Description
Impact of Cyberattacks by Malicious Hackers on the Competition in Software Markets Ravi Sena, Ajay Vermab, and Gregory R. Heima
aTexas A&M University, College Station, Texas, USA; bGuidance, Navigation & Control Engineer, Lockheed Martin Missiles and Fire Control, Grand Prairie, Texas, USA
ABSTRACT The number of malicious hacking incidents in our increasingly IT- enabled world has been increasing over the years. Conventional wisdom focuses on negative impacts of these malicious hacker activ- ities. We posit that malicious hacker activities also might lead to some unintended consequences, specifically related to altering of software market structure, and associated stakeholder consequences. In this study, we model the competition between two software platforms in the presence of malicious hackers who perform cyberattacks against one or both software platforms. We compare a benchmark case where malicious hackers are either absent, or if present do not target the software platforms, against a first scenario where only one soft- ware platform is targeted, and a second scenario where both soft- ware platforms are targeted. Interestingly, we find the presence of malicious hackers’ activities is not always detrimental to all software industry stakeholders. In general, the results suggest that the pre- sence of malicious hackers is more likely to result in a competitive market, while their absence is more likely to result in a monopoly. Furthermore, we show that under certain market conditions, the unsecure software platform targeted by hackers potentially can drive its more secure competitor out of the market.
KEYWORDS Software competition; malicious hackers; software markets; cyberattacks; software platforms
Introduction
This paper examines stakeholder implications of cyberattacks performed by malicious software hackers on software platform vendors within a single software market sector. In the good old days of the software industry, the term hacker was used as a compliment to describe very clever programmers, without ascribing ethical or moral valence to the actions of such individuals. More recently, the term has taken on negative connotations. Dictionaries today define a hacker as “a person who uses computers to gain unauthorized access to data” [13], and as “a person who secretly gets access to a computer system in order to get information, cause damage, etc.” [32]. While there have been attempts to use other terms to distinguish hackers having malicious intent (e.g., crackers, Black Hats, Grey Hats,1 unethical hackers), the fact remains that the common understanding of the term hacker is closer to the previously provided definitions. As such, in this paper, the term hacker should be understood to mean malicious hackers. We do not focus on ethical/ white hat hackers, security consultants such as pen-testers, or vulnerability discoverers
CONTACT Ravi Sen [email protected] Texas A&M University, 320S Wehner Building, 4217 TAMU, College Station, TX 77843
Supplemental data for this article can be accessed on the publisher’s website.
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS 2020, VOL. 37, NO. 1, 191–216 https://doi.org/10.1080/07421222.2020.1705511
© 2020 Taylor & Francis Group, LLC
because the actions of these individuals are targeted at and requested by their clients. Moreover, these non-malicious hackers do not exploit software users, release malware, or steal data.
Hacking activities are by no means only a contemporary phenomenon, yet anecdotally they often seem to be. With expanding use of new technology variants, the variety of innovations in hacking modes continues to expand [40]. Technology hacking today results in a huge number of hacking incidents (i.e., over 64,000 in 2015) and results in verified data breaches [17, 38]. Hacker related incidents affect a large proportion of individuals and lead to large annual stakeholder costs [10, 11, 34]. Annually over the past decade, verified data breaches have been most frequently caused by several variants of software hacking attacks [20, 38]. Hacking activities are so pervasive globally that one can observe the real-time generation of malicious hacking across the globe via resources such as the Kaspersky Cyberthreat Real-Time Map.2 Yet, neither popular media, nor government studies, nor academic literatures have investigated the role of this malicious hacking activity in shaping the software industry.
In this study, we focus on the activities of malicious hackers and observe that perhaps the net outcome of their hacking efforts is not always bad. The growth of malicious hacking phenomena across major public, private, and governmental organizations moti- vates the research questions behind this study: What is the impact of malicious hackers’ attacks on competition in software markets? Is the presence of malicious hacker attacks in a marketplace all bad? Or are there some positive consequences (intended or unintended) of malicious hackers’ activities? Among the possible consequences of malicious hacking, the most obvious outcome generally concerns changes in the competitive market that may affect stakeholder (e.g., end user, corporate client, or software vendor) utility in some manner. Through a stylized model, we examine impacts of the presence of malicious hackers who perform successful cyberattacks against one or several software vendors in a software industry sector. Thus, from among the potential outcomes of malicious hack- ing, this paper largely focuses on outcomes derived from resultant changes to competition within a software industry sector. Studying this impact of malicious hacker attacks on competition is important because of the wide-ranging and pervasive nature of malicious hacker attacks today, affecting software industry vendors as well as major users of software and, thus, the competitive structure of many industries.
We investigate these research questions in the context of a software market. We model a market consisting of two competing software platforms in the presence of malicious hackers. We set up a benchmark case where the hackers are either absent or do not target any cyberattacks against the competing software platforms. We then compare the bench- mark case against a first scenario where one software platform is targeted by cyberattacks, and a second scenario where both software platforms are targeted by cyberattacks. We assume these malicious hacker attacks are successful attacks, since unsuccessful attacks will not lead to repercussions for software vendors or for software users. Through stylized analytical models, we dig into the conventional wisdom that malicious hackers cause only damages and losses for software industry stakeholders. Doing so fills in a literature gap pertaining to social welfare implications of stakeholders, arising from actions of malicious hackers, and leads to several useful insights concerning the presence of software hacker activities on software market competition.
192 R. SEN ET AL.
Interestingly, we find the presence of malicious hackers in a software market is a double-edged sword and is not always detrimental to software industry stakeholders. We find that the presence of such hackers makes the software market more competitive. As a result, consumers may unintentionally benefit from the presence of malicious hackers, in short because these hackers tend to target actions proportionally with respect to the software platforms having a large numbers of users. We also observe that under certain conditions an unsecure software platform targeted by hackers potentially can drive its more secure competitor out of the software market. This finding illustrates context- specific managerial insights useful to the long-term management of software platforms in the presence of malicious hacker activities.
