Network Software Security and User Incentives

Terrence August and Tunay I.Tunca

¤

Graduate School of Business

Stanford University

Management Science,2006,52 (11),pp.1703-1720

Abstract

We study the e®ect of user incentives on software security in a network of individual users

under costly patching and negative network security externalities.For proprietary software or

freeware,we compare four alternative policies to manage network security:(i) Consumer self

patching (where no external incentives are provided for patching or purchasing);(ii) Mandatory

patching;(iii) Patching rebate;and (iv) Usage tax.We show that for proprietary software,

when the software security risk and the patching costs are high,for both a welfare maximizing

social planner and a pro¯t maximizing vendor,a patching rebate dominates the other policies.

However,when the patching cost or the security risk is low,self patching is best.We also

show that when a rebate is e®ective,the pro¯t maximizing rebate is decreasing in the security

risk and increasing in patching costs.The welfare maximizing rebates are also increasing in

patching costs but can be increasing in the e®ective security risk when patching costs are high.

For freeware,a usage tax is the most e®ective policy except when both patching costs and

security risk are low,in which case,a patching rebate prevails.Optimal patching rebates and

taxes tend to increase with increased security risk and patching costs but can decrease in the

security risk for high risk levels.Our results suggest that both the value generated fromsoftware

and vendor pro¯ts can be signi¯cantly improved by mechanisms that target user incentives to

maintain software security.

¤

Graduate School of Business,Stanford University,Stanford,CA 94305-5015.e-mails:

taugust@stanford.edu,tunca

tunay@stanford.edu.We thank Barrie Nault (the department editor),the asso-

ciate editor and anonymous referees as well as Mike Harrison,Sunil Kumar,Howard Kunreuther,Haim Mendelson,

Jim Patell,Hal Varian,Larry Wein,Jin Whang,Muhamet Yildiz and seminar participants at Harvard University,

New York University and Stanford University for helpful discussions.Financial support from the Center of Electronic

Business and Commerce at the Graduate School of Business,Stanford University is gratefully acknowledged.

1 Introduction

With approximately 800 million worldwide users,the Internet as a network of interconnected com-

puters is unprecedented in its size,reach and content (InternetWorldStats 2004).One of the most

important issues that arises in such a broad communications environment,in which all systems

share not only the bene¯ts of the ability to communicate with a vast number of other users but

also the vulnerabilities that come with it,is information security.As the recent years have proven,

increased Internet usage brought about increased security attacks,with the number of reported

security incidents reaching 140,000 in 2003,a nearly sixty-fold increase compared to 1995 (CERT

2004).

The cumulative cost of information security breaches has many di®erent implicit and explicit

components,some of which can be di±cult to quantify,including the direct costs of repairing and

rebuilding infected systems,lost sales,and reduced productivity due to loss of reputation (D'Amico

2000,Garg 2003,Timms et al.2004).The cost of system security breaches is intimately tied to

the nature of a ¯rm's business,the ¯rm's reputation,the size of the ¯rm and the signi¯cance

of the attack.These costs vary largely among users and can be substantial.The total world-

wide cost of 14 major attacks between 1999 and 2004 was estimated to be about $36.5 Billion

(ComputerEconomics 2004).

Despite the immense losses due to security vulnerabilities,prevention is di±cult in an open

network environment such as the Internet,which is formed of users with a wide range of motivations

and resources.This becomes especially clear when one considers that maintaining the security of

a local network is a costly endeavor requiring physical and computing resources as well as time

and e®ort of expert system administrators.In addition,software patching imposes risks of system

crashes and instability (MS-Support 2004,Schweitzer 2003).As a result,proper patch maintenance

typically involves a careful system administrator dedicating time toward testing of patch integrity

and application interactions as well as ¯nal installation on a production server.Combining various

dimensions of costs,per server patching costs are estimated to be hundreds of dollars (e.g.,Bloor

2003,Davidson 2004 and Symantec 2004).Unfortunately,for a widely used software product such

as Microsoft IIS,not all consumers have su±cient incentives to undergo these costs.Consequently,

system security as a whole su®ers from users not acting in an optimal way when it comes to

maintaining network security (e.g.,Lemos 2003,2004,Messmer 2004b and Sullivan 2004).

As an example,consider the case of the\Code Red"worm and its successor\Code Red II"

that hit during the summer of 2001.Exploiting a bu®er-over°ow vulnerability in IIS,the worm

replicated 100 times over upon each infection.Code Red II opened up\back-door"access on

a®ected servers providing people with malicious intent full privileges on these servers.Given this

degree of compromise,the requisite corrective action often involved completely reformatting a®ected

servers and re-installing all software to original form.The cost to compromised ¯rms associated

1

with bad service to consumers,public defacement and technical labor hours was substantial.The

most troubling part is that these damages could have been prevented.Microsoft released a patch for

the IIS vulnerability exposed by Code Red one month prior to the attack.Poor patching behavior

in the user community extended the life and spread of these twin worms and caused damages

reaching $2.6 Billion (Moore et al.2002).Code Red is no exception.Most security attacks exploit

known vulnerabilities for which patches are already available.Patches were also available for the

vulnerabilities exploited by major worms such as Nimda,Slammer,Blaster,and Sasser up to six

months in advance of each attack.In virtually all of these cases,large losses could have been mostly

avoided by proper patch maintenance by the consumers (Schweitzer 2003).

As these examples demonstrate,because of network e®ects,the actions that each user takes

in the face of a potential security threat can have important consequences on other users,and

mechanisms to induce the right incentives for patching,both from the point of view of a pro¯t

maximizing vendor and a social welfare maximizing planner need to be considered.In this paper,

we present a model of a market for a software product with a potential security vulnerability to

compare mechanisms aimed to mitigate the security problem by utilizing user incentives.The

consumers who choose to purchase or use the software face a decision whether to undergo patching

costs to maintain the security of their software.If they patch their systems,they avoid the risk of

being hit by worms and do not cause negative externalities on the other users.However,if they

avoid patching,they not only risk being hit but also increase the risk faced by other users.The

equilibrium patching decisions of the users depend on the cost of patching and the overall riskiness

of the software.This,in turn,determines the equilibrium purchasing decisions of the consumers.

We consider two di®erent cases:(a) Proprietary software that is o®ered by a vendor who produces

and sells copies of it for pro¯t (e.g.,Microsoft IIS);(b) Freeware,which is available to users at no

charge and often distributed by open source development projects (e.g.,Apache HTTP Server).

For both cases,we examine four candidate policies:(i) Consumer self patching,where users make

their own decisions on patching (i.e.,the status quo);(ii) Mandatory patching,where users,by

agreement,are required to patch when one is available;(iii) Patching rebate,where users are

compensated by the vendor when a patch is available and they actually patch;and (iv) Usage tax,

where a social planner imposes a tax on the usage of the software in order to control the negative

network externalities caused by low valuation users who are not reliable patchers.

For proprietary software,contractually mandating patching can substantially reduce the vendor

pro¯t and hence is not an appealing policy for a software vendor to apply.Although mandating

patching can improve expected social welfare,for most cases it will reduce the welfare by inducing

the vendor to price at levels that move the network away from the overall socially optimal security

level.We also ¯nd that if the risk that the users are facing is small compared to the patching costs,

patching rebates cannot increase the vendor's expected pro¯t,since it will cost the vendor too much

2

Proprietary Software Freeware

Social Welfare and Vendor Pro¯t Social Welfare

Low High

Low High

security risk security risk

security risk security risk

(a)

Low patching cost

Self Self

Rebate Tax

High patching cost

Self Rebate

Tax Tax

Vendor Price and Vendor Price and

Planner Determined Rebate Vendor Determined Rebate

Proprietary Softw.

Security risk Patching cost

Security risk Patching cost

(b)

Low patching cost

{ +

{ +

High patching cost

+ +

{ +

Planner Determined

Rebate and Tax

Freeware

Security risk Patching cost

Rebate:Med.security risk

0 +

Tax:

Low security risk

+ 0

High security risk

{ +

Table 1:Policy recommendations and comparative statics for optimal rebates,prices and taxes.

Panel (a) provides recommendations to a social welfare maximizing planner and a pro¯t maximizing

vendor.\Self"refers to the self patching policy with no incentives,\Rebate"refers to the patching

rebate policy and\Tax"refers to the usage tax policy.Panel (b) provides comparative statics on

the vendor's optimal price,the optimal rebate and usage tax.All results are given for the ranges

where comparative statics are applicable,i.e.,where the considered policy is e®ective.

3

to induce a desired level of patching behavior.On the other hand,if the security risk is high,the

vendor can increase his pro¯ts through rebates by inducing increased security and consequently

increased value of his product.Similarly,by inducing e±cient patching behavior,rebates can be an

e®ective tool for a social welfare maximizing planner when the security risk and patching costs are

high.However,by signi¯cantly reducing the usage,taxes are not helpful for increasing either vendor

pro¯ts or social welfare even though they may increase the security of the product.We also show

that the optimal patching rebate and the corresponding vendor price tend to increase in patching

costs but decrease in the e®ective riskiness of the software.However,when the patching costs are

high,the optimal planner determined rebate increases with the security risk to reduce the high

network externalities that arise from poor user patching behavior.These results are summarized in

Table 1.Panel (a) gives the policy recommendations,and panel (b) gives the comparative statics

results for the optimal vendor price,rebates and tax.

When software is freeware,we demonstrate that mandating patching reduces welfare by forcing

consumers to make socially ine±cient decisions.However,our conclusions about the impact of

the rebates and taxes change signi¯cantly.Unlike proprietary software,patching rebates have only

limited e®ectiveness for freeware,since they often induce users to patch in cases where doing so is

socially ine±cient.However,taxes can be e®ective since they eliminate low valuation users who

do not patch and cause negative security externalities on other users.When the security risk or

patching costs are low,unlike the case of proprietary software where self patching is preferable,for

freeware,an intervention by a social planner through rebates and taxes increases social welfare.

When both software riskiness and the patching costs are low,rebates are preferable while for high

patching costs or security risk,a tax policy can signi¯cantly increase social welfare and be preferred.

The optimal tax and rebate tend to increase with the security risk and the patching costs except

when the security risk is high,in which case further usage should be encouraged by lowering the

tax.These results are again summarized in Table 1.

The remainder of this paper is organized as follows.Section 2 presents the literature review.

Section 3 presents the basic model and derives the equilibriumpurchasing and patching behavior for

a given set of parameters and price per copy of the software.Section 4 presents the vendor's price

setting problem and compares di®erent incentive mechanisms for the case of a pro¯t maximizing

vendor.Section 5 explores and compares policies for freeware.Section 6 o®ers our concluding

remarks.

2 Literature Review

The role of incentives in software security is a relatively new research subject,but the literature

in the area is growing.Anderson (2001) argues that information security is not simply a technical

problem that can be solved by more sophisticated hardware,software,and strategies.Rather,the

4

problem with information security is due to the fact that the economic incentives are misaligned.

Kunreuther et al.(2002) and Kunreuther and Heal (2002) identify a concept for security inter-

dependence and study security investment decisions made by agents in a computer network when

each agent's decision impacts the risk endured by the other agents.They examine a model where

there is a single shared resource whose security is increased by user investments and proceed to

characterize the equilibrium investment strategies and their dependence upon the cost structure.

They conclude that in order to best induce adoption of security measures,regulation and institu-

tional coordination mechanisms are needed.Varian (2004) considers how the reliability of a public

good is a®ected by the e®ort of individuals working in teams with varying incentives and e®ects on

system security.He ¯nds that when system reliability is based upon total e®ort,it is completely

determined by the agent with the highest bene¯t-cost ratio.On the other hand,when reliability

depends on the weakest link,the agent with the lowest bene¯t-cost ratio contributes the e®ort.

When maximum e®ort is the determinant of system reliability,however,either of these equilibria

can result.Choi et al.(2005) explore a model with negative network security externalities to

examine the optimal software vulnerability disclosure decision of a vendor,¯nding that ¯rms may

announce vulnerabilities when it is not socially optimal.Arora et al.(2005) analyze the optimal

timing for disclosure of software security vulnerabilities and establish that vendors always choose

to release a patch later than a socially optimal disclosure time.Jaisingh and Li (2005) examine the

role of commitment in optimal social policy for disclosure of vulnerabilities when the social planner

commits to a disclosure agenda,and the vendor determines the patch release time after a vulner-

ability is discovered.They ¯nd that the time lag between the decisions of the social planner and

the vendor is important only when the the hacker can accumulate experience from vulnerabilities

over time.Cavusoglu et al.(2005) explore a model to derive the optimal frequency of patching

to balance the operational and damage costs associated with security vulnerabilities.They show

that a ¯rm's patch cycle is not necessarily synchronized with the vendor's patch release cycle and

demonstrate that cost sharing and liability schemes may coordinate these cycles.In our model,

the focus is on the role of externalities in a network environment.We explore policies to maximize

the value generated by software and highlight that consumers'purchase (or usage) decisions play

a fundamental role in our results as does the vendor's pro¯t maximization.

Moore et al.(2002) ¯nd that most of the victims of the Code Red worm were home and small

business users rather than large corporations,while most of the costs in terms of damages were

borne by the large corporations that were hit.This demonstrates that low valuation consumers,

e.g.,home and small business users,do not have as much motivation as high valuation consumers,

e.g.large corporations,to engage in reducing risk on the network by securing their systems.The

equilibrium patching behavior and the loss structure in our model is consistent with these ¯ndings.

Weaver et al.(2003) demonstrate that for a scanning worm,the spread rate is proportional to the

5

size of the vulnerable population.The infection model we use in our paper is consistent with this

observation.

Our work is also related to research in vaccination incentives and the economics of disease

spread control found in the public health literature.Although recognizing the externalities imposed

by unprotected agents on the population as a whole,traditionally,the literature on mathematical

epidemiology (e.g.,Bailey 1975 and Anderson and May 1991) does not consider the role of economic

behavior and incentives of individuals in prevention and control of disease spread.Brito et al.

(1991) is one of the ¯rst papers to consider individual incentives and their role with negative

externalities in a biological disease spread setting.They ¯nd that mandating vaccination reduces

social welfare and that tax/subsidy levers are useful for governmental welfare coordination.Francis

(1997) establishes that under certain assumptions,in a dynamic model of vaccination,government

intervention may not be necessary,i.e.,agents may behave in a manner consistent with the social

objective.Gersovitz (2003) shows,on the other hand,that when one takes into account certain

factors such as recoveries and deaths,the decentralized outcome diverges from the social outcome,

and the necessity of economic intervention through market forces or government is persistent.

