How to encourage security-patch use

Software vendors must spend time, money necessary to produce protection programs that are readily available, professor says

In the summer of 2001, a computer worm called Code Red II invaded hundreds of thousands of computers; it gave hackers unauthorized access to systems and nearly shut down the White House website.

The malicious hacker-authored code spreads like smallpox through unprotected computers and networks. Users who take a chance by not downloading a program patch to keep out the worm or who fail to upgrade their software risk spreading such Internet infections.

The best way to stop this kind of malicious code is for software vendors to spend the time and money necessary to produce reliable, easy-to-install protection programs and make them readily available to users, says Tunay Tunca, assistant professor of operations, information and technology.

"The total worldwide cost of major computer security attacks between 1999 and 2004 was estimated to be about $36.5 billion, so this is a significant problem," says Tunca, the 2005 Moghadam Family Faculty Fellow at the Graduate School of Business.

Worms and other kinds of security threats, he says, can harm home machines and larger computer networks by triggering annoying operational glitches, destroying data or putting personal information in the hands of strangers. Hackers do their damage by writing code that seeks software vulnerabilities in individual computers and then spreads globally through the Internet by finding and attacking machines with similar holes.

Software vendors generally catch weaknesses in their programs before hackers do, Tunca says, and make special protective programs known as "patches" that they provide free for users to download. Microsoft, for example, saw the hole in its Internet Information Services product in 2001 and made a patch immediately available. However, not enough people installed the patch and, less than a month later, the Code Red worm was eating its way into households, corporate computer systems and the White House website.

"It's often not easy to install these patches, so users accrue costs such as time spent trying to fix problems or money spent on hiring or channeling the IT people to do it," Tunca says. "That means a significant percentage of Internet users don't apply patches in a timely manner, so worms spread." And when that happens, he says, users blame software vendors—creating bad public relations and affecting sales.

Tunca and Stanford doctoral student Terrence August developed several mathematical models to figure out how software vendors, as well as providers of freeware made available to users at no cost, can coax consumers into applying patches. By running analyses on various scenarios, they determined that what does not work is mandating patching as part of a user contract agreement or having the government apply special taxes to software likely to experience vulnerabilities. Both options turn off users—and turn them away from a vendor's software.

Offering patch users rebates on future purchases is a somewhat better solution, but the best and most practical approach, Tunca has found, is simply for the company to spend the resources necessary to make its patches easier to use and more reliable. "That makes patching costs lower for the consumers and increases the likelihood they will use them," he says. The more users apply patches, the more security improves. The result can be a win-win: Both users and software vendors benefit, despite the resources and money it takes the latter to "assume" part of users' patching costs in this way.

However, the situation is slightly different in the case of freeware. Since the altruistic creators of such software do not financially benefit from their work, rebates or spending the time and money to create better patches are impractical and ineffective solutions. In this case, says Tunca, a "security fee" on the free software could be helpful because it could turn away some users—generally the very consumers who treat such software cavalierly and are therefore least likely to use patches.

Software companies that want to both improve Internet security and protect their own bottom lines, says Tunca, are best off letting the free market system operate without mandates or taxes. "Spending resources on creating good remedies and leaving people to their own decisions pays off and benefits everyone involved," he advises.