The paper is organized as follows. The second section provides a brief overview of relevant literature. The third section develops the analytical model. The fourth section presents our analysis of implications for software markets. The final section concludes with contributions, limitations, and future directions.
Literature Review
Competition in a marketplace in general, and among software products in particular, has been studied for a long time. Early studies investigated the impact of network effects on competition between systems [26], competition between standards in a software market [19], and on competition within software markets [8, 18]. More recently, some studies explore the impact of network effects on software completion between open source and proprietary software products [12, 24, and 35]. Lin [29] explores this same competition under the influence of network effects and varying levels of users’ software skills. Lanzi [28] explores the issue under an assumption that the competing software products are compatible. Since software markets experience two-sided network externalities, researchers have incorporated this factor into studies on competition in software markets [33]. In addition to the role of network effects on software competition, researchers have also studied the impact of different channel strategies and product heterogeneity on competition between software products. For example, Bitzer [6] investigated the impact of product heterogeneity on the competition between open source software (OSS) and commercial software, while Fan et al. [14] analyze the competition between Software-as-a-Service (SaaS) and traditional shrink- wrap software. Finally, some studies investigate the impact of piracy on software markets [e.g., 31].
However, the existing literature on competition between software products or systems has a major gap. To the best of our knowledge, no study investigates the impact of malicious hacker attacks on the competition between software products or software plat- forms. Without accounting for hacker actions, extant models examine a software produ- cer’s decision about releasing vulnerable software or patching vulnerabilities so hackers cannot attack them [2]. Models also study liability arising from software vulnerabilities [3, 27] and to what extent known software vulnerabilities can affect software vendor market values [10, 37]. Studies model markets for the generation of software vulnerabilities [25] and competitive market policy aspects of vulnerability discovery and disclosure activities of hackers [9, 36]. Yet, to the best of our knowledge, no prior study examines competitive statics that arise from malicious hacker activity within a software market structure. This
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS 193
situation motivates the following question: Why is it important to understand the impact of malicious hacker attacks on competition in software markets?
Malicious hacker attacks on technology are not a modern phenomenon. One of the earliest examples of malicious hacking was the disruption of John Ambrose Fleming’s public demonstration of Guglielmo Marconi’s wireless telegraphy technology by Nevil Maskelyne [30]. In 1903, Maskelyne managed to “hack” the demonstration and send insulting Morse code messages through the auditorium’s projector during this demonstra- tion [30]. More recently, in January 2016 account information for at least 500 million Yahoo users was hacked,3 and in May 2017, data on 143 million Americans was exposed by Equifax.4
It has been established that security breaches caused by malicious hackers lead to disruptions and downtime in the targeted systems, causing financial loss for the users of these systems. The users of the software systems incur other costs as well. For instance, industrial users may have to pay additional insurance premiums [22] for using software known to have weak security. As a result, potential users are more likely to favor software that has stronger security. Moreover, existing software users can punish a vendor of vulnerable software by switching to a competing vendor, or delaying their software upgrade purchases, while potential customers may avoid buying the vulnerable software product [37]. Finally, Wright [39] argues that users of software will act rationally, which implies that all else held equal (e.g., similar features and functionality), a user should choose more secure software over less secure software. Since malicious hackers often intentionally draw attention to software security (or a lack thereof), it is reasonable to assume that the presence of malicious hackers should impact competition in a software market.
The question remains as to the nature of the malicious hacker impact on market competition. In this study, we address this issue. We contribute by modeling a software market as a duopoly, with malicious hackers targeting either one or both of the competing software platforms. The results show that in the absence of malicious hackers, the most likely equilibrium market structure is a monopoly. Interestingly, when hackers target at least one of the competing software products, the resulting market structure is more competitive. As such, malicious hackers can be seen to play a potentially useful role in ensuring more competitive software marketplaces. We contribute by demonstrating potential software industry outcomes under different sets of possible market conditions.
Software Market Model
In this section, we first develop a model of competition within a software market where competing software platforms are targeted by malicious hackers. In the following section, we then analyze this model for equilibrium outcomes, followed by a discussion of the results.
Software Market
For any software category, we assume that two broad software platforms (e.g., Android vs. iOS; Apache vs. IIS) reflect the software market structure sufficiently accurately. We will refer to these software platforms by the terms Software X and Software Y, or just X and Y for
194 R. SEN ET AL.
simplicity. Also, we will use the term software, software product, and software platform interchangeably. We assume X and Y compete for the same users (both individuals and organizations). Competition ensures that X and Y vendors behave in such a manner as to prevent the competitor from monopolizing the market. Finally, both X and Y are assumed to contain the essential functional software features sought by potential users, and both software platforms are assumed to meet the usability criteria of all users. This latter assumption is required to ensure that any change in software industry market share that we observe over the long run can be attributed primarily to hacker activities targeted at X and Y. These assumptions are realistic when seen within the context of several software platform markets (e.g., mobile operating systems, mobile communications networks, gaming platforms).
Market Share
The model assumes X’s and Y’smarket share growth is a function of new users who decide to adopt the software, switch from the competing software, and switch to the competing soft- ware. This growth rate is restrained by the number of malicious hackers who target each of the software platforms. The generic conceptual model for this growth rate is as follows:
Rate of Change of Market Share
0 BB@
1 CCA ¼
Rate of New Users Adopting the Software
0 BBBBBB@
1 CCCCCCA
�
Rate of Existing Users Switching to Competition
0 BBBB@
1 CCCCAþ
Rate of Users Switching from Competition
0 BBBB@
1 CCCCA
� Restraining Effect of Hackers
0 @
1 A (1)
We now develop this equation by making some assumptions, and then under these assump- tions, we mathematically describe the various components of the conceptual model.
