Skip to Main content Skip to Navigation

Economics of information security and the market for software vulnerabilities

Abstract : This thesis aims at contributing empirically to the research field of information security economics, by referring to traditional tools and knowledge in economics especially in Industrial Organization. It focuses on new and evolving elements in the cybersecurity environment such as the use of free software revenue models in digital markets (Chapter 1), the introduction of crowdsourcing mechanisms to improve software security (Chapter 2), or the increasing involvement of third parties in software security (Chapter 3). I am particularly interested in understanding the incentives of major actors that contribute to software security, such as software vendors, white-hat hackers, security firms, and other third parties. The thesis is organized in three chapters, each addressing a separate research question. In a first chapter, I examine the impact of competition intensity on software vendors' security investment behavior. I study the case of a software at the center of Internet security, namely the web browser, in which the vendors derive their revenue from advertising and compete in quality. I find out that market concentration is not necessarily harmful to security provision: indeed, higher market concentration positively impacts vendors' responsiveness in patching vulnerabilities, although this effect is reduced when a vendor is too dominant. In a second chapter, I focus on the crowdsourcing mechanism of white-hat hackers, which is representative of the market for software vulnerabilities that capitalizes on third parties' contribution. I study how hackers' perception of the uncertainty to be rewarded, determined by the level of information a contest provides about the contractual terms, affects their participation and thus the efficiency of the contest. I show that the self-selection process of participants leads to a trade-off between more numerous, but less performant participants, and higher quality but fewer participants. In a third chapter, I examine how the disclosure of a critical vulnerability affects the contribution of software vendors and third parties in discovering new vulnerabilities. I find that third parties' overall contribution in improving software security is considerable and that their contribution is significantly affected by externalities such as the disclosure of a critical vulnerability.
Document type :
Complete list of metadata

Cited literature [91 references]  Display  Hide  Download
Contributor : ABES STAR :  Contact
Submitted on : Thursday, April 30, 2020 - 3:35:08 PM
Last modification on : Wednesday, June 15, 2022 - 9:04:40 PM


Version validated by the jury (STAR)


  • HAL Id : tel-02559592, version 1


Arrah-Marie Jo. Economics of information security and the market for software vulnerabilities. Economics and Finance. Institut Polytechnique de Paris, 2019. English. ⟨NNT : 2019IPPAT003⟩. ⟨tel-02559592⟩



Record views


Files downloads