Geo®ard and Philipson (1996) highlight the di®erences between economic models and mathe-

matical epidemiological models and their implications.In a model of disease spread with rational

agents choosing between protective and exposed activity,they ¯nd that the hazard rate of infection

may be a decreasing function of disease prevalence,resulting from increased demand for protection

due to rational behavior.This result is contrasted with results from the epidemiological literature

where the hazard rate is typically increasing in prevalence.Kessing and Nuscheler (2003) study the

case of a vaccine monopolist and argue the ine®ectiveness of subsidies to improve social welfare.

Kremer (1996) shows that the behavior of heterogeneous agents increases the e®ectiveness of public

policy intervention in populations of high disease prevalence,stressing that the models of such

epidemics must be fundamentally economic ones.Several other dynamic economic models of dis-

ease spread examining the role of rational individuals'trade-o®s between costly protection and the

risk that is imposed by negative externalities of other individuals and the social planner's welfare

maximization through the use of preventive and therapeutic measures can be found in Goldman

and Lightwood (2002) and Gersovitz and Hammer (2004,2005).

Our result that mandatory patching decreases social welfare in the freeware case is parallel to

the ¯nding of Brito et al.(1991).We also look at rebate and tax mechanisms which a social

planner may use to increase social welfare.However,unlike the biological disease spread literature,

our case of proprietary software involves a pro¯t maximizing vendor who sets a price for the usage

of the activity.Our goal is to better understand how the negative externalities that arise due to

spread of malicious code a®ect the vendor's pro¯t maximization problem and subsequently how

both consumer and vendor behavior together impact social welfare.Further,our results are driven

6

by issues that are di®erent in nature such as the trade-o® between surplus generated by increased

usage of software and the security risks that accompany it.The true analogs of the usage decisions

(for instance an agent's decision to live or die or a vendor\selling life"to people) would not be

reasonable issues to consider in most biological settings,much less their control by a social planner

through incentives such as taxes.

The literature on economics of biological epidemiology demonstrates that in many cases agents'

individual decisions result in misalignment of incentives,and therefore economic intervention by

a social planner is necessary.Although the evolution of the spread of a malicious agent has a

dynamic nature,static models also manage to capture this incentive misalignment (for instance,

heterogeneity of preferences in the population as we have in our model is su±cient to expose this

as also indicated by Francis 1997).Further,there are certain di®erences between the time frames

of most cases of biological epidemics and computer network security attacks,which makes a static

model more suitable in the latter case by comparison.In dynamic models of biological epidemics,

the spread depends on deaths,recoveries and the structural nature of contact among the agents,

and hence the vaccination/prevention decisions evolve in time with the spread of the disease.This

is because the time frame for the spread of a biological disease is several days,weeks or months in

most cases if not longer.Further,individual vaccinations take a small amount of time compared

to the epidemic time frame,and therefore,dynamic control of incentives with the evolution of an

epidemic is possible.On the other hand,for most cases of computer network attacks,the broad

spread of the\infection"may take minutes (e.g.,Moore et al.2003 and Shannon and Moore 2004),

while patching often takes hours or sometimes even a full day or more (e.g.,Nicastro 2005 and

Leung 2005).Speci¯cally,if a user's system is unpatched when an attack breaks on the network

it is usually too late to patch.Therefore,in the computer security context,in order to shield for

a potential attack,a user usually must patch before such an attack occurs.Thus,the patching

decision is not as much related to the speci¯c dynamics of the spread of infection in the network

as the vaccination decisions in the dynamic context of a biological epidemic.Considering these

facts and to keep the analysis simple,we employ a static model that captures the main economic

trade-o®s related to the spread of a computer worm in a network environment.Although our static

approach is simpler compared to the dynamic models in the economics of biological epidemiology,

it allows us to demonstrate the intuition behind our arguments and the e®ects of the incentive

schemes that we analyze and compare.

7

Figure 1:Model Timeline

3 The Model and the Consumer Market Equilibrium

3.1 Model Description

There is a continuum of consumers whose valuations of a software product lie uniformly on V =

[0;1].There are three periods:In the ¯rst period,given the price of the software,each consumer

makes a decision whether to buy or not to buy the product.The software may have a potential

security vulnerability.If there is a vulnerability,it can be exploited by hackers who write worms

to cause damage to purchasing consumers'systems.In the second period,it is revealed whether

the software has a vulnerability,and if there is a vulnerability,a patch is made available to the

users (either by the vendor if the software is proprietary or by the developers of the freeware).At

this stage,each user makes a decision whether to patch or not,considering the costs of patching

versus value risked by not patching.If a consumer chooses to patch the software,she will incur

an expected cost denoted by c

p

> 0,which we refer to as the e®ective patching cost.This cost

accounts for the money and e®ort that a consumer must exert in order to verify,test,and roll-out

patched versions of existing systems.

1

Finally,if there is a security vulnerability,an attack may

occur in the third period,and the unpatched consumers may get hit and incur losses.However,

the consumers who patched in the second period are fully protected and do not incur any losses.

The timeline is illustrated in Figure 1.

We denote the probability of both a security vulnerability and a worm attack occuring on the

network with ¼.If the mass of the unpatched population in the network is u,then the probability

that the worm will successfully penetrate the network and hit an unpatched user will be ¼u.If

a user's system is unpatched and is hit by the worm,one would expect that she su®ers a loss

positively correlated with her valuation.That is,the consumers with high valuations will su®er

higher losses than the consumers with lower valuations due to opportunity costs,higher criticality

of data and loss of business.For simplicity,we assume that the correlation is of ¯rst order,i.e.,the

expected loss that a consumer with valuation v su®ers if she is hit by a worm is ®v where ® > 0 is

a constant.

2

1

Note that a single decision maker can own multiple hosts (e.g.,servers) on which she makes purchasing and

patching decisions.Technically,the analysis will not be a®ected as long as each decision maker owns at most

countably many hosts.

2

Note that this loss structure is robust to the exact information that the users have about the realizations of their

losses,i.e.,whether the users know exactly what their losses will be if they are hit by an attack or only have an

8

We denote the strategy set for a given consumer with S.We refer to the purchasing decision as

either buy,B,or not buy,NB.Similarly,the patching decision is denoted by either patch,P,or

not patch,NP.The consumer action space then becomes S = fB;NBg£fP;NPg¡(NB;P),the

last exclusion stemming from(NB;P) clearly being infeasible.Given the price p¸0,in a consumer

market equilibrium,each consumer maximizes her expected utility taking the equilibriumstrategies

for all consumers as ¯xed.For a strategy pro¯le ¾:V!S,the expected cost faced by the consumer

with valuation v is then de¯ned by

C(v;¾),

8

<

:

¼u(¾)®v if ¾(v) = (B;NP);

c

p

if ¾(v) = (B;P);

(1)

where u(¾) =

R

V

1

f¾(y)=(B;NP)g

dy and 1

f¾(y)=(B;NP)g

is 1 if ¾(y) = (B;NP) and zero otherwise.

3

The surplus gained by the consumer with valuation v by employing the software will then be

v ¡ C(v;¾),less the price she pays for the software.The consumers who buy but do not patch

cause a negative externality on all users by decreasing the safety of the network and the software.

Clearly,for any v 2 V,C(v;¾) de¯ned by (1) is increasing in u(¾) (i.e.,the unpatched population).

Furthermore,consumers who patch protect themselves from the negative externality caused by

the unpatched population.To avoid trivialities and without loss of generality,we focus on the

parameter space where c

p

2 (0;1),¼ 2 (0;1],and ® 2 (0;1).For convenience,we refer to the

product ¼® as the e®ective security risk.

3.2 Equilibrium

We will consider the software being o®ered by either a vendor (Section 4),in which case the price

of the software will be determined by the vendor,or as freeware (Section 5),in which case the

price will be zero.In this section,we derive the consumer market equilibrium taking the price p

as given.That is,we concentrate on the last two (purchasing and patching) out of three stages of

decision making in the model.In equilibrium,holding all other consumers'actions ¯xed,i.e.,given

the equilibrium strategy pro¯le ¾

¤

,each consumer chooses the action from S that maximizes her

expected payo®.The following lemma gives the consumer market equilibrium.

Lemma 1

Given the parameters ¼,®,c

p

and the consumer price p 2 [0;1],there exists a unique

equilibrium in the consumer market.

4

The equilibrium consumer strategy pro¯le is characterized by

ex-ante probability distribution on those losses.In the latter case,the losses integrate out of the expected payo® to

the users into an expected loss ®v,and the rest of the analysis is una®ected.

3

The notation\,"has the meaning\as a de¯nition"throughout the paper.

4

Uniqueness is naturally up to positive measure.

9

v

b

;v

p

2 [0;1] and v

b

·v

p

such that,for v 2 V,

¾

¤

(v) =

8

>

>

<

>

>

:

(NB;NP) if 0 ·v < v

b

;

(B;NP) if v

b

·v < v

p

;

(B;P) if v

p

·v ·1:

(2)

Let

p,(1 ¡c

p

)(1 ¡

c

p

¼®

)

+

.Given (2),the patching behavior is characterized by two regions in the

parameter space:

Region I:

If ¼® ¸ c

p

and p <

p,then

(i)

When p > 0,in equilibrium,p < v

b

< p +c

p

< v

p

=

c

p

v

b

v

b

¡p

< 1.

(ii)

When p = 0,if c

p

·¼®·

1

c

p

,then v

b

= 0,and v

p

=

q

c

p

¼®

.If ¼® ¸

1

c

p

,then

v

b

= c

p

¡

1

¼®

,and v

p

= c

p

.

Region II:

If ¼® < c

p

or both ¼® ¸ c

p

and p¸

p,then 0 < p < v

b

< v

p

= 1.

As can be seen from Lemma 1,in equilibrium,the population is segmented into three groups,

namely non-buyers,buyers who do not patch in case of a vulnerability and buyers who do patch

in case of a vulnerability.This separation occurs due to the monotonicity of the relative losses

that arise from non-patching behavior in equilibrium:Given the risk that arises from the collective

behavior of the population,if a consumer purchases the product,any consumer with higher val-

uation will prefer to purchase the product.Furthermore,if a consumer patches the product,any

consumer with a higher valuation,who is facing a higher security risk,will also ¯nd it preferable

to patch the product.This three-tier structure is consistent with observations that indicate higher

valuation users (such as larger corporations and institutions) are more likely to be patchers,while

the lower valuation users (such as small companies and home users) are less likely to patch and

thus contribute to the faster spread of malicious code such as worms (Moore et al.2002).

A patching population will exist only if the e®ective security risk is su±ciently high and the

price is su±ciently low.If the price is su±ciently high,the patching population will be small,and

no user will patch (i.e.,v

p

= 1).This remains true even as ¼® goes to in¯nity:The size of the

patching population will shrink until it reaches a level where the equilibrium risk is ¯nite and some

users ¯nd it worthwhile to purchase the software and bear the risk (i.e.,as ¼®!1,the purchasing

population shrinks in the order of 1=¼®).

The case when p = 0 is noteworthy.As can be seen from Lemma 1,when the e®ective security

risk is low compared to the patching cost (i.e.,when the market is in Region II),all consumers

\buy"the product and no consumer patches.When expected security losses are moderate (i.e.,

when c

p

·¼®·1=c

p

),all users still choose to employ the product,but in this case,since potential

losses are high,some of them ¯nd it worthwhile to patch.When the e®ective security risk is high

10

however (i.e.,when ¼® > 1=c

p

),some consumers do not employ the software even though it is

available for free.

Since v

b

< p +c

p

in Region I,by Lemma 1,there is always a group of consumers who do not

patch.Thus,the software always comes with a certain amount of risk unless the user patches it.

Therefore,as can also be seen from the lemma (unless p = 0 and ¼® < 1=c

p

),the condition v

b

> p

always holds and hence there is a population of users whose valuations are higher than the price

but end up not purchasing the product,resulting in ine±ciencies in product usage.

Thus far,we have focused our attention on self patching where consumers decide whether or not

to patch in self-interest.Henceforth,we will denote this policy with the subscript\s"to separate it

from the other policies we will be examining later in the paper.Further,we will utilize superscripts

i and ii to indicate whether the measure of interest has an equilibrium outcome in Region I or

Region II as described in Lemma 1,respectively.

4 Proprietary Software

Suppose that the software is o®ered by a pro¯t maximizing vendor who sets the price.Without

loss of generality,we assume that the marginal cost of production for each copy of the software is

zero.Under self patching,given e®ective patching cost (c

p

),e®ective security risk (¼®),and the

consumer market equilibrium outcome of Lemma 1,the vendor faces the following optimization

problem

max

p

¦

s

(p),p(1 ¡v

b

)

s:t:0 · p · 1

(3)

where v

b

is as described in Lemma 1.This problem has a well de¯ned solution and depending

on the parameters,under optimal vendor pricing,the consumer market equilibrium may or may

not yield a patching population.Speci¯cally,when the e®ective security risk is high,the vendor

must price the software low to increase the purchasing population,and as a result,higher valuation

customers will elect to patch,moving the equilibrium to Region I as speci¯ed in Lemma 1.On

the other hand,when the security risk is low with respect to the patching costs,the vendor can

optimally price the product high enough without reducing the buyer population,even driving the

equilibrium to Region II of Lemma 1,where no consumer patches (see Lemma A.2 in the appendix

for details on the vendor's optimal pricing behavior).

In this section,we will investigate the e®ects of security policies on social welfare.Therefore,

before proceeding,we de¯ne the measure of social welfare.Adding the expected surpluses for the

consumers and the vendor,we obtain the expected social welfare as

W(p),

Z

fv2V:v>v

b

g

(v ¡C(v;¾

¤

)) dv:(4)

11

Notice that,in e®ect,W(p) measures the expected social welfare generated by the policy under

consideration by subtracting the security costs induced from the value generated by that policy.

4.1 Mandatory Patching

Under network e®ects,when consumers make self patching decisions,the population of consumers

who purchase and choose not to patch can decrease the value of the product and consequently reduce

vendor pro¯ts and social welfare.Therefore,one might suggest that mandating patching might be

helpful by eliminating the unpatched population and hence reducing security losses associated with

the product,as has been voiced and discussed by some experts and government authorities (e.g.,

Middleton 2001,Geer 2004 and Bragg 2004).In the context of computer networks,the monitoring

and enforcement of the patching of software is easily technically implementable.Software that

detects installation of updates for various applications (e.g.,spyware protection de¯nition ¯les or

even plain updates to Internet software such as media players) and practices such as disabling

certain functionalities of machines that fail to demonstrate such installations in certain cases (as it

is sometimes called\blackholing") are in broad use today.Further,the fully observable nature of

the technology also enables the contractibility of mandatory patching,and such a condition can be

easily made part of a licensing agreement.

The questions then are:Can the vendor increase his pro¯t by contractually mandating patching

to the buyers?Can mandating patching increase social welfare?To answer these questions,we

next consider a mandatory patching policy o®ered by the vendor to the consumers.That is,

the purchase of the software involves a binding commitment to patch the software if a security

vulnerability emerges.We will be using the subscript\m"to denote the mandatory patching

policy.