Rate of New Users Adopting the Software
The net growth rate of any software is modeled as a function of its intrinsic growth rate (i.e., the growth rate in the absence of any competition), and any restraining effects of the market share of the competing software and the total market size for this type of software. The conceptual model for the rate of new users adopting each software platform is as follows:
Rate of New Users Adopting the Software
0 BBBBBB@
1 CCCCCCA
¼ Intrinsic Growth Rate of the Software
� � �
Restraining Effect of the Total Installation Base
0 @
1 A
� Restraining Effect of the Market Share of Competing Software
0 @
1 A (2)
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS 195
Intrinsic Growth in Market Share
Intrinsic growth is the growth rate of a software platform in the absence of any competi- tion or malicious hackers. We assume this intrinsic growth to follow an exponential function. We further assume that the population of potential software users for a platform is sufficiently large. As a result, the random fluctuations between individual users are small when compared against the whole population size. Therefore, it is safe to assume each potential user has an equal chance of adopting, say for example, Software X. We denote the probability that a new user adopts Software X as “a” and a new user adopts Software Y as “b.” At any time t, the market share or user installation base (as a percentage of the total market size) of Software X is X(t) and of Software Y is Y(t). To account for positive network effects, we assume that the number of new users of any software platform is proportional to its user installation base at any time “t.” Therefore, the intrinsic growth rates of X and Y are defined as follows:
Intrinsic Growth Rate of the Software Xð Þ ¼ aXðtÞ Intrinsic Growth Rate of the Software Yð Þ ¼ bYðtÞ
� (2a)
Restraining Effect of the Maximum Market Potential
The growth rates of X and Y are adversely affected by a crowding effect. This crowding effect is the effect of the total potential user installation base of Software X and Software Y. The crowding effect results in a slower pace of adoption as the combined market share of the two competing software platforms moves closer to the maximum market potential. In fact, when the combined market share of the competing software platforms reaches the maximum market potential, the growth of both of the software platforms should be reduced to zero. This crowding effect is captured in the model as follows:
Restraining Effect of XðtÞ þ YðtÞ on growth of Xð Þ ¼ aXðtÞðXðtÞ þ YðtÞÞ Restraining Effect of XðtÞ þ YðtÞ on growth of Yð Þ ¼ bYðtÞðXðtÞ þ YðtÞÞ
� (2b)
Restraining Effect of the Competing Software’s Market Share
The growth rates of the software platforms are adversely affected by the presence of competition. Since the two software platforms are competing for the same pool of potential software users, the market share of the competing software has a restraining effect, proportional to its own market share, on the growth rate of the competing software. If we denote the constant of proportionality (i.e. competition coefficient) as “c” for Software Y and “d” for Software X, then the restraining effect of Software Y on Software X is given by ½cYðtÞ�XðtÞ and the restraining effect of X on Y is given by½dXðtÞ�YðtÞ.
Restraining Effect of YðtÞ on the growth of Xð Þ ¼ cXðtÞYðtÞ Restraining Effect of XðtÞ on the growth of Yð Þ ¼ dYðtÞXðtÞ
� (2c)
Substituting Equations 2a, 2b, and 2c into Equation 2 gives us the rate of growth of X and Y:
196 R. SEN ET AL.
dXðtÞ dt ¼ ½a� aðXðtÞ þ YðtÞÞ � cYðtÞ�XðtÞ
dYðtÞ dt ¼ ½b� bðXðtÞ þ YðtÞÞ � dXðtÞ�YðtÞ
) (2d)
Users Switching to or from Competition’s Software
Software users are known to benefit from network effects [8, 12, 15, 26]. Therefore, any switching behavior is assumed to be a consequence of positive network effects. We assume that the likelihood of a user switching to the competing software increases with the market share of the competing software. For example, as the market share of Software X increases, the probability of a user of Y switching to X increases. If the constant of proportionality of a current user switching (or switching coefficient) is assumed to be sI > 0;where : I ¼ ðX;YÞ, then the market-share dependent probability of a user switching from X to Y is sXYðtÞ and that of a user switching from Y to X is sYXðtÞ. Therefore, the expected number of users switching from X to Y is sXYðtÞXðtÞ and from Y to X is sYXðtÞYðtÞ, as captured in Equation 3.
Rate of Switching From Software X to Software Yð Þ ¼ sXYðtÞXðtÞ Rate of Switching From Software Y to Software Xð Þ ¼ sYXðtÞYðtÞ
� (3)
Combining Equations (2d) and (3) gives us the expression for the rate of change in the market share of the two competing software platforms.
dXðtÞ dt ¼ að1� XðtÞ � YðtÞÞ � cYðtÞ þ sYðtÞ½ �XðtÞ
dYðtÞ dt ¼ bð1� XðtÞ � YðtÞÞ � dXðtÞ � sXðtÞ½ �YðtÞ
) (4)
Here, s ¼ sY � sX , where � 1< s< 1.
Restraining Effect of Hackers
Malicious hackers could be individuals (e.g., Grey Hats, hactivists), organized groups (e.g., Lulz security, LulzRaft, the Hacker Encrypters, Team Appunity, Swagg Security, or other groups), loosely federated groups of like-minded individuals (e.g., Anonymous), or organized criminals. We model the impact of any of these forms of malicious hackers on the growth rate of competing software as follows. Z(t) represents the number of malicious hackers at any time “t.” We assume “e” to be the probability that the malicious hackers will successfully target Software X and “f” to be the prob- ability that malicious hackers will successfully target Software Y. We will also call these probabilities the Restraining Coefficients due to their restraining effects on the growth of X and Y users, respectively. The value of these coefficients can be affected by factors such as the type of vulnerability being targeted, the complexity of the exploit needed to target the vulnerability, the skills set of the hacker, and the resources available to the hackers. We do not explicitly include these factors in the model, because we are interested in only modeling the expected number of malicious hackers actively targeting X and Y. The expected number of hackers targeting X at time t is then eZ(t), while the expected number of hackers targeting Y is fZ(t).
