that the economic gains from a world with versioning on patching rights are not overshadowed by losses in the “equilibrium” state that arises. More research studies that endogenize black hat behavior can help to better predict the actual outcomes.
The U.S. government would likely be a strong advocate of the approach we outline. Several federal agencies, including the National Science Foundation (NSF), have recognized that innovative policies are needed to help reduce security risks currently faced by the U.S. [4, 8] Along with President Obama’s executive order to develop a cybersecurity framework, the Department of Commerce was also directed to determine what types of economic incentives will cost-efficiently help facilitate adoption of the framework and whether additional legislation may be required. [9] The government seems to implicitly favor a voluntary approach toward improving cybersecurity. For example, whether software producers should be held liable for the economic losses incurred by their users due to poor security has been heavily debated over the last decade, but with little legislative action taken by the government. [6, 10]

In spirit, the idea is that holding a company like Microsoft liable will ultimately hurt its bottom line and thus finally provide incentives for greater investments in making its products more secure. This outcome may indeed be the case. But other undesirable outcomes can certainly arise instead. In particular, Microsoft may make strategic choices to limit its liability. One way to do so is to serve fewer users, because a smaller network of users corresponds to reduced security risk due to the network externality. Specifically, all software users benefit in terms of security when there are fewer users exhibiting insecure behaviors, such as not protecting their individual systems. Under a liability policy, Microsoft would, in turn, benefit by not paying out as much to cover users’ losses. If this latter effect of a liability policy is strong, Microsoft may in fact reduce its investments and/or raise its prices to achieve a smaller user population.
Instead, an approach where software producers begin versioning their products based on patching rights seems to strike a balance across the interests of government, software producers, and users. Unlike government-imposed liability, this approach is more consistent with how the government has thus far attempted to nudge stakeholders toward better cybersecurity outcomes. Furthermore, targeting user incentives to protect their machines can be a more direct and effective approach in comparison to liability schemes that software producers would prefer to avoid. In fact, if producers are able to charge higher prices from users who appreciate the increased security and it thereby leads to increased producer profitability, there is the potential for win/win outcomes that also substantially improve the economic value associated with software to society.
1. Anderson, R. and Moore, T. The economics of information security. Science 314 (2006), 610–613.
2. August, T. and Tunca, T. Network software security and user incentives. Management Science 52 (2006),
3. August, T. and Tunca, T. Who should be responsible for software security? A comparative analysis of liability policies in network environments. Management Science 57 (2011), 934–959.
4. Department of Defense. Department of Defense Strategy for Operating in Cyberspace (2011); http://
5. Espiner, T. EC wants software makers held liable for code. ZDNet (2009).
6. Heckman, C. Two views on security software liability: Using the right legal tools. IEEE Security & Privacy 1,
7. Moore, D., Shannon, C., and Brown, J. Code-Red: A case study on the spread and victims of an Internet worm. In Proceedings of the ACM SIGCOMM/USENIX Internet Measurement Workshop (2002), 273–284.
8. National Science Foundation. Secure and Trustworthy Cyberspace (SaTC) Program Solicitation NSF 12-596
9. Obama, B. Executive Order—Improving Critical Infrastructure Cybersecurity. The White House, Office of the Press Secretary, Washington, D.C., 2013.
10. Ryan, D. Two views on security software liability: Let the legal system decide. IEEE Security & Privacy 1,
11. Satter, R. ACLU: Slow smartphone updates are privacy threat. Associated Press (2013).
12. Yang, J. Smartphones in use surpass 1 billion, will double by 2015. Bloomberg (2012).
Terrence August (firstname.lastname@example.org) is an associate professor in the Rady School of Management at the University of California, San Diego and a visiting Iljin Professor at the Korea University Business School, Seoul,

Robert August (email@example.com) is an associate professor emeritus in the School of Business and Leadership at Our Lady of the Lake University, San

Hyoduk Shin (firstname.lastname@example.org) is an assistant professor in the Rady School of Management at the University of California, San Diego.
This Viewpoint is based upon work supported by the National Science Foundation under Grant No. CNS-

Copyright held by authors.