Unlike with self patching,when patching is mandated,all consumers must decide whether to

buy the software given that they must patch the software at an e®ective cost of c

p

due to security

vulnerabilities.Consumers will purchase and patch the software per the purchase agreement with

the vendor,and since there is no risk,it follows that v

b

= v

p

= p + c

p

,which says that a consumer

only buys the software if her valuation is higher than the price plus the e®ective patching cost.

Thus,the equilibrium is characterized by a single threshold valuation v

m

,p + c

p

.Consumers

with valuations v ¸ v

m

purchase and patch the software.Consequently,the pro¯t function for the

vendor is given by ¦

m

(p),p(1 ¡v

m

) = p(1 ¡p ¡c

p

),which is maximized at p

¤

m

= (1 ¡c

p

)=2,

with optimal pro¯t ¦

m

(p

¤

m

) = (1 ¡c

p

)

2

=4.Then,by Lemma 1,the purchasing threshold under self

patching satis¯es v

b

< v

m

for any p.Speci¯cally,this inequality holds at p

¤

m

.Thus,

¦

s

(p

¤

s

) ¸ ¦

s

(p

¤

m

) = p

¤

m

(1 ¡v

b

(p

¤

m

)) > ¦

m

(p

¤

m

):(5)

Intuitively,the vendor is better o® by employing a self patching decision policy and charging the

12

optimal price he charges under mandatory patching.Under such an action,all users who employed

the product under mandatory patching would still be users.If the user with valuation p

¤

m

+ c

p

patches under self patching,then the marginal consumer at this valuation level will purchase the

product since her valuation is higher than p

¤

m

and there is no security risk.If the user with valuation

p

¤

m

+ c

p

does not patch,it follows that the patching cost must be higher than the risk that the

marginal user is facing and she will again ¯nd the product attractive without patching in case a

security vulnerability arises.In both cases,the user population will increase,i.e.,the vendor can

improve his pro¯ts by allowing users to make their own patching decisions and charging the same

price as he would with a mandatory patching policy.

From the vendor's standpoint,consumers assuming risk in an incentive compatible way,by

resolving their own trade-o® between the risk of not patching and the cost of patching,is pro¯table.

As a result,self patching yields higher pro¯t for the vendor,i.e.,mandatory patching strictly

decreases vendor pro¯ts.As we mentioned above,this result is consistent with what is seen in

the software industry.Although it is technologically feasible,vendors typically do not require the

purchasing consumers to patch their systems when vulnerabilities arise.

While contributing to increased vendor pro¯ts,consumers assuming security risks as opposed

to undergoing patching costs may increase total risk for the population through network e®ects and

ultimately reduce social welfare.Therefore,one might argue that mandating patching can increase

social welfare,and this possibility needs to be explored.The following proposition examines the

e®ect of mandatory patching on the expected social welfare and shows that mandatory patching

may in fact be undesirable.

Proposition 1

If (i) ¼® < c

p

;or (ii) ¼®¸c

p

and there is a population of users who are patching

the software under the vendor's optimal pricing decision,then mandating patching decreases social

welfare.

When the e®ective security risk is low compared to the patching cost (i.e.,when ¼® < c

p

),

mandating consumers to patch not only reduces the number of buyers but also forces some buying

consumers to make socially ine±cient decisions by undertaking high patching costs when it is

unnecessary.Consequently,expected social welfare decreases with mandatory patching for such

cases as stated in part (i) of Proposition 1 and illustrated in panel (a) of Figure 2.When the

security risk is high and there is a patching population under the vendor's optimal pricing (i.e.,the

market is in equilibrium Region I described in Lemma 1),the existence of a patching population

makes the software safer and increases the value of the software.As a result,we again see that

mandating patching decreases social welfare,as indicated in part (ii) of Proposition 1 and illustrated

in panel (b) of Figure 2.

When ¼® ¸ c

p

and no consumer is patching in equilibrium,mandating patching can either de-

crease or increase the social welfare.If the patching cost and the security risk are both moderate,

13

0

0.2

0.4

0.6

0.8

1

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

(a) c

p

= 0.60, = 0.50, = 1

p

Expected Profit / Social Welfare

0

0.2

0.4

0.6

0.8

1

0

0.02

0.04

0.06

0.08

0.1

(b) c

p

= 0.60, = 0.50, = 7

p

Expected Profit / Social Welfare

0

0.2

0.4

0.6

0.8

1

0

0.02

0.04

0.06

0.08

0.1

0.12

(c) c

p

= 0.60, = 0.50, = 5

p

Expected Profit / Social Welfare

0

0.2

0.4

0.6

0.8

1

0

2

4

6

8

x 10

-3

(d) c

p

= 0.88, = 0.50, = 100

p

Expected Profit / Social Welfare

s

i

s

ii

W

s

W

m

Figure 2:Expected social welfare and vendor pro¯t as a function of price.The parameters are

c

p

= 0:60,¼ = 0:50,and ® = 1 for panel (a);c

p

= 0:60,¼ = 0:50,and ® = 7 for panel (b);c

p

= 0:60,

¼ = 0:50,and ® = 5 for panel (c);and c

p

= 0:88,¼ = 0:50,and ® = 100 for panel (d).

14

mandating patching can reduce the expected social welfare as shown in panel (c) of Figure 2 by

reducing the consumer base.However,when both the patching cost and the e®ective security risk

are high,the vendor might ¯nd it optimal to price the product in such a way that the buying pop-

ulation is small,and no consumer ¯nds it optimal to patch if a security vulnerability emerges.In

such a case,mandating patching can increase the number of buyers since it forces the vendor to re-

duce prices signi¯cantly,which makes the software attractive to a higher number of consumers even

when those consumers are forced to bear patching costs.As a consequence,mandating patching

can increase social welfare.Such a case is illustrated in panel (d) of Figure 2.

5

4.2 Patching Rebates

We have seen in Section 4.1 that contractually mandating consumers to patch does not improve

vendor pro¯t and is usually not helpful in increasing social welfare.The primary reason for the

ine®ectiveness of mandatory patching is that consumers are forced to bear the potential patching

costs when they purchase the product,which negatively in°uences their purchasing behavior.This

observation suggests that leaving the patching decision to the consumers is preferable,and other

ways to improve users'patching behavior should be investigated.One way of doing so is to provide

users with increased incentives to patch by o®ering rebates to patching customers.Such a mecha-

nism can improve vendor pro¯t by increasing the patching consumer population,thereby lowering

the security risk of the software and allowing the vendor to charge a higher price to remaining

consumers.

Based upon this intuition,we next consider an incentive scheme in which the vendor o®ers

a compensation to consumers contingent upon their patching of the software product in case a

security vulnerability arises.Speci¯cally,each consumer who patches when a security vulnerability

arises receives,in expectation,an e®ective rebate 0·r ·c

p

.We consider two cases:(i) The vendor

determines the rebate to give to the patching customers by jointly optimizing the rebate amount

and the price;and (ii) a social planner determines the rebate amount,and taking that rebate

amount as given,the vendor determines the price of the software.We use a subscript\v"to denote

that the rebate is determined by the vendor and a subscript\g"(for government) to denote that

the rebate is determined by a social planner.

4.2.1 Vendor Determined Rebate

We ¯rst examine the incentives for a vendor to o®er patching rebates.The expected pro¯t for the

vendor with an e®ective rebate r can be written as ¦

v

(p;r),p(1 ¡v

b

) ¡r(1 ¡v

p

),and the vendor

5

This also demonstrates the di®erence in the e®ect of negative network externalities in the contexts of vendor

intermediated software security and disease control.For instance,Brito et al.(1991) demonstrate that in the case

of disease spread,where there is no intermediating vendor,mandating patching always decreases social welfare.In

our case,however,mandating patching can make the vendor radically decrease the price of the software and cause

an increase in usage,which in turn increases social welfare.

15

needs to optimize with respect to both price and the rebate amount,i.e.,he solves the following

maximization problem:

max

p;r

¦

v

(p;r)

s:t:0 · r · c

p

0 · p · 1;

(6)

where v

b

and v

p

satisfy the conditions given in Lemma 1 with parameters ¼®,c

p

¡r and p.Here,

the vendor is facing a trade-o®:The higher the rebate paid to the consumers,the larger the

population of consumers who patch.A larger patching population e®ectively increases the security

of the software,thus allowing the vendor to increase his optimal price in such a way to increase

his expected pro¯t.On the downside,if a security vulnerability arises,the vendor must assume a

larger portion of the consumers'patching costs.Whether o®ering such a rebate can ever strictly

increase the vendor's pro¯t is an open question.The following proposition demonstrates that this

is possible.Further,the proposition establishes the parameter ranges where the o®ering of such a

rebate is desirable and not desirable for the vendor as well as providing comparative statics for the

optimal rebate and price.

Proposition 2

Consider a patching rebate o®ered by a software vendor.

(i)

There exists a threshold

!> 0 such that if ¼® ¸

!,

(a)

A rebate policy can strictly increase the vendor's expected pro¯t if and only if c

p

> 1=3.

(b)

The optimal rebate (r

¤

v

) and the optimal price (p

¤

v

) are decreasing in ¼®.

(c)

As ¼® becomes large,r

¤

v

!(3c

p

¡1)=4 and p

¤

v

!(1 +c

p

)=4.

(ii)

If ¼® < c

2

p

=(1 +c

p

),then there does not exist a patching rebate,r > 0,that will increase the

vendor's expected pro¯t,i.e.,the self patching policy is optimal for the vendor.

When both the patching cost and the e®ective security risk are high,the vendor must price

low to induce purchases,and the consumer population consists of high valuation consumers who

are sensitive to security of the software.In such a case,by o®ering a rebate,he can induce an

increased patching population and increase the security of the product.As a result,and because

of the sensitivity of his users to the security of the software,he can then increase his price and

consequently his pro¯ts.However,when the patching costs are su±ciently low,the vendor can price

relatively high.Further,in that case,a larger patching population exists,and rebates may not help

to further increase the patching population as signi¯cantly while making the vendor unnecessarily

provide incentives to users who would patch even without rebates.Consequently,o®ering rebates

can back¯re and reduce the vendor's pro¯ts as stated in part (i) of Proposition 2.

When the expected security risk is su±ciently large,the optimal rebate amount and the optimal

price decrease with increased security risk.In this region,a further increase in risk signi¯cantly

16

reduces the purchasing population,and by reducing prices (which come with reduced rebates),the

vendor can increase his sales.An increase in patching costs,however,reduces incentives to patch

and pro¯t maximization calls for additional incentives to be provided to the consumers.When the

expected security risk is low compared to the patching costs,it becomes relatively expensive for

the vendor to incentivize consumers to patch,and rebates can result in losses for the vendor,as

implied by part (ii) of Proposition 2.

Importantly,Proposition 2 is not about the weak increase in pro¯ts that comes with the addition

of a degree of freedom to the vendor with the availability of a rebate o®er.This proposition veri¯es

that a rebate policy can indeed be e®ective under certain conditions due to network e®ects and

characterizes these conditions.Further,it characterizes the e®ect of the problemparameters on the

optimal rebate and price when a rebate is e®ective and hence gives insights about optimal network

security risk sharing with the consumers from the point of view of the vendor.

4.2.2 Social Planner Determined Rebate

We next examine the case where a social planner chooses the amount of patching rebate to maximize

social welfare:That is,the planner decides the socially optimal amount of risk and responsibility

that the vendor should assume for his product's security.Hence,the social planner's optimization

problem can be written as

max

r

W

g

(p(r);r)

s:t:0 · r · c

p

p(r) = arg max

0·p·1

¦

g

(p;r);

(7)

where W

g

(p(r);r) =

R

v

p

v

b

v(1 ¡¼®(v

p

¡v

b

)) dv+

R

1

v

p

(v ¡c

p

) dv,¦

g

(p;r) = p(1¡v

b

)¡r(1¡v

p

) with

r chosen by the social planner rather than the vendor,and v

b

and v

p

are as given in Lemma 1 for

parameters ¼®,c

p

¡ r and p(r).The following proposition characterizes the optimal rebate and

price under this structure.

Proposition 3

Consider the social planner's problem given above.

(i)

There exists a threshold

!> 0 such that if ¼® ¸

!,

(a)

A patching rebate policy strictly increases social welfare if and only if c

p

> 6 ¡

p

33.

(b)

There exist threshold values µ,µ

0

such that 6 ¡

p

33 < µ < µ

0

< 1 and the optimal rebate

(r

¤

g

) and vendor's optimal price (p

¤

g

) are strictly increasing in ¼® if and only if c

p

> µ

0

and c

p

> µ,respectively.

6

(c)

As ¼® becomes large,r

¤

g

!(c

p

(12 ¡c

p

) ¡3)=16 and p

¤

g

!(5 ¡c

p

)(1 +c

p

)=16.

6

6 ¡

p

33 = 0:2554,µ = 0:3692,and µ

0

= 0:4347 up to four signi¯cant digits.Details for the derivations are given

in the proof of the proposition in appendix.

17

(ii)

There exists a threshold!

> 0 such that if ¼® <!

,then there does not exist a patching rebate,

r > 0,that will increase the social welfare,i.e.,patching rebates are ine®ective.

When the software security risk is high and patching costs are high,under vendor's optimal

pricing,the patching population is small.Therefore,forcing the vendor to assume part of the risk

by paying a rebate to the patching consumers may increase social welfare.Further,Proposition 3

indicates that when the cost of patching is low,forcing the vendor to o®er a rebate can decrease

social welfare by inducing ine±cient patching behavior.When the patching costs are high enough

to make rebates desirable,the optimal rebate and the corresponding vendor price decrease with in-

creased security risk.On the other hand,when the patching costs are high,the patching population

shrinks and as the security risk increases,social welfare optimization requires increased rebates,and

consequently,increased software price.Further,both the optimal rebate and the induced vendor

price are increasing in patching costs.Notice however that the optimal price can be increasing

while the optimal rebate is decreasing in the security risk.Finally,when the security risk is too low

compared to the patching costs,it is socially ine±cient to induce a patching population through

rebates.

In addition,when r = c

p

,i.e.,when a social planner imposes that the vendor cover all patching

costs,it is easy to see that W

g

= W

m

= 3(1 ¡c

p

)

2

=8.Moreover,evaluating the ¯rst derivative of

W

g

(r;p(r)) in (7) at r = c

p

,it follows that

dW

g

(r;p(r))

dr

¯

¯

¯

r=c

p

= ¡

c

p

(1+3c

p

)

4¼®v

2

b

< 0.Therefore we have

W

g

> W

m

.

Panels (a) and (b) of Figure 3 illustrate the two possibilities for the vendor determined rebate.