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS 197
We assume that each successful malicious hack results in encouraging more individuals to become malicious hackers. For the sake of simplicity, we assume this conversion rate to be 1. Prior research has established that hacking attempts against a software product or platform appear proportional to the software’s installed user base [21]. Therefore, we assume that the success of each hack is proportional to the number of X and Y users (i.e., the growth in the total number of hackers at any time “t” is proportional to X(t) and Y(t), respectively). Thus, the overall hacker growth rate at time t is the sum of eZ(t)X(t) and fZ(t)Y(t). Furthermore, we assume malicious hackers will leave hacking with a probability of w. Therefore, the number of malicious hackers leaving hacking is wZ(t). The overall growth rate of these hackers is then given as follows:
dZðtÞ dt
¼ ½eXðtÞ þ fYðtÞ � w�ZðtÞ (5)
The restraining effect of malicious hackers on the overall market share growth rates of Software X and Software Y is proportional to the number of hackers targeting X and Y and the installation base of X and Y. For example, if more malicious hackers are targeting X, and X has a higher installation user base, then a relatively higher number of X users will be affected by these hacking attacks. Therefore, the market share growth of X will be restrained. The restraining effect of malicious hackers on X is eX(t)Z(t) and on Y is fY(t)Z(t). Substituting these values into Equation 4b gives the net rate of growth for X and Y in the presence of these hackers.
dXðtÞ dt ¼ a 1� XðtÞ þ YðtÞð Þ½ � � cYðtÞ þ sYðtÞ � eZðtÞ½ �XðtÞ
dYðtÞ dt ¼ b 1� XðtÞ þ YðtÞð Þ½ � � dXðtÞ � sXðtÞ � fZðtÞ½ �YðtÞ
) (6)
The parameters used in Equations 5 and 6 are summarized in Table 1. The set of equations (Equations 5 and 6) modeling the growth of Software X and
Software Y in the presence of malicious hackers is given as follows:
Table 1. Variables used in Equations 5 and 6. Parameter Meaning Values
a Intrinsic growth rate of X or the probability of adoption of Software X (i.e. total number of new users divided by total number of users in a unit time period) in the absence of competition and hackers.
0< a< 1
b Intrinsic growth rate of Y or the probability of adoption for Software Y (i.e. total number of new users divided by total number of users in a unit time period) in the absence of competition and hackers.
0< b< 1
s Switching Coefficient. s < 0 implies Y is gaining net users due to switching; s>0 means that X is gaining net users due to switching; and s=0 implies that neither X nor Y gain any additional users due to switching.
� 1< s< 1
c Competition Coefficient for the restraining effect of Y on the growth of X 0< c< 1 d Competition Coefficient for the restraining effect of X on the growth of Y 0< d< 1 e Restraining Coefficient for the restraining effect of hackers on the growth of X 0< e< 1 f Restraining Coefficient for the restraining effect of hackers on the growth of Y 0< f < 1 w Probability of hackers going mainstream, i.e. becoming legitimate, consulting, becoming white
hats, etc. 0<w< 1
Notes: High Restraining Coefficient (i.e., e and f) implies poorly secured software. Hackers attack one or the other software, i.e., e + f = 1. In any time period X(t) + Y(t) ≤ 1. Therefore, in equilibrium X + Y = 1.
198 R. SEN ET AL.
dX dt ¼ a� a X þ Yð Þ þ sY � cY � eZ½ �X dY dt ¼ b� b X þ Yð Þ � sX � dX � fZ½ �Y dZ dt ¼ ½eX þ fY � w�Z
9= ;: (7)
Notes: In Equation 7, we replace X(t), Y(t), and Z(t) with X, Y, and Z for simplicity and readability.
The complex system of equations presented in Equation 7 is intractable, that is, the equations do not yield general solutions. Thus, we next analyze this equation system by identifying the system’s equilibrium points and then performing a stability analysis of these equilibrium points.
Model Analysis — Equilibrium Outcomes
To analyze the stability of the system, following Barnes and Fulford [5] of equations (Equation 7) near the equilibrium points, a linear model about the equilibrium point is used. The linearized model about an equilibrium point xe; ye; zeð Þ is given as follows:
dX dt dY dt dZ dt
8< :
9= ; ¼
a 1� 2xeð Þ � aþ c� sð Þye � eze � aþ c� sð Þxe �exe � aþ dþ sð Þye b 1� 2yeð Þ � bþ dþ sð Þxe � fze �fye
eze fze exe þ fye � w
2 4
3 5 X � xeY � ye
Z � ze
8< :
9= ;
(8)
We next analyze this linearized model (Equation 8) for three key scenarios: (a) when both software platforms are fully secure, that is, they are impervious and thus not targeted by hackers; (b) when only one software is secure, and thus only one software can be targeted by hackers; and (c) when neither of the software platforms are completely secure, and thus both are targeted by hackers.
