IS

Subramaniam, Chandrasekar

Topic Weight Topic Terms
0.537 software vendors vendor saas patch cloud release model vulnerabilities time patching overall quality delivery software-as-a-service
0.330 security threat information users detection coping configuration avoidance response firm malicious attack intrusion appraisal countermeasures
0.147 insurance companies growth portfolios intensity company life portfolio industry newly vulnerable terms composition operating implemented
0.121 information types different type sources analysis develop used behavior specific conditions consider improve using alternative
0.103 value business benefits technology based economic creation related intangible cocreation assessing financial improved key economics


Coauthors (number of co-authorships): Kumar, Ram L. (2); Park, SungJune (2); Temizkan, Orcun (1)
business value of IT (1); economics of IS security (1); information systems security (1); IT asset valuation (1); patch quality (1); patch release time (1); patch types (1); software vendor types (1); software vulnerability characteristics (1); survival analysis (1)

Articles (2)

Patch Release Behaviors of Software Vendors in Response to Vulnerabilities: An Empirical Analysis. (Journal of Management Information Systems, 2012)
Abstract:
    Software vulnerabilities have become a serious concern because unpatched software runs the risk of being exploited by hackers. There is a need for software vendors to make software patches available in a timely manner for vulnerabilities in their products. We develop a survival analysis model of software vendors' patch release behavior and test it using a data set compiled from the National Vulnerability Database, United States Computer Emergency Readiness Team, and vendor Web sites. This model helps to understand how factors specific to vulnerabilities, patches, software vendors, and software affect the patch release behavior of software vendors based on their cost structure. This study also analyzes the impact of the presence of multiple vendors and type of vendor on the patch release behavior of software vendors. Our results indicate that vulnerabilities with high confidentiality impact or high integrity impact are patched faster than vulnerabilities with high availability impact. Interesting differences in the patch release behavior of software vendors based on software type (new release versus update) and type of vendor (open source versus proprietary) are found. Our results illustrate that when there are legislative pressures, vendors react faster in patching vulnerabilities. Thus, appropriate regulations can be an important policy tool to influence vendor behavior toward socially desirable security outcomes.
Understanding the Value of Countermeasure Portfolios in Information Systems Security. (Journal of Management Information Systems, 2008)
Abstract:
    Organizations are faced with a variety of information security threats and implement several information system security countermeasures (ISSCs) to mitigate possible damage due to security attacks. These security countermeasures vary in their ability to deal with different types of security attacks and, hence, are implemented as a portfolio of ISSCs. A key challenge for organizations is to understand the economic consequences of security attacks relative to the ISSC portfolio implemented. This paper combines the risk analysis and disaster recovery perspectives to build an integrated simulation model of ISSC portfolio value. The model incorporates the characteristics of an ISSC portfolio relative to the threat and business environments and includes the type of attack, frequency of attacks, possible damage, and the extent and time of recovery from damage. The simulation experiments provide interesting insights into the interactions between ISSC portfolio components and characteristics of business and threat environments in determining portfolio value.