Panel (a) presents a scenario with low security risk.As can be seen from the ¯gure and indicated

in Proposition 2,in such a case,o®ering a rebate reduces the pro¯ts of the vendor.On the other

hand,when the patching costs and the security risk are both high,the vendor can increase his

expected pro¯t by o®ering a rebate of r

¤

= 0:282 o® the patching cost as illustrated in panel (b),

thereby increasing expected pro¯ts.Panels (c) and (d) of the ¯gure show the two possibilities for

a social planner determined rebate case.When the security risk is low,requiring the vendor to

assume part of the responsibility through patching rebates is not helpful,as demonstrated in panel

(c),since the increased network security induced by these rebates cannot compensate for reduced

usage resulting from the vendor's increased prices.The same conclusion holds when the security

risk is high but the patching cost is su±ciently low,as the welfare curve for c

p

= 0:21 in panel

(d) demonstrates.However,when both patching costs and the security risk are su±ciently high,

rebates can help to increase social welfare substantially,e.g.,for c

p

= 0:70 as can also be seen in

panel (d).

18

0

0.2

0.4

0.6

0.8

1

-0.1

-0.05

0

0.05

0.1

(b) Vendor Det. Rebate (High )

p

Expected Profit

r* = 0.282

r = 0.65

r = 0

0

0.2

0.4

0.6

0.8

1

-0.6

-0.4

-0.2

0

0.2

0.4

(a) Vendor Det. Rebate (Low )

p

Expected Profit

r = 0.60

r = 0

r = 0.75

0

0.235

0.237

0.239

0.241

(d) Government Det. Rebate (High )

r

Expected Social Welfare

c

p

= 0.21

0

0.2

0.4

0.6

0.03

0.038

0.046

0.054

0

0.2

0.4

0.6

0.8

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

(c) Government Det. Rebate (Low )

r

Expected Social Welfare

= 0.3

= 1.2

c

p

= 0.70

Figure 3:The e®ect of patching rebates on vendor pro¯ts and social welfare.Panels (a) and (b)

are for the vendor determined rebate,and panels (c) and (d) are for the planner determined rebate

case.For panel (a),c

p

= 0:80,¼ = 0:30 and ® = 1;for panel (b),c

p

= 0:70,¼ = 0:50 and ® = 10;

for panel (c),c

p

= 0:80;and for panel (d),¼ = 0:50,® = 20,the left y-axis is scaled for the

c

p

= 0:21 case,and the right y-axis is scaled for the c

p

= 0:70 case.

4.3 Usage Tax

As we have seen in the previous sections,poor patching behavior by the users introduces security

risks on the entire user population.Further,the direction of this negative externality is from lower

value consumers to higher value consumers since lower value consumers are less likely to patch,

which gets re°ected as increased e®ective losses for higher value consumers.Therefore,one might

argue that imposing a tax can improve the security of the network,vendor pro¯ts,or social welfare

by eliminating a segment of lower value consumers from the user pool.In this section,we analyze

this issue.

Suppose that each consumer is charged a tax ¿ > 0 for a copy of the software.Taking this

tax as given,the vendor optimizes the price he charges for the product.We use a subscript\t"

to denote this tax policy.The purchasing threshold v

b

is now a function of the aggregate price,

p +¿,faced by the consumer.The pro¯t for the vendor will then be ¦

t

(p;¿),p(1 ¡v

b

(p +¿)).

Additionally,for given ¿,we denote p

¤

s

and p

¤

t

as the maximizers of ¦

s

and ¦

t

,respectively.

Figure 4 shows the e®ects of a tax policy.As can be seen from the ¯gure,imposing a tax

decreases the vendor's optimal price (p

¤

t

),but the price plus the tax (p

¤

t

+ ¿),i.e.the e®ective

19

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0

0.2

0.4

0.6

0.8

1

Tax ( )

Optimal Price and Tax

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0

0.1

0.2

0.3

0.4

0.5

Optimal Expected Profit and Social Welfare

W

t

(p

t

*, )

t

(p

t

*, )

p

t

*+

p

t

*

Figure 4:The e®ect of a tax on proprietary software.Parameters are c

p

= 0:70 and ¼® = 0:30.

amount that the consumers have to pay to use the software,is larger than the optimal vendor price

with no tax.This is because the vendor's pro¯t under a given tax ¿ > 0 can be written as ¦

t

(p;¿) =

¦

s

(p +¿) ¡¿(1 ¡v

b

(p +¿)).The ¯rst order condition is then ¦

0

t

(p

¤

t

) = ¦

0

s

(p

¤

t

) +¿ ¢ v

0

b

(p

¤

t

) = 0.

Since v

b

is increasing in p,we then have ¦

0

s

(p

¤

t

) < ¦

0

s

(p

¤

s

¡ ¿) = 0,and since the vendor's pro¯t

function is concave,it follows that p

¤

t

+¿ > p

¤

s

.As a result,the vendor's pro¯t declines as can be

seen in the ¯gure.Further,a positive tax also decreases social welfare since welfare is decreasing

in the e®ective consumer price in this region as well.

In summary,taxes do not increase vendor pro¯ts,and due to the vendor's endogenous price

setting at a level where decreasing the user population decreases welfare,taxes do not increase the

social welfare for proprietary software.However,with freeware,taxes can be a powerful tool to

improve social welfare as we will discuss in Section 5.3.

4.4 Policy Comparison Summary for Proprietary Software

In this section,we summarize how the di®erent policies considered thus far perform relative to one

another,highlighting the results,comparisons,and the recommendations that emerge from them.

When the expected security risk and the patching costs are high,a social welfare maximizing

planner should employ patching rebates.Speci¯cally,for such cases we have found that W

g

>

W

s

> W

m

;W

t

.Under high security risk,a planner may choose to force the software vendor to

assume part of the users'patching costs via rebates.In response,the vendor will increase the price

of the software which decreases usage and hurts welfare.However,the net e®ect is a strict increase

in welfare if the patching is costly beyond a threshold.Further,under self patching,the vendor

prices the software in a way that a patching population exists,which ensures higher welfare than

20

under mandatory patching.Additionally,under high security risk,taxes are ine®ective.

On the other hand,for low patching cost and regardless of security risk,patching rebates hurt

social welfare.We ¯nd that W

s

> W

g

;W

m

;W

t

and conclude that it is advisable to keep the status

quo,i.e.,self patching.For low e®ective security risk,an imposed rebate results in socially ine±cient

patching decisions.Further,mandatory patching,though increasing the security of the product,

ine±ciently reduces the user population and yields a decrease in expected social welfare.

From the vendor's point of view,mandating patching,although increasing software security,

decreases pro¯ts.For high security risk,the value of the product for the consumers is low.Therefore,

it may be desirable for the vendor to o®er patching rebates to increase usage.However,paying

patching rebates also decreases vendor pro¯ts,and the net e®ect can be negative.We show that,

under high security risk,rebates increase pro¯ts if and only if the patching costs are higher than a

threshold level.That is,under high security risk and patching costs,¦

v

> ¦

s

> ¦

m

,and hence,

a rebate policy is preferable.When the security risk is low,on the other hand,o®ering a rebate

becomes too costly.Therefore,under such conditions,¦

s

> ¦

v

;¦

m

,and a self patching policy is

more pro¯table (note also that a planner imposed usage tax always decreases vendor pro¯ts).

5 Freeware

We next turn our attention to a software product o®ered to consumers as freeware.Freeware is often

open source software which is typically developed and maintained by a group of software enthusiasts.

These developers share the product with the public for free and hope to make it increasingly feature

rich and more secure with broader public participation.Freeware products have governing bodies

that promote development and distribution as well as providing organizational,legal,and ¯nancial

support.For instance,Free Software Foundation (FSF),which was founded in 1985,promotes the

development and use of free software and documentation.The FSF is closely tied to the GNU

Project and the GNU General Public License (GNU GPL).In essence,the GNU GPL keeps all

software that comes out of the FSF and GNU Project free to the public domain.Furthermore,any

modi¯cations to that software must remain free to the public domain.When a security vulnerability

arises within an open source software product,patches are typically readily made available by the

developers of the software or possibly even third party support companies in light of the fact that

open source software is transparent (Maguire 2004).Another example of such a governing body is

the Apache Software Foundation (ASF),which oversees the Apache projects.

Freeware is also vulnerable to security attacks and such attacks can be as damaging and costly

as they would be for proprietary software (US-CERT 2004).Security of freeware as perceived by

the potential users naturally a®ects the usage and consequently the value derived by the software

in the user community.In this section,we compare policies that can be implemented by a social

planner or the governing body of a freeware product to improve social welfare.

21

5.1 Mandatory Patching

Since freeware is available to consumers at zero price,a large population of users may develop.This

increase in the number of users leads to an increased population of non-patching users,which in

turn increases the negative network security externalities and consequently hurts social welfare.The

governing body for a freeware product (such as ASF for Apache projects) has authority on managing

licenses for the software supported by these projects.Therefore,the technical mechanisms that

enable the implementation of mandatory patching for proprietary software,described in Section

4.1,can also be used for freeware,and such policies can be included as a part of the license

agreement if the governing body or a social planner sees ¯t.However,there is a critical trade-o®

here:If patching is mandated to users,only the consumers whose valuations justify the costs of

patching would employ the product.As a result,some of the current population of consumers would

be lost while the remaining population would enjoy a secure product.Thus,surplus generation

from usage would decrease along with the expected security losses,and the net e®ect on social

welfare needs to be determined.

By (1),C(v;¾

¤

) ·c

p

holds and hence,(v ¡C(v;¾

¤

))

+

¸(v ¡c

p

)

+

for all v 2 V.Noting that

p = 0,it then follows that

W

s

(0) =

Z

V

(v ¡C(v;¾

¤

))

+

dv ¸

Z

V

(v ¡c

p

)

+

dv = W

m

(0);(8)

that is,mandating patching for freeware reduces social welfare.

7

In short,mandating patching

induces users to take actions that are welfare-inferior to their self patching decisions,and therefore

cannot be helpful.Intuitively,and similar to the case for proprietary software,all consumers who

use the product under the mandatory patching policy would still be users under the self patching

policy since their expected security losses are bounded by c

p

.If the user with valuation c

p

patches

under self patching (assuming the user population stays the same),the product will be attractive

to the marginal non-user under mandatory patching since there will be no risk associated with the

product.If the user with valuation c

p

does not patch under the self patching policy,then the risk

associated with the product must be lower than c

p

,and hence the product will again be attractive

to the marginal non-user.In both cases,the welfare will (at least weakly) increase since a larger

population of users,including those with valuations below the threshold under mandatory patching,

non-negatively contribute to the welfare.

8

7

Notice that each user has two separate e®ects on social welfare:First,she contributes her own surplus,i.e.,

(v ¡C(v;¾

¤

))

+

.Second,because of negative network externalities,her decision also impacts other users'surpluses

by a®ecting the term C(v;¾

¤

) in the corresponding expressions.When calculating welfare,the latter e®ect shows

itself in other users'surpluses and hence is also included in the calculation of the surplus given in (8).

8

This result is parallel to the result in Brito et al.(1991),which states that for the case of an infectious disease,

mandating vaccination cannot increase social welfare.Speci¯cally,both results state that with negative network

externalities,self-protection decisions are socially more e±cient compared to forced protection.However the two

results are di®erent.In our case,each consumer makes a usage decision by comparing the type dependent losses from

being infected by a worm(that increase with the size of the unpatched population) to the constant patching costs and

22

5.2 Patching Rebates

As we have seen in Section 5.1,mandatory patching is ine®ective at increasing social welfare associ-

ated with freeware since such a policy improves the security of the product but results in consumers

making socially ine±cient decisions.Therefore,policies that can improve network security while

leaving the patching decisions to consumers should be investigated.Hence,we next consider a

policy in which a patching rebate is o®ered by a social planner to the consumers of the freeware.

That is,similar to the rebate policy we discussed in Section 4.2,in the face of a security vulnera-

bility,with a patch made available by the freeware developers,consumers who patch will receive

an e®ective rebate r > 0,as an incentive.In this case,the rebate is given by a social planner.

There is a growing call for and discussion on government intervention for software security.The

recommendations invite the government to play a more active role in improving software security

by the implementation of a mix of market and regulatory e®orts.The aimof these suggested e®orts

is to induce vendors to write more secure software as well as to induce computer users and network

operators to better maintain the security of their own systems (see,e.g.,Mimoso 2003,Krim 2004,

Joyce 2005).The patching rebates for freeware can be implemented as corporate or individual tax

rebates or credits.Such tax rebates are employed as tools in many other cases when the government

wants to regulate compliance of good behavior in cases with negative externalities (Lyne 2001).

The following proposition explores the e®ectiveness of such a rebate policy.

Proposition 4

Consider a patching rebate o®ered by a social planner to users of a freeware product.

(i)

If ¼® · 2c

p

=3 or ¼® ¸ 32=(27c

p

),then for all r > 0,o®ering a patching rebate r decreases

the expected social welfare.

(ii)

If 2c

p

=3 < ¼® < 32=(27c

p

),then it is possible to improve the expected social welfare with a

positive patching rebate.Further,the social welfare maximizing rebate is given by r

¤

g

= c

p

=3.

As in the case of proprietary software,patching rebates increase the security of freeware as

well.However,some users may be induced to patch when it is not socially e±cient.The main

trade-o® is between the welfare loss endured by inducing such users to patch and the welfare gain

obtained by the network e®ects of increased security.Part (i) of Proposition 4 states that when the

software security risk is low,rebates are ine®ective.In such cases,the social value of the network

e®ects is relatively low,and the losses from ine±cient patching dominate.In addition,when the

security risk is high,the patching population is small and as rebates increase the size of the patching

population,new non-patching users join and wipe out the positive network e®ects gained.When

the security risk is at a moderate level,however,rebates can be e®ective as stated in part (ii)

subsequently comparing the minimum of these two quantities to the type dependent bene¯t of using the software.

This usage decision by the consumers plays a particularly key role for the other policies we consider (Sections 5.2,

5.3) and for proprietary software (Section 4).

23

of Proposition 4.In summary,a patching rebate policy can improve social welfare generated by

freeware for a moderate risk level,but for su±ciently low or high levels of risk,such a policy may

end up decreasing social welfare.

5.3 Usage Tax

In Section 5.2,we presented a rebate based policy that was able to induce patching behavior and

yield higher social welfare for certain cases.However,in Proposition 4,we saw that such a policy

can be ine®ective for the two ends of the security spectrum where the expected security losses

are small or large.Since consumers acting in self-interest are causing a security risk on other

consumers through network e®ects,a mechanism that drives out some of the consumers,who have

low valuations but create negative externalities on other users by not patching,can be helpful.