Scenario 1 (Benchmark): Both Fully Secured; Hackers Attack Neither Platform
The assumption that malicious hackers target neither software platform enables one to eliminate all terms pertaining to the restraining effect of hacker activity. The system of equations (see Equation 7) is thus reduced as follows:
dX dt ¼ a� aðX þ YÞ þ sY � cY½ �X; dY dt ¼ b� bðX þ YÞ � sX � dX½ �Y
� (9)
Solving the set of equations in Equation 9, we identify four equilibrium solutions in this scenario:
Equilibrium 1 is ðxe; yeÞ ¼ ð0; 0Þ; Equilibrium 2 is ðxe; yeÞ ¼ ð1; 0Þ (i.e. monopoly of Software X); Equilibrium 3 is ðxe; yeÞ ¼ ð0; 1Þ (i.e. monopoly of Software Y); Equilibrium 4 is ðxe; yeÞ ¼ b c�sð Þa dþsð Þþ bþðdþsÞ½ � c�sð Þ ; a dþsð Þaþðc�sÞ½ � dþsð Þþb c�sð Þ
� � (i.e. competitive
market). The reduced linear model for this system (from Equation 8) is then given as:
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS 199
dX dt dY dt
� � ¼ a 1� 2xeð Þ � aþ c� sð Þye � aþ c� sð Þxe� bþ d þ sð Þye b 1� 2yeð Þ � bþ d þ sð Þxe
� X � xe Y � ye
� �
The stability of the equilibrium values is analyzed in Appendix A. The results are summar- ized in Table 2. As one can see from the stability analysis, the long-term stable equilibriums result in a monopoly market (Equilibrium 2 or 3). From Table 2, we also notice that if the amount of user switching to one software platform overcomes the restraining effect of the competitor (s> c or s< � d), then the competitor cannot have a monopoly. Otherwise (� d< s< c), the initial market share will dictate the monopoly outcome. Given a market share of each software platform at the initial condition (say, Y 0ð Þ), there is a particular tipping market share point for software X 0ð Þ either to win and monopolize the market, or to get obliterated. The only equilibrium in which both of the software platforms can co-exist in the market is Equilibrium 4. However, this equilibrium is unstable and therefore unsustainable mainly due to the destabilizing restraining factors from the competitor software.
This result should not be surprising. Existing literature on software competition has investi- gated these issues at length. For example, in markets with a network effect and incompatible software platforms (as is the case in this study), there is a natural tendency towards de facto standardization, which means that everyone tends to use the same software platform [26]. This resulting monopoly can be explained by “tipping,” which is the tendency of one system to gain substantial market share relative to its competition once it has gained an initial edge.
For example, simulation of this equation system (Figure 1) with parameters (a = 0.36, b = 0.36, c = 0.64, d = 0.19, s = 0.45) and initial market share Y(0) = 0.86 results in a tipping value of 0.25 for X(0). In static competition models, this tipping phenomenon is reflected in equilibria in which a single system dominates [26]. In dynamic competition
Table 2. Equilibrium values when both Software X and Software Y are secure. Condition Equilibrium 1 Equilibrium 2 Equilibrium 3 Equilibrium 4
s< � d Unstable Unstable Stable Unstable � d< s< c Unstable Stable Stable Unstable c< s Unstable Stable Unstable Unstable
Figure 1. Initial market edge effect when switching not enough to overcome competition.
200 R. SEN ET AL.
models, tipping is reflected in equilibria where adoption of the losing system simply stops once a rival system is introduced or accepted in the marketplace [15, 26]. Consumer heterogeneity and product differentiation tend to limit this tipping phenomenon and to sustain multiple networks. If the rival systems have distinct features sought by certain consumers, two or more systems may be able to survive by catering to consumers who care more about product attributes rather than about network size. In this situation, market equilibrium with multiple incompatible products reflects the social value of variety. However, in our case, we assume the competing software platforms offer similar functionality, features, and usability to the users. As a result, in the absence of malicious hackers, monopoly is the most likely long-term equilibrium outcome in the market.
Scenario 2: One Software Is Targeted by Hackers
The assumption that malicious hackers will only target one software platform eliminates from (Equation 7) the hacking activity terms for one of the software platforms. Without loss of generality, we assume X is targeted by the hackers. Hence, we assume that e ¼ 1; f ¼ 0, which gives the following reduced set of equations (see Equation 7):
dX dt ¼ a� aðX þ YÞ þ sY � cY � Z½ �X dY dt ¼ b� bðX þ YÞ � sX � dX½ �Y dZ dt ¼ ½X � w�Z:
9= ; (10)
The linear model for this system (from Equation 8) is now given as:
dX dt dY dt dZ dt
8< :
9= ; ¼
a 1� 2xeð Þ � aþ c� sð Þye � ze � aþ c� sð Þxe �xe � aþ dþ sð Þye b 1� 2yeð Þ � bþ dþ sð Þxe 0
ze 0 xe � w
2 4
3 5 X � xeY � ye
Z � ze
8< :
9= ;
Scenario 2 has six equilibrium points, where four of the equilibrium points are shared with Scenario 1 (with hacker state at zero). However, the malicious hackers’ activities influence the stability of some of the common equilibrium points. The equilibrium values for the Scenario 2 system of equations (Equation 10) now are as follows.
Equilibrium 1 is ðxe; ye; zeÞ ¼ ð0; 0; 0Þ; Equilibrium 2 is ðxe; ye; zeÞ ¼ ð1; 0; 0Þ; (i.e. monopoly of Software X) Equilibrium 3 is ðxe; ye; zeÞ ¼ ð0; 1; 0Þ; (i.e. monopoly of Software Y) Equilibrium 4 is ðxe; ye; zeÞ ¼ b c�sð Þa dþsð Þþ bþðdþsÞ½ � c�sð Þ ; a dþsð Þaþðc�sÞ½ � dþsð Þþb c�sð Þ ; 0
� � ; (i.e. a competitive
market consisting of both X & Y) Equilibrium 5 is ðxe; ye; zeÞ ¼ w; 0; að1� wÞð Þ; (i.e., monopoly of Software X, with hackers
targeting X) Equilibrium 6 is ðxe; ye; zeÞ ¼ w; wb δ � sð Þ; � 1� wð Þðc� sÞ þ wðaþc�sÞðdþsÞb
� � (i.e., a
competitive market consisting of both X & Y, with hackers targeting X) We examine the stability of the above equilibrium values in Appendix B. Based on this
stability analysis, we observe that the stability of the first five equilibrium points is determined by the value of the switching constants “s” relative to two factors: the restraining factor c of software Y on the growth of X; and the modified growth δ of software Y in the presence of malicious hackers, where δ is defined as δ ¼ b 1w � 1
�� d� .
