Network Software Security and User Incentives

Terrence August and Tunay I. Tunca*
Graduate School of Business
Stanford University
Management Science, 2006, 52 (11), pp. 1703-1720
Abstract

We study the effect of user incentives on software security in a network of individual users under costly patching and negative network security externalities. For proprietary software or freeware, we compare four alternative policies to manage network security: (i) Consumer self patching (where no external incentives are provided for patching or purchasing); (ii) Mandatory patching; (iii) Patching rebate; and (iv) Usage tax. We show that for proprietary software, when the software security risk and the patching costs are high, for both a welfare maximizing social planner and a profit maximizing vendor, a patching rebate dominates the other policies. However, when the patching cost or the security risk is low, self patching is best. We also show that when a rebate is effective, the profit maximizing rebate is decreasing in the security risk and increasing in patching costs. The welfare maximizing rebates are also increasing in patching costs but can be increasing in the effective security risk when patching costs are high. For freeware, a usage tax is the most effective policy except when both patching costs and security risk are low, in which case, a patching rebate prevails. Optimal patching rebates and taxes tend to increase with increased security risk and patching costs but can decrease in the security risk for high risk levels. Our results suggest that both the value generated from software and vendor profits can be significantly improved by mechanisms that target user incentives to maintain software security.
* Graduate School of Business, Stanford University, Stanford, CA 94305-5015. e-mails: taugust@stanford.edu, tunca tunay@stanford.edu. We thank Barrie Nault (the department editor), the associate editor and anonymous referees as well as Mike Harrison, Sunil Kumar, Howard Kunreuther, Haim Mendelson, Jim Patell, Hal Varian, Larry Wein, Jin Whang, Muhamet Yildiz and seminar participants at Harvard University, New York University and Stanford University for helpful discussions. Financial support from the Center of Electronic Business and Commerce at the Graduate School of Business, Stanford University is gratefully acknowledged.
1 Introduction

With approximately 800 million worldwide users, the Internet as a network of interconnected computers is unprecedented in its size, reach and content (InternetWorldStats 2004). One of the most important issues that arises in such a broad communications environment, in which all systems share not only the benefits of the ability to communicate with a vast number of other users but also the vulnerabilities that come with it, is information security. As the recent years have proven, increased Internet usage brought about increased security attacks, with the number of reported security incidents reaching 140,000 in 2003, a nearly sixty-fold increase compared to 1995 (CERT 2004).

The cumulative cost of information security breaches has many different implicit and explicit components, some of which can be difficult to quantify, including the direct costs of repairing and rebuilding infected systems, lost sales, and reduced productivity due to loss of reputation (D'Amico 2000, Garg 2003, Timms et al. 2004). The cost of system security breaches is intimately tied to the nature of a firm's business, the firm's reputation, the size of the firm and the significance of the attack. These costs vary largely among users and can be substantial. The total worldwide cost of 14 major attacks between 1999 and 2004 was estimated to be about $36.5 Billion (ComputerEconomics 2004).

Despite the immense losses due to security vulnerabilities, prevention is difficult in an open network environment such as the Internet, which is formed of users with a wide range of motivations and resources. This becomes especially clear when one considers that maintaining the security of a local network is a costly endeavor requiring physical and computing resources as well as time and effort of expert system administrators. In addition, software patching imposes risks of system crashes and instability (MS-Support 2004, Schweitzer 2003). As a result, proper patch maintenance typically involves a careful system administrator dedicating time toward testing of patch integrity and application interactions as well as final installation on a production server. Combining various dimensions of costs, per server patching costs are estimated to be hundreds of dollars (e.g., Bloor 2003, Davidson 2004 and Symantec 2004). Unfortunately, for a widely used software product such as Microsoft IIS, not all consumers have sufficient incentives to undergo these costs. Consequently, system security as a whole suffers from users not acting in an optimal way when it comes to maintaining network security (e.g., Lemos 2003, 2004, Messmer 2004b and Sullivan 2004).

As an example, consider the case of the "Code Red" worm and its successor "Code Red II" that hit during the summer of 2001. Exploiting a buffer-overflow vulnerability in IIS, the worm replicated 100 times over upon each infection. Code Red II opened up "back-door" access on affected servers providing people with malicious intent full privileges on these servers. Given this degree of compromise, the requisite corrective action often involved completely reformatting affected servers and re-installing all software to original form. The cost to compromised firms associated with bad service to consumers, public defacement and technical labor hours was substantial. The most troubling part is that these damages could have been prevented. Microsoft released a patch for the IIS vulnerability exposed by Code Red one month prior to the attack. Poor patching behavior in the user community extended the life and spread of these twin worms and caused damages reaching $2.6 Billion (Moore et al. 2002). Code Red is no exception. Most security attacks exploit known vulnerabilities for which patches are already available. Patches were also available for the vulnerabilities exploited by major worms such as Nimda, Slammer, Blaster, and Sasser up to six months in advance of each attack. In virtually all of these cases, large losses could have been mostly avoided by proper patch maintenance by the consumers (Schweitzer 2003).
As these examples demonstrate, because of network effects, the actions that each user takes in the face of a potential security threat can have important consequences on other users, and mechanisms to induce the right incentives for patching, both from the point of view of a profit maximizing vendor and a social welfare maximizing planner, need to be considered. In this paper, we present a model of a market for a software product with a potential security vulnerability to compare mechanisms aimed to mitigate the security problem by utilizing user incentives. The consumers who choose to purchase or use the software face a decision whether to undergo patching costs to maintain the security of their software. If they patch their systems, they avoid the risk of being hit by worms and do not cause negative externalities on the other users. However, if they avoid patching, they not only risk being hit but also increase the risk faced by other users. The equilibrium patching decisions of the users depend on the cost of patching and the overall riskiness of the software. This, in turn, determines the equilibrium purchasing decisions of the consumers. We consider two different cases: (a) Proprietary software that is offered by a vendor who produces and sells copies of it for profit (e.g., Microsoft IIS); (b) Freeware, which is available to users at no charge and often distributed by open source development projects (e.g., Apache HTTP Server). For both cases, we examine four candidate policies: (i) Consumer self patching, where users make their own decisions on patching (i.e., the status quo); (ii) Mandatory patching, where users, by agreement, are required to patch when one is available; (iii) Patching rebate, where users are compensated by the vendor when a patch is available and they actually patch; and (iv) Usage tax, where a social planner imposes a tax on the usage of the software in order to control the negative network externalities caused by low valuation users who are not reliable patchers.
For proprietary software, contractually mandating patching can substantially reduce the vendor profit and hence is not an appealing policy for a software vendor to apply. Although mandating patching can improve expected social welfare, for most cases it will reduce the welfare by inducing the vendor to price at levels that move the network away from the overall socially optimal security level. We also find that if the risk that the users are facing is small compared to the patching costs, patching rebates cannot increase the vendor's expected profit, since it will cost the vendor too much to induce a desired level of patching behavior. On the other hand, if the security risk is high, the vendor can increase his profits through rebates by inducing increased security and consequently increased value of his product. Similarly, by inducing efficient patching behavior, rebates can be an effective tool for a social welfare maximizing planner when the security risk and patching costs are high. However, by significantly reducing the usage, taxes are not helpful for increasing either vendor profits or social welfare even though they may increase the security of the product. We also show that the optimal patching rebate and the corresponding vendor price tend to increase in patching costs but decrease in the effective riskiness of the software. However, when the patching costs are high, the optimal planner determined rebate increases with the security risk to reduce the high network externalities that arise from poor user patching behavior. These results are summarized in Table 1. Panel (a) gives the policy recommendations, and panel (b) gives the comparative statics results for the optimal vendor price, rebates and tax.

Table 1: Policy recommendations and comparative statics for optimal rebates, prices and taxes. Panel (a) provides recommendations to a social welfare maximizing planner and a profit maximizing vendor. "Self" refers to the self patching policy with no incentives, "Rebate" refers to the patching rebate policy and "Tax" refers to the usage tax policy. Panel (b) provides comparative statics on the vendor's optimal price, the optimal rebate and usage tax. All results are given for the ranges where comparative statics are applicable, i.e., where the considered policy is effective.

Panel (a): Policy recommendations

|                    | Proprietary Software (Social Welfare and Vendor Profit) |                    | Freeware (Social Welfare) |                    |
|                    | Low security risk  | High security risk | Low security risk  | High security risk |
| Low patching cost  | Self               | Self               | Rebate             | Tax                |
| High patching cost | Self               | Rebate             | Tax                | Tax                |

Panel (b): Comparative statics (sign of the change in the optimal price, rebate or tax)

Proprietary software:

|                    | Vendor Price and Planner Determined Rebate |               | Vendor Price and Vendor Determined Rebate |               |
|                    | Security risk | Patching cost | Security risk | Patching cost |
| Low patching cost  | −             | +             | −             | +             |
| High patching cost | +             | +             | −             | +             |

Freeware (Planner Determined Rebate and Tax):

|                            | Security risk | Patching cost |
| Rebate: Med. security risk | 0             | +             |
| Tax: Low security risk     | +             | 0             |
| Tax: High security risk    | −             | +             |
When software is freeware, we demonstrate that mandating patching reduces welfare by forcing consumers to make socially inefficient decisions. However, our conclusions about the impact of the rebates and taxes change significantly. Unlike proprietary software, patching rebates have only limited effectiveness for freeware, since they often induce users to patch in cases where doing so is socially inefficient. However, taxes can be effective since they eliminate low valuation users who do not patch and cause negative security externalities on other users. When the security risk or patching costs are low, unlike the case of proprietary software where self patching is preferable, for freeware, an intervention by a social planner through rebates and taxes increases social welfare. When both software riskiness and the patching costs are low, rebates are preferable while for high patching costs or security risk, a tax policy can significantly increase social welfare and be preferred. The optimal tax and rebate tend to increase with the security risk and the patching costs except when the security risk is high, in which case further usage should be encouraged by lowering the tax. These results are again summarized in Table 1.

The remainder of this paper is organized as follows. Section 2 presents the literature review. Section 3 presents the basic model and derives the equilibrium purchasing and patching behavior for a given set of parameters and price per copy of the software. Section 4 presents the vendor's price setting problem and compares different incentive mechanisms for the case of a profit maximizing vendor. Section 5 explores and compares policies for freeware. Section 6 offers our concluding remarks.
2 Literature Review

The role of incentives in software security is a relatively new research subject, but the literature in the area is growing. Anderson (2001) argues that information security is not simply a technical problem that can be solved by more sophisticated hardware, software, and strategies. Rather, the problem with information security is due to the fact that the economic incentives are misaligned. Kunreuther et al. (2002) and Kunreuther and Heal (2002) identify a concept for security interdependence and study security investment decisions made by agents in a computer network when each agent's decision impacts the risk endured by the other agents. They examine a model where there is a single shared resource whose security is increased by user investments and proceed to characterize the equilibrium investment strategies and their dependence upon the cost structure. They conclude that in order to best induce adoption of security measures, regulation and institutional coordination mechanisms are needed. Varian (2004) considers how the reliability of a public good is affected by the effort of individuals working in teams with varying incentives and effects on system security. He finds that when system reliability is based upon total effort, it is completely determined by the agent with the highest benefit-cost ratio. On the other hand, when reliability depends on the weakest link, the agent with the lowest benefit-cost ratio contributes the effort. When maximum effort is the determinant of system reliability, however, either of these equilibria can result. Choi et al. (2005) explore a model with negative network security externalities to examine the optimal software vulnerability disclosure decision of a vendor, finding that firms may announce vulnerabilities when it is not socially optimal. Arora et al. (2005) analyze the optimal timing for disclosure of software security vulnerabilities and establish that vendors always choose to release a patch later than a socially optimal disclosure time. Jaisingh and Li (2005) examine the role of commitment in optimal social policy for disclosure of vulnerabilities when the social planner commits to a disclosure agenda, and the vendor determines the patch release time after a vulnerability is discovered. They find that the time lag between the decisions of the social planner and the vendor is important only when the hacker can accumulate experience from vulnerabilities over time. Cavusoglu et al. (2005) explore a model to derive the optimal frequency of patching to balance the operational and damage costs associated with security vulnerabilities. They show that a firm's patch cycle is not necessarily synchronized with the vendor's patch release cycle and demonstrate that cost sharing and liability schemes may coordinate these cycles. In our model, the focus is on the role of externalities in a network environment. We explore policies to maximize the value generated by software and highlight that consumers' purchase (or usage) decisions play a fundamental role in our results as does the vendor's profit maximization.

Moore et al. (2002) find that most of the victims of the Code Red worm were home and small business users rather than large corporations, while most of the costs in terms of damages were borne by the large corporations that were hit. This demonstrates that low valuation consumers, e.g., home and small business users, do not have as much motivation as high valuation consumers, e.g., large corporations, to engage in reducing risk on the network by securing their systems. The equilibrium patching behavior and the loss structure in our model are consistent with these findings. Weaver et al. (2003) demonstrate that for a scanning worm, the spread rate is proportional to the size of the vulnerable population. The infection model we use in our paper is consistent with this observation.
Our work is also related to research in vaccination incentives and the economics of disease spread control found in the public health literature. Although recognizing the externalities imposed by unprotected agents on the population as a whole, traditionally, the literature on mathematical epidemiology (e.g., Bailey 1975 and Anderson and May 1991) does not consider the role of economic behavior and incentives of individuals in prevention and control of disease spread. Brito et al. (1991) is one of the first papers to consider individual incentives and their role with negative externalities in a biological disease spread setting. They find that mandating vaccination reduces social welfare and that tax/subsidy levers are useful for governmental welfare coordination. Francis (1997) establishes that under certain assumptions, in a dynamic model of vaccination, government intervention may not be necessary, i.e., agents may behave in a manner consistent with the social objective. Gersovitz (2003) shows, on the other hand, that when one takes into account certain factors such as recoveries and deaths, the decentralized outcome diverges from the social outcome, and the necessity of economic intervention through market forces or government is persistent.

Geoffard and Philipson (1996) highlight the differences between economic models and mathematical epidemiological models and their implications. In a model of disease spread with rational agents choosing between protective and exposed activity, they find that the hazard rate of infection may be a decreasing function of disease prevalence, resulting from increased demand for protection due to rational behavior. This result is contrasted with results from the epidemiological literature where the hazard rate is typically increasing in prevalence. Kessing and Nuscheler (2003) study the case of a vaccine monopolist and argue the ineffectiveness of subsidies to improve social welfare. Kremer (1996) shows that the behavior of heterogeneous agents increases the effectiveness of public policy intervention in populations of high disease prevalence, stressing that the models of such epidemics must be fundamentally economic ones. Several other dynamic economic models of disease spread examining the role of rational individuals' trade-offs between costly protection and the risk that is imposed by negative externalities of other individuals and the social planner's welfare maximization through the use of preventive and therapeutic measures can be found in Goldman and Lightwood (2002) and Gersovitz and Hammer (2004, 2005).
Our result that mandatory patching decreases social welfare in the freeware case is parallel to the finding of Brito et al. (1991). We also look at rebate and tax mechanisms which a social planner may use to increase social welfare. However, unlike the biological disease spread literature, our case of proprietary software involves a profit maximizing vendor who sets a price for the usage of the activity. Our goal is to better understand how the negative externalities that arise due to spread of malicious code affect the vendor's profit maximization problem and subsequently how both consumer and vendor behavior together impact social welfare. Further, our results are driven by issues that are different in nature such as the trade-off between surplus generated by increased usage of software and the security risks that accompany it. The true analogs of the usage decisions (for instance an agent's decision to live or die or a vendor "selling life" to people) would not be reasonable issues to consider in most biological settings, much less their control by a social planner through incentives such as taxes.
The literature on economics of biological epidemiology demonstrates that in many cases agents' individual decisions result in misalignment of incentives, and therefore economic intervention by a social planner is necessary. Although the evolution of the spread of a malicious agent has a dynamic nature, static models also manage to capture this incentive misalignment (for instance, heterogeneity of preferences in the population as we have in our model is sufficient to expose this, as also indicated by Francis 1997). Further, there are certain differences between the time frames of most cases of biological epidemics and computer network security attacks, which make a static model more suitable in the latter case by comparison. In dynamic models of biological epidemics, the spread depends on deaths, recoveries and the structural nature of contact among the agents, and hence the vaccination/prevention decisions evolve in time with the spread of the disease. This is because the time frame for the spread of a biological disease is several days, weeks or months in most cases if not longer. Further, individual vaccinations take a small amount of time compared to the epidemic time frame, and therefore, dynamic control of incentives with the evolution of an epidemic is possible. On the other hand, for most cases of computer network attacks, the broad spread of the "infection" may take minutes (e.g., Moore et al. 2003 and Shannon and Moore 2004), while patching often takes hours or sometimes even a full day or more (e.g., Nicastro 2005 and Leung 2005). Specifically, if a user's system is unpatched when an attack breaks on the network it is usually too late to patch. Therefore, in the computer security context, in order to shield from a potential attack, a user usually must patch before such an attack occurs. Thus, the patching decision is not as much related to the specific dynamics of the spread of infection in the network as the vaccination decisions in the dynamic context of a biological epidemic. Considering these facts and to keep the analysis simple, we employ a static model that captures the main economic trade-offs related to the spread of a computer worm in a network environment. Although our static approach is simpler compared to the dynamic models in the economics of biological epidemiology, it allows us to demonstrate the intuition behind our arguments and the effects of the incentive schemes that we analyze and compare.
Figure 1: Model Timeline
3 The Model and the Consumer Market Equilibrium
3.1 Model Description
There is a continuum of consumers whose valuations of a software product lie uniformly on $V = [0, 1]$. There are three periods: In the first period, given the price of the software, each consumer makes a decision whether to buy or not to buy the product. The software may have a potential security vulnerability. If there is a vulnerability, it can be exploited by hackers who write worms to cause damage to purchasing consumers' systems. In the second period, it is revealed whether the software has a vulnerability, and if there is a vulnerability, a patch is made available to the users (either by the vendor if the software is proprietary or by the developers of the freeware). At this stage, each user makes a decision whether to patch or not, considering the costs of patching versus value risked by not patching. If a consumer chooses to patch the software, she will incur an expected cost denoted by $c_p > 0$, which we refer to as the effective patching cost. This cost accounts for the money and effort that a consumer must exert in order to verify, test, and roll-out patched versions of existing systems.[1] Finally, if there is a security vulnerability, an attack may occur in the third period, and the unpatched consumers may get hit and incur losses. However, the consumers who patched in the second period are fully protected and do not incur any losses. The timeline is illustrated in Figure 1.

We denote the probability of both a security vulnerability and a worm attack occurring on the network with $\pi$. If the mass of the unpatched population in the network is $u$, then the probability that the worm will successfully penetrate the network and hit an unpatched user will be $\pi u$. If a user's system is unpatched and is hit by the worm, one would expect that she suffers a loss positively correlated with her valuation. That is, the consumers with high valuations will suffer higher losses than the consumers with lower valuations due to opportunity costs, higher criticality of data and loss of business. For simplicity, we assume that the correlation is of first order, i.e., the expected loss that a consumer with valuation $v$ suffers if she is hit by a worm is $\alpha v$ where $\alpha > 0$ is a constant.[2]

[1] Note that a single decision maker can own multiple hosts (e.g., servers) on which she makes purchasing and patching decisions. Technically, the analysis will not be affected as long as each decision maker owns at most countably many hosts.

[2] Note that this loss structure is robust to the exact information that the users have about the realizations of their losses, i.e., whether the users know exactly what their losses will be if they are hit by an attack or only have an ex-ante probability distribution on those losses. In the latter case, the losses integrate out of the expected payoff to the users into an expected loss $\alpha v$, and the rest of the analysis is unaffected.

We denote the strategy set for a given consumer with $S$. We refer to the purchasing decision as either buy, $B$, or not buy, $NB$. Similarly, the patching decision is denoted by either patch, $P$, or not patch, $NP$. The consumer action space then becomes $S = \{B, NB\} \times \{P, NP\} \setminus \{(NB, P)\}$, the last exclusion stemming from $(NB, P)$ clearly being infeasible. Given the price $p \geq 0$, in a consumer market equilibrium, each consumer maximizes her expected utility taking the equilibrium strategies for all consumers as fixed. For a strategy profile $\sigma : V \to S$, the expected cost faced by the consumer with valuation $v$ is then defined by

$$C(v, \sigma) \triangleq \begin{cases} \pi\, u(\sigma)\, \alpha v & \text{if } \sigma(v) = (B, NP); \\ c_p & \text{if } \sigma(v) = (B, P); \end{cases} \qquad (1)$$

where $u(\sigma) = \int_V \mathbf{1}_{\{\sigma(y) = (B, NP)\}}\, dy$ and $\mathbf{1}_{\{\sigma(y) = (B, NP)\}}$ is 1 if $\sigma(y) = (B, NP)$ and zero otherwise.[3] The surplus gained by the consumer with valuation $v$ by employing the software will then be $v - C(v, \sigma)$, less the price she pays for the software. The consumers who buy but do not patch cause a negative externality on all users by decreasing the safety of the network and the software. Clearly, for any $v \in V$, $C(v, \sigma)$ defined by (1) is increasing in $u(\sigma)$ (i.e., the unpatched population). Furthermore, consumers who patch protect themselves from the negative externality caused by the unpatched population. To avoid trivialities and without loss of generality, we focus on the parameter space where $c_p \in (0, 1)$, $\pi \in (0, 1]$, and $\alpha \in (0, \infty)$. For convenience, we refer to the product $\pi\alpha$ as the effective security risk.

[3] The notation "$\triangleq$" has the meaning "as a definition" throughout the paper.

3.2 Equilibrium

We will consider the software being offered by either a vendor (Section 4), in which case the price of the software will be determined by the vendor, or as freeware (Section 5), in which case the price will be zero. In this section, we derive the consumer market equilibrium taking the price $p$ as given. That is, we concentrate on the last two (purchasing and patching) out of three stages of decision making in the model. In equilibrium, holding all other consumers' actions fixed, i.e., given the equilibrium strategy profile $\sigma^*$, each consumer chooses the action from $S$ that maximizes her expected payoff. The following lemma gives the consumer market equilibrium.

Lemma 1. Given the parameters $\pi$, $\alpha$, $c_p$ and the consumer price $p \in [0, 1]$, there exists a unique equilibrium in the consumer market.[4] The equilibrium consumer strategy profile is characterized by $v_b, v_p \in [0, 1]$ and $v_b \leq v_p$ such that, for $v \in V$,

$$\sigma^*(v) = \begin{cases} (NB, NP) & \text{if } 0 \leq v < v_b; \\ (B, NP) & \text{if } v_b \leq v < v_p; \\ (B, P) & \text{if } v_p \leq v \leq 1. \end{cases} \qquad (2)$$

Let $\bar{p} \triangleq (1 - c_p)\left(1 - \frac{c_p}{\pi\alpha}\right)^+$. Given (2), the patching behavior is characterized by two regions in the parameter space:

Region I: If $\pi\alpha \geq c_p$ and $p < \bar{p}$, then

(i) When $p > 0$, in equilibrium, $p < v_b < p + c_p < v_p = \dfrac{c_p v_b}{v_b - p} < 1$.

(ii) When $p = 0$, if $c_p \leq \pi\alpha \leq 1/c_p$, then $v_b = 0$, and $v_p = \sqrt{c_p / (\pi\alpha)}$. If $\pi\alpha \geq 1/c_p$, then $v_b = c_p - \dfrac{1}{\pi\alpha}$, and $v_p = c_p$.

Region II: If $\pi\alpha < c_p$ or both $\pi\alpha \geq c_p$ and $p \geq \bar{p}$, then $0 < p < v_b < v_p = 1$.

[4] Uniqueness is naturally up to positive measure.
As can be seen from Lemma 1, in equilibrium, the population is segmented into three groups, namely non-buyers, buyers who do not patch in case of a vulnerability and buyers who do patch in case of a vulnerability. This separation occurs due to the monotonicity of the relative losses that arise from non-patching behavior in equilibrium: Given the risk that arises from the collective behavior of the population, if a consumer purchases the product, any consumer with higher valuation will prefer to purchase the product. Furthermore, if a consumer patches the product, any consumer with a higher valuation, who is facing a higher security risk, will also find it preferable to patch the product. This three-tier structure is consistent with observations that indicate higher valuation users (such as larger corporations and institutions) are more likely to be patchers, while the lower valuation users (such as small companies and home users) are less likely to patch and thus contribute to the faster spread of malicious code such as worms (Moore et al. 2002).

A patching population will exist only if the effective security risk is sufficiently high and the price is sufficiently low. If the price is sufficiently high, the patching population will be small, and no user will patch (i.e., $v_p = 1$). This remains true even as $\pi\alpha$ goes to infinity: The size of the patching population will shrink until it reaches a level where the equilibrium risk is finite and some users find it worthwhile to purchase the software and bear the risk (i.e., as $\pi\alpha \to \infty$, the purchasing population shrinks in the order of $1/\pi\alpha$).
The case when $p = 0$ is noteworthy. As can be seen from Lemma 1, when the effective security risk is low compared to the patching cost (i.e., when the market is in Region II), all consumers "buy" the product and no consumer patches. When expected security losses are moderate (i.e., when $c_p \leq \pi\alpha \leq 1/c_p$), all users still choose to employ the product, but in this case, since potential losses are high, some of them find it worthwhile to patch. When the effective security risk is high however (i.e., when $\pi\alpha > 1/c_p$), some consumers do not employ the software even though it is available for free.
Since $v_b < p + c_p$ in Region I, by Lemma 1, there is always a group of consumers who do not patch. Thus, the software always comes with a certain amount of risk unless the user patches it. Therefore, as can also be seen from the lemma (unless $p = 0$ and $\pi\alpha < 1/c_p$), the condition $v_b > p$ always holds and hence there is a population of users whose valuations are higher than the price but end up not purchasing the product, resulting in inefficiencies in product usage.

Thus far, we have focused our attention on self patching where consumers decide whether or not to patch in self-interest. Henceforth, we will denote this policy with the subscript "s" to separate it from the other policies we will be examining later in the paper. Further, we will utilize superscripts i and ii to indicate whether the measure of interest has an equilibrium outcome in Region I or Region II as described in Lemma 1, respectively.
4 Proprietary Software
Suppose that the software is offered by a profit maximizing vendor who sets the price. Without loss of generality, we assume that the marginal cost of production for each copy of the software is zero. Under self patching, given the effective patching cost ($c_p$), the effective security risk ($\pi\alpha$), and the consumer market equilibrium outcome of Lemma 1, the vendor faces the following optimization problem

$$\max_{p}\ \Pi_s(p) \triangleq p\,(1 - v_b) \qquad \text{s.t.}\quad 0 \le p \le 1, \qquad (3)$$

where $v_b$ is as described in Lemma 1. This problem has a well defined solution and, depending on the parameters, under optimal vendor pricing the consumer market equilibrium may or may not yield a patching population. Specifically, when the effective security risk is high, the vendor must price the software low to increase the purchasing population, and as a result, higher valuation customers will elect to patch, moving the equilibrium to Region I as specified in Lemma 1. On the other hand, when the security risk is low with respect to the patching costs, the vendor can optimally price the product high enough without reducing the buyer population, even driving the equilibrium to Region II of Lemma 1, where no consumer patches (see Lemma A.2 in the appendix for details on the vendor's optimal pricing behavior).
In this section, we will investigate the effects of security policies on social welfare. Therefore, before proceeding, we define the measure of social welfare. Adding the expected surpluses for the consumers and the vendor, we obtain the expected social welfare as

$$W(p) \triangleq \int_{\{v \in V:\ v > v_b\}} \bigl(v - C(v;\sigma^*)\bigr)\, dv. \qquad (4)$$

Notice that, in effect, $W(p)$ measures the expected social welfare generated by the policy under consideration by subtracting the security costs induced from the value generated by that policy.
4.1 Mandatory Patching
Under network effects, when consumers make self patching decisions, the population of consumers who purchase and choose not to patch can decrease the value of the product and consequently reduce vendor profits and social welfare. Therefore, one might suggest that mandating patching might be helpful by eliminating the unpatched population and hence reducing security losses associated with the product, as has been voiced and discussed by some experts and government authorities (e.g., Middleton 2001, Geer 2004 and Bragg 2004). In the context of computer networks, the monitoring and enforcement of the patching of software is easily technically implementable. Software that detects installation of updates for various applications (e.g., spyware protection definition files or even plain updates to Internet software such as media players) and practices such as disabling certain functionalities of machines that fail to demonstrate such installations in certain cases (as it is sometimes called, "blackholing") are in broad use today. Further, the fully observable nature of the technology also enables the contractibility of mandatory patching, and such a condition can easily be made part of a licensing agreement.
The questions then are: Can the vendor increase his profit by contractually mandating patching to the buyers? Can mandating patching increase social welfare? To answer these questions, we next consider a mandatory patching policy offered by the vendor to the consumers. That is, the purchase of the software involves a binding commitment to patch the software if a security vulnerability emerges. We will be using the subscript "m" to denote the mandatory patching policy.
Unlike with self patching, when patching is mandated, all consumers must decide whether to buy the software given that they must patch the software at an effective cost of $c_p$ due to security vulnerabilities. Consumers will purchase and patch the software per the purchase agreement with the vendor, and since there is no risk, it follows that $v_b = v_p = p + c_p$, which says that a consumer only buys the software if her valuation is higher than the price plus the effective patching cost.
Thus, the equilibrium is characterized by a single threshold valuation $v_m \triangleq p + c_p$. Consumers with valuations $v \ge v_m$ purchase and patch the software. Consequently, the profit function for the vendor is given by $\Pi_m(p) \triangleq p\,(1 - v_m) = p\,(1 - p - c_p)$, which is maximized at $p^*_m = (1 - c_p)/2$, with optimal profit $\Pi_m(p^*_m) = (1 - c_p)^2/4$. Then, by Lemma 1, the purchasing threshold under self patching satisfies $v_b < v_m$ for any $p$. Specifically, this inequality holds at $p^*_m$. Thus,

$$\Pi_s(p^*_s) \ \ge\ \Pi_s(p^*_m) = p^*_m\bigl(1 - v_b(p^*_m)\bigr) \ >\ \Pi_m(p^*_m). \qquad (5)$$
Intuitively, the vendor is better off by employing a self patching decision policy and charging the optimal price he charges under mandatory patching. Under such an action, all users who employed the product under mandatory patching would still be users. If the user with valuation $p^*_m + c_p$ patches under self patching, then the marginal consumer at this valuation level will purchase the product since her valuation is higher than $p^*_m$ and there is no security risk. If the user with valuation $p^*_m + c_p$ does not patch, it follows that the patching cost must be higher than the risk that the marginal user is facing, and she will again find the product attractive without patching in case a security vulnerability arises. In both cases, the user population will increase, i.e., the vendor can improve his profits by allowing users to make their own patching decisions and charging the same price as he would with a mandatory patching policy.
From the vendor's standpoint, consumers assuming risk in an incentive compatible way, by resolving their own trade-off between the risk of not patching and the cost of patching, is profitable. As a result, self patching yields higher profit for the vendor, i.e., mandatory patching strictly decreases vendor profits. As we mentioned above, this result is consistent with what is seen in the software industry. Although it is technologically feasible, vendors typically do not require the purchasing consumers to patch their systems when vulnerabilities arise.
While contributing to increased vendor profits, consumers assuming security risks as opposed to undergoing patching costs may increase total risk for the population through network effects and ultimately reduce social welfare. Therefore, one might argue that mandating patching can increase social welfare, and this possibility needs to be explored. The following proposition examines the effect of mandatory patching on the expected social welfare and shows that mandatory patching may in fact be undesirable.
Proposition 1
If (i) $\pi\alpha < c_p$; or (ii) $\pi\alpha \ge c_p$ and there is a population of users who are patching the software under the vendor's optimal pricing decision, then mandating patching decreases social welfare.
When the effective security risk is low compared to the patching cost (i.e., when $\pi\alpha < c_p$), mandating consumers to patch not only reduces the number of buyers but also forces some buying consumers to make socially inefficient decisions by undertaking high patching costs when it is unnecessary. Consequently, expected social welfare decreases with mandatory patching for such cases, as stated in part (i) of Proposition 1 and illustrated in panel (a) of Figure 2. When the security risk is high and there is a patching population under the vendor's optimal pricing (i.e., the market is in equilibrium Region I described in Lemma 1), the existence of a patching population makes the software safer and increases the value of the software. As a result, we again see that mandating patching decreases social welfare, as indicated in part (ii) of Proposition 1 and illustrated in panel (b) of Figure 2.
When $\pi\alpha \ge c_p$ and no consumer is patching in equilibrium, mandating patching can either decrease or increase the social welfare. If the patching cost and the security risk are both moderate, mandating patching can reduce the expected social welfare, as shown in panel (c) of Figure 2, by reducing the consumer base. However, when both the patching cost and the effective security risk are high, the vendor might find it optimal to price the product in such a way that the buying population is small, and no consumer finds it optimal to patch if a security vulnerability emerges. In such a case, mandating patching can increase the number of buyers since it forces the vendor to reduce prices significantly, which makes the software attractive to a higher number of consumers even when those consumers are forced to bear patching costs. As a consequence, mandating patching can increase social welfare. Such a case is illustrated in panel (d) of Figure 2.[5]

[Figure 2 plots not reproduced: four panels (a)–(d) of expected profit / social welfare against price $p$, with curves $\Pi_s^{i}$, $\Pi_s^{ii}$, $W_s$ and $W_m$.]

Figure 2: Expected social welfare and vendor profit as a function of price. The parameters are $c_p = 0.60$, $\pi = 0.50$, and $\alpha = 1$ for panel (a); $c_p = 0.60$, $\pi = 0.50$, and $\alpha = 7$ for panel (b); $c_p = 0.60$, $\pi = 0.50$, and $\alpha = 5$ for panel (c); and $c_p = 0.88$, $\pi = 0.50$, and $\alpha = 100$ for panel (d).
[5] This also demonstrates the difference in the effect of negative network externalities in the contexts of vendor intermediated software security and disease control. For instance, Brito et al. (1991) demonstrate that in the case of disease spread, where there is no intermediating vendor, mandating patching always decreases social welfare. In our case, however, mandating patching can make the vendor radically decrease the price of the software and cause an increase in usage, which in turn increases social welfare.

4.2 Patching Rebates
We have seen in Section 4.1 that contractually mandating consumers to patch does not improve vendor profit and is usually not helpful in increasing social welfare. The primary reason for the ineffectiveness of mandatory patching is that consumers are forced to bear the potential patching costs when they purchase the product, which negatively influences their purchasing behavior. This observation suggests that leaving the patching decision to the consumers is preferable, and other ways to improve users' patching behavior should be investigated. One way of doing so is to provide users with increased incentives to patch by offering rebates to patching customers. Such a mechanism can improve vendor profit by increasing the patching consumer population, thereby lowering the security risk of the software and allowing the vendor to charge a higher price to remaining consumers.
Based upon this intuition, we next consider an incentive scheme in which the vendor offers a compensation to consumers contingent upon their patching of the software product in case a security vulnerability arises. Specifically, each consumer who patches when a security vulnerability arises receives, in expectation, an effective rebate $0 \le r \le c_p$. We consider two cases: (i) the vendor determines the rebate to give to the patching customers by jointly optimizing the rebate amount and the price; and (ii) a social planner determines the rebate amount, and taking that rebate amount as given, the vendor determines the price of the software. We use a subscript "v" to denote that the rebate is determined by the vendor and a subscript "g" (for government) to denote that the rebate is determined by a social planner.
4.2.1 Vendor Determined Rebate
We first examine the incentives for a vendor to offer patching rebates. The expected profit for the vendor with an effective rebate $r$ can be written as $\Pi_v(p;r) \triangleq p\,(1 - v_b) - r\,(1 - v_p)$, and the vendor needs to optimize with respect to both the price and the rebate amount, i.e., he solves the following maximization problem:

$$\max_{p,\,r}\ \Pi_v(p;r) \qquad \text{s.t.}\quad 0 \le r \le c_p,\ \ 0 \le p \le 1, \qquad (6)$$

where $v_b$ and $v_p$ satisfy the conditions given in Lemma 1 with parameters $\pi\alpha$, $c_p - r$ and $p$. Here, the vendor is facing a trade-off: the higher the rebate paid to the consumers, the larger the population of consumers who patch. A larger patching population effectively increases the security of the software, thus allowing the vendor to increase his optimal price in such a way as to increase his expected profit. On the downside, if a security vulnerability arises, the vendor must assume a larger portion of the consumers' patching costs. Whether offering such a rebate can ever strictly increase the vendor's profit is an open question. The following proposition demonstrates that this is possible. Further, the proposition establishes the parameter ranges where the offering of such a rebate is desirable and not desirable for the vendor, as well as providing comparative statics for the optimal rebate and price.
Proposition 2
Consider a patching rebate offered by a software vendor.
(i) There exists a threshold $\bar{\omega} > 0$ such that if $\pi\alpha \ge \bar{\omega}$,
(a) A rebate policy can strictly increase the vendor's expected profit if and only if $c_p > 1/3$.
(b) The optimal rebate ($r^*_v$) and the optimal price ($p^*_v$) are decreasing in $\pi\alpha$.
(c) As $\pi\alpha$ becomes large, $r^*_v \to (3c_p - 1)/4$ and $p^*_v \to (1 + c_p)/4$.
(ii) If $\pi\alpha < c_p^2/(1 + c_p)$, then there does not exist a patching rebate, $r > 0$, that will increase the vendor's expected profit, i.e., the self patching policy is optimal for the vendor.
When both the patching cost and the effective security risk are high, the vendor must price low to induce purchases, and the consumer population consists of high valuation consumers who are sensitive to the security of the software. In such a case, by offering a rebate, he can induce an increased patching population and increase the security of the product. As a result, and because of the sensitivity of his users to the security of the software, he can then increase his price and consequently his profits. However, when the patching costs are sufficiently low, the vendor can price relatively high. Further, in that case, a larger patching population exists, and rebates may not help to further increase the patching population as significantly, while making the vendor unnecessarily provide incentives to users who would patch even without rebates. Consequently, offering rebates can backfire and reduce the vendor's profits, as stated in part (i) of Proposition 2.
When the expected security risk is sufficiently large, the optimal rebate amount and the optimal price decrease with increased security risk. In this region, a further increase in risk significantly reduces the purchasing population, and by reducing prices (which come with reduced rebates), the vendor can increase his sales. An increase in patching costs, however, reduces incentives to patch, and profit maximization calls for additional incentives to be provided to the consumers. When the expected security risk is low compared to the patching costs, it becomes relatively expensive for the vendor to incentivize consumers to patch, and rebates can result in losses for the vendor, as implied by part (ii) of Proposition 2.
Importantly, Proposition 2 is not about the weak increase in profits that comes with the addition of a degree of freedom to the vendor with the availability of a rebate offer. This proposition verifies that a rebate policy can indeed be effective under certain conditions due to network effects and characterizes these conditions. Further, it characterizes the effect of the problem parameters on the optimal rebate and price when a rebate is effective and hence gives insights about optimal network security risk sharing with the consumers from the point of view of the vendor.
4.2.2 Social Planner Determined Rebate
We next examine the case where a social planner chooses the amount of the patching rebate to maximize social welfare: that is, the planner decides the socially optimal amount of risk and responsibility that the vendor should assume for his product's security. Hence, the social planner's optimization problem can be written as

$$\max_{r}\ W_g(p(r);r) \qquad \text{s.t.}\quad 0 \le r \le c_p,\ \ p(r) = \arg\max_{0 \le p \le 1} \Pi_g(p;r), \qquad (7)$$

where $W_g(p(r);r) = \int_{v_b}^{v_p} v\bigl(1 - \pi\alpha\,(v_p - v_b)\bigr)\,dv + \int_{v_p}^{1} (v - c_p)\,dv$ and $\Pi_g(p;r) = p\,(1 - v_b) - r\,(1 - v_p)$, with $r$ chosen by the social planner rather than the vendor, and $v_b$ and $v_p$ are as given in Lemma 1 for parameters $\pi\alpha$, $c_p - r$ and $p(r)$. The following proposition characterizes the optimal rebate and price under this structure.
Proposition 3
Consider the social planner's problem given above.
(i) There exists a threshold $\bar{\omega} > 0$ such that if $\pi\alpha \ge \bar{\omega}$,
(a) A patching rebate policy strictly increases social welfare if and only if $c_p > 6 - \sqrt{33}$.
(b) There exist threshold values $\theta, \theta'$ such that $6 - \sqrt{33} < \theta < \theta' < 1$ and the optimal rebate ($r^*_g$) and the vendor's optimal price ($p^*_g$) are strictly increasing in $\pi\alpha$ if and only if $c_p > \theta'$ and $c_p > \theta$, respectively.[6]
(c) As $\pi\alpha$ becomes large, $r^*_g \to \bigl(c_p(12 - c_p) - 3\bigr)/16$ and $p^*_g \to (5 - c_p)(1 + c_p)/16$.
(ii) There exists a threshold $\underline{\omega} > 0$ such that if $\pi\alpha < \underline{\omega}$, then there does not exist a patching rebate, $r > 0$, that will increase the social welfare, i.e., patching rebates are ineffective.

[6] $6 - \sqrt{33} = 0.2554$, $\theta = 0.3692$, and $\theta' = 0.4347$ up to four significant digits. Details for the derivations are given in the proof of the proposition in the appendix.
When the software security risk is high and patching costs are high, under the vendor's optimal pricing, the patching population is small. Therefore, forcing the vendor to assume part of the risk by paying a rebate to the patching consumers may increase social welfare. Further, Proposition 3 indicates that when the cost of patching is low, forcing the vendor to offer a rebate can decrease social welfare by inducing inefficient patching behavior. When the patching costs are high enough to make rebates desirable, the optimal rebate and the corresponding vendor price decrease with increased security risk. On the other hand, when the patching costs are high, the patching population shrinks, and as the security risk increases, social welfare optimization requires increased rebates and, consequently, an increased software price. Further, both the optimal rebate and the induced vendor price are increasing in patching costs. Notice, however, that the optimal price can be increasing while the optimal rebate is decreasing in the security risk. Finally, when the security risk is too low compared to the patching costs, it is socially inefficient to induce a patching population through rebates.
In addition, when $r = c_p$, i.e., when a social planner imposes that the vendor cover all patching costs, it is easy to see that $W_g = W_m = 3(1 - c_p)^2/8$. Moreover, evaluating the first derivative of $W_g(r;p(r))$ in (7) at $r = c_p$, it follows that

$$\left.\frac{dW_g(r;p(r))}{dr}\right|_{r = c_p} = -\frac{c_p\,(1 + 3c_p)}{4\,\pi\alpha\, v_b^2} < 0.$$

Therefore we have $W_g > W_m$.
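The value $3(1 - c_p)^2/8$ quoted above follows directly from (4) once every buyer patches; the short derivation below is added here and is not part of the original paper.

```latex
\begin{aligned}
&\text{Mandatory patching: } v_b = v_p = v_m = p + c_p \text{ and } C(v;\sigma^*) = c_p \text{ for every buyer, so by (4)} \\
&W_m(p) = \int_{p + c_p}^{1} (v - c_p)\,dv = \tfrac{1}{2}\bigl[(1 - c_p)^2 - p^2\bigr], \qquad
W_m(p^*_m) = \tfrac{1}{2}\Bigl[(1 - c_p)^2 - \tfrac{(1 - c_p)^2}{4}\Bigr] = \tfrac{3}{8}(1 - c_p)^2 . \\
&\text{Planner rebate } r = c_p\text{: patching costs the user nothing, so } v_p = v_b = p \text{ and }
\Pi_g(p;c_p) = (p - c_p)(1 - p), \\
&\text{maximized at } p(c_p) = \tfrac{1 + c_p}{2} = p^*_m + c_p = v_m(p^*_m), \quad\text{hence}\quad
W_g\big|_{r = c_p} = \int_{(1 + c_p)/2}^{1} (v - c_p)\,dv = W_m(p^*_m) = \tfrac{3}{8}(1 - c_p)^2 .
\end{aligned}
```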
Panels (a) and (b) of Figure 3 illustrate the two possibilities for the vendor determined rebate. Panel (a) presents a scenario with low security risk. As can be seen from the figure and indicated in Proposition 2, in such a case, offering a rebate reduces the profits of the vendor. On the other hand, when the patching costs and the security risk are both high, the vendor can increase his expected profit by offering a rebate of $r^* = 0.282$ off the patching cost, as illustrated in panel (b), thereby increasing expected profits. Panels (c) and (d) of the figure show the two possibilities for the social planner determined rebate case. When the security risk is low, requiring the vendor to assume part of the responsibility through patching rebates is not helpful, as demonstrated in panel (c), since the increased network security induced by these rebates cannot compensate for the reduced usage resulting from the vendor's increased prices. The same conclusion holds when the security risk is high but the patching cost is sufficiently low, as the welfare curve for $c_p = 0.21$ in panel (d) demonstrates. However, when both patching costs and the security risk are sufficiently high, rebates can help to increase social welfare substantially, e.g., for $c_p = 0.70$, as can also be seen in panel (d).

[Figure 3 plots not reproduced: panels (a) "Vendor Det. Rebate (Low)" and (b) "Vendor Det. Rebate (High)" plot expected profit against price $p$ for several rebate levels (panel (a): $r = 0$, $r = 0.60$, $r = 0.75$; panel (b): $r = 0$, $r^* = 0.282$, $r = 0.65$); panels (c) "Government Det. Rebate (Low)" and (d) "Government Det. Rebate (High)" plot expected social welfare against the rebate $r$ (panel (c): two curves labelled 0.3 and 1.2, whose parameter symbol did not survive extraction; panel (d): $c_p = 0.21$ and $c_p = 0.70$).]

Figure 3: The effect of patching rebates on vendor profits and social welfare. Panels (a) and (b) are for the vendor determined rebate, and panels (c) and (d) are for the planner determined rebate case. For panel (a), $c_p = 0.80$, $\pi = 0.30$ and $\alpha = 1$; for panel (b), $c_p = 0.70$, $\pi = 0.50$ and $\alpha = 10$; for panel (c), $c_p = 0.80$; and for panel (d), $\pi = 0.50$, $\alpha = 20$, the left y-axis is scaled for the $c_p = 0.21$ case, and the right y-axis is scaled for the $c_p = 0.70$ case.
4.3 Usage Tax
As we have seen in the previous sections, poor patching behavior by the users introduces security risks on the entire user population. Further, the direction of this negative externality is from lower value consumers to higher value consumers, since lower value consumers are less likely to patch, which gets reflected as increased effective losses for higher value consumers. Therefore, one might argue that imposing a tax can improve the security of the network, vendor profits, or social welfare by eliminating a segment of lower value consumers from the user pool. In this section, we analyze this issue.
Suppose that each consumer is charged a tax $\tau > 0$ for a copy of the software. Taking this tax as given, the vendor optimizes the price he charges for the product. We use a subscript "t" to denote this tax policy. The purchasing threshold $v_b$ is now a function of the aggregate price, $p + \tau$, faced by the consumer. The profit for the vendor will then be $\Pi_t(p;\tau) \triangleq p\,\bigl(1 - v_b(p + \tau)\bigr)$. Additionally, for given $\tau$, we denote $p^*_s$ and $p^*_t$ as the maximizers of $\Pi_s$ and $\Pi_t$, respectively.
Figure 4 shows the effects of a tax policy. As can be seen from the figure, imposing a tax decreases the vendor's optimal price ($p^*_t$), but the price plus the tax ($p^*_t + \tau$), i.e., the effective amount that the consumers have to pay to use the software, is larger than the optimal vendor price with no tax. This is because the vendor's profit under a given tax $\tau > 0$ can be written as $\Pi_t(p;\tau) = \Pi_s(p + \tau) - \tau\bigl(1 - v_b(p + \tau)\bigr)$. The first order condition is then $\Pi'_t(p^*_t) = \Pi'_s(p^*_t) + \tau \cdot v'_b(p^*_t) = 0$. Since $v_b$ is increasing in $p$, we then have $\Pi'_s(p^*_t) < \Pi'_s(p^*_s - \tau) = 0$, and since the vendor's profit function is concave, it follows that $p^*_t + \tau > p^*_s$. As a result, the vendor's profit declines, as can be seen in the figure. Further, a positive tax also decreases social welfare, since welfare is decreasing in the effective consumer price in this region as well.

[Figure 4 plot not reproduced: against the tax $\tau$ on $[0, 1]$, the left axis ("Optimal Price and Tax") shows $p^*_t$ and $p^*_t + \tau$, and the right axis ("Optimal Expected Profit and Social Welfare") shows $\Pi_t(p^*_t,\tau)$ and $W_t(p^*_t,\tau)$.]

Figure 4: The effect of a tax on proprietary software. Parameters are $c_p = 0.70$ and $\pi\alpha = 0.30$.
In summary, taxes do not increase vendor profits, and due to the vendor's endogenous price setting at a level where decreasing the user population decreases welfare, taxes do not increase social welfare for proprietary software. However, with freeware, taxes can be a powerful tool to improve social welfare, as we will discuss in Section 5.3.
4.4 Policy Comparison Summary for Proprietary Software
In this section, we summarize how the different policies considered thus far perform relative to one another, highlighting the results, comparisons, and the recommendations that emerge from them.
When the expected security risk and the patching costs are high, a social welfare maximizing planner should employ patching rebates. Specifically, for such cases we have found that $W_g > W_s > W_m, W_t$. Under high security risk, a planner may choose to force the software vendor to assume part of the users' patching costs via rebates. In response, the vendor will increase the price of the software, which decreases usage and hurts welfare. However, the net effect is a strict increase in welfare if patching is costly beyond a threshold. Further, under self patching, the vendor prices the software in a way that a patching population exists, which ensures higher welfare than under mandatory patching. Additionally, under high security risk, taxes are ineffective.
On the other hand, for low patching cost and regardless of security risk, patching rebates hurt social welfare. We find that $W_s > W_g, W_m, W_t$ and conclude that it is advisable to keep the status quo, i.e., self patching. For low effective security risk, an imposed rebate results in socially inefficient patching decisions. Further, mandatory patching, though increasing the security of the product, inefficiently reduces the user population and yields a decrease in expected social welfare.
From the vendor's point of view, mandating patching, although increasing software security, decreases profits. For high security risk, the value of the product for the consumers is low. Therefore, it may be desirable for the vendor to offer patching rebates to increase usage. However, paying patching rebates also decreases vendor profits, and the net effect can be negative. We show that, under high security risk, rebates increase profits if and only if the patching costs are higher than a threshold level. That is, under high security risk and patching costs, $\Pi_v > \Pi_s > \Pi_m$, and hence a rebate policy is preferable. When the security risk is low, on the other hand, offering a rebate becomes too costly. Therefore, under such conditions, $\Pi_s > \Pi_v, \Pi_m$, and a self patching policy is more profitable (note also that a planner imposed usage tax always decreases vendor profits).
5 Freeware
We next turn our attention to a software product offered to consumers as freeware. Freeware is often open source software, which is typically developed and maintained by a group of software enthusiasts. These developers share the product with the public for free and hope to make it increasingly feature rich and more secure with broader public participation. Freeware products have governing bodies that promote development and distribution as well as providing organizational, legal, and financial support. For instance, the Free Software Foundation (FSF), which was founded in 1985, promotes the development and use of free software and documentation. The FSF is closely tied to the GNU Project and the GNU General Public License (GNU GPL). In essence, the GNU GPL keeps all software that comes out of the FSF and GNU Project free to the public domain. Furthermore, any modifications to that software must remain free to the public domain. When a security vulnerability arises within an open source software product, patches are typically readily made available by the developers of the software or possibly even third party support companies, in light of the fact that open source software is transparent (Maguire 2004). Another example of such a governing body is the Apache Software Foundation (ASF), which oversees the Apache projects.
Freeware is also vulnerable to security attacks, and such attacks can be as damaging and costly as they would be for proprietary software (US-CERT 2004). The security of freeware as perceived by the potential users naturally affects the usage and consequently the value derived from the software in the user community. In this section, we compare policies that can be implemented by a social planner or the governing body of a freeware product to improve social welfare.
5.1 Mandatory Patching
Since freeware is available to consumers at zero price, a large population of users may develop. This increase in the number of users leads to an increased population of non-patching users, which in turn increases the negative network security externalities and consequently hurts social welfare. The governing body for a freeware product (such as the ASF for Apache projects) has authority over managing licenses for the software supported by these projects. Therefore, the technical mechanisms that enable the implementation of mandatory patching for proprietary software, described in Section 4.1, can also be used for freeware, and such policies can be included as a part of the license agreement if the governing body or a social planner sees fit. However, there is a critical trade-off here: if patching is mandated to users, only the consumers whose valuations justify the costs of patching would employ the product. As a result, some of the current population of consumers would be lost while the remaining population would enjoy a secure product. Thus, surplus generation from usage would decrease along with the expected security losses, and the net effect on social welfare needs to be determined.
By (1), $C(v;\sigma^*) \le c_p$ holds and hence $\bigl(v - C(v;\sigma^*)\bigr)^+ \ge (v - c_p)^+$ for all $v \in V$. Noting that $p = 0$, it then follows that

$$W_s(0) = \int_V \bigl(v - C(v;\sigma^*)\bigr)^+ dv \ \ge\ \int_V (v - c_p)^+\, dv = W_m(0); \qquad (8)$$

that is, mandating patching for freeware reduces social welfare.[7] In short, mandating patching induces users to take actions that are welfare-inferior to their self patching decisions, and therefore cannot be helpful. Intuitively, and similar to the case for proprietary software, all consumers who use the product under the mandatory patching policy would still be users under the self patching policy since their expected security losses are bounded by $c_p$. If the user with valuation $c_p$ patches under self patching (assuming the user population stays the same), the product will be attractive to the marginal non-user under mandatory patching since there will be no risk associated with the product. If the user with valuation $c_p$ does not patch under the self patching policy, then the risk associated with the product must be lower than $c_p$, and hence the product will again be attractive to the marginal non-user. In both cases, the welfare will (at least weakly) increase since a larger population of users, including those with valuations below the threshold under mandatory patching, contribute non-negatively to the welfare.[8]

[7] Notice that each user has two separate effects on social welfare: First, she contributes her own surplus, i.e., $\bigl(v - C(v;\sigma^*)\bigr)^+$. Second, because of negative network externalities, her decision also impacts other users' surpluses by affecting the term $C(v;\sigma^*)$ in the corresponding expressions. When calculating welfare, the latter effect shows itself in other users' surpluses and hence is also included in the calculation of the surplus given in (8).
[8] This result is parallel to the result in Brito et al. (1991), which states that for the case of an infectious disease, mandating vaccination cannot increase social welfare. Specifically, both results state that with negative network externalities, self-protection decisions are socially more efficient compared to forced protection. However, the two results are different. In our case, each consumer makes a usage decision by comparing the type dependent losses from being infected by a worm (that increase with the size of the unpatched population) to the constant patching costs and
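As an added numerical illustration (my own code, not the authors'), the following Python reconstructs the consumer equilibrium of Lemma 1 from the expected-loss form $\pi\alpha\,v\,(v_p - v_b)$ that appears in the $W_g$ integrand of (7) and checks inequality (5) at the Figure 2(b) parameters as well as inequality (8) for freeware. The two threshold equations, the Region I/II test and the handling of the zero-price boundary case are my reading of the lemma, which this excerpt does not reproduce, and are assumptions rather than text from the paper.

```python
"""Added numerical check of inequalities (5) and (8); not the authors' code.

ASSUMED reconstruction of the Lemma 1 equilibrium (the lemma itself is not
reproduced in this excerpt): valuations v are uniform on [0, 1]; a buyer who
does not patch expects a loss pa * v * (v_p - v_b), proportional to her
valuation and to the mass of unpatched users (the integrand of W_g in (7));
a patcher pays c_p instead.  Hence, in Region I,
    pa * v_p * (v_p - v_b) = c_p        (marginal patcher is indifferent)
    v_b * (1 - pa * (v_p - v_b)) = p    (marginal buyer is indifferent)
while in Region II nobody patches and v_p = 1.  pa stands for pi*alpha.
"""
from math import sqrt


def equilibrium(p, cp, pa, tol=1e-12):
    """Return the thresholds (v_b, v_p) for price p, patching cost cp, risk pa."""
    # Region II candidate: v_p = 1 and v_b is the non-negative root of
    # pa*v^2 + (1 - pa)*v - p = 0 (v_b = 0 when p = 0 and pa <= 1).
    vb2 = ((pa - 1.0) + sqrt((1.0 - pa) ** 2 + 4.0 * pa * p)) / (2.0 * pa)
    if pa * (1.0 - vb2) <= cp:
        return vb2, 1.0          # even the v = 1 user prefers not to patch
    # Region I: with d = v_p - v_b we get v_p = cp/(pa*d), v_b = p/(1 - pa*d),
    # so d is the unique root of the strictly decreasing f on (0, 1/pa).
    def f(d):
        return cp / (pa * d) - p / (1.0 - pa * d) - d
    lo, hi = 1e-12, (1.0 - 1e-12) / pa
    if f(hi) >= 0.0:
        # Only reachable for p = 0 with pa > 1/cp: the unpatched mass settles
        # at exactly 1/pa, every non-patcher has zero surplus, and users below
        # v_b = cp - 1/pa stay away from the free product (Section 3 case).
        return cp - 1.0 / pa, cp
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if f(mid) > 0.0:
            lo = mid
        else:
            hi = mid
    d = 0.5 * (lo + hi)
    return p / (1.0 - pa * d), cp / (pa * d)


def welfare(vb, vp, cp, pa):
    """W of (4): unpatched users on [vb, vp) keep v*(1 - pa*(vp - vb)),
    patchers on [vp, 1] keep v - cp (closed form of the W_g integrals)."""
    unpatched = (1.0 - pa * (vp - vb)) * (vp ** 2 - vb ** 2) / 2.0
    patched = (1.0 - vp ** 2) / 2.0 - cp * (1.0 - vp)
    return unpatched + patched


def profit(p, vb):
    """Vendor profit p*(1 - v_b) at zero marginal cost."""
    return p * (1.0 - vb)


def mandatory_price(cp):
    """p*_m = (1 - c_p)/2, the maximizer of Pi_m(p) = p*(1 - p - c_p)."""
    return (1.0 - cp) / 2.0


def compare_mandatory(cp, pa):
    """Inequality (5): self patching at the mandatory optimum p*_m beats the
    mandate.  Returns (Pi_s(p*_m), Pi_m(p*_m), W_s(p*_m), W_m)."""
    pm = mandatory_price(cp)
    vm = pm + cp                      # under a mandate v_b = v_p = p + c_p
    vb, vp = equilibrium(pm, cp, pa)
    return (profit(pm, vb), profit(pm, vm),
            welfare(vb, vp, cp, pa), welfare(vm, vm, cp, pa))


def freeware_welfare(cp, pa):
    """Inequality (8): W_s(0) versus W_m(0) for freeware (mandate threshold c_p)."""
    vb, vp = equilibrium(0.0, cp, pa)
    return welfare(vb, vp, cp, pa), welfare(cp, cp, cp, pa)


if __name__ == "__main__":
    # Figure 2(b) parameters: c_p = 0.60, pi = 0.50, alpha = 7, so pa = 3.5.
    pi_s, pi_m, w_s, w_m = compare_mandatory(0.60, 3.5)
    print(f"(5): Pi_s(p*_m)={pi_s:.4f} > Pi_m(p*_m)={pi_m:.4f}; "
          f"W_s(p*_m)={w_s:.4f} > W_m={w_m:.4f}")
    for pa in (0.3, 1.0, 3.0):        # the three p = 0 cases of Section 3
        vb, vp = equilibrium(0.0, 0.60, pa)
        print(f"p=0, pa={pa:.1f} -> (v_b, v_p) = ({vb:.3f}, {vp:.3f})")
    w_s0, w_m0 = freeware_welfare(0.60, 1.0)
    print(f"(8): W_s(0)={w_s0:.4f} >= W_m(0)={w_m0:.4f}")
```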
5.2 Patching Rebates
As we have seen in Section 5.1, mandatory patching is ineffective at increasing the social welfare associated with freeware, since such a policy improves the security of the product but results in consumers making socially inefficient decisions. Therefore, policies that can improve network security while leaving the patching decisions to consumers should be investigated. Hence, we next consider a policy in which a patching rebate is offered by a social planner to the consumers of the freeware. That is, similar to the rebate policy we discussed in Section 4.2, in the face of a security vulnerability, with a patch made available by the freeware developers, consumers who patch will receive an effective rebate $r > 0$ as an incentive. In this case, the rebate is given by a social planner.
There is a growing call for and discussion on government intervention for software security. The recommendations invite the government to play a more active role in improving software security by the implementation of a mix of market and regulatory efforts. The aim of these suggested efforts is to induce vendors to write more secure software as well as to induce computer users and network operators to better maintain the security of their own systems (see, e.g., Mimoso 2003, Krim 2004, Joyce 2005). The patching rebates for freeware can be implemented as corporate or individual tax rebates or credits. Such tax rebates are employed as tools in many other cases when the government wants to regulate compliance with good behavior in cases with negative externalities (Lyne 2001). The following proposition explores the effectiveness of such a rebate policy.
Proposition 4
Consider a patching rebate o®ered by a social planner to users of a freeware product.
(i)
If ¼® · 2c
p
=3 or ¼® ¸ 32=(27c
p
),then for all r > 0,o®ering a patching rebate r decreases
the expected social welfare.
(ii)
If 2c
p
=3 < ¼® < 32=(27c
p
),then it is possible to improve the expected social welfare with a
positive patching rebate.Further,the social welfare maximizing rebate is given by r
¤
g
= c
p
=3.
As in the case of proprietary software,patching rebates increase the security of freeware as
well.However,some users may be induced to patch when it is not socially e±cient.The main
trade-o® is between the welfare loss endured by inducing such users to patch and the welfare gain
obtained by the network e®ects of increased security.Part (i) of Proposition 4 states that when the
software security risk is low,rebates are ine®ective.In such cases,the social value of the network
e®ects is relatively low,and the losses from ine±cient patching dominate.In addition,when the
security risk is high,the patching population is small and as rebates increase the size of the patching
population,new non-patching users join and wipe out the positive network e®ects gained.When
the security risk is at a moderate level,however,rebates can be e®ective as stated in part (ii)
subsequently comparing the minimum of these two quantities to the type dependent bene¯t of using the software.
This usage decision by the consumers plays a particularly key role for the other policies we consider (Sections 5.2,
5.3) and for proprietary software (Section 4).
23
of Proposition 4.In summary,a patching rebate policy can improve social welfare generated by
freeware for a moderate risk level,but for su±ciently low or high levels of risk,such a policy may
end up decreasing social welfare.
5.3 Usage Tax

In Section 5.2, we presented a rebate based policy that was able to induce patching behavior and yield higher social welfare for certain cases. However, in Proposition 4, we saw that such a policy can be ineffective at the two ends of the security spectrum, where the expected security losses are small or large. Since consumers acting in self-interest impose a security risk on other consumers through network effects, a mechanism that drives out some of the consumers who have low valuations but create negative externalities on other users by not patching can be helpful. This mechanism can be achieved by imposing a small "price" or "tax" on the freeware. Such a policy, by forcing certain low valuation consumers out of the system, can eliminate the negative security externalities that they cause and can help improve the net social welfare obtained from the freeware. Notably, this policy aims at the opposite effect of a patching rebate policy, since a rebate mechanism intends to encourage non-users of the product to reconsider its use. From the consumers' point of view, a tax imposed by a social planner is identical to a price charged by a vendor. However, in this case, the tax payment that the consumers must make in order to use the freeware is set to maximize social welfare. Therefore, the relevant region is the lower end of the tax (or price) spectrum, with decisions focusing on whether or not to impose such a small payment. The following proposition explores the effectiveness of a tax policy.

Proposition 5

(i) There exists a $\tau > 0$ such that the expected social welfare can be increased by imposing a user tax of $\tau$ on the freeware product.

(ii) There exist threshold values $\underline{\omega}$ and $\overline{\omega}$ such that $0 < \underline{\omega} \le \overline{\omega}$ and, when $\pi\alpha < \underline{\omega}$, the optimal user tax increases with $\pi\alpha$ and is not affected by increases in $c_p$; and when $\pi\alpha > \overline{\omega}$, the optimal user tax increases with $c_p$ and decreases with $\pi\alpha$.

Proposition 5 states that a certain level of usage tax can always improve the expected social welfare for freeware under network effects by eliminating consumers whose valuations are low but who cause negative security externalities on all users by not patching. This result is in contrast to the corresponding case for proprietary software (Section 4.3). The reason for the effectiveness of a tax policy with freeware is the lack of a profit maximizing vendor who reduces social welfare by limiting usage through a price set to maximize profit. With proprietary software, the vendor is already endogenously pricing the product in a range where the network effects from eliminating part of the user population through additional taxation are inefficient. Imposing a tax in that case makes the vendor respond by decreasing the price, but the effective price the customers perceive (i.e., the vendor price plus tax) increases, thus eliminating users and decreasing social welfare. However, Proposition 5 states that when the price is zero, the usage threshold is always low enough that a usage tax can sufficiently reduce negative network externalities to improve social welfare.

Proposition 5 also states that when $\pi\alpha$ is low enough, the optimal tax, though eliminating some low valuation users, will not induce a patching population and hence will not depend on $c_p$. But for such cases, increased security risk makes it optimal for a social planner to increase the tax, since the effect of network externalities dominates the value loss. On the other hand, when the security risk is large, the usage levels fall and the proposition states that the optimal tax decreases with increased security risk. However, in this region, increased patching costs impose heavy security risks due to reduced patching, which, in turn, makes it optimal to increase the usage tax to compensate.
5.4 Policy Comparison Summary for Freeware

In this section, we give a comparison and summary of our policy analysis for freeware. First, we have shown that mandatory patching is always inferior to self patching. In contrast, we have seen that rebates and taxes can help to increase welfare. We have found that taxes can strictly increase social welfare for all parameter values, but rebates are ineffective when $\pi\alpha \le 2c_p/3$ or $\pi\alpha \ge 32/(27c_p)$. For these parameter ranges, taxes are strictly better than rebates. The question then becomes whether rebates can ever be recommended over taxes. The following proposition answers this question.

Proposition 6
There exists a threshold $\underline{\theta} \in (0,1)$ such that when $c_p < \underline{\theta}$ and $2c_p/3 \le \pi\alpha \le \underline{\theta}$, social welfare is greater under the optimal rebate policy compared to that of the optimal tax policy.

Figure 5 demonstrates the difference between the expected welfare that can be obtained by the optimal tax and rebate policies, i.e., the difference between the expected social welfare under the optimal tax $\tau_t^*$ ($W_t(0,\tau_t^*)$) and under the optimal rebate $r_g^*$ ($W_g(0,r_g^*)$). As can be seen from the figure, the tax policy is dominant for most of the parameter space and is especially dominant when security risk is high, i.e., when $\pi\alpha$ is large. When the patching cost and the effective security risk are low, taxes have less impact, since the negative network externalities are relatively less important. On the other hand, in this region, rebates are effective since it is relatively cheaper to induce users to patch, and therefore a rebate policy, which by its nature keeps all willing users active, can achieve better results than a tax policy.

Recall that, for proprietary software, usage taxes are detrimental to social welfare, and hence rebates are preferred whenever they are effective (Sections 4.2 and 4.3). However, a usage tax is quite effective for freeware and is the dominant instrument for a social planner in that case. As we discussed in detail in Section 5.3, the main reason for this difference is the vendor's pricing response to a usage tax. Hence, we conclude that it may be advisable for social planners to consider usage taxes only in the case of freeware.

[Figure 5: surface plot of $W_t(0,\tau_t^*) - W_g(0,r_g^*)$; horizontal axes $c_p$ (ticks 0, 0.5, 1) and a second parameter axis (ticks 0 to 2); vertical axis ticks from -0.02 to 0.18.]
Figure 5: Expected social welfare difference between optimal tax and rebate policies for freeware.

In summary, for freeware, when the security risk or patching cost is sufficiently high, $W_t > W_s > W_g, W_m$, i.e., a tax policy dominates. On the other hand, when the security risk and patching costs are low and the security risk is not too low compared to the patching costs, $W_g > W_t > W_s > W_m$, i.e., a rebate policy is most effective.
6 Concluding Remarks

In this paper, we presented a model of network software security to demonstrate that in a network environment, where the software security maintenance of each user affects the riskiness and consequently the value of the software for other users, incentives can be a useful tool for both a profit maximizing vendor and a social welfare maximizing planner. In particular, we explored and compared four policies to manage network software security in both proprietary software and freeware contexts: (i) Consumer self patching; (ii) Mandatory patching; (iii) Patching rebate; and (iv) Usage tax. We have compared the preferability of these policies for a vendor (in the case of proprietary software) and a social planner (in the cases of both proprietary software and freeware). We have demonstrated that rebates and self patching are dominant for proprietary software, whereas for freeware, taxes compete with rebates, and self patching becomes strictly dominated. Mandatory patching is found to be suboptimal across the board. The main difference between the results for the cases of proprietary software and freeware stems from the fact that for proprietary software, the vendor internalizes the effect of any policy on the users and reflects it in his price. This is because changes in users' incentives directly affect the vendor's profits, and induce him to provide a feedback loop by adjusting his price in response. As a result, the social planner's role is more direct and critical in the case of freeware.

Another method of improving user patching behavior would be to directly reduce the patching costs that users face. One way of achieving this is the software vendor's development of an automated patching solution. Automated patching aims to lower patching costs for users, ideally to zero. If such an idealized scenario were possible, i.e., if the patching costs were zero, all users would patch immediately after the release of a patch for a vulnerability. This would eliminate any effective security risk and negative network effects, and no issues related to the spread of malicious code in the network would be present. However, achieving an effective automated patching solution is not an easy task, since each patching problem has unique aspects and each user's system has a more or less unique configuration. Therefore, effective patch management is a highly time and resource consuming activity, and a "one-size-fits-all" approach is unlikely to be an immediate remedy, as is also widely acknowledged by practitioners (see, e.g., Messmer 2004a, Bentley 2005). Also note that an automated patching solution only affects the portion of the patching costs associated with the actual deployment of the security patch. The larger portion of the patching costs is due to the labor needed to verify that the security patch works as advertised without breaking any application interaction. Such testing of a security patch usually takes place on a staging server before deployment of the patch to a production server. If a user patches, she must go through these necessary steps to ensure that the security patch works without causing the production server to fail. Therefore, patching costs are an innate part of network software security maintenance and should not be neglected as determinants of user patch behavior and ultimately network security.

Our model applies to cases where there is a window for patching between the time a security patch is made available and when an attack occurs, as was the case for most major worms in the past. However, in some cases "zero day" attacks also occur before or right as patches are released (Shannon and Moore 2004). Analyzing the effect of such cases on user incentives would be an interesting future research topic. In addition, our main concern in this paper is the spread of malicious code that exploits a patchable vulnerability in a common software product over a network of interconnected users. However, certain high profile users can be specifically targeted for attacks, such as the DoS attack experienced by Yahoo in 2000 (Williams 2000). These specific risks are essentially separate in character from the risks associated with the spread of a worm. Examining the security threats for such attacks under network environments would be an interesting future research topic. Also, in our model we assume a uniform distribution of valuations. Although most of our results (such as the threshold valuation characterization of the equilibrium and the inferiority of mandatory patching) are robust to the distributional assumption, one future avenue for research could be extending our results to general distributions.

Another interesting extension of our model could be analyzing the vendor's problem of inducing optimal patching activity levels based on the users' valuations by offering a non-linear patching rebate schedule. Given that the users have different valuations and correlated losses in case of an attack, there may be gains from allowing users to decide the level of their patching activity and receive rebates accordingly. In a separating equilibrium, a software vendor can then offer a non-linear schedule of patching rebates to induce a target level of patching activity for each "type" of customer, monitor the patching levels (something he can observe), and use them as a proxy to award rebates based on consumer valuations (something he cannot directly observe or price discriminate on). The employment of such a price/rebate schedule may not only benefit the vendor but also improve social welfare by allowing users to choose patching activities at socially efficient levels.

One might also investigate the vendor's incentives for disclosure of vulnerabilities to the public. It is typically the case that vulnerabilities in software are discovered by either the vendor or benevolent users before hackers. In such instances, the vendor usually has a grace period to develop and release patches before the existence of these vulnerabilities is publicly announced. The length of that grace period may have implications for the incentives for patch development by the vendor, and these issues are topics for ongoing research (e.g., Arora et al. 2005, Choi et al. 2005, and Jaisingh and Li 2005). Mechanisms that target user incentives, used in conjunction with control of the vulnerability disclosure grace period, can prove to be powerful at improving software security, and this is an interesting topic for future research.

Our goals in this paper were first to establish that when dealing with network security issues, policies targeting user incentives can be effective tools; and second to gain insights into the types of incentive mechanisms that may be helpful in increasing the value generated by network software in the face of security vulnerabilities. In today's highly interconnected environment, where many consumers still do not maintain the security of their software adequately, resulting in losses from hacker attacks that amount to billions of dollars, policies that can induce increased consumer security by taking user incentives into account are needed. Our results may give guidance and insight to software companies and policy-makers to work on such strategies and ultimately help reduce the tremendous losses that occur from computer security incidents every year.
References

Anderson, R. J. (2001). Why information security is hard – an economic perspective. In Proc. of the 17th Annual Computer Security Applications Conf., pp. 358–365. IEEE Computer Soc.
Anderson, R. M. and R. M. May (1991). Infectious Diseases of Humans: Dynamics and Control. Oxford Univ. Press.
Arora, A., R. Telang, and H. Xu (2005). Optimal policy for software vulnerability disclosure. Working Paper, Carnegie Mellon Univ.
Bailey, N. T. (1975). The Mathematical Theory of Infectious Diseases and its Applications. Oxford Univ. Press.
Bentley, A. (2005, October). Developing a patch and vulnerability management strategy. http://www.scmagazine.com.
Bloor, B. (2003). The patch problem: It's costing your business real dollars. Baroudi Bloor. http://www.baroudi.com/pdfs/patch.pdf.
Bragg, R. (2004, February). The perils of patching. Redmondmag.com.
Brito, D. L., E. Sheshinski, and M. D. Intriligator (1991, June). Externalities and compulsory vaccinations. J. Public Econ. 45(1), 69–90.
Cavusoglu, H., H. Cavusoglu, and J. Zhang (2005, September). Security patch management: Share the burden or share the damage. Working Paper, Univ. of British Columbia.
CERT (2004). CERT/CC statistics 1988-2003. CERT Coordination Center. http://www.cert.org/stats.
Choi, J. P., C. Fershtman, and N. Gandal (2005, April). Internet security, vulnerability disclosure and software provision. Extended Abstract.
ComputerEconomics (2004, February). The cost impact of major virus attacks since 1995. Computer Economics.
D'Amico, A. D. (2000, September). What does a computer security breach really cost? Secure Decisions, Applied Visions Inc.
Davidson, M. A. (2004, June). Automatic software patching: Boon or bane? GlobeAndMail.com.
Francis, P. J. (1997). Dynamic epidemiology and the market for vaccinations. J. Public Econ. 63(3), 383–406.
Garg, A. (2003, Spring). The cost of information security breaches. CrossCurrents, Ernst & Young.
Geer, D. E. (2004, May). The economics of shared risk at the national scale. Available at http://www.dtc.umn.edu/weis2004/weis-geer.pdf.
Geoffard, P.-Y. and T. Philipson (1996). Rational epidemics and their public control. Int. Econ. Rev. 37(3), 603–624.
Gersovitz, M. (2003). Births, recoveries, vaccinations and externalities. In Economics for an Imperfect World: Essays in Honor of Joseph E. Stiglitz, Cambridge, MA, pp. 469–483. MIT Press.
Gersovitz, M. and J. S. Hammer (2004). The economical control of infectious diseases. Econ. J. 114(492), 1–27.
Gersovitz, M. and J. S. Hammer (2005). Tax/subsidy policies toward vector-borne infectious diseases. J. Public Econ. 89(4), 647–674.
Goldman, S. M. and J. Lightwood (2002). Cost optimization in the SIS model of infectious disease with treatment. Top. Econ. Anal. Policy 2(1), 1–22.
InternetWorldStats (2004, September). World internet usage and population statistics. InternetWorldStats.com. http://www.internetworldstats.com/stats.htm.
Jaisingh, J. and Q. Li (2005, November). The optimal time to disclose software vulnerability: Incentive and commitment. Working Paper, Hong Kong Univ. of Science and Technology.
Joyce, E. (2005, February). More regulation for the software industry? EnterpriseITPlanet.com. http://www.enterpriseitplanet.com/security/news/article.php/3483876.
Kessing, S. and R. Nuscheler (2003, June). Monopoly pricing with negative network effects: The case of vaccines. Working Paper, Social Science Research Center Berlin.
Kremer, M. (1996). Integrating behavioral choice into epidemiological models of AIDS. Quart. J. Econ. 111(2), 549–573.
Krim, J. (2004, April). U.S. goals solicited on software security. WashingtonPost.com.
Kunreuther, H. and G. M. Heal (2002). Interdependent security: The case of identical agents. Working Paper, Columbia Univ.
Kunreuther, H., G. M. Heal, and P. R. Orszag (2002). Interdependent security: Implications for homeland security policy and other areas. The Brookings Institution, Policy Brief #108.
Lemos, R. (2003, August). Squashing the next worm. CNET News.com.
Lemos, R. (2004, March). Witty worm proves patching 'not viable'. CNET News.com.
Leung, L. (2005, January). Patching takes over IT for a day. Techworld.com.
Lyne, J. (2001, May). EPA offers incentives to firms that adopt telecommuting in five U.S. metros. Online Insider. http://www.conway.com/ssinsider/incentive/ti0105.htm.
Maguire, J. (2004, January). Who's patching open source? Enterprise Linux IT.
Messmer, E. (2004a, May). Can software patching be automated? Network World Fusion. http://www.nwfusion.com/weblogs/security/005182.html.
Messmer, E. (2004b, May). Sasser worm exposes patching failures. Network World Fusion. http://www.nwfusion.com/news/2004/0510sasser.html.
Middleton, J. (2001, December). U.S. government calls for enforced patches. Vnunet.com.
Mimoso, M. (2003, September). Regulation, bad software, new threats fodder for Congress. SearchSecurity.com.
Moore, D., V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver (2003). The spread of the Sapphire/Slammer worm. http://www.cs.berkeley.edu/~nweaver/sapphire/.
Moore, D., C. Shannon, and J. Brown (2002). Code-Red: a case study on the spread and victims of an internet worm. In Proc. of the Second ACM SIGCOMM Workshop on Internet Measurement, pp. 273–284.
MS-Support (2004, June). IIS problems after applying a security patch. Microsoft Corporation.
Nicastro, F. (2005, September). Network security tactics. Step-by-step guide: How to deploy a successful patch. Searchsecurity.techtarget.com.
Schweitzer, D. (2003, August). Emerging technology: Patch me if you can! NetworkMagazine.com.
Shannon, C. and D. Moore (2004, August). The spread of the Witty worm. IEEE Security and Privacy 2(4), 46–50.
Sullivan, B. (2004, May). 'Sasser' infections begin to subside. MSNBC.com. http://www.msnbc.msn.com/id/4890780/.
Symantec (2004, July). Automating patch management. Symantec Corporation.
Timms, S., C. Potter, and A. Beard (2004, April). Information security breaches survey 2004. UK Department of Trade and Industry.
US-CERT (2004). US-CERT vulnerability notes database. Carnegie Mellon Univ. http://www.kb.cert.org/vuls/.
Varian, H. (2004). System reliability and free riding. Working Paper, Univ. of California, Berkeley.
Weaver, N., V. Paxson, S. Staniford, and R. Cunningham (2003). A taxonomy of computer worms. In Proc. of the 2003 ACM Workshop on Rapid Malcode, pp. 11–18.
Williams, M. (2000, February). Attack takes down Yahoo for three hours. IDG News Service.
Appendix for
Network Software Security and User Incentives
Terrence August and Tunay I. Tunca*
Graduate School of Business
Stanford University

* Graduate School of Business, Stanford University, Stanford, CA 94305-5015. e-mails: taugust@stanford.edu, tunca_tunay@stanford.edu

Proofs

Proof of Lemma 1: In order to characterize the equilibrium, we first start with the second period decisions for the consumers who purchased the product in the first period. If, in the second period, no vulnerabilities arise, then there is no decision to make for a consumer. Suppose a vulnerability arises. If a consumer with valuation $v$ decides to patch the software, her expected total payoff is $v - p - c_p$. Notice that the consumer only incurs a patching cost when vulnerabilities actually occur. Suppose she decides not to patch and the total mass of the unpatched population is $u$. In this case, her expected payoff is $v - p - \pi u \alpha v$. Therefore, a consumer who buys the product patches in the second period in case a security vulnerability is revealed if and only if
$$v \ge \frac{c_p}{\pi u \alpha}. \qquad (A.1)$$
Consequently, in equilibrium, if a buyer with valuation $v_0$ patches the software, then every buyer with valuation $v > v_0$ will patch, and hence there exists a $v_p \in [0,1]$ such that, when a vulnerability arises, a consumer with valuation $v \in V$ will patch if and only if $v \ge v_p$.

Next, we examine the buying decision in the first period. If a consumer with valuation $v$ decides to buy the product, she will incur a cost $p$. Her expected security losses are $C(v,\sigma^*)$. Then she will buy the software if and only if
$$v - C(v,\sigma^*) \ge p. \qquad (A.2)$$
Now first, suppose $v_p < 1$. Then $v_p \ge p + c_p$, and hence, in equilibrium, since (1) implies $C(v,\sigma^*) = \min\{\pi u \alpha v,\, c_p\}$ and by (A.2), for all $v > v_p$ we have $\sigma^*(v) = (B,P)$. Now let $0 \le v_1 \le 1$ and $\sigma^*(v_1) = (B,NP)$. Then, by (A.2),
$$v_1 \ge \frac{p}{1 - \pi u \alpha}, \qquad (A.3)$$
and therefore for all $v > v_1$, $\sigma^*(v) \in \{(B,P),(B,NP)\}$, and hence there exists a $v_b \in [0,1]$ such that a consumer with valuation $v \in V$ will purchase if and only if $v \ge v_b$. By definition $v_p \ge v_b$. Suppose $0 < v_p = v_b < 1$ and $c_p > 0$. But then, there exists $0 < v < v_p$ such that $v \ge p + C(v,\sigma^*) = p$, which is a contradiction. Therefore, we conclude that, when $c_p > 0$ and $0 < p < 1$, there exist $0 \le v_b < v_p \le 1$ satisfying (2), from which it follows that
$$\pi\alpha (v_p - v_b)\, v_p = c_p, \qquad (A.4)$$
and
$$v_b = p + \pi\alpha (v_p - v_b)\, v_b. \qquad (A.5)$$
Substituting (A.4) into (A.5) yields
$$v_p = \frac{c_p v_b}{v_b - p}, \qquad (A.6)$$
which, in turn, by substituting into (A.5) gives
$$\pi\alpha v_b^3 + \bigl(1 - \pi\alpha (c_p + p)\bigr) v_b^2 - 2 p v_b + p^2 = 0. \qquad (A.7)$$
Now, for $v_p < 1$ to hold, by (A.6), we must have $v_b > \frac{p}{1 - c_p}$. Plugging this into equation (A.7), and since $0 \le v_b \le 1$, we obtain that for $v_p < 1$ we must have $p < \bar{p}$. When $p < \bar{p}$, it can be shown that (A.7) has a single root $v_b$ that satisfies $1 > v_b > p$, as required by (A.2). Further, when $p > 0$, again from (A.7), $v_b < p + c_p$ follows, which by plugging into (A.6) confirms $p + c_p < v_p$.

When $p = 0$ and $\alpha \ge c_p/\pi$, since $\bar{p} > 0$, (A.7) is valid, and substituting $p = 0$ into (A.7) yields
$$v_b^2 \Bigl( v_b - \bigl( c_p - \tfrac{1}{\pi\alpha} \bigr) \Bigr) = 0,$$
which has two roots, namely $v_b = 0$ and $v_b = c_p - 1/(\pi\alpha)$. If $c_p < 1/(\pi\alpha)$, then the only possible solution in $[0,1]$ is $v_b = 0$, and when $v_b = 0$, by (A.4), it follows that
$$v_p = \sqrt{\frac{c_p}{\pi\alpha}}. \qquad (A.8)$$
If $\alpha > \frac{1}{c_p \pi}$, however, under (A.8), (A.2) cannot be satisfied. Therefore, the only valid root for this region is $v_b = c_p - 1/(\pi\alpha)$ and, by (A.6), the statement follows.

Finally, when $p \ge \bar{p}$, on the other hand, substituting $v_p = 1$ into (A.5), we obtain $\pi\alpha v_b^2 + (1 - \pi\alpha) v_b - p = 0$, which has a unique positive root that satisfies $v_b \le 1$ and is given by
$$v_b = -\frac{1 - \pi\alpha}{2\pi\alpha} + \frac{1}{2\pi\alpha}\sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha p}. \qquad (A.9)$$
This completes the proof. ■
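The case split in Lemma 1 can be checked numerically. The following Python example is added here and is not part of the paper: it solves the cubic (A.7) by bisection on $(p, 1)$, recovers $v_p$ from (A.6), and falls back to the closed form (A.9) when the Region I candidate would give $v_p \ge 1$. That regime test stands in for the price cutoff $\bar{p}$, whose expression is not reproduced in this excerpt (an assumption of this example); the $p = 0$ branch follows the freeware case of the proof. Function names and the sample parameters are this example's own.

```python
import math


def residual_a7(v, p, c_p, pa):
    """Left-hand side of the cubic (A.7) in v_b; pa denotes the product pi*alpha."""
    return pa * v**3 + (1.0 - pa * (c_p + p)) * v**2 - 2.0 * p * v + p**2


def region2_threshold(p, pa):
    """Closed form (A.9): purchasing threshold when every buyer patches (v_p = 1)."""
    return (-(1.0 - pa) + math.sqrt((1.0 - pa) ** 2 + 4.0 * pa * p)) / (2.0 * pa)


def equilibrium_thresholds(p, c_p, pa, tol=1e-12):
    """Return (v_b, v_p, region) for price p, patching cost c_p and risk pa = pi*alpha.

    Region 1: some buyers do not patch; v_b is the root of (A.7) in (p, 1) and v_p
    follows from (A.6).  Region 2: all buyers patch; v_b comes from (A.9), v_p = 1.
    The regime is decided by testing whether the Region 1 candidate gives v_p < 1,
    which stands in for the paper's price cutoff p-bar (assumption of this example).
    """
    if not (0.0 <= p < 1.0 and 0.0 < c_p < 1.0 and pa > 0.0):
        raise ValueError("need 0 <= p < 1, 0 < c_p < 1 and pi*alpha > 0")
    if p == 0.0:
        # Freeware case of Lemma 1; the proof treats it for pi*alpha >= c_p only.
        if pa < c_p:
            raise ValueError("the p = 0 case assumes pi*alpha >= c_p")
        if c_p * pa <= 1.0:
            return 0.0, math.sqrt(c_p / pa), 1          # v_b = 0 and (A.8)
        v_b = c_p - 1.0 / pa                              # other root of (A.7) at p = 0
        return v_b, c_p, 1                                # (A.6) with p = 0 gives v_p = c_p
    lo, hi = p, 1.0
    # residual_a7(p) = -pa*c_p*p^2 < 0, so a positive value at 1 brackets a root.
    if residual_a7(lo, p, c_p, pa) < 0.0 < residual_a7(hi, p, c_p, pa):
        while hi - lo > tol:
            mid = 0.5 * (lo + hi)
            if residual_a7(mid, p, c_p, pa) < 0.0:
                lo = mid
            else:
                hi = mid
        v_b = 0.5 * (lo + hi)
        v_p = c_p * v_b / (v_b - p)                       # (A.6)
        if v_p < 1.0:
            return v_b, v_p, 1
    return region2_threshold(p, pa), 1.0, 2


def fixed_point_residuals(v_b, v_p, p, c_p, pa):
    """Residuals of (A.4) and (A.5); both vanish at a Region 1 equilibrium."""
    r4 = pa * (v_p - v_b) * v_p - c_p
    r5 = v_b - (p + pa * (v_p - v_b) * v_b)
    return r4, r5


if __name__ == "__main__":
    # Constructed sample parameters, not values taken from the paper.
    for p, c_p, pa in [(0.3, 0.2, 1.0), (0.7, 0.2, 0.5), (0.0, 0.5, 4.0)]:
        v_b, v_p, region = equilibrium_thresholds(p, c_p, pa)
        print(f"p={p} c_p={c_p} pi*alpha={pa}: v_b={v_b:.4f} v_p={v_p:.4f} region={region}")
```

For $(p, c_p, \pi\alpha) = (0.3, 0.2, 1)$ the root lands in Region I with $p < v_b < p + c_p < v_p < 1$, exactly the ordering the proof establishes; raising the price to $0.7$ pushes the (A.6) candidate for $v_p$ above 1, so the function switches to (A.9) with $v_p = 1$.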
Before we move on to the next proposition, we first state and prove the following lemmas that will be useful for the remaining proofs:

Lemma A.1
The purchasing threshold $v_b$ is strictly increasing in price. Further, in Region I, $\frac{dv_b}{dp} > 1$.

Proof: The statement for Region II is immediate from (A.9). For Region I, from (A.7) and by the implicit function theorem, we obtain
$$\frac{dv_b}{dp} = \frac{\pi\alpha v_b^2 + 2(v_b - p)}{3\pi\alpha v_b^2 + 2(1 - \pi\alpha c_p - \pi\alpha p)\, v_b - 2p} = \frac{1}{1 + \dfrac{2\pi\alpha v_b\,(v_b - c_p - p)}{\pi\alpha v_b^2 + 2(v_b - p)}}. \qquad (A.10)$$
Re-arranging equation (A.7), we have
$$\pi\alpha v_b^2\,(v_b - c_p - p) = -(v_b - p)^2. \qquad (A.11)$$
From (A.10) and (A.11), it then follows that
$$\frac{dv_b}{dp} = \frac{\pi\alpha v_b^2 + 2(v_b - p)}{\pi\alpha v_b^2 + 2\dfrac{p}{v_b}(v_b - p)} > 1, \qquad (A.12)$$
where the inequality holds because $v_b > p$ gives $p/v_b < 1$, so the denominator is smaller than the numerator. □
Lemma A.2
(i) There exists a solution $p_s^* \in [0,1]$ to the profit maximization problem of the vendor. The profit function for the vendor is piece-wise strictly concave in price, i.e., it is concave when restricted to the price regions $[0,\bar{p})$ and $[\bar{p},1]$, where $\bar{p}$ is as given in Lemma 1.
(ii) Let $c_p \in (0,1)$ be given. There exist $c_p < \underline{\theta} < \overline{\theta}$ such that
(a) When $\pi\alpha > \overline{\theta}$, the software vendor's profit is maximized by pricing in Region I;
(b) When $0 < \pi\alpha < \underline{\theta}$, the software vendor's profit is maximized by pricing in Region II.

Proof: By Lemma 1, $\Pi_s(\cdot)$ is continuous on the compact set $[0,1]$. Therefore, the vendor's problem has an optimal solution on this price range. For strict concavity, we first consider Region II. By (A.9), we have
$$\Pi_s^{ii}(p) = \frac{p}{2\pi\alpha}\Bigl(1 + \pi\alpha - \sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha p}\Bigr). \qquad (A.13)$$
In order to circumvent having the first derivative ill-defined, we break the analysis into two cases, $\pi\alpha = 1$ and $\pi\alpha \ne 1$. When $\pi\alpha = 1$, we have $\Pi_s^{ii}(p) = p(1 - \sqrt{p})$. Thus we have $d\Pi_s^{ii}(p)/dp = 1 - \frac{3}{2}\sqrt{p}$ and $d^2\Pi_s^{ii}(p)/dp^2 = -\frac{3}{4\sqrt{p}}$. When $\pi\alpha \ne 1$, we have
$$\frac{d\Pi_s^{ii}(p)}{dp} = \frac{1}{2\pi\alpha}\Bigl(1 + \pi\alpha - \sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha p}\Bigr) - \frac{p}{\sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha p}},$$
and
$$\frac{d^2\Pi_s^{ii}(p)}{dp^2} = \frac{-2(1 - \pi\alpha)^2 - 6\pi\alpha p}{\bigl((1 - \pi\alpha)^2 + 4\pi\alpha p\bigr)^{3/2}} < 0.$$
Hence, we conclude that $\Pi_s^{ii}(\cdot)$ is indeed strictly concave.
Now consider Region I. Notice that $d\Pi_s^{i}(p)/dp = 1 - v_b - p\,\frac{dv_b}{dp}$ and $d^2\Pi_s^{i}(p)/dp^2 = -\Bigl(2\frac{dv_b}{dp} + p\,\frac{d^2 v_b}{dp^2}\Bigr)$. By differentiating equation (A.12) and rearranging, we obtain
$$\frac{d^2 v_b}{dp^2} = \frac{\dfrac{dv_b}{dp}\Bigl(2\alpha v_b + \dfrac{4p}{\pi v_b}\Bigr) - \Bigl(\dfrac{dv_b}{dp}\Bigr)^2\Bigl(\dfrac{2p^2}{\pi v_b^2} + 2\alpha v_b\Bigr) - \dfrac{2}{\pi}}{\alpha v_b^2 + \dfrac{2p}{\pi v_b}(v_b - p)}. \qquad (A.14)$$
Substituting back into the second derivative of the profit function, we have
$$\frac{d^2\Pi_s^{i}(p)}{dp^2} = -\,\frac{2\Bigl(\alpha v_b^2 + \dfrac{2(v_b - p)}{\pi} + p\,\dfrac{dv_b}{dp}\Bigl(\alpha v_b + \dfrac{2}{\pi}\,\dfrac{p}{v_b}\Bigr) - p\Bigl(\dfrac{dv_b}{dp}\Bigr)^2\Bigl(\dfrac{1}{\pi}\,\dfrac{p^2}{v_b^2} + \alpha v_b\Bigr) - \dfrac{p}{\pi}\Bigr)}{\alpha v_b^2 + \dfrac{2p}{\pi v_b}(v_b - p)}. \qquad (A.15)$$
Now, by (A.12) and Lemma A.1, we have
$$\frac{dv_b}{dp}\,\alpha v_b\,(v_b + p) - p\,\alpha v_b\Bigl(\frac{dv_b}{dp}\Bigr)^2 = \alpha v_b\,\frac{dv_b}{dp}\Bigl(v_b + p\Bigl(1 - \frac{dv_b}{dp}\Bigr)\Bigr) = \alpha v_b\,\frac{dv_b}{dp}\left(\frac{\alpha v_b^3 + \dfrac{2}{\pi}\,\dfrac{p^2}{v_b}(v_b - p)}{\alpha v_b^2 + \dfrac{2}{\pi}\,\dfrac{p}{v_b}(v_b - p)}\right) > 0. \qquad (A.16)$$
Further, again by Lemma A.1 and rearranging,
$$\frac{2p}{\pi}\cdot\frac{dv_b}{dp} - \frac{p}{\pi}\left(\Bigl(\frac{p}{v_b}\cdot\frac{dv_b}{dp}\Bigr)^2 + 1\right) = \frac{p}{\pi}\left(2\,\frac{dv_b}{dp} - \Bigl(\frac{p}{v_b}\cdot\frac{dv_b}{dp}\Bigr)^2 - 1\right) = \frac{p}{\pi}\left(\frac{\alpha v_b^2\bigl(\tfrac{v_b}{p} - 1\bigr)}{\dfrac{\alpha v_b^3}{p} + \dfrac{2}{\pi}(v_b - p)}\Bigl(1 + \frac{p}{v_b}\cdot\frac{dv_b}{dp}\Bigr) + 2\Bigl(\frac{dv_b}{dp} - 1\Bigr)\right) > 0. \qquad (A.17)$$
Combining (A.16), (A.17) and the fact that $v_b > p$, we find that the right hand side of (A.15) is strictly negative, and therefore $\Pi_s^{i}$ is strictly concave. This completes the proof of part (i).

To see part (ii), first by part (i), there exists an optimal price that solves the vendor's profit maximization problem. To see part (a), notice that by (A.9), in Region II, $\lim_{\pi\alpha \to \infty} v_b = 1$. Therefore, as $\pi\alpha \to \infty$, profit in Region II for any feasible $p$ approaches zero. By (A.7), $v_b < p + c_p$ is always satisfied. Therefore, for any given $p \in [0,\bar{p})$, $\Pi_s^{i}(p) > p(1 - c_p - p)$, which has a maximum at $p = (1 - c_p)/2$, which is in $[0,\bar{p})$ for sufficiently large $\pi\alpha$, as desired. For part (b), notice that by Lemma 1, the feasible price range for Region I is $p \in [0,\bar{p})$. At $\pi\alpha = c_p$, this range is reduced to $\{0\}$, and as $\pi\alpha$ approaches this threshold the vendor's profit vanishes on $[0,\bar{p})$. For any $\pi\alpha \le c_p$, there is no feasible price for Region I. On the other hand, Region II becomes feasible for all values of $\pi\alpha$ in this range and, by (A.9), for any given $p \ge \bar{p}$, the profit in Region II increases as $\pi\alpha$ decreases. Hence, there exists a $\underline{\theta} \ge c_p > 0$ such that the vendor's profit is maximized in Region II for $\pi\alpha < \underline{\theta}$. This completes the proof. □
Lemma A.3
For the proprietary software, if $v_b \le v_m$ then $W_s > W_m$.

Proof: Consider each consumer $v \in [v_m, 1]$. Under self patching decisions, each of these consumers contributes $v - C(v,\sigma^*)$ to the expected social welfare. Note that this contribution incorporates the externalities created by all other users in equilibrium. Under the mandatory patching policy, each of these consumers contributes $v - c_p$. However, $C(v,\sigma^*) \le c_p$ for all these consumers, since $c_p$ is the greatest loss that any purchaser will accept. Each consumer $v \in [v_b, v_m]$ will purchase only if they make a positive contribution to the welfare. Furthermore, by (A.4) and since $v_p > v_b$, $\pi\alpha(v_p - v_b)\,v_b < c_p$. Thus, the expected social welfare under self patching is strictly greater than the expected social welfare under mandatory patching when $v_b \le v_m$. □
Proof of Proposition 1: To see part (i), first note that $v_m = p^*_m + c_p = (1 + c_p)/2$ and consider the associated purchasing threshold as a function of $c_p$, i.e. $v_m(c_p) = (1 + c_p)/2$. Since $\pi\alpha < c_p$ and $v_m(\cdot)$ is increasing in $c_p$, it follows that $v_m(\pi\alpha) < v_m(c_p)$.

Now from (A.9), we have that $v_b(\pi\alpha) = -\frac{1 - \pi\alpha}{2\pi\alpha} + \frac{1}{2\pi\alpha}\sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha p^*_s}$. By Lemma A.2, $\Pi^{ii}_s$ is concave and since $\Pi^{ii}_s(0) = \Pi^{ii}_s(1) = 0$ the optimal price can be found through the first order condition, which yields
\[
p^*_s = \frac{1}{9\pi\alpha}\Bigl(-1 + 4\pi\alpha - (\pi\alpha)^2 + (1 + \pi\alpha)\sqrt{1 - \pi\alpha + (\pi\alpha)^2}\Bigr). \tag{A.18}
\]
Plugging (A.18) into (A.9), we obtain
\[
v_m(\pi\alpha) - v_b(\pi\alpha) = \frac{3 + 3(\pi\alpha)^2 - \sqrt{5 - 2\pi\alpha + 5(\pi\alpha)^2 + 4(1 + \pi\alpha)\sqrt{1 - \pi\alpha + (\pi\alpha)^2}}}{6\pi\alpha} \ge 0. \tag{A.19}
\]
(A.19) can be easily established by rearranging the inequality and taking the square of both sides twice. Therefore $v_b \le v_m$ and the result follows from Lemma A.3.

To see part (ii), suppose that $v_b > v_m$. Define $p_c > 0$ as the price such that
\[
\pi\alpha v_m^3 + \bigl(1 - \pi\alpha(c_p + p_c)\bigr)v_m^2 - 2p_c v_m + p_c^2 = 0. \tag{A.20}
\]
Plugging $v_m = (1 + c_p)/2$ in (A.20) and solving for $p_c$, we find that
\[
p_c = \frac{1}{8}\Bigl(4 + 4c_p + \pi\alpha(1 + c_p)^2 - \sqrt{\pi\alpha(1 + c_p)^2\bigl(16c_p + \pi\alpha(1 + c_p)^2\bigr)}\Bigr). \tag{A.21}
\]
By Lemma A.2, at the optimal price for Region I, $p^*_s$, we have $\left.\frac{d\Pi^i_s(p)}{dp}\right|_{p = p^*_s} \ge 0$. Then, by Lemma A.1 and again by Lemma A.2, $\left.\frac{d\Pi^i_s(p)}{dp}\right|_{p = p_c} > 0$ also holds. Now,
\[
\frac{d\Pi^i_s(p)}{dp} = 1 - v_b - p\left(\frac{v_b^2 + \frac{2}{\pi\alpha}(v_b - p)}{v_b^2 + \frac{2}{\pi\alpha}\frac{p}{v_b}(v_b - p)}\right) = \frac{\pi\alpha v_b^3(1 - p) + 2p(v_b - p)(1 - 2v_b) - \pi\alpha v_b^4}{\pi\alpha v_b^3 + 2p(v_b - p)}. \tag{A.22}
\]
Plugging (A.20) in (A.22), we find that $\left.\frac{d\Pi^i_s(p)}{dp}\right|_{p = p_c} > 0$ if and only if
\[
\pi^2\alpha^2(1 + c_p)^3(-1 + 3c_p) + 32c_p^2\,\pi\alpha(1 + c_p) - \bigl(8c_p - \pi\alpha(1 + c_p)(1 - 3c_p)\bigr)\sqrt{\pi\alpha(1 + c_p)^2\bigl(16c_p + \pi\alpha(1 + c_p)^2\bigr)} > 0. \tag{A.23}
\]
Suppose that $c_p \ge 1/3$. Moving the radical in (A.23) and squaring yields the equivalent condition
\[
\pi\alpha c_p^2(1 + c_p)^2\bigl(16c_p + \pi\alpha(3 - c_p)(3c_p - 1)\bigr) < 0, \tag{A.24}
\]
and hence (A.23) is not satisfied. Now suppose $c_p < 1/3$ and define $s(\pi\alpha) \triangleq \pi\alpha(1 + c_p)^3(-1 + 3c_p) + 32c_p^2(1 + c_p)$ and $t(\pi\alpha) \triangleq 8c_p + \pi\alpha(1 + c_p)(-1 + 3c_p)$. Notice that $s(\pi\alpha) > 0$ if and only if $\pi\alpha < a_s \triangleq \frac{32c_p^2}{(1 + c_p)^2(1 - 3c_p)}$ and $t(\pi\alpha) > 0$ if and only if $\pi\alpha < a_t \triangleq \frac{8c_p}{(1 + c_p)(1 - 3c_p)}$. Further, (A.24) is violated if and only if $\pi\alpha \ge a_\tau \triangleq \frac{16c_p}{(3 - c_p)(1 - 3c_p)}$. Notice that $c_p < 1/3$ implies $a_s < a_t$. When $a_s \le \pi\alpha < a_t$, (A.23) does not hold. It then follows that when $\pi\alpha \ge a_t$, (A.23) is violated if and only if (A.24) is violated, which is true since $a_t \ge a_\tau$. Further, when $\pi\alpha < a_s$, (A.23) is violated if and only if (A.24) is violated, which is true since $a_s \le a_\tau$. Therefore $v_b \le v_m$ and, again by Lemma A.3, the result follows. $\blacksquare$
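The first order condition that produces (A.18) is stated above but not carried out. The following derivation is added here as a worked step; it is not part of the original appendix. It uses the paper's own quantities $\Pi^{ii}_s$, $v_b$, $v_m$ and $p^*_s$, and introduces two local abbreviations that are not in the paper, $x = \pi\alpha$ and $s = \sqrt{(1 - x)^2 + 4xp}$ (the radical in (A.9)):
\[
\begin{aligned}
\Pi^{ii}_s(p) &= p\,\bigl(1 - v_b(p)\bigr), \qquad v_b(p) = \frac{-(1 - x) + s}{2x}, \qquad \frac{dv_b}{dp} = \frac{1}{s},\\
0 = \frac{d\Pi^{ii}_s}{dp} &= 1 - v_b - \frac{p}{s}
\;\Longleftrightarrow\; s\,\frac{1 + x - s}{2x} = p = \frac{s^2 - (1 - x)^2}{4x}\\
&\Longleftrightarrow\; 3s^2 - 2(1 + x)s - (1 - x)^2 = 0
\;\Longleftrightarrow\; s = \frac{(1 + x) + 2\sqrt{1 - x + x^2}}{3},
\end{aligned}
\]
where the last step uses $(1 + x)^2 + 3(1 - x)^2 = 4(1 - x + x^2)$ and keeps the positive root. Substituting back,
\[
p^*_s = \frac{s^2 - (1 - x)^2}{4x} = \frac{1}{9x}\Bigl(-1 + 4x - x^2 + (1 + x)\sqrt{1 - x + x^2}\Bigr),
\]
which is (A.18). The same $s$ explains the radical in (A.19): $9s^2 = 5 - 2x + 5x^2 + 4(1 + x)\sqrt{1 - x + x^2}$ and $v_m - v_b = \frac{1 + x^2 - s}{2x} = \frac{3 + 3x^2 - 3s}{6x}$, so (A.19) is equivalent to $1 + x^2 \ge s$, i.e. $2 - x + 3x^2 \ge 2\sqrt{1 - x + x^2}$; squaring gives $9x^2 - 6x^3 + 9x^4 = 3x^2(3 - 2x + 3x^2) \ge 0$, which holds for every $x \ge 0$.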
Proof of Proposition 2: For any given $p > 0$, $v_b > p$ and $0 < r < c_p$, by (A.11)
\[
p + c_p - r - v_b = \frac{1}{\pi\alpha}\left(\frac{v_b - p}{v_b}\right)^2. \tag{A.25}
\]
Define $\xi = \frac{1}{\pi\alpha}\left(\frac{v_b - p}{v_b}\right)^2$. By Lemma A.2, for sufficiently large $\pi\alpha$ the vendor will price in Region I. The first order condition for $\Pi_v(p, r)$ is given by
\[
\frac{\partial \Pi_v(p, r)}{\partial p} = 1 - v_b - p\frac{dv_b}{dp} + \frac{r(c_p - r)}{(v_b - p)^2}\left(v - p\frac{dv_b}{dp}\right) = 0, \tag{A.26}
\]
which, by combining with (A.12) and (A.25), yields
\[
p^*_v = \frac{1 - c_p}{2} + r + c_p\left(\frac{2}{1 + c_p} - \frac{1}{2(c_p - r)}\right)\xi + O(\xi^2). \tag{A.27}
\]
Therefore, combining (A.25) and (A.27), for $\pi\alpha$ sufficiently large, $p^*_v < \bar{p}$ and the unconstrained optimum of $\Pi^i_v$ will be feasible for Region I.

Now consider the optimal price as a function of the rebate, denoted $p(r)$, and define the optimal expected vendor profit as a function of the rebate by $\Pi^*_v(r) = \Pi_v(r, p(r), v_b(p(r), r))$. By Lemma A.2 and the envelope theorem, we obtain the first order condition for the optimal rebate as
\begin{align*}
\frac{d\Pi^*_v(r)}{dr} &= \frac{\partial \Pi_v\bigl(r, p(r), v_b(p(r), r)\bigr)}{\partial r} + \frac{\partial \Pi_v\bigl(r, p(r), v_b(p(r), r)\bigr)}{\partial v_b}\,\frac{\partial v_b(p(r), r)}{\partial r}\\
&= -1 + \frac{v_b}{v_b - p}(c_p - 2r) + \left(1 + \frac{r(c_p - r)}{(v_b - p)^2}\right)\frac{p v_b^2}{v_b^2 + \frac{2}{\pi\alpha}(v_b - p)\frac{p}{v_b}} = 0. \tag{A.28}
\end{align*}
Substituting in for (A.25),
\[
\frac{d\Pi^*_v(r)}{dr} = -1 + \frac{p + c_p - r - \xi}{c_p - r - \xi}(c_p - 2r) + \left(1 + \frac{r(c_p - r)}{(c_p - r - \xi)^2}\right)\frac{p(c_p - r - \xi)}{c_p - r - \xi + \frac{2p\xi}{p + c_p - r - \xi}},
\]
which, evaluated at (A.27), yields
\[
\frac{d\Pi^*_v(r)}{dr} = \frac{c_p(3c_p - 1 - 4r)}{2(c_p - r)^2}\,\xi + O(\xi^2). \tag{A.29}
\]
Hence there exists an $\bar{\omega} > 0$ such that when $\pi\alpha > \bar{\omega}$, $\left.\frac{d\Pi^*_v(r)}{dr}\right|_{r = 0} \ge 0$ if and only if $c_p > \frac{1}{3}$. Therefore, a rebate policy will be effective if and only if $c_p > 1/3$. By (A.29), we have $r^*_v \to (3c_p - 1)/4$ and hence, by (A.27), $p^*_v \to (1 + c_p)/4$. Further, there exists a constant $k$ such that $\lim_{\xi \to 0}\frac{r^*_v - (3c_p - 1)/4}{\xi} = \lim_{\xi \to 0}\frac{p^*_v - (1 + c_p)/4}{\xi} = k$. Substituting into (A.29), it follows that $k = (1 - c_p)/(8c_p) > 0$. Therefore, $r^*_v$ and $p^*_v$ are increasing in $\xi$, and hence decreasing in $\pi\alpha$. This completes the proof of part (i).

To see part (ii), first notice that under the hypothesis $\pi\alpha < c_p$ holds and in this region, for a rebate $r > 0$ to be effective, by Lemma 1, we must have $c_p - \pi\alpha < r < c_p$, since only in this case will the consumers face a patching cost that induces at least some of them to patch. For a fixed $p$, let $v_b(r)$ and $v_p(r)$ denote the purchasing and patching thresholds when a rebate $r$ is offered, respectively. Clearly, when $r > c_p - \pi\alpha$, $v_b(r) < v_b(0)$, since otherwise $\Pi_v(p, r) < \Pi_v(p, 0)$ holds. But then, by (A.5),
\[
v_b(r) = \frac{p}{1 - \pi\alpha\bigl(v_p(r) - v_b(r)\bigr)} < \frac{p}{1 - \pi\alpha\bigl(1 - v_b(0)\bigr)} = v_b(0), \tag{A.30}
\]
which implies $1 - v_p(r) > v_b(0) - v_b(r)$ and therefore, for $\Pi_v(p, r) > \Pi_v(p, 0)$, $p > r$ has to hold.

When the vendor offers such a rebate $r$, his expected profit function can be written as $\Pi_v(p, r) = p(1 - v_b) - r(1 - v_p)$ where $p \in \bigl[0, (1 - (c_p - r))(1 - \frac{c_p - r}{\pi\alpha})\bigr]$. Also note that the purchasing threshold is now governed by the equation $\pi\alpha v_b^3 + \bigl(1 - \pi\alpha(c_p - r + p)\bigr)v_b^2 - 2pv_b + p^2 = 0$. Then, by the implicit function theorem, we obtain:
\[
\frac{dv_b}{dr} = -\frac{v_b^2}{v_b^2 + \frac{2}{\pi\alpha}(v_b - p)\frac{p}{v_b}}, \tag{A.31}
\]
and hence $-1 \le \frac{dv_b}{dr} \le 0$. Differentiating the expected profit function, we obtain
\[
\frac{d\Pi_r}{dr} = -p\frac{dv_b}{dr} - 1 + v_p + r\frac{dv_p}{dr} = -p\frac{dv_b}{dr} - 1 + v_p + r\left(-\frac{p(c_p - r)\frac{dv_b}{dr}}{(v_b - p)^2} - \frac{v_b}{v_b - p}\right). \tag{A.32}
\]
Notice that the first three terms are bounded and that $r$ approaches $c_p$ as $\pi\alpha$ approaches zero. Substituting $c_p - r$ in place of $c_p$ in (A.11) and re-arranging we obtain
\[
c_p - r = (v_b - p)\left(\frac{v_b - p}{\pi\alpha v_b^2} + 1\right). \tag{A.33}
\]
Therefore
\[
\frac{p(c_p - r)\frac{dv_b}{dp}}{(v_b - p)^2} - \frac{v_b}{v_b - p} = \frac{-\pi\alpha v_b^2 - p}{\pi\alpha v_b^2 + 2(v_b - p)\frac{p}{v_b}} = \frac{dv_b}{dr}\left(1 + \frac{p}{\pi\alpha v_b^2}\right). \tag{A.34}
\]
Now since $\pi\alpha < \frac{c_p^2}{1 + c_p}$ and $p \le 1$, $\pi\alpha\bigl(p - (c_p - \pi\alpha)\bigr) < (c_p - \pi\alpha)^2$, and since $p > r > c_p - \pi\alpha$, we have
\[
\pi\alpha < \frac{(c_p - \pi\alpha)^2}{p - (c_p - \pi\alpha)} < \frac{pr}{p - r}. \tag{A.35}
\]
From (A.35), and since $v_b \le 1$, it follows that
\[
p - r - \frac{pr}{\pi\alpha v_b^2} < 0. \tag{A.36}
\]
Combining (A.32), (A.34) and (A.36), we obtain $d\Pi_r/dr < 0$ and therefore it is suboptimal for the vendor to offer a rebate. This completes the proof. $\blacksquare$
Proof of Proposition 3: By (4), (A.6) and (A.7),
\[
W^i_g(p, r) = \frac{1}{2}\left(1 - v_b^2 - \frac{\pi\alpha v_b^3(v_b - p - c_p + r)^2(v_b + c_p - p - r)}{(v_b - p)^3} + \frac{2c_p\bigl(p - v_b(1 + r - c_p)\bigr)}{v_b - p}\right). \tag{A.37}
\]
Taking the total derivative with respect to $r$, substituting (A.12) and (A.31), utilizing the implicit function theorem on (A.26), and defining $\xi$ as in the proof of Proposition 2, by (A.25) and (A.27) we then obtain
\[
\lim_{\xi \to 0}\frac{1}{\xi}\frac{dW^*_g(r)}{dr} = \frac{c_p\bigl(c_p(12 - c_p) - 3 - 16r\bigr)}{4(1 + c_p)(c_p - r)^2}. \tag{A.38}
\]
Notice that $c_p(12 - c_p) - 3$ is a concave quadratic expression in $c_p$ with roots $6 - \sqrt{33}$ and $6 + \sqrt{33}$. Since $6 - \sqrt{33} < 1 < 6 + \sqrt{33}$, we conclude that there exists an $\bar{\omega} > 0$ such that when $\pi\alpha > \bar{\omega}$, $\left.\frac{dW^*_g(r)}{dr}\right|_{r = 0} \ge 0$ if and only if $c_p > 6 - \sqrt{33}$. Hence, in this region, a rebate policy is effective at increasing social welfare if and only if $c_p$ is large enough, as stated in the proposition. By (A.38), as $\pi\alpha$ becomes large, we have $r^*_g \to (c_p(12 - c_p) - 3)/16$ and, by substituting into (A.27), $p^*_g \to (5 - c_p)(1 + c_p)/16$. Clearly, both $r^*_g$ and $p^*_g$ are strictly increasing in $c_p$.

Further, substituting $r^*_g$ back into (A.38) we obtain
\[
\lim_{\xi \to 0}\frac{r^*_g - \bigl(c_p(12 - c_p) - 3\bigr)/16}{\xi} = f(c_p), \tag{A.39}
\]
where $f(c_p)$ is a fifth order polynomial with three real roots, only one of which (denoted by $\theta_0$) lies in $(6 - \sqrt{33}, 1)$, and for all $c_p \in (\theta_0, 1)$, $f(c_p) < 0$. Thus, for $\pi\alpha$ sufficiently large, $r^*_g$ is decreasing in $\pi\alpha$ if $c_p \in (6 - \sqrt{33}, \theta_0)$ and increasing in $\pi\alpha$ if $c_p \in (\theta_0, 1)$. Substituting $r^*_g$ into (A.27) and carrying out the analysis in a similar way shows that there exists a $\theta$ in $(6 - \sqrt{33}, 1)$ such that $p^*_v$ is decreasing in $\pi\alpha$ if $c_p \in (6 - \sqrt{33}, \theta)$ and increasing in $\pi\alpha$ if $c_p \in (\theta, 1)$. This completes the proof of part (i).

For part (ii), when $\pi\alpha < c_p$ and $r = 0$, by Lemmas 1 and A.2, the optimal price, $p^*_s$, is found in Region II. Plugging (A.18) in (A.22), we find that
\[
\lim_{\pi\alpha \to 0}\pi\alpha\left.\frac{d\Pi^i_s}{dp}\right|_{p = p^*_s} = \frac{(c_p - r)r}{\nu(1 + 8\nu)}, \tag{A.40}
\]
where, from (A.7), $\nu = \lim_{\pi\alpha \to 0}(v_b - p)/\pi\alpha > 0$. Therefore, when a planner imposed rebate is effective, i.e., when a large enough $r < c_p$ induces the vendor to price so that there is a patching population, since the vendor's profit curve is strictly piecewise concave in $p$, $p^*_g > p^*_s$ follows. Now define
\[
n' = \sup\Bigl\{n : \lim_{\pi\alpha \to 0}\frac{p^*_g(r) - p^*_s}{(\pi\alpha)^n} < \infty\Bigr\}. \tag{A.41}
\]
Further, define $v^s_b$ as given in (A.9), which is the purchasing threshold for $r = 0$, and
\[
n'' = \sup\Bigl\{n : \lim_{\pi\alpha \to 0}\frac{v_b(p^*_g(r), r) - v^s_b}{(\pi\alpha)^n} < \infty\Bigr\}. \tag{A.42}
\]
By (A.4)
\[
\lim_{\pi\alpha \to 0}\frac{v_p(p^*_g(r), r)}{(\pi\alpha)^{\min\{n', n''\}}} < \infty, \tag{A.43}
\]
and hence,
\[
\lim_{\pi\alpha \to 0}\frac{v_p(p^*_g(r), r) - v_b(p^*_g(r), r)}{(\pi\alpha)^{\min\{n', n''\}}} < \infty. \tag{A.44}
\]
Since $p^*_g(r) > p^*_s$, it then follows that there exists a $\bar{\theta} > 0$ such that when $0 < \pi\alpha < \bar{\theta}$, for any $r$ such that $v_p(p^*_g(r), r) < 1$,
\[
W^i_g(p^*_g(r), r) - W^{ii}_g(p^*_s, 0) < \pi\alpha\bigl(v_p(p^*_g(r), r) - v_b(p^*_g(r), r)\bigr)v_p(p^*_g(r), r) - \bigl(1 - v_p(p^*_g(r), r)\bigr)c_p < 0. \tag{A.45}
\]
This completes the proof. $\blacksquare$
Proof of Proposition 4: We first have to consider how the equilibrium region changes when a rebate is offered. By Lemma 1, when $\pi\alpha < c_p - r$ the equilibrium outcome is in Region II with all consumers purchasing, and the expected social welfare is $W^{ii}_g = \frac{1}{2}(1 - \pi\alpha)$. When $c_p - r \le \pi\alpha \le \frac{1}{c_p - r}$, the equilibrium outcome is in Region I with $p = 0$, all consumers are purchasing, only consumers with valuations $v > \sqrt{\frac{c_p - r}{\pi\alpha}}$ are patching, and the expected social welfare is $W^i_g = \frac{1}{2} - c_p + \frac{c_p + r}{2}\sqrt{\frac{c_p - r}{\pi\alpha}}$. Finally, when $\pi\alpha > \frac{1}{c_p - r}$, the equilibrium outcome is in Region I with only the consumers with valuations $v > c_p - r - \frac{1}{\pi\alpha}$ purchasing and only the consumers with valuations $v > c_p - r$ patching. The expected social welfare in this region is $W^i_g = \frac{1}{2}(1 - c_p)^2 - \frac{r^2}{2}$.

Which of the above regions are reachable is determined by whether $\pi\alpha < c_p$, $c_p \le \pi\alpha \le \frac{1}{c_p}$, or $\pi\alpha > \frac{1}{c_p}$. When $\pi\alpha > \frac{1}{c_p}$, for any rebate such that $c_p - \frac{1}{\pi\alpha} \le r \le c_p$, the equilibrium outcome will be in Region I, with $v_b = 0$. For $0 \le r < c_p - \frac{1}{\pi\alpha}$, on the other hand, the equilibrium outcome will be in Region I, with $v_b > 0$. When $\pi\alpha < c_p$, for any rebate such that $0 \le r < c_p - \pi\alpha$, the equilibrium outcome will remain in Region II, while for $c_p - \pi\alpha \le r \le c_p$, it will move into Region I with $v_b = 0$. Finally, when $c_p \le \pi\alpha \le \frac{1}{c_p}$, the equilibrium outcome will remain in Region I, with $v_b = 0$ for all $r$ in $0 \le r \le c_p$.

With these ranges in mind, we first address the case where $\pi\alpha > \frac{1}{c_p}$. For $r$ such that $0 \le r < c_p - \frac{1}{\pi\alpha}$, the expected social welfare is $W^i_g = \frac{1}{2}(1 - c_p)^2 - \frac{r^2}{2}$ and is decreasing in $r$. Thus, the highest expected social welfare achievable under this rebate range is $\frac{1}{2}(1 - c_p)^2$. For $r \in [c_p - \frac{1}{\pi\alpha}, c_p]$, expected social welfare is given by $W^i_g = \frac{1}{2} - c_p + \frac{c_p + r}{2}\sqrt{\frac{c_p - r}{\pi\alpha}}$. Let $g(r) \triangleq \frac{1}{2} - c_p + \frac{c_p + r}{2}\sqrt{\frac{c_p - r}{\pi\alpha}}$. Then, we have $dg(r)/dr = \frac{c_p - 3r}{4\sqrt{\pi\alpha(c_p - r)}}$ and hence $g$ is increasing on $r \in [0, \frac{c_p}{3}]$ and decreasing on $r \in [\frac{c_p}{3}, c_p]$. Since $r^*_g = \frac{c_p}{3}$ maximizes this function, it remains to find when $r^*_g$ is feasible, i.e. $c_p - \frac{1}{\pi\alpha} \le \frac{c_p}{3}$. This condition is equivalent to $\pi\alpha \le \frac{3}{2c_p}$, and when it holds along with $\frac{1}{2}(1 - c_p)^2 \ge g(\frac{c_p}{3})$, then there does not exist an $r > 0$ such that the expected social welfare can be increased by offering a rebate of $r$. The latter holds if and only if
\[
\frac{1}{2}(1 - c_p)^2 - \left(\frac{1}{2} - c_p + \frac{2c_p}{3}\sqrt{\frac{2c_p}{3\pi\alpha}}\right) \ge 0, \tag{A.46}
\]
which, in turn, is satisfied if and only if $\pi\alpha \ge \frac{32}{27c_p}$. Now if $\pi\alpha > \frac{3}{2c_p}$ then $r^*_g$ is not feasible. However, $g(r^*_g) \ge g(r)$ for any other $r$. Thus when $\pi\alpha \ge \frac{32}{27c_p}$, there is no $r > 0$ such that the expected social welfare can be increased by offering a rebate $r$, while for $\pi\alpha \in [\frac{1}{c_p}, \frac{32}{27c_p})$, offering a rebate of $r^*_g = c_p/3$ maximizes the expected social welfare.

Second, when $\pi\alpha \in [c_p, \frac{1}{c_p}]$, as we showed above, for all $r$ the equilibrium outcome will be in Region I, with $v_b = 0$, and the expected social welfare will be $g(r)$ as described above. Clearly, in this range, it is optimal to offer a rebate precisely equal to $r^*_g = c_p/3$.

Finally, when $\pi\alpha < c_p$, as we have shown above, for all rebates such that $0 \le r < c_p - \pi\alpha$ we are still operating in Region II. Thus, the expected social welfare is unchanged as no consumer elects to patch even with the rebate. We focus our attention on $r$ such that $c_p - \pi\alpha \le r \le c_p$, in which case the equilibrium outcome will be in Region I, with $v_b = 0$. In order for $r^*_g$ to be feasible, we require that $c_p - \pi\alpha \le r^*_g = \frac{c_p}{3}$, which can be equivalently written as $\pi\alpha \ge \frac{2c_p}{3}$.

For $\pi\alpha \le \frac{2c_p}{3}$, we compare the expected social welfare $W^{ii}_g = \frac{1 - \pi\alpha}{2}$ against $g(c_p - \pi\alpha)$, as $g(\cdot)$ is decreasing in this range of rebates. However, it can be easily seen that $g(c_p - \pi\alpha) = W^{ii}_g$ and hence, for $\pi\alpha \le \frac{2c_p}{3}$ it is clearly suboptimal to offer a rebate.

For $\pi\alpha > \frac{2c_p}{3}$, we must compare $g(r^*_g) = g(\frac{c_p}{3})$ against $W^{ii}_g$. Let $h(\pi\alpha) \triangleq g(\frac{c_p}{3}) - \frac{1 - \pi\alpha}{2} = \frac{2c_p}{3}\sqrt{\frac{2c_p}{3\pi\alpha}} - c_p + \frac{\pi\alpha}{2}$. We first establish that $h$ is increasing in $\pi\alpha$. Taking the first derivative, we obtain $dh(\pi\alpha)/d(\pi\alpha) = \frac{1}{2} - \frac{\sqrt{6}}{9}\left(\frac{c_p}{\pi\alpha}\right)^{3/2}$. Taking the second derivative, we obtain $d^2h(\pi\alpha)/(d\pi\alpha)^2 = \frac{(c_p/\pi\alpha)^{3/2}}{\pi\alpha\sqrt{6}} \ge 0$. Hence, $h$ is convex and a lower bound on $dh(\pi\alpha)/d(\pi\alpha)$ is $dh(\pi\alpha)/d(\pi\alpha)|_{\pi\alpha = 2c_p/3}$, which is positive. Therefore, $h$ is increasing as well. Again since $\pi\alpha \ge 2c_p/3$, we obtain that $h(\pi\alpha) \ge 0$ for all $\pi\alpha$ in this range. Therefore when $\pi\alpha \in (\frac{2c_p}{3}, c_p]$, offering a rebate of $r^*_g = \frac{c_p}{3}$ increases (and maximizes) the expected social welfare. $\blacksquare$
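The derivatives of $g$ and $h$ quoted in the proof of Proposition 4 are stated without the intermediate algebra. The computation below is added here as a worked step (it is not part of the original appendix); it uses only the paper's definitions of $g(r)$ and $h(\pi\alpha)$, with $x = \pi\alpha$ as a local abbreviation that the paper does not use:
\[
\begin{aligned}
g(r) &= \frac{1}{2} - c_p + \frac{c_p + r}{2}\sqrt{\frac{c_p - r}{x}},\\
\frac{dg}{dr} &= \frac{1}{2}\sqrt{\frac{c_p - r}{x}} - \frac{c_p + r}{4\sqrt{x(c_p - r)}}
= \frac{2(c_p - r) - (c_p + r)}{4\sqrt{x(c_p - r)}} = \frac{c_p - 3r}{4\sqrt{x(c_p - r)}},\\
g(c_p - x) &= \frac{1}{2} - c_p + \frac{2c_p - x}{2}\cdot 1 = \frac{1 - x}{2} = W^{ii}_g,\\
h(x) &= g\Bigl(\frac{c_p}{3}\Bigr) - \frac{1 - x}{2} = \Bigl(\frac{2c_p}{3}\Bigr)^{3/2}x^{-1/2} - c_p + \frac{x}{2},\\
\frac{dh}{dx} &= \frac{1}{2} - \frac{1}{2}\Bigl(\frac{2}{3}\Bigr)^{3/2}\Bigl(\frac{c_p}{x}\Bigr)^{3/2} = \frac{1}{2} - \frac{\sqrt{6}}{9}\Bigl(\frac{c_p}{x}\Bigr)^{3/2},\qquad
\frac{d^2h}{dx^2} = \frac{3}{2}\cdot\frac{\sqrt{6}}{9}\Bigl(\frac{c_p}{x}\Bigr)^{3/2}\frac{1}{x} = \frac{(c_p/x)^{3/2}}{x\sqrt{6}},
\end{aligned}
\]
using $(2/3)^{3/2} = 2\sqrt{6}/9$ and $\sqrt{6}/6 = 1/\sqrt{6}$. At the left end of the range considered in the proof, $h(2c_p/3) = \frac{2c_p}{3} - c_p + \frac{c_p}{3} = 0$, so convexity of $h$ together with $dh/dx \ge 0$ on $x \ge 2c_p/3$ is what gives $h(x) \ge 0$ there, i.e. $g(c_p/3) \ge W^{ii}_g$.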
Proof of Proposition 5: For part (i), first suppose $\pi\alpha > \frac{1}{c_p}$. Then
\[
W^i_s(p) = \frac{1}{2}\left(1 - v_b^2 + \frac{\pi\alpha(p + c_p - v_b)^2 v_b^3(c_p - p + v_b)}{(p - v_b)^3} - 2c_p\left(1 + \frac{c_p v_b}{p - v_b}\right)\right). \tag{A.47}
\]
Taking the derivative with respect to $p$, we obtain
\begin{align*}
\frac{dW^i_s(p)}{dp} ={}& \frac{\pi\alpha(c_p + p - v_b)^2\Bigl(3c_p v_b^2\frac{dv_b}{dp} - v_b^3 - 3pv_b^2\frac{dv_b}{dp} + 4v_b^3\frac{dv_b}{dp}\Bigr)}{2(p - v_b)^3} - v_b\frac{dv_b}{dp} \tag{A.48}\\
&+ \frac{2\pi\alpha(c_p + p - v_b)\Bigl(1 - \frac{dv_b}{dp}\Bigr)v_b^3(c_p - p + v_b)}{2(p - v_b)^3} - \frac{3\pi\alpha(c_p + p - v_b)^2 v_b^3(c_p - p + v_b)\Bigl(1 - \frac{dv_b}{dp}\Bigr)}{2(p - v_b)^4}\\
&- \frac{c_p^2\frac{dv_b}{dp}}{p - v_b} + \frac{c_p^2 v_b\Bigl(1 - \frac{dv_b}{dp}\Bigr)}{(p - v_b)^2}.
\end{align*}
Furthermore, since $\pi\alpha > \frac{1}{c_p}$ and $p = 0$, by Lemma 1, we have $v_b = c_p - \frac{1}{\pi\alpha}$. Evaluating at $v_b = c_p - \frac{1}{\pi\alpha}$, we obtain $\frac{dv_b}{dp} = 1 + \frac{2}{\pi\alpha v_b}$. Simplifying, we obtain
\[
\left.\frac{dW^i_s(p)}{dp}\right|_{p = 0} = \frac{1 - 2\pi\alpha c_p}{2\pi\alpha(1 - \pi\alpha c_p)} > 0. \tag{A.49}
\]
Next suppose $c_p \le \pi\alpha \le \frac{1}{c_p}$. From (A.11), we see that $v_b$ approaches $\frac{p}{1 - \sqrt{\pi\alpha c_p}}$ as $p$ approaches zero. Plugging (A.12) into (A.48) and taking the limit as $p \to 0$, we have
\[
\lim_{p \to 0}\frac{dW^i_s(p)}{dp} = \frac{c_p}{4}\bigl(1 - \sqrt{\pi\alpha c_p}\bigr) > 0. \tag{A.50}
\]
Finally let $\pi\alpha < c_p$, i.e., the market can only be in Region II as described in Lemma 1. Consequently
\[
W^{ii}_s(p) = \frac{1}{2}(1 - v_b^2)\bigl(1 - \pi\alpha(1 - v_b)\bigr) = \frac{(\pi\alpha + p)(1 - \pi\alpha) + (\pi\alpha - p)\sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha p}}{4\pi\alpha}. \tag{A.51}
\]
Taking the derivative, we obtain
\[
\left.\frac{dW^{ii}_s(p)}{dp}\right|_{p = 0} = \left.\left(\frac{1 - \pi\alpha}{4\pi\alpha} - \frac{\sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha p}}{4\pi\alpha} + \frac{\pi\alpha - p}{2\sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha p}}\right)\right|_{p = 0} = \frac{\pi\alpha}{2(1 - \pi\alpha)} > 0. \tag{A.52}
\]
Therefore for all $\pi\alpha > 0$, there exists a $\tau > 0$ such that the expected social welfare can be increased by imposing a tax $\tau$.

For part (ii), first consider $\pi\alpha < c_p$. By Region II of Lemma 1, $v_p = 1$ and $v_b$ is given by (A.9). Substituting into (4), the first order condition yields
\[
\tau^*_t = \frac{-1 + 2\pi\alpha(1 + \pi\alpha) + \sqrt{(1 - \pi\alpha)^2\bigl(1 - 2\pi\alpha + 4(\pi\alpha)^2\bigr)}}{9\pi\alpha}, \tag{A.53}
\]
which is clearly increasing in $\pi\alpha$ in this range. By Lemma 1 and continuity of the welfare function, there exists a $\bar{\theta} > c_p$ such that for all $c_p < \pi\alpha < \bar{\theta}$, the optimal tax is given by (A.53). Defining $\xi$ as in the proof of Proposition 2 and by (A.48), we obtain $\tau^*_t = \xi - \frac{3}{2c_p}\xi^2 + O(\xi^3)$. Therefore, for large enough $\pi\alpha$, $\tau^*_t$ is decreasing in $\pi\alpha$ and increasing in $c_p$. $\blacksquare$
Proof of Proposition 6: By part (ii) of Proposition 4, the social welfare under the optimal rebate is given by $W^*_g \triangleq W_g(\frac{c_p}{3}) = \frac{1}{2} - c_p + \frac{1}{\sqrt{\pi\alpha}}\left(\frac{2c_p}{3}\right)^{3/2}$. When a tax is imposed the resulting equilibrium is either in Region I or Region II as given in Lemma 1. Suppose that the equilibrium falls in Region II. By Lemma 1, $v_p = 1$ and $v_b$ is given by (A.9). Substituting into (4), the social welfare is given by
\[
W^{ii}_t(\tau) = \frac{(\pi\alpha + \tau)(1 - \pi\alpha) + (\pi\alpha - \tau)\sqrt{(1 - \pi\alpha)^2 + 4\pi\alpha\tau}}{4\pi\alpha}. \tag{A.54}
\]
$W^{ii}_t(\cdot)$ is concave and the optimal tax is given by
\[
\tau^*_t = \frac{-1 + 2\pi\alpha(1 + \pi\alpha) + \sqrt{(1 - \pi\alpha)^2\bigl(1 - 2\pi\alpha + 4\pi\alpha^2\bigr)}}{9\pi\alpha}. \tag{A.55}
\]
Define $W^*_t \triangleq W^{ii}_t(\tau^*_t)$ and let $\pi\alpha = kc_p$. We then have
\[
W^*_g = \frac{1}{2} - \left(1 - \frac{2}{3}\sqrt{\frac{2}{3k}}\right)c_p + O(c_p^2), \tag{A.56}
\]
and $W^*_t = \frac{1}{2} - \frac{kc_p}{2} + O(c_p^2)$. Comparing the two expressions, it follows that for sufficiently small $c_p$, $W^*_g > W^*_t$ if and only if $k > 2/3$. Now suppose that the optimal tax induces Region I equilibrium behavior. In this case, the social welfare is given by
\[
W^i_t(\tau) = \frac{1}{2}\left(1 - v_b^2 - \frac{\pi\alpha v_b^3(v_b - \tau - c_p)^2(v_b - \tau + c_p)}{(v_b - \tau)^3} - 2c_p\left(1 - \frac{c_p v_b}{v_b - \tau}\right)\right), \tag{A.57}
\]
where $v_b$ solves (A.7) with $p = \tau$. By (A.7), as $c_p \to 0$, $z_1 \triangleq \lim_{c_p \to 0}(v_b - \tau)/c_p^2$ is constant. Further, taking the derivative with respect to $\tau$, substituting $\pi\alpha = kc_p$, writing the first order condition and by (A.12), it follows that for the optimal tax $\tau^*_t$, $z_2 \triangleq \lim_{c_p \to 0}\tau^*_t/c_p$ is constant. Substituting in (A.7) and taking the limit of both sides as $c_p \to 0$, we obtain $z_2 = z_1/\sqrt{k}$. Further, substituting these two limits back into the first order condition and taking the limit as $c_p \to 0$, we find that for the optimal tax
\[
\lim_{c_p \to 0}\frac{\tau^*_t}{c_p} = \frac{27z_2^3}{16} + \frac{81k^4 z_2^9}{256z_1^8} + \frac{81k^2 z_2^6}{64z_1^4} + \frac{z_1^2}{k} + \frac{3z_1^4}{4k^2}. \tag{A.58}
\]
Substituting $z_2 = z_1/\sqrt{k}$ in (A.58) and solving for $z_1$, we obtain $z_1 = \sqrt{k}/4$. It follows that $z_2 = 1/4$. Substituting back into (A.57) yields $W^*_t \triangleq W^i_t(\tau^*_t) = \frac{1}{2} - \left(1 - \frac{1}{2}\sqrt{k}\right)c_p + O(c_p^2)$. Comparing with (A.56), we see that $W^*_g > W^*_t$, which completes the proof. $\blacksquare$