This mechanism can be achieved by imposing a small\price"or a\tax"on the freeware.Such a

policy,by forcing certain low valuation consumers out of the system,can eliminate the negative

security externalities that they cause and can help improve the net social welfare obtained from

the freeware.Notably,this policy aims at the opposite e®ect achieved by a patching rebate policy

since a rebate mechanism intends to encourage non-users of the product to reconsider its use.From

the consumers'point of view,a tax imposed by a social planner is identical to a price charged by a

vendor.However,in this case,the tax payment that the consumers must make in order to use the

freeware is set to maximize social welfare.Therefore,the relevant region is the lower end of the

tax (or price) spectrum with decisions focusing on whether or not to impose such a small payment.

The following proposition explores the e®ectiveness of a tax policy.

Proposition 5

(i)

There exists a ¿ > 0,such that the expected social welfare can be increased by imposing a user

tax of ¿ on the freeware product.

(ii)

There exist threshold values!

and

!such that 0 <!

·

!and when ¼® <!

,the optimal user

tax increases with ¼® and is not a®ected by increases in c

p

;and when ¼® >

!,the optimal

user tax increases with c

p

and decreases with ¼®.

Proposition 5 states that a certain level of usage tax can always improve the expected social

welfare for freeware under network e®ects by eliminating consumers whose valuations are low but

cause negative security externalities on all users by not patching.This result is in contrast to the

corresponding case for proprietary software (Section 4.3).The reason for the e®ectiveness of a

tax policy with freeware is the lack of a pro¯t maximizing vendor who reduces social welfare by

limiting usage through a price set to maximize pro¯t.With proprietary software,the vendor is

already endogenously pricing the product at a range where the network e®ects from elimination of

part of the user population through additional taxation is ine±cient.Imposing a tax in that case

24

makes the vendor respond by decreasing the price but the e®ective price the customers perceive

(i.e.,the vendor price plus tax) increases,thus eliminating users and decreasing social welfare.

However,Proposition 5 states that when the price is zero,the usage threshold is always low enough

that a usage tax can su±ciently reduce negative network externalities to improve social welfare.

Proposition 5 also states that when ¼® is low enough,the optimal tax,though eliminating some

low valuation users,will not induce a patching population and hence will not depend on c

p

.But for

such cases,increased security risk makes it optimal for a social planner to increase the tax since the

e®ect of network externalities dominates the value loss.On the other hand,when the security risk is

large,the usage levels fall and the proposition states that the optimal tax decreases with increased

security risk.However,in this region,increased patching costs impose heavy security risks due to

reduced patching which,in turn,makes it optimal to increase the usage tax to compensate.

5.4 Policy Comparison Summary for Freeware

In this section,we give a comparison and summary of our policy analysis for freeware.First,

we have shown that mandatory patching is always inferior to self patching.In contrast,we have

seen that rebates and taxes can help to increase welfare.We have found that taxes can strictly

increase social welfare for all parameter values,but rebates are ine®ective when ¼® · 2c

p

=3 or

¼® ¸ 32=(27c

p

).For these parameter ranges,taxes are strictly better than rebates.The question

then becomes whether rebates can ever be recommended over taxes.The following proposition

answers this question.

Proposition 6

There exists a threshold µ

2 (0;1) such that when c

p

< µ

and 2c

p

=3 · ¼® · µ

,

social welfare is greater under the optimal rebate policy compared to that of the optimal tax policy.

Figure 5 demonstrates the di®erence between the expected welfare that can be obtained by the

optimal tax and rebate policies,i.e.,the di®erence between the expected social welfare under the

optimal tax ¿

¤

t

(W

t

(0;¿

¤

t

)) and the optimal rebate r

¤

g

(W

g

(0;r

¤

g

)) for these two policies,respectively.

As can be seen from the ¯gure,the tax policy is dominant for most of the parameter space and is

especially dominant when security risk is high,i.e.,when ¼® is large.When the patching cost and

the e®ective security risk are low,taxes have less impact since the negative network externalities

are relatively less important.On the other hand,in this region,rebates are e®ective since it is

relatively cheaper to induce users to patch and therefore a rebate policy,which by its nature keeps

all willing users active,can achieve better results than a tax policy.

Recall that,for proprietary software,usage taxes are detrimental to social welfare,and hence

rebates are preferred whenever they are e®ective (Sections 4.2 and 4.3).However,a usage tax is

quite e®ective for freeware and is the dominant instrument for a social planner in that case.As we

discussed in detail in Section 5.3,the main reason for this di®erence is the vendor's pricing response

25

0

0.5

1

0

0.5

1

1.5

2

-0.02

0

0.02

0.04

0.06

0.08

0.1

0.12

0.14

0.16

0.18

c

p

W

t

(0,

t

*)-W

g

(0,r

g

*)

Figure 5:Expected social welfare di®erence between optimal tax and rebate policies for freeware.

to a usage tax.Hence,we conclude that it may be advisable for social planners to consider usage

taxes only in the case of freeware.

In summary,for freeware,when the security risk or patching cost is su±ciently high,W

t

> W

s

>

W

g

;W

m

,i.e.,a tax policy dominates.On the other hand,when the security risk and patching costs

are low and the security risk is not too low compared to the patching costs,W

g

> W

t

> W

s

> W

m

,

i.e.,a rebate policy is most e®ective.

6 Concluding Remarks

In this paper,we presented a model of network software security to demonstrate that in a net-

work environment,where the software security maintenance of each user a®ects the riskiness and

consequently the value of the software for other users,incentives can be a useful tool for both

a pro¯t maximizing vendor and a social welfare maximizing planner.In particular,we explored

and compared four policies to manage network software security in both proprietary software and

freeware contexts:(i) Consumer self patching;(ii) Mandatory patching;(iii) Patching rebate;and

(iv) Usage tax.We have compared the preferability of these policies for a vendor (in the case

of proprietary software) and a social planner (in the cases of both proprietary software and free-

ware).We have demonstrated that rebates and self patching are dominant for proprietary software

whereas for freeware,taxes compete with rebates,and self patching becomes strictly dominated.

Mandatory patching is found to be suboptimal across the board.The main di®erence between the

results for the cases of proprietary software and freeware stems from the fact that for proprietary

software,the vendor internalizes the e®ect of any policy on the users and re°ects it in his price.

26

This is because changes in users'incentives directly a®ect the vendor's pro¯ts,and induces him to

provide a feedback loop by adjusting his price in response.As a result,the social planner's role is

more direct and critical in the case of freeware.

Another method of improving user patching behavior would be to directly reduce the patching

costs that users face.One way of achieving this is the software vendor's development of an auto-

mated patching solution.Automated patching aims to lower patching costs for users,ideally to a

zero level.If such an idealized scenario were possible,i.e.,if the patching costs were zero,all users

would patch immediately after the release of a patch for a vulnerability.This would eliminate any

e®ective security risk and negative network e®ects,and no issues related to the spread of malicious

code in the network would be present.However,achieving an e®ective automated patching solution

is not an easy task since each patching problem has unique aspects and each user's system has a

more or less unique con¯guration.Therefore e®ective patch management is a highly time and re-

source consuming activity and a\one-size-¯ts-all"approach is unlikely to be an immediate remedy

as it is also widely acknowledged by practitioners (see,e.g.,Messmer 2004a,Bentley 2005).Also

note that an automated patching solution only a®ects the portion of the patching costs associated

with the actual deployment of the security patch.The larger portion of the patching costs is due

to the labor needed to verify that the security patch works as advertised without breaking any

application interaction.Such testing of a security patch usually takes place on a staging server

before deployment of the patch to a production server.If a user patches,she must go through these

necessary steps to ensure that the security patch works without causing the production server to

fail.Therefore,patching costs are an innate part of network software security maintenance and

should not be neglected as determinants of user patch behavior and ultimately network security.

Our model applies to cases where there is a window for patching between the time a security

patch is made available and when an attack occurs,as was the case for most major worms in

the past.However,in some cases\zero day"attacks also occur before or right as patches are

released (Shannon and Moore 2004).Analyzing the e®ect of such cases on user incentives would

be an interesting future research topic.In addition,our main concern in this paper is the spread of

malicious code that exploits a patchable vulnerability in a common software product,over a network

of interconnected users.However,certain high pro¯le users can be speci¯cally targeted for attacks

such as the DoS attack experienced by Yahoo in 2000 (Williams 2000).These speci¯c risks are

essentially separate fromthe risks associated with the spread of a wormin characteristic.Examining

the security threats for such attacks under network environments would be an interesting future

research topic.Also,in our model we assume a uniform distribution of valuations.Although most

of our results (such as the threshold valuation characterization of the equilibrium and inferiority of

mandatory patching) are robust to the distributional assumption,one future avenue for research

could be extending our results to general distributions.

27

Another interesting extension of our model could be analyzing the vendor's problem of inducing

optimal patching activity levels based on the users'valuations by o®ering a non-linear patching

rebate schedule.Given that the users have di®erent valuations and correlated losses in case of

an attack,there may be gains from allowing users to decide the level of their patching activity

and receive rebates accordingly.In a separating equilibrium,a software vendor can then o®er a

non-linear schedule of patching rebates to induce a target level of patching activity for each\type"

of customer and monitor the patching levels (something he can observe),and use them as a proxy

to award rebates based on consumer valuations (something he cannot directly observe or price

discriminate on).The employment of such a price/rebate schedule may not only bene¯t the vendor

but also improve social welfare by allowing users to choose patching activities at socially e±cient

levels.

One might also investigate the vendor's incentives for disclosure of vulnerabilities to the public.

It is typically the case that vulnerabilities in software are discovered by either the vendor or benev-

olent users before hackers.In such instances,the vendor usually has a grace period to develop and

release patches before the existence of these vulnerabilities are publicly announced.The length of

that grace period may have implications on the incentives for patch development by the vendor,

and these issues are topics for ongoing research (e.g.,Arora et al.2005,Choi et al.2005,and

Jaisingh and Li 2005).Mechanisms that target user incentives used in conjunction with control of

the vulnerability disclosure grace period can prove to be powerful at improving software security

and is an interesting topic for future research.

Our goals in this paper were ¯rst to establish that when dealing with network security issues,

policies targeting user incentives can be e®ective tools;and second to gain insights into the types

of incentive mechanisms that may be helpful in increasing the value generated by network software

in the face of security vulnerabilities.In today's highly interconnected environment where many

consumers still do not maintain the security of their software adequately,resulting in losses from

hacker attacks that amount to billions of dollars,policies that can induce increased consumer

security by taking user incentives into account are needed.Our results may give guidance and

insight to software companies and policy-makers to work on such strategies and ultimately help

reduce the tremendous losses that occur from computer security incidents every year.

References

Anderson,R.J.(2001).Why information security is hard { an economic perspective.In Proc.of

the 17th Annual Computer Security Applications Conf.,pp.358{365.IEEE Computer Soc.

Anderson,R.M.and R.M.May (1991).Infectious Diseases of Humans:Dynamics and Control.

Oxford Univ.Press.

28

Arora,A.,R.Telang,and H.Xu (2005).Optimal policy for software vulnerability disclosure.

Working Paper,Carnegie Mellon Univ.

Bailey,N.T.(1975).The Mathematical Theory of Infectious Diseases and its Applications.Oxford

Univ.Press.

Bentley,A.(2005,October).Developing a patch and vulnerability management strategy.http:

//www.scmagazine.com.

Bloor,B.(2003).The patch problem:It's costing your business real dollars.Baroudi Bloor.http:

//www.baroudi.com/pdfs/patch.pdf.

Bragg,R.(2004,February).The perils of patching.Redmondmag.com.

Brito,D.L.,E.Sheshinski,and M.D.Intriligator (1991,June).Externalities and compulsory

vaccinations.J.Public Econ.45(1),69{90.

Cavusoglu,H.,H.Cavusoglu,and J.Zhang (2005,September).Security patch management:Share

the burden or share the damage.Working Paper,Univ.of British Columbia.

CERT (2004).CERT/CC statistics 1988-2003.CERT Coordination Center.http://www.cert.

org/stats.

Choi,J.P.,C.Fershtman,and N.Gandal (2005,April).Internet security,vulnerability disclosure

and software provision.Extended Abstract.

ComputerEconomics (2004,February).The cost impact of major virus attacks since 1995.Computer

Economics.

D'Amico,A.D.(2000,September).What does a computer security breach really cost?Secure

Decisions,Applied Visions Inc.

Davidson,M.A.(2004,June).Automatic software patching:Boon or bane?GlobeAndMail.com.

Francis,P.J.(1997).Dynamic epidemiology and the market for vaccinations.J.Public Econ.63(3),

383{406.

Garg,A.(2003,Spring).The cost of information security breaches.CrossCurrents,Ernst & Young.

Geer,D.E.(2004,May).The economics of shared risk at the national scale.Available at http:

//www.dtc.umn.edu/weis2004/weis-geer.pdf.

Geo®ard,P.-Y.and T.Philipson (1996).Rational epidemics and their public control.Int.Econ.

Rev.37(3),603{624.

Gersovitz,M.(2003).Births,recoveries,vaccinations and externalities.In Economics for an Im-

perfect World:Essays in Honor of Joseph E.Stiglitz,Cambridge,MA,pp.469{483.MIT Press.

Gersovitz,M.and J.S.Hammer (2004).The economical control of infectious diseases.Econ.

J.114(492),1{27.

29

Gersovitz,M.and J.S.Hammer (2005).Tax/subsidy policies toward vector-borne infectious dis-

eases.J.Public Econ.89(4),647{674.

Goldman,S.M.and J.Lightwood (2002).Cost optimization in the SIS model of infectious disease

with treatment.Top.Econ.Anal.Policy 2(1),1{22.

InternetWorldStats (2004,September).World internet usage and population statistics.Internet-

WorldStats.com.http://www.internetworldstats.com/stats.htm.

Jaisingh,J.and Q.Li (2005,November).The optimal time to disclose software vulnerability:

Incentive and commitment.Working Paper,Hong Kong Univ.of Science and Technology.

Joyce,E.(2005,February).More regulation for the software industry?EnterpriseITPlanet.com.

http://www.enterpriseitplanet.com/security/news/article.php/3483876.

Kessing,S.and R.Nuscheler (2003,June).Monopoly pricing with negative network e®ects:The

case of vaccines.Working Paper,Social Science Research Center Berlin.

Kremer,M.(1996).Integrating behavioral choice into epidemiological models of AIDS.Quart.J.

Econ.111(2),549{573.

Krim,J.(2004,April).U.S.goals solicited on software security.WashingtonPost.com.

Kunreuther,H.and G.M.Heal (2002).Interdependent security:The case of identical agents.

Working Paper,Columbia Univ.

Kunreuther,H.,G.M.Heal,and P.R.Orszag (2002).Interdependent security:Implications for

homeland security policy and other areas.The Brookings Institution,Policy Brief#108.

Lemos,R.(2003,August).Squashing the next worm.CNET News.com.

Lemos,R.(2004,March).Witty worm proves patching`not viable'.CNET News.com.