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS 201
Note that δ is inversely correlated to the restraining effect of X on the growth of Y (i.e. d) and the rate at which malicious hackers leave the market (i.e. w). Since the two factors (i.e. c and δ) are independent, the analysis of various equilibriums can be divided into two major groups: (1) s > δ; and (2) s< δ. The results for both groups are summarized in Table 3 and Table 4. We first analyze the two cases in Table 3, followed by the analysis of Case 3 and Case 4 provided in Table 4.
Case 1 (Table 3)
Unlike with Scenario 1, which was defined by a complete monopoly of X (X has all the market to itself), in this scenario, Equilibrium 2 has become unsustainable for all condi- tions. This outcome is the direct result of the hackers’ activity and the vulnerability of the platform X. Instead, we have Equilibrium 5 (i.e., monopoly of the unsecure software X) but with market share less than the maximum potential market size that is sustainable (see Case 1 in Table 3). This equilibrium is the only stable equilibrium when the switching rate (from Y to X) is greater than the modified growth rate of software Y (s > δ) and the restraining effect of Y on the growth of X is less than the switching rate from Y to X (c< s). What this means is that (a) users are leaving Y and moving to X at a higher rate than new users are joining Y, and (b) Y’s restraining effect on the growth of X is not strong enough to overcome the number of users of Y switching to X. In short, software X has a higher intrinsic growth rate and is attracting more users from software Y than the other way around. As a result, software X tends to end up in a monopoly market state (in the long run) despite being an unsecure software platform. Note that, in this case, it does not matter whether software X is an early or late entrant.
This outcome was exemplified by the dominance of the Windows OS against its rival Apple in the desktop operating systems market in the 1990s. MS Windows was perceived to be the less secure of the two operating systems. As per our results, the other determi- nant of this outcome is the relationship between Apple’s restraining effect on the growth of the Windows OS and the rate at which users switched from Apple to the Windows OS. The equilibrium in which the Windows OS dominates the market is feasible and stable irrespective of the aforementioned relationship. If we assume that Apple’s restraining
Table 3. Analysis of equilibrium values when only Software X is targeted by hackers. Equilibrium
When s> δ 1 2 3 4 5 6
Case 1 c< s Unstable Unstable Unstable Unstable Stable Infeasible Case 2 c > s Unstable Unstable Stable Unstable Stable Infeasible
Note: δ ¼ b 1w � 1 �� d�
Table 4. Analysis of equilibrium values when only Software X is Targeted by hacker. Equilibrium
When s< δ 1 2 3 4 5 6
Case 3 c< s Unstable Unstable Unstable Unstable Unstable Stable/Unstable Case 4 c > s Unstable Unstable Stable Unstable Unstable Stable/Unstable
Notes: δ ¼ b 1w � 1 �� d� .
202 R. SEN ET AL.
effect on the growth of the Windows OS was less than the rate at which users switched from Apple to the Windows OS, then Equilibrium 5 in Case 1 (Table 3) represents the outcome. On the other hand, if we assume that Apple’s restraining effect on the growth of the Windows OS was more than the rate at which users switched from Apple to the Windows OS, then Equilibrium 5 in Case 2 (Table 3) again represents the outcome. This leads us to the discussion of Case 2.
Case 2 (Table 3)
In this case, software Y (the secure software platform) can have a monopoly (i.e., Equilibrium 3). Just like in Scenario 1, the stability of this equilibrium, in which there is a monopoly of Y (Equilibrium 3), depends upon the restraining effect of software Y on the growth of software X being more dominant than any switching effect from Y to X (c > s). Simply put, Y is able to curtail the growth of X despite some users switching from Y to X. Note that in this case, there is another feasible and stable equilibrium, that is, Equilibrium 5 (Table 3). As per our analysis, both Equilibrium 3 and Equilibrium 5 are stable and exhibit the “tipping” phenomenon based on the relative initial market share. Figure 2 shows simulation results for various initial market conditions, with a set of system parameters given as: (a = 0.33, b = 0.9, c = 0.4, d = 0.23, s = 0.317, e = 1, f = 0, w = 0.828, δ= −0.04).
Figure 2a shows Example 1, where unsecure Software X dominates the market with more users switching from Software Y to Software X in spite of X being a late entrant. However, the dynamics of hackers’ activities ultimately resulted in X losing some market share and finally stabilizing at Equilibrium 5. The results in Figure 2a show that a slow buildup of hackers’ activities allowed software X to reach and capture the whole market for some duration (Equilibrium 2) before stabilizing at Equilibrium 5. In Figure 2b, the high initial market share of software X encourages early hacker activities to build up, resulting in reaching the equilibrium quicker. In both simulations, Software Y does not survive, whereas Software X dominates the market.
What is interesting to note about these results is that the non-secure software (i.e., X) is the one that is more likely to dominate the market in the long run, whereas the secure software is driven out of the market in the long run. This long-run result holds even when
(a) Example 1: Slow convergence to Equilibrium 5
(b) Example 2: Quick convergence to Equilibrium 5
(c) Example 3: Convergence to Equilibrium 3
0 50 100 150 200 -0.2
0
0.2
0.4
0.6
0.8
1
1.2
Time
X Y Z
0 50 100 150 200 -0.2
0
0.2
0.4
0.6
0.8
1
1.2
Time
X Y Z
Figure 2. Stable equilibrium 3 and 5 for s> δ; c > s (Case 2 in Table 3).
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS 203
the secure software (i.e., Y) initially has more market share than the unsecure software (i.e., X) at t = 0 (see Figure 2-Example 1). This outcome is due to the result of a positive value of the switching parameter (i.e., s). What could justify the high switching rate from Y to X despite X being less secure? Anderson [4] suggests one reason could be the lack of knowledge on the part of the software users about quality security aspects (e.g. security) of X and Y. Furthermore, under such conditions of information asymmetry, developers of software X have a minimal incentive to spend resources on making more secure software. Despite this, software X can become the dominant software platform by focusing on marketing and promotional activities that encourage the users of Y to switch to X. The result suggests that given a choice between investing in developing more secure software, or investing in marketing campaigns to encourage users of the competing software to switch, the software vendor would be better off by doing the latter. However, early entry of software Y and a relatively large initial market share will allow software Y to overcome the switching factor and monopolize the market (Equilibrium 3 as shown in Figure 2c.).
