DM Review | Covering Business Intelligence, Integration & Analytics

Stanford Business School Study Finds Strategies for Getting Users to Adopt Computer Software Security Patches

Online News published in DMReview.com
December 19, 2005

In the summer of 2001, a computer worm called Code Red II invaded hundreds of thousands of computers, giving hackers unauthorized access to systems and nearly shutting down the White House Web site. This type of malicious hacker-authored code spreads like smallpox through unprotected computers and networks. The most recent high-profile case hit the Internet in mid-August just this year. Users who take a chance by not downloading a program patch to keep out the worm or who fail to upgrade their software risk spreading such Internet infections.

"The best way to stop this kind of malicious code is for software vendors to spend the time and money necessary to produce reliable, easy-to-install protection programs and make them readily available to users," says Tunay Tunca, assistant professor of operations, information and technology at the Stanford Graduate School of Business.

"The total worldwide cost of major computer security attacks between 1999 and 2004 was estimated to be about $36.5 billion, so this is a significant problem," says Tunca, the 2005 Moghadam Family Faculty Fellow at the Stanford Graduate School of Business. Worms and other kinds of security threats, he says, can harm home machines and larger computer networks by triggering annoying operational glitches, destroying data or putting personal information in the hands of strangers. Hackers do their damage by writing code that seeks software vulnerabilities in individual computers and then spreads globally through the Internet by finding and attacking machines with similar holes.

Software vendors generally catch weaknesses in their programs before hackers do, says Tunca, and make special protective programs known as "patches" that they provide free for users to download. Microsoft, for example, saw the hole in its Internet Information Services product in 2001 and made a patch immediately available. However, not enough people installed the patch and less than a month later the Code Red worm was eating its way into households, corporate computer systems and the White House Web site.

"It's often not easy to install these patches, so users accrue costs such as time spent trying to fix problems or money spent on hiring or channeling the IT people to do it," Tunca says. "That means a significant percentage of Internet users don't apply patches in a timely manner, so worms spread." And when that happens, he says, users blame software vendors - creating bad public relations and affecting sales.

In their paper, "Network Software Security and User Incentives," Tunca and Stanford Business School doctoral student Terrence August developed several mathematical models to figure out how software vendors - as well as providers of freeware made available to users at no cost - can coax consumers into applying patches. By running analyses on various scenarios, they determined that what does not work is mandating patching as a part of a user contract agreement or having the government apply special taxes to software likely to experience vulnerabilities. Both options turn off users and turn them away from a vendor's software.

Offering patch users rebates on future purchases is a somewhat better solution, but the best and most practical approach, Tunca has found, is simply for the company to spend the resources necessary to make its patches easier to use and more reliable. "That makes patching costs lower for the consumers and increases the likelihood they will use them," he says. The more users apply patches, the more security improves. The result can be a win-win: Both users and software vendors benefit, despite the resources and money it takes the latter to "assume" part of users' patching costs in this way.

The situation is slightly different in the case of freeware, however. Since the altruistic creators of such software do not financially benefit from their work, rebates or spending the time and money to create better patches are impractical and ineffective solutions. In this case, says Tunca, a security fee on the free software could be helpful because it could turn away some users - generally the very consumers who treat such software cavalierly and are therefore least likely to use patches.

Software companies that want to both improve Internet security and protect their own bottom lines, says Tunca, are best off letting the free market system operate without mandates or taxes. "Spending resources on creating good remedies and leaving people to their own decisions pays off and benefits everyone involved," he advises.


This piece has been brought to you by the DM Review Editorial staff.

SourceMedia (c) 2006 DM Review and SourceMedia, Inc. All rights reserved.