Leung,L.(2005,January).Patching takes over IT for a day.Techworld.com.

Lyne,J.(2001,May).EPA o®ers incentives to ¯rms that adopt telecommuting in ¯ve U.S.metros.

Online Insider.http://www.conway.com/ssinsider/incentive/ti0105.htm.

Maguire,J.(2004,January).Who's patching open source?Enterprise Linux IT.

Messmer,E.(2004a,May).Can software patching be automated?Network World Fusion.http:

//www.nwfusion.com/weblogs/security/005182.html.

Messmer,E.(2004b,May).Sasser worm exposes patching failures.Network World Fusion.http:

//www.nwfusion.com/news/2004/0510sasser.html.

Middleton,J.(2001,December).U.S.government calls for enforced patches.Vnunet.com.

Mimoso,M.(2003,September).Regulation,bad software,new threats fodder for Congress.Search-

Security.com.

30

Moore,D.,V.Paxson,S.Savage,C.Shannon,S.Staniford,and N.Weaver (2003).The spread of

the Sapphire/Slammmer worm.http://www.cs.berkeley.edu/

»

nweaver/sapphire/.

Moore,D.,C.Shannon,and J.Brown (2002).Code-red:a case study on the spread and victims of

an internet worm.In Proc.of the Second ACMSIGCOMMWorkshop on Internet Measurement,

pp.273{284.

MS-Support (2004,June).IIS problems after applying a security patch.Microsoft Corporation.

Nicastro,F.(2005,September).Network security tactics.Step-by-step guide:How to deploy a

successful patch.Searchsecurity.techtarget.com.

Schweitzer,D.(2003,August).Emerging technology:Patch me if you can!NetworkMagazine.com.

Shannon,C.and D.Moore (2004,August).The spread of the witty worm.IEEE Security and

Privacy 2(4),46{50.

Sullivan,B.(2004,May).`Sasser'infections begin to subside.MSNBC.com.http://www.msnbc.

msn.com/id/4890780/.

Symantec (2004,July).Automating patch management.Symantec Corporation.

Timms,S.,C.Potter,and A.Beard (2004,April).Information security breaches survey 2004.UK

Department of Trade and Industry.

US-CERT (2004).US-CERT vulnerability notes database.Carnegie Mellon Univ.http://www.

kb.cert.org/vuls/.

Varian,H.(2004).System reliability and free riding.Working Paper,Univ.of California,Berkeley.

Weaver,N.,V.Paxson,S.Staniford,and R.Cunningham (2003).A taxonomy of computer worms.

In Proc.of the 2003 ACM Workshop on Rapid Malcode,pp.11{18.

Williams,M.(2000,February).Attack takes down Yahoo for three hours.IDG News Service.

31

Appendix for

Network Software Security and User Incentives

Terrence August and Tunay I.Tunca

¤

Graduate School of Business

Stanford University

Proofs

Proof of Lemma 1:

In order to characterize the equilibrium,we ¯rst start with the second period

decisions for the consumers who purchased the product in the ¯rst period.If,in the second period,

no vulnerabilities arise then there is no decision to make for a consumer.Suppose a vulnerability

arises.If a consumer with valuation v decides to patch the software,her expected total payo® is

v¡p¡c

p

.Notice that the consumer only incurs a patching cost when vulnerabilities actually occur.

Suppose she decides not to patch and the total mass of unpatched population is u.In this case,

her expected payo® is v ¡p ¡¼u®v.Therefore,a consumer who buys the product patches in the

second period in case a security vulnerability is revealed if and only if

v ¸

c

p

¼u®

:(A.1)

Consequently,in equilibrium,if a buyer with valuation v

0

patches the software,then every buyer

with valuation v > v

0

will patch and hence there exists a v

p

2[0;1],such that when a vulnerability

arises,a consumer with valuation v 2V will patch if and only if v ¸v

p

.

Next,we examine the buying decision in the ¯rst period.If a consumer with valuation v decides

to buy the product,she will incur a cost p.Her expected security losses are C(v;¾

¤

).Then she

will buy the software if and only if

v ¡C(v;¾

¤

) ¸p:(A.2)

Now ¯rst,suppose v

p

< 1.Then v

p

¸p+c

p

,and hence,in equilibrium,since (1) implies C(v;¾

¤

) =

minf¼u®v;c

p

g and by (A.2),for all v > v

p

,we have ¾

¤

(v) = (B;P).Now let 0·v

1

·1 and

¾

¤

(v

1

) = (B;NP).Then,by (A.2),

v

1

¸

p

1 ¡¼u®

;(A.3)

and therefore for all v > v

1

,¾

¤

(v) 2f(B;P);(B;NP)g,and hence there exists a v

b

2[0;1],such that

a consumer with valuation v 2V will purchase if and only if v ¸v

b

.By de¯nition v

p

¸v

b

.Suppose

0 < v

p

= v

b

< 1 and c

p

> 0.But then,there exists 0 < v < v

p

such that v ¸p + C(v;¾

¤

) = p,

which is a contradiction.Therefore,we conclude that,when c

p

> 0 and 0 < p < 1 there exist

¤

Graduate School of Business,Stanford University,Stanford,CA 94305-5015.e-mails:

taugust@stanford.edu,tunca

tunay@stanford.edu

A.1

0·v

b

< v

p

·1 satisfying (2),from which,it follows that

¼®(v

p

¡v

b

)v

p

= c

p

;(A.4)

and

v

b

= p +¼®(v

p

¡v

b

)v

b

:(A.5)

Substituting (A.4) into (A.5) yields

v

p

=

c

p

v

b

v

b

¡p

;(A.6)

which,in turn,by substituting into (A.5) gives

¼®v

3

b

+(1 ¡¼®(c

p

+p))v

2

b

¡2pv

b

+p

2

= 0:(A.7)

Now,for v

p

< 1 to hold,by (A.6),we must have v

b

>

p

1¡c

p

.Plugging this in equation (A.7) and

since 0·v

b

·1,we obtain that for v

p

< 1,we must have p <

p.When p <

p,it can be shown

that (A.7) has a single root v

b

that satis¯es 1 > v

b

> p,which is satis¯ed by (A.2).Further,when

p > 0,again from (A.7),v

b

< p +c

p

follows,which by plugging in (A.6) con¯rms p +c

p

< v

p

.

When p = 0 and ® ¸

c

p

¼

,since

p > 0 (A.7) is valid and substituting,p = 0 into (A.7) yields

v

2

b

¡

v

b

¡

¡

c

p

¡

1

¼®

¢¢

= 0,which has two roots,namely v

b

= 0 and v

b

= c

p

¡1=¼®.If c

p

< 1=¼®,

then the only possible solution in [0;1] is v

b

= 0,and when v

b

= 0,by (A.4),it follows that

v

p

=

r

c

p

¼®

:(A.8)

If ® >

1

c

p

¼

,however,under (A.8),(A.2) cannot be satis¯ed.Therefore,the only valid root for this

region is v

b

= c

p

¡1=¼® and by (A.6),the statement follows.

Finally when,p¸

p,on the other hand,substituting v

p

= 1 in (A.5),we obtain ¼®v

2

b

+ (1 ¡

¼®)v

b

¡p = 0,which has a unique positive root that satis¯es v

b

·1 and is given by

v

b

= ¡

1 ¡¼®

2¼®

+

1

2¼®

p

(1 ¡¼®)

2

+4¼®p:(A.9)

This completes the proof.¥

Before we move on to the next proposition,we ¯rst state and prove the following lemmas that

will be useful for the remaining proofs:

Lemma A.1

The purchasing threshold v

b

is strictly increasing in price.Further,in Region I,

dv

b

dp

> 1.

Proof:The statement for Region II is immediate from (A.9).For Region I,from (A.7) and by the

implicit function theorem,we obtain

dv

b

dp

=

¼®v

2

b

+2(v

b

¡p)

3¼®v

2

b

+2(1 ¡¼®c

p

¡¼®p)v

b

¡2p

=

1

1 +

2¼®v

b

(v

b

¡c

p

¡p)

¼®v

2

b

+2(v

b

¡p)

:(A.10)

A.2

Re-arranging equation (A.7),we have

¼®v

2

b

(v

b

¡c

p

¡p) = ¡(v

b

¡p)

2

:(A.11)

From (A.10) and (A.11),it then follows that

dv

b

dp

=

¼®v

2

b

+2(v

b

¡p)

¼®v

2

b

+2

p

v

b

(v

b

¡p)

> 1:¤ (A.12)

Lemma A.2

(i)

There exists a solution,p

¤

s

2[0;1],to the pro¯t maximization problem of the vendor.The pro¯t

function for the vendor is piece-wise strictly concave in price,i.e.,it is concave when restricted

to price regions [0;

p) and [

p;1],where

p is as given in Lemma 1.

(ii)

Let c

p

2 (0;1) be given.There exist c

p

< µ

<

µ such that

(a)

When ¼® >

µ,the software vendor's pro¯t is maximized by pricing in Region I;

(b)

When 0 < ¼® < µ

,the software vendor's pro¯t is maximized by pricing in Region II.

Proof:By Lemma 1,¦

s

(¢) is continuous on compact [0;1].Therefore,the vendor's problem has

an optimal solution on this price range.For strict concavity,we ¯rst consider Region II.By (A.9),

we have

¦

ii

s

(p) =

p

2¼®

³

1 +¼® ¡

p

(1 ¡¼®)

2

+4¼®p

´

:(A.13)

In order to circumvent having the ¯rst derivative ill-de¯ned,we break the analysis into two cases

in which the product ¼® = 1 and ¼® 6= 1.When ¼® = 1,we have ¦

ii

s

(p) = p(1 ¡

p

p).Thus

we have d¦

ii

s

(p)=dp = 1 ¡

3

2

p

p and d

2

¦

ii

s

(p)=dp

2

= ¡

3

4

p

p

.When ¼® 6= 1,we have d¦

ii

s

(p)=dp =

1

2¼®

µ

1 +¼® ¡

p

(1 ¡¼®)

2

+4¼®p

¶

¡

p

p

(1¡¼®)

2

+4¼®p

,and d

2

¦

ii

s

(p)=dp

2

=

¡2(1¡¼®)

2

¡6¼®p

((1¡¼®)

2

+4¼®p)

3=2

< 0.

Hence,we conclude that ¦

ii

s

(¢) is indeed strictly concave.

Nowconsider Region I.Notice that d¦

i

s

(p)=dp = 1¡v

b

¡p

dv

b

dp

and d

2

¦

i

s

(p)=dp

2

= ¡

¡

2

dv

b

dp

+p

d

2

v

b

dp

2

¢

.

By di®erentiating equation (A.12) and rearranging we obtain

d

2

v

b

dp

2

=

dv

b

dp

³

2®v

b

+

4p

¼v

b

´

¡

³

dv

b

dp

´

2

³

2p

2

¼v

2

b

+2®v

b

´

¡

2

¼

®v

2

b

+

2p

¼v

b

(v

b

¡p)

:(A.14)

Substituting back into the second derivative of the pro¯t function,we have

d

2

¦

i

s

(p)

dp

2

= ¡

2

µ

®v

2

b

+

2(v

b

¡p)

¼

+p

dv

b

dp

³

®v

b

+

2

¼

p

v

b

´

¡p

³

dv

b

dp

´

2

³

1

¼

p

2

v

2

b

+®v

b

´

¡

p

¼

¶

®v

2

b

+

2p

¼v

b

(v

b

¡p)

:(A.15)

A.3

Now,by (A.12) and Lemma A.1,we have

dv

b

dp

®v

b

(v

b

+p)¡p®v

b

µ

dv

b

dp

¶

2

= ®v

b

dv

b

dp

µ

v

b

+p

µ

1 ¡

dv

b

dp

¶¶

= ®v

b

dv

b

dp

0

@

®v

3

b

+

2

¼

p

2

v

b

(v

b

¡p)

®v

2

b

+

2

¼

p

v

b

(v

b

¡p)

1

A

> 0:

(A.16)

Further,again by Lemma A.1 and rearranging

2p

¼

¢

dv

b

dp

¡

p

¼

Ã

µ

p

v

b

¢

dv

b

dp

¶

2

+1

!

=

p

¼

Ã

2

dv

b

dp

¡

µ

p

v

b

¢

dv

b

dp

¶

2

¡1

!

=

p

¼

0

@

®v

2

b

(

v

b

p

¡1)

®v

3

b

p

+

2

¼

(v

b

¡p)

µ

1 +

p

v

b

¢

dv

b

dp

¶

+2

µ

dv

b

dp

¡1

¶

1

A

> 0:

(A.17)

Combining (A.16),(A.17) and the fact that v

b

> p,we ¯nd that the right hand side of (A.15) is

strictly negative and therefore,¦

i

s

is strictly concave.This completes the proof of part (i).

To see part (ii),¯rst by part (i),there exists an optimal price that solves the vendor's pro¯t

maximization problem.To see part (a),notice that by (A.9),in Region II,lim

¼®!1

v

b

= 1.

Therefore as ¼®!1,pro¯t in Region II for any feasible p approaches zero.By (A.7),v

b

< p +c

p

is always satis¯ed.Therefore for any given p2[0;

p),¦

i

s

(p) > p(1 ¡c

p

¡p),which has a maximum

at p = (1 ¡c

p

)=2,which is in [0;

p) for su±ciently large ¼® as desired.For part (b),notice that by

Lemma 1,the feasible price range for Region I is p 2 [0;

p).At ¼® = c

p

,this range gets reduced to

f0g and as ¼® approaches this threshold the vendor's pro¯t vanishes on [0;

p).For any ¼® · c

p

,

there is no feasible price for Region I.On the other hand,Region II becomes feasible for all values of

¼® in this range and by (A.9),for any given p¸

p,the pro¯t in Region II increases as ¼® decreases.

Hence,there exists an µ

¸c

p

> 0 such that the vendor's pro¯t is maximized in Region II for ¼® < µ

.

This completes the proof.¤

Lemma A.3

For the proprietary software,if v

b

·v

m

then W

s

> W

m

.

Proof:Consider each consumer v 2 [v

m

;1].Under self patching decisions,each of these consumers

contributes v ¡C(v;¾

¤

) to the expected social welfare.Note that this contribution incorporates

the externalities created by all other users in equilibrium.Under the mandatory patching policy,

each of these consumers contributes v ¡c

p

.However,C(v;¾

¤

) · c

p

for all these consumers since

c

p

is the greatest loss that any purchaser will accept.Each consumer v 2 [v

b

;v

m

] will purchase

only if they make a positive contribution to the welfare.Furthermore,by (A.4) and since v

p

> v

b

,

¼®(v

p

¡v

b

)v

b

< c

p

.Thus,the expected social welfare under self patching is strictly greater than

the expected social welfare under mandatory patching when v

b

·v

m

.¤

Proof of Proposition 1:

To see part (i),¯rst note that v

m

= p

¤

m

+c

p

= (1 +c

p

)=2 and consider

the associated purchasing threshold as a function of c

p

,i.e.v

m

(c

p

) = (1 +c

p

)=2.Since ¼® < c

p

A.4

and v

m

(¢) is increasing in c

p

,it follows that v

m

(¼®) < v

m

(c

p

).