Case 3 (Table 4)
In this case, while the rate at which users switch from Y to X is less than the modified growth rate of Y (i.e., s< δ), the restraining effect of Y on the growth of X is also relatively weak (i.e., c< s). In contrast, for Equilibrium 6, where two competing software platforms co-existing in an equilibrium is feasible, the equilibrium’s stability is governed by various parameter values. If stable, Equilibrium 6 is the only equilibrium in this scenario where the hacker’s activity results in the software market being shared by both competing software platforms in a steady state. If unstable, then the hacker activity results in an alternative dynamic state where the two software platforms coexist together, however their market share is always in flux. Figure 3 shows two examples of market share and market dynamics phase plots for both situations, using the following market parameters:
Example 1: a = 0.32, b = 0.5, c = 0.4, d = 0.06, s = 0.437, e = 1, f = 0, w = 0.4
Example 2: a = 0.32, b = 0.57, c = 0.4, d = 0.06, s = 0.437, e = 1, f = 0, w = 0.33
Example 1 in Figure 3 shows a case where market dynamics converge and ultimately stabilize at the Equilibrium 6, irrespective of the entry point or initial market share of the two software platforms.
The rate of hackers going to main stream w has a direct impact on the final market share of software X. The more the hackers stay, the less will be the share of market for software X. This outcome makes sense since the hackers are only targeting X. On the other hand, the market share of the secure software Y depends on its intrinsic growth (i.e., b). In Example 2 in Figure 3, where no feasible equilibrium exists, the market enters into a stable limit cycle irrespective of market entry point for the two software platforms. To break out of this cycle, X and Y will have to take steps such as investing in marketing and promotion to influence their intrinsic growth rates, discourage users from switching to the competi- tion, and encourage hackers to become mainstream stakeholders in the software market (e.g., security consultants, vulnerability researchers).
204 R. SEN ET AL.
Case 4 (Table 4)
In Case 3, the unsecure software’s (i.e., X) existence was supported through its ability to steal users through switching from the other software (i.e., Y). If the switching support to software X is further reduced, for example through aggressive marketing by software Y, (i.e., δ > s; c > s), the existence of X becomes tenuous. However, hacking activity makes it possible that the two software platforms still can coexist. In this case, there are two possible situations: (a) only Equilibrium 3 (i.e., monopoly of Y) is stable; and (b) both Equilibriums 3 and 6 are stable. As in Case 3, the unsecure software can survive in both situations, but unlike in Case 3 its survival is not guaranteed as it depends upon a favorable entry point and limited hacking activity. Figure 4 and Figure 5 show different examples of market outcome for the two situations defined by the following model parameters:
Situation A: a = 0.33, b = 0.54, c = 0.4, d = 0.34, s = 0.357, e = 1, f = 0, w = 0.29586) Situation B: a = 0.33, b = 0.54, c = 0.4, d = 0.34, s = 0.357, e = 1, f = 0, w = 0.37586 Figure 4 demonstrates three examples for Situation A. Example 1 shows unsecure
software X surviving and competing with Y. However, higher hacker activity (Example 2 in Figure 4) or little unfavorable initial market share (Example 3 in Figure 4) results in
Figure 3. Solution converging to stable Equilibrium 6 (market share on the vertical axis).
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS 205
X being forced out of the market, and Y (the secure software) remains as a monopoly. That is, only Equilibrium 3 is feasible and stable in Situation A.
Figure 5 demonstrates Situation B with two examples. The initial market shares of X and Y, and the level of hacker activity, dictate where the market dynamics converge and which software platform dominates the market. In Example 1, both X and Y coexist in the market (i.e., Equilibrium 6), while in Example 2, Y ends up monopolizing the market in the long run (i.e., Equilibrium 3).
Scenario 3: Both X and Y Are Attacked by Hackers
Next, we consider what happens if both software X and software Y are attacked by hackers. The set of equations representing this scenario is shown in Equation 11:
dX dt ¼ a� aX � aY � sY � cY � eZ½ �X dY dt ¼ b� bX � bY þ sX � dX � fZ½ �Y dZ dt ¼ ½eX þ fY � w�Z
(11)
The linear model for this system (from Equation 8) is given as:
Figure 4. Case 4 (situation A) – one stable equilibrium. Outcome is shaped by initial entry point and hackers activity.
206 R. SEN ET AL.
dX dt dY dt dZ dt
8< :
9= ; ¼
a 1� 2xeð Þ � aþ c� sð Þye � eze � aþ c� sð Þxe �exe � aþ dþ sð Þye b 1� 2yeð Þ � bþ dþ sð Þxe fye
ez0 fz0 exe þ fye � w
2 4
3 5 X � xeY � ye
Z � ze
8< :
9= ;
The equilibrium values for the system of equations (11) are as follows: Equilibrium 1: ðxe; ye; zeÞ ¼ ð0; 0; 0Þ; Equilibrium 2: ðxe; ye; zeÞ ¼ ð1; 0; 0Þ; (i.e., monopoly of Software X) Equilibrium 3: ðxe; ye; zeÞ ¼ ð0; 1; 0Þ; (i.e., monopoly of Software Y) Equilibrium 4: ðxe; ye; zeÞ ¼ �b c�sð Þab�ðaþc�sÞðbþdþsÞ ; �a dþsð Þab�ðaþc�sÞðbþdþsÞ ; 0
� � ; (i.e., a competitive
market consisting of both X & Y) Equilibrium 5: ðxe; ye; zeÞ ¼ we ; 0; aðe�wÞe2
� � ; (i.e., monopoly of Software X, and the hack-
ers target both X & Y)
Equilibrium 6: ðxe; ye; zeÞ ¼ af 2þbe½w�f �þfw½s�c� eðbe�cf Þþf ðaf�deÞ ;
be2þaf ½w�f ��ew½sþd� eðbe�cf Þþf ðaf�deÞ ;
ws2þbeða�cÞþaf ðb�dÞþdwðc�sÞþsðbe�af Þþwðcs�abÞ eðbe�cf Þþf ðaf�deÞ
0 @
1 A
(i.e. a competitive market consisting of both X & Y, and the hackers target both X & Y)
Equilibrium 7: ðxe; ye; zeÞ ¼ 0; wf ; bðf�wÞf 2 � �
(i.e., monopoly of Software Y, and the hackers target both X & Y)
This setup represents the most general market scenario. Just as where the vulnerability of Software X results in making Equilibrium 2 always unstable, the simultaneous
Figure 5. Case 4 (situation B) – Two stable equilibrium. Outcome is shaped by initial entry point and hackers activity.
