Network Software Security and User Incentives

We study the effect of user incentives on software security in a network of individual users under costly patching and negative network security externalities. For proprietary software or freeware, we compare four alternative policies to manage network security: (i) Consumer self patching (where no external incentives are provided for patching or purchasing); (ii) Mandatory patching; (iii) Patching rebate; and (iv) Usage tax. We show that for proprietary software, when the software security risk and the patching costs are high, for both a welfare maximizing social planner and a profit maximizing vendor, a patching rebate dominates the other policies. However, when the patching cost or the security risk is low, self patching is best. We also show that when a rebate is effective, the profit maximizing rebate is decreasing in the security risk and increasing in patching costs. The welfare maximizing rebates are also increasing in patching costs but can be increasing in the effective security risk when patching costs are high. For freeware, a usage tax is the most effective policy except when both patching costs and security risk are low, in which case, a patching rebate prevails. Optimal patching rebates and taxes tend to increase with increased security risk and patching costs but can decrease in the security risk for high risk levels. Our results suggest that both the value generated from software and vendor profits can be significantly improved by mechanisms that target user incentives to maintain software security. ∗Graduate School of Business, Stanford University, Stanford, CA 94305-5015. e-mails: [email protected], tunca [email protected]. We thank Barrie Nault (the department editor), the associate editor and anonymous referees as well as Mike Harrison, Sunil Kumar, Howard Kunreuther, Haim Mendelson, Jim Patell, Hal Varian, Larry Wein, Jin Whang, Muhamet Yildiz and seminar participants at Harvard University, New York University and Stanford University for helpful discussions. Financial support from the Center of Electronic Business and Commerce at the Graduate School of Business, Stanford University is gratefully acknowledged.