Now from (A.9),we have that v

b

(¼®) = ¡

1¡¼®

2¼®

+

1

2¼®

p

(1 ¡¼®)

2

+4¼®p

¤

s

.By Lemma A.2,

¦

ii

s

is concave and since ¦

ii

s

(0) = ¦

ii

s

(1) = 0 the optimal price can be found through the ¯rst order

condition,which yields

p

¤

s

=

1

9¼®

q

¡1 +4¼® ¡(¼®)

2

+(1 +¼®)

p

1 ¡¼® +(¼®)

2

:(A.18)

Plugging (A.18) into (A.9),we obtain

v

m

(¼®) ¡v

b

(¼®) =

3 +3(¼®)

2

¡

q

5 ¡2¼® +5(¼®)

2

+4(1 +¼®)

p

1 ¡¼® +(¼®)

2

6¼®

¸0:(A.19)

(A.19) can be easily established by rearranging the inequality and taking the square of both sides

twice.Therefore v

b

· v

m

and the result follows from Lemma A.3.

To see part (ii),suppose that v

b

> v

m

.De¯ne p

c

> 0 as the price such that

¼®v

3

m

+(1 ¡¼®(c

p

+p

c

)) v

2

m

¡2p

c

v

m

+p

2

c

= 0:(A.20)

Plugging v

m

= (1 +c

p

)=2 in (A.20) and solving for p

c

,we ¯nd that

p

c

=

1

8

µ

4 +4c

p

+¼®(1 +c

p

)

2

¡

q

¼®(1 +c

p

)

2

(16c

p

+¼®(1 +c

p

)

2

)

¶

:(A.21)

By Lemma A.2,at the optimal price for Region I,p

¤

s

,we have

d¦

i

s

(p)

dp

¯

¯

¯

p=p

¤

s

¸0.Then,by Lemma

A.1 and again by Lemma A.2,

d¦

i

s

(p)

dp

¯

¯

¯

p=p

c

> 0 also holds.Now,

d¦

i

s

(p)

dp

= 1 ¡v

b

¡p

Ã

v

2

b

+

2

¼®

(v

b

¡p)

v

2

b

+

2

¼®

p

v

b

(v

b

¡p)

!

=

¼®v

3

b

(1 ¡p) +2p(v

b

¡p)(1 ¡2v

b

) ¡¼®v

4

b

¼®v

3

b

+2p(v

b

¡p)

:(A.22)

Plugging (A.20) in (A.22),we ¯nd that

d¦

i

s

(p)

dp

¯

¯

¯

p=p

c

> 0 if and only if

¼

2

®

2

(1 +c

p

)

3

(¡1 +3c

p

) +32c

2

p

¼®(1 +c

p

)

¡(8c

p

¡¼®(1 +c

p

)(1 ¡3c

p

))

q

¼®(1 +c

p

)

2

(16c

p

+¼®(1 +c

p

)

2

) > 0:(A.23)

Suppose that c

p

¸ 1=3.Moving the radical in (A.23) and squaring yields the equivalent condition,

¼®c

2

p

(1 +c

p

)

2

(16c

p

+¼®(3 ¡c

p

)(3c

p

¡1)) < 0;(A.24)

and hence (A.23) is not satis¯ed.Now suppose c

p

< 1=3 and de¯ne s(¼®),¼®(1 + c

p

)

3

(¡1 +

3c

p

) +32c

2

p

(1 +c

p

) and t(¼®),(8c

p

+¼®(1 +c

p

)(¡1 +3c

p

)).Notice that s(¼®) > 0 if and only

if ¼® < a

s

,

32c

2

p

(1+c

p

)

2

(1¡3c

p

)

and t(¼®) > 0 if and only if ¼® < a

t

,

8c

p

(1+c

p

)(1¡3c

p

)

.Further (A.24)

A.5

is violated if and only if ¼®¸a

¿

,

16c

p

(3¡c

p

)(1¡3c

p

)

.Notice that,c

p

< 1=3 implies a

s

< a

t

.When

a

s

·¼® < a

t

,(A.23) does not hold.It then follows that when ¼®¸a

t

,(A.23) is violated if and

only if (A.24) is violated,which is true since a

t

¸a

¿

.Further,when ¼® < a

s

(A.23) is violated if

and only if (A.24) is violated which is true since a

s

·a

¿

.Therefore v

b

·v

m

and,again by Lemma

A.3,the result follows.¥

Proof of Proposition 2:

For any given p > 0,v

b

> p and 0 < r < c

p

,by (A.11)

p +c

p

¡r ¡v

b

=

1

¼®

µ

v

b

¡p

v

b

¶

2

:(A.25)

De¯ne » =

1

¼®

³

v

b

¡p

v

b

´

2

.By Lemma A.2,for su±ciently large ¼® the vendor will price in Region I.

The ¯rst order condition for ¦

v

(p;r) is given by

@¦

v

(p;r)

@p

= 1 ¡v

b

¡p

dv

b

dp

+

r(c

p

¡r)

(v

b

¡p)

2

µ

v ¡p

dv

b

dp

¶

= 0;(A.26)

which,by combining with (A.12) and (A.25) yields

p

¤

v

=

1 ¡c

p

2

+r +c

p

µ

2

1 +c

p

¡

1

2(c

p

¡r)

¶

» +O(»

2

):(A.27)

Therefore,combining (A.25) and (A.27),for

¼®

su±ciently large,

p

¤

v

<

p

and the unconstrained

optimum of ¦

i

v

will be feasible for Region I.

Now consider the optimal price as a function of the rebate denoted p(r) and de¯ne the optimal

expected vendor pro¯t as a function of the rebate by ¦

¤

v

(r) = ¦

v

(r;p(r);v

b

(p(r);r)).By Lemma

A.2 and the envelope theorem,we obtain the ¯rst order condition for the optimal rebate as

d¦

¤

v

(r)

dr

=

@¦

v

³

r;p(r);v

b

(p(r);r)

´

@r

+

@¦

v

³

r;p(r);v

b

(p(r);r)

´

@v

b

@v

b

(p(r);r)

@r

= ¡1 +

v

b

v

b

¡p

(c

p

¡2r) +

µ

1 +

r(c

p

¡r)

(v

b

¡p)

2

¶

pv

2

b

v

2

b

+

2

¼®

(v

b

¡p)

p

v

b

= 0:(A.28)

Substituting in for (A.25),

d¦

¤

v

(r)

dr

= ¡1 +

p +c

p

¡r ¡»

c

p

¡r ¡»

(c

p

¡2r) +

µ

1 +

r(c

p

¡r)

(c

p

¡r ¡»)

2

¶

p(c

p

¡r ¡»)

c

p

¡r ¡» +

2p»

p+c

p

¡r¡»

;

which,evaluated at (A.27),yields

d¦

¤

v

(r)

dr

=

c

p

(3c

p

¡1 ¡4r)

2(c

p

¡r)

2

» +O(»

2

):(A.29)

Hence there exists an

!> 0 such that when ¼® >

!,

d¦

¤

v

(r)

dr

¯

¯

¯

r=0

¸ 0 if and only if c

p

>

A.6

1

3

.Therefore,a rebate policy will be e®ective if and only if c

p

> 1=3.By (A.29),we have

r

¤

v

!(3c

p

¡1)=4 and hence,by (A.27),p

¤

v

!(1 +c

p

)=4.Further,there exists a constant k

such that lim

»!0

r

¤

v

¡(3c

p

¡1)=4

»

= lim

»!0

p

¤

v

¡(1+c

p

)=4

»

= k.Substituting into (A.29),it follows that

k = (1 ¡c

p

)=(8c

p

) > 0.Therefore,r

¤

v

and p

¤

v

are increasing in »,and hence decreasing in ¼®.This

completes the proof of part (i).

To see part (ii) ¯rst notice that under the hypothesis ¼® < c

p

holds and in this region,for a

rebate r > 0 to be e®ective,by Lemma 1,we must have c

p

¡¼® < r < c

p

,since,only in this case

the consumers will face a patching cost that will induce at least some of them to patch.For a ¯xed

p,let v

b

(r) and v

p

(r) denote the purchasing and patching thresholds when a rebate r is o®ered,

respectively.Clearly,when r > c

p

¡¼®,v

b

(r) < v

b

(0),since otherwise ¦

v

(p;r) < ¦

v

(p;0) holds.

But then,by (A.5),

v

b

(r) =

p

1 ¡¼®(v

p

(r) ¡v

b

(r))

<

p

1 ¡¼®(1 ¡v

b

(0))

= v

b

(0);(A.30)

which implies 1 ¡v

p

(r) > v

b

(0) ¡v

b

(r) and therefore,for ¦

v

(p;r) > ¦

v

(p;0),p > r has to hold.

When the vendor o®ers such a rebate,r,his expected pro¯t function can be written as ¦

v

(p;r) =

p(1¡v

b

) ¡r(1¡v

p

) where p 2 [0;(1¡(c

p

¡r))(1¡

c

p

¡r

¼®

)].Also note that the purchasing threshold

is now governed by the equation ¼®v

3

b

+

¡

1¡¼®(c

p

¡r+p)

¢

v

2

b

¡2pv

b

+p

2

= 0.then,by the implicit

function theorem,we obtain:

dv

b

dr

= ¡

v

2

b

v

2

b

+

2

¼®

(v

b

¡p)

p

v

b

;(A.31)

and hence ¡1 ·

dv

b

dr

· 0.Di®erentiating the expected pro¯t function,we obtain

d¦

r

dr

= ¡p

dv

b

dr

¡1 +v

p

+r

dv

p

dr

= ¡p

dv

b

dr

¡1 +v

p

+r

Ã

¡

p(c

p

¡r)

dv

b

dr

(v

b

¡p)

2

¡

v

b

v

b

¡p

!

:(A.32)

Notice that the ¯rst three terms are bounded and that r approaches c

p

as ¼® approaches zero.

Substituting c

p

¡r in place of c

p

in (A.11) and re-arranging we obtain

c

p

¡r = (v

b

¡p)

³

v

b

¡p

¼®v

2

b

+1

´

:(A.33)

Therefore

p(c

p

¡r)

dv

b

dp

(v

b

¡p)

2

¡

v

b

v

b

¡p

=

¡¼®v

2

b

¡p

¼®v

2

b

+2(v

b

¡p)

p

v

b

=

dv

b

dr

r

µ

1 +

p

¼®v

2

b

¶

:(A.34)

Now since ¼® <

c

2

p

1+c

p

and p·1,¼®(p ¡(c

p

¡¼®)) < (c

p

¡¼®)

2

,and since p > r > c

p

¡¼®,we

have

¼® <

(c

p

¡¼®)

2

p ¡(c

p

¡¼®)

<

pr

p ¡r

:(A.35)

A.7

From (A.35),and since v

b

·1,it follows that

p ¡r ¡

pr

¼®v

2

b

< 0:(A.36)

Combining (A.32),(A.34) and (A.36),we obtain d¦

r

=dr < 0 and therefore,it is suboptimal for the

vendor to o®er a rebate.This completes the proof.¥

Proof of Proposition 3:

By (4),(A.6) and (A.7),

W

i

g

(p;r) =

1

2

Ã

1¡v

2

b

¡

¼®v

3

b

(v

b

¡p ¡c

p

+r)

2

(v

b

+c

p

¡p ¡r)

(v

b

¡p)

3

+

2c

p

(p ¡v

b

(1 +r ¡c

p

))

v

b

¡p

!

:(A.37)

Taking the total derivative with respect to r,substituting (A.12) and (A.31),utilizing the implicit

function theorem on (A.26),and de¯ning » as in the proof of Proposition 2,by (A.25) and (A.27)

we then obtain

lim

»!0

1

»

dW

¤

g

(r)

dr

=

c

p

(c

p

(12 ¡c

p

) ¡3 ¡16r)

4(1 +c

p

)(c

p

¡r)

2

:(A.38)

Notice that c

p

(12¡c

p

) ¡3 is a concave quadratic expression in c

p

with roots 6¡

p

33 and 6+

p

33.

Since 6 ¡

p

33 < 1 < 6 +

p

33,we conclude that there exists an

!> 0 such that when ¼® >

!,

dW

¤

g

(r)

dr

¯

¯

¯

r=0

¸ 0 if and only if c

p

> 6 ¡

p

33.Hence,in this region,a rebate policy is e®ective

at increasing social welfare if and only if c

p

is large enough as stated in the proposition.By

(A.38),as ¼® becomes large,we have r

¤

g

!(c

p

(12 ¡c

p

) ¡3)=16 and,by substituting into (A.27),

p

¤

g

!(5 ¡c

p

)(1 +c

p

)=16.Clearly,both r

¤

g

and p

¤

g

are strictly increasing in c

p

.

Further,substituting r

¤

g

back into (A.38) we obtain

lim

»!0

r

¤

g

¡(c

p

(12 ¡c

p

) ¡3)=16

»

= f(c

p

);(A.39)

where f(c

p

) is a ¯fth order polynomial with three real roots only one of which (denoted by µ

0

) in

(6¡

p

33;1) and for all c

p

2 (µ

0

;1),f(c

p

) < 0.Thus,for ¼® su±ciently large,r

¤

g

is decreasing in ¼®

if c

p

2 (6¡

p

33;µ

0

) and increasing in ¼® if c

p

2 (µ

0

;1).Substituting r

¤

g

into (A.27) and carrying out

the analysis in a similar way shows that there exists a µ in (6 ¡

p

33;1) such that p

¤

v

is decreasing

in ¼® if c

p

2 (6 ¡

p

33;µ) and increasing in ¼® if c

p

2 (µ;1).This completes the proof of part (i).

