Let the Pirates Patch? An
Economic Analysis of Software
Security Patch Restrictions
Terrence August
*Joint work with Tunay I. Tunca

Internet Server Software Market
Motivation

Motivation
Code Red and the Problem
 Code Red / Code Red II

Worm that attacks web servers running IIS

Installs back door and propagates 100 times over per infection

Distributed Denial of Service (DDoS) attack on www1.whitehouse.gov

Patch issued by Microsoft on June 18, 2001

Code Red worm strikes on July 19, 2001
 $2.75 Billion in damages

Worm Date
Code Red 7.19.2001
Vulnerability
Notice
Motivation
Estimated Cost
($)
1 month 2.75 Billion
Slammer 1.25.2003
Blaster
Sasser
Zotob
8.11.2003
5.1.2004
8.13.2005
6 months
1 month
2 weeks
4 days
1.5 Billion
750 Million
14.8 Billion
$98K/company
(on average)

US-CERT Coordination Center
CERT Reported Incidents
160
140
120
100
80
60
40
20
0
1988 1993
Year
1998 2003
Motivation

Motivation
Microsoft (Windows Genuine Advantage)
Microsoft issues statement
Mike Nash (VP, Security Business and
Permit
Pirates
SP2
Restrict
Pirates counterfeit keys for obtain security patches
SP2 SP2
SP2 update
WGA
Permit
Pirates
Apr-04
May-04
Late
May-04
Jul-04 Sept-04
Feb-05
May-05

Motivation

Two Options

Make security patches available to all users

Network is more secure
 Sasser worm: $14.8B

Slammer worm: $1.5B

Network effects

Restrict security patches only to legitimate users

Network is less secure

Curb piracy
Motivation

Motivation
Piracy in the Software Industry
 Business Software Alliance (BSA) and International
Data Corporation (IDC)

Piracy rates
 35% in 2004

Exceeds 75% in 24 countries

Economic Losses (globally)

$59B spent on packaged software
 $90B+ installed

Motivation
Research Questions

Under high network security risk, should a software vendor make security patches readily available to all users?

Why might a vendor such as Microsoft allow pirates to patch security vulnerabilities?

Can piracy lead to less secure software products?

Are the arguments made by the security community that software vendors should “do the right thing” valid?

Literature Review
Economics of Info. Security and Piracy
Information Security Piracy
• Interdependent Security e.g., Kunreuther et al. (2002),
Kunreuther and Heal (2003, 2005),
Varian (2004), August and Tunca
(2006)
• Quantification of Losses e.g., Moore and Shannon (2002),
Cavusoglu (2004)
• Worm Spread Dynamics e.g., Weaver et al (2003) e.g., Peitz and
Waelbroeck (2003)

Key Observations

Software patching is costly

Losses from security breaches are positively correlated with valuations

Piracy tendencies vary across users
Model

Timeline
Vendor sets price and policy
Consumers make usage decisions
Vendor releases security patches /
Consumers make patching decisions
Worm attack realizes on network t = 0 t = 1 t = 2 t = 3
Model

Consumer Model

Consumer valuation space:

Consumer heterogeneity in regard to piracy:

Consumer action space:
Model

Costs and Losses
 Effective cost of patching:

Loss from attack:

Expected cost of piracy:
Model

Consumer’s Problem

Consumer Market Structure



Consumer Market Structure
Equilibrium Characteristics

There is always a group of consumers who use but do not patch

There is always a population of users whose valuations are higher than the price but end up not purchasing the software

Users impose negative externalities on:

Other users

The software vendor

Consumer Market Structure
Pricing and Piracy

Pricing to deter piracy:

Two regions – August and Tunca (2006)
Region 1:
• Low price
1
Region 2:
• High price
1
0 0

vb
Consumer Market Structure
Threshold Characterization

Consumer Market Structure
Pricing and Piracy

Two policies which the firm can enforce:

Permissive policy:
 “Let” the pirates patch

Restrictive policy:
 Do “not let” the pirates patch

Let the Pirates Patch:
 Unpatched population:
Consumer Market Structure

Consumer Market Structure
Let the Pirates Patch:
 Four possible equilibrium market structures
Increasing security risk

Consumer Market Structure
Don’t Let the Pirates Patch:
 Unpatched population:

Consumer Market Structure
Don’t Let the Pirates Patch:
 Six possible equilibrium market structures
Increasing security risk

Vendor Profit Maximization
Profit Functions and the Vendor’s Problem:

Optimal Policy Decision for the Vendor
 When to restrict security patches?

