To see part (ii), suppose that $v_b > v_m$. Define $p_c > 0$ as the price such that
$$\pi\alpha v_m^3 + \big(1 - \pi\alpha(c_p + p_c)\big) v_m^2 - 2 p_c v_m + p_c^2 = 0. \quad \text{(A.20)}$$
Plugging $v_m = (1 + c_p)/2$ into (A.20) and solving for $p_c$, we find that
$$p_c = \frac{1}{8}\left(4 + 4c_p + \pi\alpha(1 + c_p)^2 - \sqrt{\pi\alpha(1 + c_p)^2\big(16 c_p + \pi\alpha(1 + c_p)^2\big)}\right). \quad \text{(A.21)}$$
By Lemma A.2, at the optimal price for Region I, $p_s^*$, we have $d\Pi_s^i(p)/dp\,|_{p = p_s^*} \ge 0$. Then, by Lemma A.1 and again by Lemma A.2, $d\Pi_s^i(p)/dp\,|_{p = p_c} > 0$ also holds. Now,
$$\frac{d\Pi_s^i(p)}{dp} = 1 - v_b - p\,\frac{v_b^2 + \dfrac{2}{\pi\alpha}(v_b - p)}{v_b^2 + \dfrac{2p}{\pi\alpha v_b}(v_b - p)}. \quad \text{(A.22)}$$
Plugging (A.20) into (A.22), we find that
$$\left.\frac{d\Pi_s^i(p)}{dp}\right|_{p = p_c} = \frac{\pi\alpha v_b^3 (1 - p) + 2p(v_b - p)(1 - 2v_b) - \pi\alpha v_b^4}{\pi\alpha v_b^3 + 2p(v_b - p)} > 0$$
if and only if
$$\pi^2\alpha^2 (1 + c_p)^3 (3c_p - 1) + 32 c_p^2 \pi\alpha (1 + c_p) - \big(8c_p - \pi\alpha(1 + c_p)(1 - 3c_p)\big)\sqrt{\pi\alpha(1 + c_p)^2\big(16c_p + \pi\alpha(1 + c_p)^2\big)} > 0. \quad \text{(A.23)}$$
Suppose that $c_p \ge 1/3$. Moving the radical in (A.23) and squaring yields the equivalent condition
$$\pi\alpha c_p^2 (1 + c_p)^2 \big(16 c_p + \pi\alpha(3 - c_p)(3c_p - 1)\big) < 0, \quad \text{(A.24)}$$
and hence (A.23) is not satisfied. Now suppose $c_p < 1/3$ and define $s(\pi\alpha) \equiv -\pi\alpha(1 + c_p)^3(1 - 3c_p) + 32c_p^2(1 + c_p)$ and $t(\pi\alpha) \equiv 8c_p - \pi\alpha(1 + c_p)(1 - 3c_p)$, so that (A.23) reads $\pi\alpha\, s(\pi\alpha) - t(\pi\alpha)\sqrt{\pi\alpha(1 + c_p)^2(16c_p + \pi\alpha(1 + c_p)^2)} > 0$. Notice that $s(\pi\alpha) > 0$ if and only if $\pi\alpha < a_s \equiv \dfrac{32c_p^2}{(1 + c_p)^2(1 - 3c_p)}$, and $t(\pi\alpha) > 0$ if and only if $\pi\alpha < a_t \equiv \dfrac{8c_p}{(1 + c_p)(1 - 3c_p)}$. Further, (A.24) is violated if and only if $\pi\alpha \le a_\tau \equiv \dfrac{16c_p}{(3 - c_p)(1 - 3c_p)}$. Notice that $c_p < 1/3$ implies $a_s < a_t$. When $a_s \le \pi\alpha < a_t$, (A.23) does not hold. It then follows that when $\pi\alpha \ge a_t$, (A.23) is violated if and only if (A.24) is violated, which is true since $a_t \ge a_\tau$. Further, when $\pi\alpha < a_s$, (A.23) is violated if and only if (A.24) is violated, which is true since $a_s \le a_\tau$. Therefore $v_b \le v_m$ and, again by Lemma A.3, the result follows.

Proof of Proposition 2: For any given $p > 0$, $v_b > p$ and $0 < r < c_p$, by (A.11) (with $c_p - r$ in place of $c_p$),
$$p + c_p - r - v_b = \frac{1}{\pi\alpha}\left(\frac{v_b - p}{v_b}\right)^2. \quad \text{(A.25)}$$
Define $\xi \equiv \dfrac{1}{\pi\alpha}\left(\dfrac{v_b - p}{v_b}\right)^2$. By Lemma A.2, for sufficiently large $\pi\alpha$ the vendor will price in Region I. The first order condition for $\Pi_v(p, r) = p(1 - v_b) - r(1 - v_p)$ is given by
$$\frac{\partial \Pi_v(p, r)}{\partial p} = 1 - v_b - p\frac{dv_b}{dp} + \frac{r(c_p - r)}{(v_b - p)^2}\left(v_b - p\frac{dv_b}{dp}\right) = 0, \quad \text{(A.26)}$$
which, by combining with (A.12) and (A.25) and expanding in $\xi$, yields
$$p_v^* = \frac{1 - c_p}{2} + r + \frac{c_p(3c_p - 1 - 4r)}{2(1 + c_p)(c_p - r)}\,\xi + O(\xi^2). \quad \text{(A.27)}$$
Therefore, combining (A.25) and (A.27), for $\pi\alpha$ sufficiently large, $p_v^* < \bar{p}$ and the unconstrained optimum of $\Pi_v^i$ will be feasible for Region I. Now consider the optimal price as a function of the rebate, denoted $p(r)$, and define the optimal expected vendor profit as a function of the rebate by $\Pi_v^*(r) = \Pi_v(r, p(r), v_b(p(r), r))$. By Lemma A.2 and the envelope theorem, we obtain the first order condition for the optimal rebate as
$$\frac{d\Pi_v^*(r)}{dr} = \frac{\partial \Pi_v(r, p(r), v_b(p(r), r))}{\partial r} + \frac{\partial \Pi_v(r, p(r), v_b(p(r), r))}{\partial v_b}\frac{\partial v_b(p(r), r)}{\partial r} = -1 + \frac{v_b}{v_b - p}(c_p - 2r) + p\left(1 + \frac{r(c_p - r)}{(v_b - p)^2}\right)\frac{v_b^2}{v_b^2 + \dfrac{2p}{\pi\alpha v_b}(v_b - p)} = 0. \quad \text{(A.28)}$$
Substituting in from (A.25),
$$\frac{d\Pi_v^*(r)}{dr} = -1 + \frac{p + c_p - r - \xi}{c_p - r - \xi}(c_p - 2r) + \left(1 + \frac{r(c_p - r)}{(c_p - r - \xi)^2}\right)\frac{p(c_p - r - \xi)}{c_p - r - \xi + \dfrac{2p\xi}{p + c_p - r - \xi}},$$
which, evaluated at (A.27), yields
$$\frac{d\Pi_v^*(r)}{dr} = \frac{c_p(3c_p - 1 - 4r)}{2(c_p - r)^2}\,\xi + O(\xi^2). \quad \text{(A.29)}$$
Hence there exists an $\omega > 0$ such that when $\pi\alpha > \omega$, $d\Pi_v^*(r)/dr\,|_{r = 0} \ge 0$ if and only if $c_p \ge 1/3$. Therefore, a rebate policy will be effective if and only if $c_p > 1/3$. By (A.29), we have $r_v^* \to (3c_p - 1)/4$ and hence, by (A.27), $p_v^* \to (1 + c_p)/4$. Further, there exists a constant $k$ such that
$$\lim_{\xi \to 0}\frac{r_v^* - (3c_p - 1)/4}{\xi} = \lim_{\xi \to 0}\frac{p_v^* - (1 + c_p)/4}{\xi} = k.$$
Substituting into (A.29), it follows that $k = (1 - c_p)/(8c_p) > 0$. Therefore, $r_v^*$ and $p_v^*$ are increasing in $\xi$, and hence decreasing in $\pi\alpha$. This completes the proof of part (i).

To see part (ii), first notice that under the hypothesis $\pi\alpha < c_p$ holds, and in this region, for a rebate $r > 0$ to be effective, by Lemma 1 we must have $c_p - \pi\alpha < r < c_p$, since only in this case will the consumers face a patching cost that induces at least some of them to patch. For a fixed $p$, let $v_b(r)$ and $v_p(r)$ denote the purchasing and patching thresholds when a rebate $r$ is offered, respectively. Clearly, when $r > c_p - \pi\alpha$, $v_b(r) < v_b(0)$, since otherwise $\Pi_v(p, r) < \Pi_v(p, 0)$ holds. But then, by (A.5),
$$v_b(r) = \frac{p}{1 - \pi\alpha(v_p(r) - v_b(r))} < \frac{p}{1 - \pi\alpha(1 - v_b(0))} = v_b(0), \quad \text{(A.30)}$$
which implies $1 - v_p(r) > v_b(0) - v_b(r)$, and therefore, for $\Pi_v(p, r) > \Pi_v(p, 0)$, $p > r$ has to hold. When the vendor offers such a rebate $r$, his expected profit function can be written as $\Pi_v(p, r) = p(1 - v_b) - r(1 - v_p)$ where $p \in \big[0, (1 - (c_p - r))(1 - \tfrac{c_p - r}{\pi\alpha})\big]$. Also note that the purchasing threshold is now governed by the equation $\pi\alpha v_b^3 + \big(1 - \pi\alpha(c_p - r + p)\big) v_b^2 - 2pv_b + p^2 = 0$. Then, by the implicit function theorem, we obtain
$$\frac{dv_b}{dr} = -\frac{v_b^2}{v_b^2 + \dfrac{2p}{\pi\alpha v_b}(v_b - p)}, \quad \text{(A.31)}$$
and hence $-1 \le dv_b/dr \le 0$. Differentiating the expected profit function, we obtain
$$\frac{d\Pi_v(p, r)}{dr} = -p\frac{dv_b}{dr} - 1 + v_p + r\frac{dv_p}{dr} = -p\frac{dv_b}{dr} - 1 + v_p + r\left(-\frac{p(c_p - r)}{(v_b - p)^2}\frac{dv_b}{dr} - \frac{v_b}{v_b - p}\right). \quad \text{(A.32)}$$
Notice that the first three terms are bounded and that $r$ approaches $c_p$ as $\pi\alpha$ approaches zero. Substituting $c_p - r$ in place of $c_p$ in (A.11) and re-arranging we obtain
$$c_p - r = (v_b - p)\left(\frac{v_b - p}{\pi\alpha v_b^2} + 1\right).$$
(A.33) Therefore p(c p r) dv b dp (v b p) 2 v b v b p = παv 2 b p παv 2 b + 2(v b p) p v b = dv ( b dr r 1 + p ) παvb 2. (A.34) Now since πα < have c2 p 1+c p and p 1, πα(p (c p πα)) < (c p πα) 2, and since p > r > c p πα, we πα < (c p πα) 2 p (c p πα) < pr p r. (A.35) A.7
From (A.35), and since $v_b \leq 1$, it follows that
$$p - r - \frac{pr}{\pi\alpha v_b^2} < 0. \tag{A.36}$$
Combining (A.32), (A.34) and (A.36), we obtain $d\Pi_r/dr < 0$ and therefore, it is suboptimal for the vendor to offer a rebate. This completes the proof.

Proof of Proposition 3: By (4), (A.6) and (A.7),
$$W^i_g(p, r) = \frac{1}{2}\left(1 - v_b^2 - \frac{\pi\alpha v_b^3(v_b - p - c_p + r)^2(v_b + c_p - p - r)}{(v_b - p)^3} + \frac{2c_p\left(p - v_b(1 + r - c_p)\right)}{v_b - p}\right). \tag{A.37}$$
Taking the total derivative with respect to $r$, substituting (A.12) and (A.31), utilizing the implicit function theorem on (A.26), and defining $\xi$ as in the proof of Proposition 2, by (A.25) and (A.27) we then obtain
$$\lim_{\xi \to 0}\frac{1}{\xi}\frac{dW_g(r)}{dr} = \frac{c_p\left(c_p(12 - c_p) - 3 - 16r\right)}{4(1 + c_p)(c_p - r)^2}. \tag{A.38}$$
Notice that $c_p(12 - c_p) - 3$ is a concave quadratic expression in $c_p$ with roots $6 - \sqrt{33}$ and $6 + \sqrt{33}$. Since $6 - \sqrt{33} < 1 < 6 + \sqrt{33}$, we conclude that there exists an $\omega > 0$ such that when $\pi\alpha > \omega$, $\left.\frac{dW_g(r)}{dr}\right|_{r = 0} > 0$ if and only if $c_p > 6 - \sqrt{33}$. Hence, in this region, a rebate policy is effective at increasing social welfare if and only if $c_p$ is large enough as stated in the proposition. By (A.38), as $\pi\alpha$ becomes large, we have $r_g \to (c_p(12 - c_p) - 3)/16$ and, by substituting into (A.27), $p_g \to (5 - c_p)(1 + c_p)/16$. Clearly, both $r_g$ and $p_g$ are strictly increasing in $c_p$. Further, substituting $r_g$ back into (A.38) we obtain
$$\lim_{\xi \to 0}\frac{r_g - (c_p(12 - c_p) - 3)/16}{\xi} = f(c_p), \tag{A.39}$$
where $f(c_p)$ is a fifth order polynomial with three real roots, only one of which (denoted by $\theta$) lies in $(6 - \sqrt{33}, 1)$, and for all $c_p \in (\theta, 1)$, $f(c_p) < 0$. Thus, for $\pi\alpha$ sufficiently large, $r_g$ is decreasing in $\pi\alpha$ if $c_p \in (6 - \sqrt{33}, \theta)$ and increasing in $\pi\alpha$ if $c_p \in (\theta, 1)$. Substituting $r_g$ into (A.27) and carrying out the analysis in a similar way shows that there exists a $\theta'$ in $(6 - \sqrt{33}, 1)$ such that $p_v$ is decreasing in $\pi\alpha$ if $c_p \in (6 - \sqrt{33}, \theta')$ and increasing in $\pi\alpha$ if $c_p \in (\theta', 1)$. This completes the proof of part (i).

For part (ii), when $\pi\alpha < c_p$ and $r = 0$, by Lemmas 1 and A.2, the optimal price, $p_s$, is found in Region II. Plugging (A.18) in (A.22), we find that
$$\lim_{\pi\alpha \to 0}\pi\alpha\left.\frac{d\Pi^i_s}{dp}\right|_{p = p_s} = \frac{(c_p - r)r}{\nu(1 + 8\nu)}, \tag{A.40}$$
where, from (A.7), $\nu = \lim_{\pi\alpha \to 0}(v_b - p)/\pi\alpha > 0$. Therefore, when a planner imposed rebate is effective, i.e., when a large enough $r < c_p$ induces the vendor to price so that there is a patching population, since the vendor's profit curve is strictly piecewise concave in $p$, $p_g > p_s$ follows. Now define
$$n \equiv \sup\left\{n : \lim_{\pi\alpha \to 0}\frac{p_g(r) - p_s}{(\pi\alpha)^n} < \infty\right\}. \tag{A.41}$$
Further, define $v^s_b$ as given in (A.9), which is the purchasing threshold for $r = 0$, and
$$n' \equiv \sup\left\{n : \lim_{\pi\alpha \to 0}\frac{v_b(p_g(r), r) - v^s_b}{(\pi\alpha)^n} < \infty\right\}. \tag{A.42}$$
By (A.4)
$$\lim_{\pi\alpha \to 0}\frac{v_p(p_g(r), r)}{(\pi\alpha)^{\min\{n, n'\}}} < \infty, \tag{A.43}$$
and hence,
$$\lim_{\pi\alpha \to 0}\frac{v_p(p_g(r), r) - v_b(p_g(r), r)}{(\pi\alpha)^{\min\{n, n'\}}} < \infty. \tag{A.44}$$
Since $p_g(r) > p_s$, it then follows that there exists a $\theta > 0$ such that when $0 < \pi\alpha < \theta$, for any $r$ such that $v_p(p_g(r), r) < 1$,
$$W^i_g(p_g(r), r) - W^{ii}_g(p_s, 0) < \pi\alpha\left(v_p(p_g(r), r) - v_b(p_g(r), r)\right)v_p(p_g(r), r) - \left(1 - v_p(p_g(r), r)\right)c_p < 0. \tag{A.45}$$
This completes the proof.

Proof of Proposition 4: We first have to consider how the equilibrium region changes when a rebate is offered. By Lemma 1, when $\pi\alpha < c_p - r$ the equilibrium outcome is in Region II with all consumers purchasing and the expected social welfare is $W^{ii}_g = \frac{1}{2}(1 - \pi\alpha)$. When $c_p - r \leq \pi\alpha \leq \frac{1}{c_p - r}$, the equilibrium outcome is in Region I with $p = 0$, all consumers purchasing, only consumers with valuations $v > \sqrt{\frac{c_p - r}{\pi\alpha}}$ patching, and the expected social welfare is $W^i_g = \frac{1}{2} - c_p + \frac{c_p + r}{2}\sqrt{\frac{c_p - r}{\pi\alpha}}$. Finally, when $\pi\alpha > \frac{1}{c_p - r}$, the equilibrium outcome is in Region I with only the consumers with valuations $v > c_p - r - \frac{1}{\pi\alpha}$ purchasing and only the consumers with valuations $v > c_p - r$ patching. The expected social welfare in this region is $W^i_g = \frac{1}{2}(1 - c_p)^2 - \frac{r^2}{2}$. Which of the above regions are reachable is determined by whether $\pi\alpha < c_p$, $c_p \leq \pi\alpha \leq 1/c_p$, or $\pi\alpha > 1/c_p$. When $\pi\alpha > 1/c_p$, for any rebate such that $c_p - \frac{1}{\pi\alpha} \leq r \leq c_p$, the equilibrium outcome will be in Region I, with $v_b = 0$. For $0 \leq r < c_p - \frac{1}{\pi\alpha}$, on the other hand, the equilibrium outcome will be in Region I, with $v_b > 0$. When $\pi\alpha < c_p$, for any rebate such that $0 \leq r < c_p - \pi\alpha$, the equilibrium outcome will remain in Region II, while for $c_p - \pi\alpha \leq r \leq c_p$, it will move into Region I with $v_b = 0$. Finally, when $c_p \leq \pi\alpha \leq 1/c_p$, the equilibrium outcome will remain in Region I, with $v_b = 0$ for all $r$ in $0 \leq r \leq c_p$.

With these ranges in mind, we first address the case where $\pi\alpha > 1/c_p$. For $r$ such that $0 \leq r < c_p - \frac{1}{\pi\alpha}$, the expected social welfare is $W^i_g = \frac{1}{2}(1 - c_p)^2 - \frac{r^2}{2}$ and is decreasing in $r$. Thus, the highest expected social welfare achievable under this rebate range is $\frac{1}{2}(1 - c_p)^2$. For $r \in [c_p - \frac{1}{\pi\alpha}, c_p]$, expected social welfare is given by $W^i_g = \frac{1}{2} - c_p + \frac{c_p + r}{2}\sqrt{\frac{c_p - r}{\pi\alpha}}$. Let $g(r) \equiv \frac{1}{2} - c_p + \frac{c_p + r}{2}\sqrt{\frac{c_p - r}{\pi\alpha}}$. Then, we have
$$\frac{dg(r)}{dr} = \frac{c_p - 3r}{4\sqrt{\pi\alpha(c_p - r)}}$$
and hence $g$ is increasing on $r \in [0, \frac{c_p}{3}]$ and decreasing on $r \in [\frac{c_p}{3}, c_p]$. Since $r_g = \frac{c_p}{3}$ maximizes this function, it remains to find when $r_g$ is feasible, i.e. $c_p - \frac{1}{\pi\alpha} \leq \frac{c_p}{3}$. This condition is equivalent to $\pi\alpha \leq \frac{3}{2c_p}$ and when it holds along with $\frac{1}{2}(1 - c_p)^2 \geq g(\frac{c_p}{3})$, then there does not exist an $r > 0$ such that the expected social welfare can be increased by offering a rebate of $r$. The latter holds if and only if
$$\frac{1}{2}(1 - c_p)^2 - \left(\frac{1}{2} - c_p + \frac{2c_p}{3}\sqrt{\frac{2c_p}{3\pi\alpha}}\right) \geq 0, \tag{A.46}$$
which, in turn, is satisfied if and only if $\pi\alpha \geq \frac{32}{27c_p}$. Now if $\pi\alpha > \frac{3}{2c_p}$ then $r_g$ is not feasible. However, $g(r_g) \geq g(r)$ for any other $r$. Thus when $\pi\alpha \geq \frac{32}{27c_p}$, there is no $r > 0$ such that the expected social welfare can be increased by offering a rebate $r$, while for $\pi\alpha \in [\frac{1}{c_p}, \frac{32}{27c_p})$, offering a rebate of $r_g = c_p/3$ maximizes the expected social welfare. Second, when $\pi\alpha \in [c_p, 1/c_p]$ as we showed above, for all $r$, the equilibrium outcome will be in Region I, with $v_b = 0$, and the expected social welfare will be $g(r)$ as described above. Clearly, in this range, it is optimal to offer a rebate precisely equal to $r_g = c_p/3$. Finally, when $\pi\alpha < c_p$ as we have shown above, for all rebates such that $0 \leq r < c_p - \pi\alpha$ we are still operating in Region II. Thus, the expected social welfare is unchanged as no consumer elects to patch even with the rebate. We focus our attention on $r$ such that $c_p - \pi\alpha \leq r \leq c_p$ in which case the equilibrium outcome will be in Region I, with $v_b = 0$. In order for $r_g$ to be feasible, we require that $c_p - \pi\alpha \leq r_g = \frac{c_p}{3}$ which can be equivalently written as $\pi\alpha \geq \frac{2c_p}{3}$. For $\pi\alpha \leq \frac{2c_p}{3}$, we compare the expected social welfare $W^{ii}_g = \frac{1 - \pi\alpha}{2}$ against $g(c_p - \pi\alpha)$ as $g(\cdot)$ is decreasing in this range of rebates. However, it can be easily seen that $g(c_p - \pi\alpha) = W^{ii}_g$ and hence, for $\pi\alpha \leq \frac{2c_p}{3}$ it is clearly suboptimal to offer a rebate.

For $\pi\alpha > \frac{2c_p}{3}$, we must compare $g(r_g) = g(\frac{c_p}{3}) = \frac{1}{2} - c_p + \frac{2c_p}{3}\sqrt{\frac{2c_p}{3\pi\alpha}}$ against $W^{ii}_g$. Let $h(\pi\alpha) \equiv g(\frac{c_p}{3}) - \frac{1 - \pi\alpha}{2} = -c_p + \frac{2c_p}{3}\sqrt{\frac{2c_p}{3\pi\alpha}} + \frac{\pi\alpha}{2}$. We first establish that $h$ is increasing in $\pi\alpha$. Taking the first derivative, we obtain $dh(\pi\alpha)/d(\pi\alpha) = \frac{1}{2} - \frac{\sqrt{6}}{9}\left(\frac{c_p}{\pi\alpha}\right)^{3/2}$. Taking the second derivative, we obtain $d^2h(\pi\alpha)/d(\pi\alpha)^2 = \frac{\sqrt{6}}{6}\left(\frac{c_p}{\pi\alpha}\right)^{3/2}\frac{1}{\pi\alpha} \geq 0$. Hence, $h$ is convex and a lower bound on $dh(\pi\alpha)/d(\pi\alpha)$ is $dh(\pi\alpha)/d(\pi\alpha)|_{\pi\alpha = 2c_p/3}$, which is positive. Therefore, $h$ is increasing as well. Again since $\pi\alpha \geq 2c_p/3$, we obtain that $h(\pi\alpha) \geq 0$ for all $\pi\alpha$ in this range. Therefore when $\pi\alpha \in (\frac{2c_p}{3}, c_p]$, offering a rebate of $r_g = \frac{c_p}{3}$ maximizes the expected social welfare.

Proof of Proposition 5: For part (i), first suppose $\pi\alpha > 1/c_p$. Then
$$W^i_s(p) = \frac{1}{2}\left(1 - v_b^2 + \frac{\pi\alpha(p + c_p - v_b)^2 v_b^3(c_p - p + v_b)}{(p - v_b)^3} - 2c_p\left(1 + \frac{c_p v_b}{p - v_b}\right)\right). \tag{A.47}$$
Taking the derivative with respect to $p$, we obtain
$$\begin{aligned}\frac{dW^i_s(p)}{dp} ={}& -v_b\frac{dv_b}{dp} + \frac{\pi\alpha(c_p + p - v_b)^2\left(3c_p v_b^2\frac{dv_b}{dp} - v_b^3 - 3pv_b^2\frac{dv_b}{dp} + 4v_b^3\frac{dv_b}{dp}\right) + 2\pi\alpha(c_p + p - v_b)\left(1 - \frac{dv_b}{dp}\right)v_b^3(c_p - p + v_b)}{2(p - v_b)^3} \\ &- \frac{3\pi\alpha(c_p + p - v_b)^2 v_b^3(c_p - p + v_b)\left(1 - \frac{dv_b}{dp}\right)}{2(p - v_b)^4} - \frac{c_p^2\frac{dv_b}{dp}}{p - v_b} + \frac{c_p^2 v_b\left(1 - \frac{dv_b}{dp}\right)}{(p - v_b)^2}.\end{aligned} \tag{A.48}$$
Furthermore, since $\pi\alpha > 1/c_p$ and $p = 0$, by Lemma 1, we have $v_b = c_p - \frac{1}{\pi\alpha}$. Evaluating at $v_b = c_p - \frac{1}{\pi\alpha}$, we obtain $\frac{dv_b}{dp} = 1 + \frac{2}{\pi\alpha v_b}$. Simplifying, we obtain
$$\left.\frac{dW^i_s(p)}{dp}\right|_{p = 0} = \frac{1 - 2\pi\alpha c_p}{2\pi\alpha(1 - \pi\alpha c_p)} > 0. \tag{A.49}$$
Next suppose $c_p \leq \pi\alpha \leq 1/c_p$. From (A.11), we see that $v_b$ approaches $\frac{p}{1 - \sqrt{\pi\alpha c_p}}$ as $p$ approaches zero. Plugging (A.12) into (A.48) and taking the limit as $p \to 0$, we have
$$\lim_{p \to 0}\frac{dW^i_s(p)}{dp} = \frac{c_p}{4\left(1 - \sqrt{\pi\alpha c_p}\right)} > 0. \tag{A.50}$$
Finally let $\pi\alpha < c_p$, i.e., the market can only be in Region II as described in Lemma 1. Consequently
$$W^{ii}_s(p) = \frac{1}{2}(1 - v_b^2)\left(1 - \pi\alpha(1 - v_b)\right) = \frac{(\pi\alpha + p)(1 - \pi\alpha) + (\pi\alpha - p)\sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha p}}{4\pi\alpha}. \tag{A.51}$$
Taking the derivative, we obtain
$$\left.\frac{dW^{ii}_s(p)}{dp}\right|_{p = 0} = \left.\left(\frac{1 - \pi\alpha}{4\pi\alpha} - \frac{\sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha p}}{4\pi\alpha} + \frac{\pi\alpha - p}{2\sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha p}}\right)\right|_{p = 0} = \frac{\pi\alpha}{2(1 - \pi\alpha)} > 0. \tag{A.52}$$
Therefore for all $\pi\alpha > 0$, there exists a $\tau > 0$ such that the expected social welfare can be increased by imposing a tax $\tau$. For part (ii), first consider $\pi\alpha < c_p$. By Region II of Lemma 1, $v_p = 1$ and $v_b$ is given by (A.9). Substituting into (4), the first order condition yields
$$\tau_t = \frac{-1 + 2\pi\alpha(1 + \pi\alpha) + (1 - \pi\alpha)\sqrt{1 - 2\pi\alpha + 4(\pi\alpha)^2}}{9\pi\alpha}, \tag{A.53}$$
which is clearly increasing in $\pi\alpha$ in this range. By Lemma 1 and continuity of the welfare function, there exists a $\theta > c_p$ such that for all $c_p < \pi\alpha < \theta$, the optimal tax is given by (A.53). Defining $\xi$ as in the proof of Proposition 2 and by (A.48), we obtain $\tau_t = \xi - \frac{3}{2c_p}\xi^2 + O(\xi^3)$. Therefore, for large enough $\pi\alpha$, $\tau_t$ is decreasing in $\pi\alpha$ and increasing in $c_p$.

Proof of Proposition 6: By part (ii) of Proposition 4, the social welfare under the optimal rebate is given by $W^*_g \equiv W_g(\frac{c_p}{3}) = \frac{1}{2} - c_p + \frac{1}{\sqrt{\pi\alpha}}\left(\frac{2c_p}{3}\right)^{3/2}$. When a tax is imposed the resulting equilibrium is either in Region I or Region II as given in Lemma 1. Suppose that the equilibrium falls in Region II. By Lemma 1, $v_p = 1$ and $v_b$ is given by (A.9). Substituting into (4), the social welfare is given by
$$W^{ii}_t(\tau) = \frac{(\pi\alpha + \tau)(1 - \pi\alpha) + (\pi\alpha - \tau)\sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha\tau}}{4\pi\alpha}. \tag{A.54}$$
$W^{ii}_t(\cdot)$ is concave and the optimal tax is given by
$$\tau_t = \frac{-1 + 2\pi\alpha(1 + \pi\alpha) + (1 - \pi\alpha)\sqrt{1 - 2\pi\alpha + 4(\pi\alpha)^2}}{9\pi\alpha}. \tag{A.55}$$
Define $W^*_t \equiv W^{ii}_t(\tau_t)$ and let $\pi\alpha = kc_p$. We then have
$$W^*_g = \frac{1}{2} - \left(1 - \frac{2}{3}\sqrt{\frac{2}{3k}}\right)c_p + O(c_p^2), \tag{A.56}$$
and $W^*_t = \frac{1}{2} - \frac{kc_p}{2} + O(c_p^2)$. Comparing the two expressions, it follows that for sufficiently small $c_p$, $W^*_g > W^*_t$ if and only if $k > 2/3$. Now suppose that the optimal tax induces Region I equilibrium behavior. In this case, the social welfare is given by
$$W^i_t(\tau) = \frac{1}{2}\left(1 - v_b^2 - \frac{\pi\alpha v_b^3(v_b - \tau - c_p)^2(v_b - \tau + c_p)}{(v_b - \tau)^3} - 2c_p\left(1 - \frac{c_p v_b}{v_b - \tau}\right)\right), \tag{A.57}$$
where $v_b$ solves (A.7) with $p = \tau$. By (A.7), as $c_p \to 0$, $z_1 \equiv \lim_{c_p \to 0}(v_b - \tau)/c_p^2$ is constant. Further, taking the derivative with respect to $\tau$, substituting $\pi\alpha = kc_p$, writing the first order condition and by (A.12), it follows that for the optimal tax $\tau_t$, $z_2 \equiv \lim_{c_p \to 0}\tau_t/c_p$ is constant. Substituting in (A.7) and taking the limit of both sides as $c_p \to 0$, we obtain $z_2 = z_1/\sqrt{k}$. Further, substituting these two limits back into the first order condition and by taking the limit as $c_p \to 0$, we find that for the optimal tax $\tau_t$
$$\lim_{c_p \to 0}\frac{\tau_t}{c_p} = \frac{27z_2^3}{16} + \frac{81k^4 z_2^9}{256z_1^8} + \frac{81k^2 z_2^6}{64z_1^4} + \frac{z_1^2}{k} + \frac{3z_1^4}{4k^2}. \tag{A.58}$$
Substituting in $z_2 = z_1/\sqrt{k}$ in (A.58) and solving for $z_1$, we obtain $z_1 = \sqrt{k}/4$. It follows that $z_2 = 1/4$. Substituting back into (A.57) yields $W^*_t \equiv W^i_t(\tau_t) = \frac{1}{2} - \left(1 - \frac{1}{2\sqrt{k}}\right)c_p + O(c_p^2)$. Comparing with (A.56), we see that $W^*_g > W^*_t$, which completes the proof.
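The closed-form freeware welfare expressions in the proofs of Propositions 4 and 6 can be checked numerically. The following script is an added worked example, not code from the paper: it implements the three freeware equilibrium regions under a rebate, the Region II tax welfare (A.54) with its optimal tax (A.55), and a brute-force search that recovers the rebate $r_g = c_p/3$ and the rebate-versus-tax ranking; the grid search, the variable names and the constructed inputs ($c_p = 0.03$, $\pi\alpha = 0.025$) are assumptions of the example.

```python
# Added worked example, not code from the paper. It implements the closed-form
# freeware welfare used in the proofs of Propositions 4-6 (p = 0, v ~ U[0,1],
# patching cost cp, effective risk pa = pi*alpha, planner rebate r, usage tax
# tau). Only the Region II tax case (A.54)-(A.55), pa < cp, is implemented.
import math


def rebate_welfare(cp, pa, r):
    """Expected social welfare of freeware under a rebate r in [0, cp].
    The branches are the three equilibrium regions listed in the proof of
    Proposition 4; d = cp - r is the patching cost a consumer actually faces.
    """
    d = max(cp - r, 0.0)
    if pa < d:                          # Region II: all buy, nobody patches
        return (1 - pa) / 2
    if d == 0.0 or pa <= 1 / d:         # Region I, v_b = 0: v > sqrt(d/pa) patch
        return 0.5 - cp + (cp + r) / 2 * math.sqrt(d / pa)
    return (1 - cp) ** 2 / 2 - r ** 2 / 2   # Region I, v_b = d - 1/pa > 0


def best_rebate(cp, pa, steps=10000):
    """Brute-force maximiser of rebate_welfare over r in [0, cp]: (r*, W*)."""
    r_best, w_best = 0.0, rebate_welfare(cp, pa, 0.0)
    for i in range(1, steps + 1):
        r = cp * i / steps
        w = rebate_welfare(cp, pa, r)
        if w > w_best + 1e-12:          # strict improvement, so r = 0 wins ties
            r_best, w_best = r, w
    return r_best, w_best


def closed_form_rebate(cp, pa):
    """Optimal rebate as characterised in the proof of Proposition 4."""
    if pa <= 2 * cp / 3 or pa >= 32 / (27 * cp):
        return 0.0                      # no r > 0 raises welfare
    return cp / 3                       # r_g = cp / 3 in every other case


def tax_welfare(pa, tau):
    """(A.54): Region II welfare under a usage tax tau (valid for pa < cp)."""
    root = math.sqrt((1 - pa) ** 2 + 4 * pa * tau)
    return ((pa + tau) * (1 - pa) + (pa - tau) * root) / (4 * pa)


def optimal_tax(pa):
    """(A.55): the Region II tax that maximises tax_welfare."""
    root = math.sqrt(1 - 2 * pa + 4 * pa ** 2)
    return (-1 + 2 * pa * (1 + pa) + (1 - pa) * root) / (9 * pa)


if __name__ == "__main__":
    cp, pa = 0.03, 0.025                # constructed: pa = k*cp with k = 5/6
    print(best_rebate(cp, pa), closed_form_rebate(cp, pa))   # r* close to 0.01
    print(tax_welfare(pa, optimal_tax(pa)), rebate_welfare(cp, pa, cp / 3))
```

With $k = 5/6 > 2/3$ the rebate outcome exceeds the Region II tax outcome, as Proposition 6 states for small $c_p$; the Region I tax case (A.57) is left out of the script.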