For part (ii),when ¼® < c

p

and r = 0,by Lemmas 1 and A.2,the optimal price,p

¤

s

,is found

in Region II.Plugging (A.18) in (A.22),we ¯nd that

lim

¼®!0

¼®

d¦

i

s

dp

¯

¯

¯

¯

p=p

¤

s

=

(c

p

¡r)r

º(1 +8º)

;(A.40)

where,from (A.7),º = lim

¼®!0

(v

b

¡ p)=¼® > 0.Therefore,when a planner imposed rebate is

e®ective,i.e.,when a large enough r < c

p

induces the vendor to price so that there is a patching

population,since the vendor's pro¯t curve is strictly piecewise concave in p,p

¤

g

> p

¤

s

follows.Now

A.8

de¯ne

n

0

= supfn:lim

¼®!0

(p

¤

g

(r) ¡p

¤

s

)

(¼®)

n

< 1g:(A.41)

Further,de¯ne v

s

b

as given in (A.9),which is the purchasing threshold for r = 0 and

n

00

= supfn:lim

¼®!0

(v

b

(p

¤

g

(r);r) ¡v

s

b

)

(¼®)

n

< 1g:(A.42)

By (A.4)

lim

¼®!0

v

p

(p

¤

g

(r);r)

(¼®)

minfn

0

;n

00

g

< 1;(A.43)

and hence,

lim

¼®!0

v

p

(p

¤

g

(r);r) ¡v

b

(p

¤

g

(r);r)

(¼®)

minfn

0

;n

00

g

< 1:(A.44)

Since p

¤

g

(r) > p

¤

s

,it then follows that there exists a µ

> 0 such that when 0 < ¼® < µ

,for any r

such that v

p

(p

¤

g

(r);r) < 1,

W

i

g

(p

¤

g

(r);r) ¡W

ii

g

(p

¤

s

;0) < ¼®(v

p

(p

¤

g

(r);r) ¡v

b

(p

¤

g

(r);r))v

p

(p

¤

g

(r);r) ¡(1 ¡v

p

(p

¤

g

(r);r)c

p

< 0:

(A.45)

This completes the proof.¥

Proof of Proposition 4:

We ¯rst have to consider how the equilibrium region changes when a

rebate is o®ered.By Lemma 1,when ¼® < c

p

¡ r equilibrium outcome is in Region II with all

consumers are purchasing and the expected social welfare is W

ii

g

=

1

2

(1 ¡ ¼®).When c

p

¡ r ·

¼® ·

1

c

p

¡r

,the equilibrium outcome is in Region I with p = 0,all consumers are purchasing,

only consumers with valuations v >

q

c

p

¡r

¼®

are patching,and the expected social welfare is W

i

g

=

1

2

¡c

p

+

c

p

+r

2

q

c

p

¡r

¼®

.Finally,when ¼® >

1

c

p

¡r

,the equilibrium outcome is in Region I with only

the consumers with valuations v > c

p

¡r ¡

1

¼®

purchasing and only the consumers with valuations

v > c

p

¡r are patching.The expected social welfare in this region is W

i

g

=

1

2

(1 ¡c

p

)

2

¡

r

2

2

.

Which of the above regions are reachable is determined by whether ¼® < c

p

,c

p

· ¼® ·

1

c

p

,or

¼® >

1

c

p

.When ¼® >

1

c

p

,for any rebate such that c

p

¡

1

¼®

· r · c

p

,the equilibrium outcome will

be in Region I,with v

b

= 0.For 0 · r < c

p

¡

1

¼®

,on the other hand,the equilibrium outcome

will be in Region I,with v

b

> 0.When ¼® < c

p

,for any rebate such that 0 · r < c

p

¡¼®,the

equilibrium outcome will remain in Region II,while for c

p

¡¼® · r · c

p

,it will move into Region

I with v

b

= 0.Finally,when c

p

· ¼® ·

1

c

p

,the equilibrium outcome will remain in Region I,with

v

b

= 0 for all r in 0 · r · c

p

.

With these ranges in mind,we ¯rst address the case where ¼® >

1

c

p

.For r such that 0 ·

r < c

p

¡

1

¼®

,the expected social welfare is W

i

g

=

1

2

(1 ¡c

p

)

2

¡

r

2

2

and is decreasing in r.Thus,the

highest expected social welfare achievable under this rebate range is

1

2

(1¡c

p

)

2

.For r 2 [c

p

¡

1

¼®

;c

p

],

expected social welfare is given by W

i

g

=

1

2

¡c

p

+

c

p

+r

2

q

c

p

¡r

¼®

.Let g(r),

1

2

¡c

p

+

c

p

+r

2

q

c

p

¡r

¼®

.Then,

A.9

we have dg(r)=dr =

c

p

¡3r

4

p

¼®(c

p

¡r)

and hence g is increasing on r 2 [0;

c

p

3

] and decreasing on r 2 [

c

p

3

;c

p

].

Since r

¤

g

=

c

p

3

maximizes this function,it remains to ¯nd when r

¤

g

is feasible,i.e.c

p

¡

1

¼®

·

c

p

3

.

This condition is equivalent to ¼® ·

3

2c

p

and when it holds along with

1

2

(1 ¡ c

p

)

2

¸ g(

c

p

3

),then

there does not exist an r > 0 such that the expected social welfare can be increased by o®ering a

rebate of r.The latter holds if and only if

1

2

(1 ¡c

p

)

2

¡

Ã

1

2

¡c

p

+

2c

p

3

r

2c

p

3¼®

!

¸ 0;(A.46)

which,in turn,is satis¯ed if and only if ¼® ¸

32

27c

p

.Now if ¼® >

3

2c

p

then r

¤

g

is not feasible.

However,g(r

¤

g

) ¸ g(r) for any other r.Thus when ¼® ¸

32

27c

p

,there is no r > 0 such that the

expected social welfare can be increased by o®ering a rebate r,while when for ¼® 2 [

1

c

p

;

32

27c

p

),

o®ering a rebate of r

¤

g

= c

p

=3 maximizes the expected social welfare.

Second,when ¼® 2 [c

p

;

1

c

p

] as we showed above,for all r,the equilibrium outcome will be in

Region I,with v

b

= 0,and the expected social welfare will be g(r) as described above.Clearly,in

this range,it is optimal to o®er a rebate precisely equal to r

¤

g

= c

p

=3.

Finally,when ¼® < c

p

as we have shown above,for all rebates such that 0 · r < c

p

¡¼® we are

still operating in Region II.Thus,the expected social welfare is unchanged as no consumer elects

to patch even with the rebate.We focus our attention on r such that c

p

¡¼® · r · c

p

in which

case the equilibrium outcome will be in Region I,with v

b

= 0.In order for r

¤

g

to be feasible,we

require that c

p

¡¼® · r

¤

g

=

c

p

3

which can be equivalently written as ¼® ¸

2c

p

3

.

For ¼® ·

2c

p

3

,we compare the expected social welfare W

ii

g

=

1¡¼®

2

against g(c

p

¡¼®) as g(¢)

is decreasing in this range of rebates.However,it can be easily seen that g(c

p

¡¼®) = W

ii

g

and

hence,for ¼® ·

2c

p

3

it is clearly suboptimal to o®er a rebate.

For ¼® >

2c

p

3

,we must compare g(r

¤

g

) = g(

c

p

3

) against W

ii

g

.Let h(¼®),g(

2c

p

3

) ¡

1¡¼®

2

=

2c

p

3

q

2c

p

3¼®

¡c

p

+

¼®

2

.We ¯rst establish that h is increasing in ¼®.Taking the ¯rst derivative,we

obtain dg(¼®)=d(¼®) =

1

2

¡

p

6

9

(

c

p

¼®

)

3=2

.Taking the second derivative,we obtain d

2

h(¼®)=(d¼®)

2

=

(

c

p

¼®

)

3=2

¼®

p

6

¸ 0.Hence,h is convex and a lower bound on dh(¼®)=d(¼®) is dh(¼®)=d(¼®)j

¼®=2c

p

=3

,

which is positive.Therefore,h is increasing as well.Again since ¼®¸2c

p

=3,we obtain that h(¼®) ¸

0 for all ¼® in this range.Therefore when ¼® 2 (

2c

p

3

;c

p

],o®ering a rebate of r

¤

g

=

c

p

3

increases (and

maximizes) the expected social welfare.¥

Proof of Proposition 5:

For part (i),¯rst suppose ¼® >

1

c

p

.Then

W

i

s

(p) =

1

2

µ

1 ¡v

2

b

+

¼®(p +c

p

¡v

b

)

2

v

3

b

(c

p

¡p +v

b

)

(p ¡v

b

)

3

¡2c

p

µ

1 +

c

p

v

b

p ¡v

b

¶¶

:(A.47)

A.10

Taking the derivative with respect to p,we obtain

dW

i

s

(p)

dp

= ¼®(c

p

+p ¡v

b

)

2

µ

3c

p

v

2

b

dv

b

dp

¡v

3

b

¡3pv

2

b

dv

b

dp

+4v

3

b

dv

b

dp

¶

(A.48)

¡ v

b

dv

b

dp

+

1

2(p ¡v

b

)

3

µ

2¼®(c

p

+p ¡v

b

)

µ

1 ¡

dv

b

dp

¶

v

3

b

(c

p

¡p +v

b

)

¡

3¼®(c

p

+p ¡v

b

)

2

v

3

b

(c

p

¡p +v

b

)

³

1 ¡

dv

b

dp

´

2(p ¡v

b

)

4

¡

c

2

p

dv

b

dp

p ¡v

b

+

c

2

p

v

b

³

1 ¡

dv

b

dp

´

(p ¡v

b

)

2

:

Furthermore,since ¼® >

1

c

p

and p = 0,by Lemma 1,we have v

b

= c

p

¡

1

¼®

.Evaluating at

v

b

= c

p

¡

1

¼®

,we obtain

dv

b

dp

= 1 +

2

¼®v

b

.Simplifying,we obtain

dW

i

s

(p)

dp

¯

¯

¯

¯

p=0

=

1 ¡2¼®c

p

2¼®(1 ¡¼®c

p

)

> 0:(A.49)

Next suppose c

p

· ¼® ·

1

c

p

.From (A.11),we see that v

b

approaches

p

1¡

p

¼®c

p

as p approaches zero.

Plugging (A.12) into (A.48) and taking the limit as p!0,we have

lim

p!0

dW

i

s

(p)

dp

=

c

p

4

¡

1 ¡

p

¼®c

p

¢

> 0:(A.50)

Finally let ¼® < c

p

,i.e.,the market can only be in Region II as described in Lemma 1.Consequently

W

ii

s

(p) =

1

2

(1 ¡v

2

b

)(1 ¡¼®(1 ¡v

b

)) =

(¼® +p)(1 ¡¼®) +(¼® ¡p)

p

(1 ¡¼®)

2

+4¼®p

4¼®

:(A.51)

Taking the derivative,we obtain

dW

ii

s

(p)

dp

¯

¯

¯

¯

p=0

=

1 ¡¼®

4¼®

¡

p

(1 ¡¼®)

2

+4¼®p

4¼®

+

¼® ¡p

2

p

(1 ¡¼®)

2

+4¼®p

¯

¯

¯

¯

¯

p=0

=

¼®

2(1 ¡¼®)

> 0:

(A.52)

Therefore for all ¼® > 0,there exists a ¿ > 0 such that the expected social welfare can be increased

by imposing a tax ¿.

For part (ii),¯rst consider ¼® < c

p

.By Region II of Lemma 1,v

p

= 1 and v

b

is given by (A.9).

Substituting into (4),the ¯rst order condition yields

¿

¤

t

=

¡1 +2¼®(1 +¼®) +

r

(1 ¡¼®)

2

³

1 ¡2¼® +4 (¼®)

2

´

9¼®

;(A.53)

which is clearly increasing in ¼® in this range.By Lemma 1 and continuity of the welfare function,

there exists a µ

> c

p

such that for all c

p

< ¼® < µ

,the optimal tax is given by (A.53).De¯ning »

as in the proof of Proposition 2 and by (A.48),we obtain ¿

¤

t

= » ¡

3

2c

p

»

2

+O

¡

»

3

¢

.Therefore,for

large enough ¼®,¿

¤

t

is decreasing in ¼® and increasing in c

p

.¥

A.11

Proof of Proposition 6:

By part (ii) of Proposition 4,the social welfare under the optimal

rebate is given by W

¤

g

,W

g

(

c

p

3

) =

1

2

¡c

p

+

1

p

¼®

³

2c

p

3

´

3=2

.When a tax is imposed the resulting

equilibrium is either in Region I or Region II as given in Lemma 1.Suppose that the equilibrium

falls in Region II.By Lemma 1,v

p

= 1 and v

b

is given by (A.9).Substituting into (4),the social

welfare is given by

W

ii

t

(¿) =

(¼® +¿)(1 ¡¼®) +(¼® ¡¿)

p

(1 ¡¼®)

2

+4¼®¿

4¼®

:(A.54)

W

ii

t

(¢) is concave and the optimal tax given by

¿

¤

t

=

¡1 +2¼®(1 +¼®) +

p

(1 ¡¼®)

2

(1 ¡2¼® +4¼®

2

)

9¼®

:(A.55)

De¯ne W

¤

t

,W

ii

t

(¿

¤

t

) and let ¼® = kc

p

.We then have

W

¤

g

=

1

2

¡

Ã

1 ¡

2

3

r

2

3k

!

c

p

+O(c

2

p

);(A.56)

and W

¤

t

=

1

2

¡

kc

p

2

+O(c

2

p

).Comparing the two expressions,it follows that for su±ciently small c

p

,

W

¤

g

> W

¤

t

if and only if k > 2=3.Now suppose that the optimal tax induces Region I equilibrium

behavior.In this case,the social welfare is given by

W

i

t

(¿) =

1

2

µ

1 ¡v

2

b

¡

¼®v

3

b

(v

b

¡¿ ¡c

p

)

2

(v

b

¡¿ +c

p

)

(v

b

¡¿)

3

¡2c

p

µ

1 ¡

c

p

v

b

v

b

¡¿

¶¶

;(A.57)

where v

b

solves (A.7) with p = ¿.By (A.7),as c

p

!0,z

1

,lim

c

p

!0

(v

b

¡¿)=c

2

p

is constant.Further,

taking the derivative with respect to ¿,substituting ¼® = kc

p

,writing the ¯rst order condition and

by (A.12),it follows that for the optimal tax ¿

¤

t

,z

2

,lim

c

p

!0

¿

¤

t

=c

p

is constant.Substituting in

(A.7) and taking the limit of both sides as c

p

!0,we obtain z

2

= z

1

=

p

k.Further,substituting

these two limits back into the ¯rst order condition and by taking the limit as c

p

!0,we ¯nd that

for the optimal tax

lim

c

p

!0

¿

¤

t

c

p

=

27z

3

2

16

+

81k

4

z

9

2

256z

8

1

+

81k

2

z

6

2

64z

4

1

+

z

2

1

k

+

3z

4

1

4k

2

:(A.58)

Substituting in z

2

= z

1

=

p

k in (A.58) and solving for z

1

,we obtain z

1

=

p

k=4.It follows that z

2

=

1=4.Substituting back into (A.57) yields W

¤

t

,W

i

t

(¿

¤

t

) =

1

2

¡

³

1 ¡

1

2

p

k

´

c

p

+O(c

2

p

).Comparing

with (A.56),we see that W

¤

g

> W

¤

t

,which completes the proof.¥

A.12

## Σχόλια 0

Συνδεθείτε για να κοινοποιήσετε σχόλιο