Internet Security Vulnerability Disclosure and Software Provision

Working Paper: CEPR ID: DP5269

Authors: Jay Pil Choi; Chaim Fershtman; Neil Gandal

Abstract: In this paper, we examine how software vulnerabilities affect firms that license software and consumers that purchase software. In particular, we model three decisions of the firm: (i) an upfront investment in the quality of the software to reduce potential vulnerabilities; (ii) a policy decision whether to announce vulnerabilities; and (iii) a price for the software. We also model two decisions of the consumer: (i) whether to purchase the software; and (ii) whether to apply a patch.

Keywords: internet security; network effects; software; vulnerabilities

JEL Codes: L86; O3


Causal Claims Network Graph

Edges that are evidenced by causal inference methods are in orange, and the rest are in light blue.


Causal Claims

| Cause | Effect |
| --- | --- |
| Ease of hacker attacks (K24) | Firm's investment in software quality (L15) |
| Ease of hacker attacks (K24) | Firm's announcement of vulnerabilities (L17) |
| Difficulty of hacker attacks (K24) | Firm's investment in security (G31) |
| Difficulty of hacker attacks (K24) | Firm's announcement of vulnerabilities (L17) |
| Firm's incentives do not align with social welfare (L21) | Firm's decision-making inefficiencies (D21) |