When to let pirates patch?
Results

Proposition 1: When to be restrictive

When the effective security risk is high, a software vendor can strictly increase his profit by restricting pirates from receiving security patches.
 Common perception

Reduce the risk on the network

A more secure product benefits all users
Results

Don’t let them patch when…
Results
Let Do not Let

Proposition 2: When to be permissive

When the patching cost is not too high and the effective security risk is below a threshold value, a software vendor should permit pirates with access to security patches.

Contrast

Strong incentives to patch

Vendor wants to price high

Not willing to provide incentives for conversion

Increased usage due to reduction in negative network effects
Results

Let them patch when…
Results
Do not Let Let

Proposition 3

When the potential for piracy in a market is high, a software vendor should enforce a restrictive policy.
 Candidates: Vietnam, Ukraine, China, …
 Small size of low piracy tendency (Type L) population

When the potential for piracy in a market is high, a software vendor prefers a less secure product to a more secure product.
Results

Lack of Incentives for Secure Software
Results

Proposition 4

When the effective security risk is high and the patching cost is affordable to some users, the vendor’s optimal profit can decrease in the level of piracy enforcement.
Security Risk
Low High
Piracy
Enforcement
Low
High
Increasing
Increasing
Results

0.22
0.21
0.2
0.19
0.18
0.17
I
I'
0.16
0.15
0.14
0.13
0.12
0
II
0.1
Increasing Returns to Enforcement
III
0.4
0.2
 d c d
0.3
0.5
Results

Proposition 4

When the effective security risk is high and the patching cost is affordable to some users, the vendor’s optimal profit can decrease in the level of piracy enforcement.
Security Risk
Low High
Decreasing
Piracy
Enforcement
Low
High
Increasing
Increasing Increasing
Results

Results
0.196
0.17
0.194
0.16
0.192
0.15
0.19
0.14
0.188
0.13
0.186
0.12
I
I'
II
II
III
III
0.15
0.14
0.13
0.12
0
0.22
0.21
0.2
0.19
0.18
0.17
I
I'
0.16
II
0.1
Increasing Returns to Enforcement
III
0.4
0.2
 d c d
0.3
0.5

0.22
0.21
0.2
0.19
0.18
0.17
I
I'
0.16
0.15
0.14
0.13
0.12
0
II
0.1
Increasing Returns to Enforcement
III
0.4
0.2
 d c d
0.3
0.5
Results

0.4
0.38
0.36
I
0.34
Impact of Piracy Enforcement on Social Welfare
II III
0.32
0.3
I'
0 0.1
0.2
 d c d
0.3
0.4
0.5
Results

Decreasing Returns to Enforcement
0.206
0.204
0.202
0.2
0.198
0.196
0.194
0.192
0.19
0.188
0.186
0
II III
0.1
0.2
 d c d
0.3
0.4
0.5
Results

0.33
0.32
0.31
0.3
0
0.36
0.35
0.34
Impact of Piracy Enforcement on Social Welfare
0.1
II
0.2
 d c d
0.3
0.4
III
0.5
Results

Proposition 5
Security patch restrictions can be welfare superior to a permissive approach

When the patching cost and the effective security risk is low, social welfare can increase under a restrictive policy.
Results

Let the Pirates Patch?
Results

Concluding Remarks
Summary

Model of network software security with piracy

Role of incentives in setting security patch restriction policies
 Explain patch restrictions under high security risk
 Microsoft’s permissive policy

Security risk can be strategically used by vendors as a tool to convert pirates into legitimate users

Security patch restrictions do not necessarily reduce welfare