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS 207
vulnerability of Software Y makes Equilibrium 3 always unstable in this scenario. As the model suggests, the basic nature of the various equilibrium points remains similar to those equilibria obtained in Scenario 1 and Scenario 2. This observation is not surprising since these scenarios are special cases of Scenario 3. For example, in Scenario 2 we saw that the unsecure software X introduced an equilibrium point (i.e., Equilibrium 5 in Scenario 2) corresponding to a case of market monopoly without fully capturing the full market share. In this most general scenario, a similar equilibrium point is expected for Y and is defined by Equilibrium 7. However, the simultaneous presence of the restraining effect of hackers for both software platforms slightly modifies Equilibrium 5 (and its counterpart Equilibrium 7) from Scenario 2. The restraining parameters (“e” and “f “) also modify Equilibrium 6, which remains the most interesting equilibrium, as it can be a feasible and stable equilibrium with both of the software platforms co-existing. Thus, in this scenario, we expect similar situations.
In this most general case represented by Scenario 3, the first four equilibrium points are unstable. All of the parameters that define the software market affect the dynamics of the market near the last three equilibrium points (Equilibriums 5 to 7), making the corre- sponding eigenvalues complex functions of these parameters. Thus, the stability of these equilibrium points varies based on the values of the system parameters. Furthermore, not all equilibriums are always feasible, as the equilibrium point may move outside of the scope of variables. As a result, it is difficult to define the scope of parameters for the feasibility and stability of these equilibriums using an analytical approach. Therefore, we use a numerical approach [5] to test the stability, by using three examples corresponding to different values of the parameters (see Appendix C). The results are summarized in Table 5.
Equilibrium 6 Feasible and Stable at Parameter Values: Example 1: a = 0.33, b = 0.44828, c = 0.4, d = 0.23, s = -0.37931, e = 0.11, f = 0.89, w = 0.1669 (See Appendix C, Figure C1).
Table 4 shows that when hackers target both X and Y, a competitive software market (i.e., Equilibrium 6 in which both X and Y have positive market share) is both feasible and stable, under certain conditions. For this competitive market to evolve as the equilibrium, the software market should be characterized as follows. The probability of a user choosing X (Y) is less than that of choosing Y (X), more X (Y) users are switching to Y (X) than vice versa, and the likelihood of a hacker targeting Y (X) is significantly greater than that of targeting X (Y). While we don’t have empirical data to test these conditions, we do have anecdotal evidence for such a market. These conditions are present in the mobile
Table 5. Analysis of equilibrium values when both X & Y are targeted by hackers. Example 1 Example 2 Example 3
Feasible Stable Feasible Stable Feasible Stable
Equilibrium 1 Yes No Yes No Yes No Equilibrium 2 Yes No Yes No Yes No Equilibrium 3 Yes No Yes No Yes No Equilibrium 4 No Yes Yes No No No Equilibrium 5 Yes No Yes Yes Yes Yes Equilibrium 6* No No Yes Yes Yes No Equilibrium 7 Yes Yes Yes No No No
Notes: Equilibrium in which the market is shared between competing software. The bold text represents scenarios where the equilibrium is both Feasible & Stable.
208 R. SEN ET AL.
operating systems market. According to a 2017 Gartner report, Android and iOS, together, account for more than 99 percent of the market share.5 So this market closely resembles the one modeled in this study. Furthermore, we will represent iOS with X and Android with Y. Android is available on more mobile devices than iOS and Android based products come in a wider price range than iOS based products. Therefore, it is reasonable to assume that the probability of a user choosing X (iOS) is less than that of choosing Y (Android). A search for vulnerabilities in iOS and Android in the National Vulnerability database (NVD)6 shows that between January 2006 and April 2018, 2587 vulnerabilities were discovered in iOS, and 4676 vulnerabilities were discovered in Android. According to Kaspersky Lab, vulnerabilities are frequently exploited in successful cyberattacks (Kaspersky Lab 2017).7 Also, since the Android platform is more open compared to iOS, it is slightly more vulnerable to hacks and cyber threats. Therefore, it is safe to assume that hackers are more likely to target Android (Y) than iOS (X). If we use loyalty of the software’s users as a surrogate measure for their likelihood to switch to the competing platform, then some trade publications suggest that Android (Y) users are more loyal than iOS (X) users.8,9 Therefore, it is safe to assume that more iOS (Y) users are switching to Android (X) than vice versa. As a result, both Android and iOS still exist in the mobile marketplace. Figure 6 shows the US market shares of Android and iOS.
Interestingly, if we modify the parameter capturing hacker attacks on iOS and Android and assume that instead of Android being more at risk than iOS, both face the same or approximately the same risk from hackers, then Android is more likely to emerge as the dominant player in the mobile operating systems market. This trend is already evident in the global market for mobile operating systems, as demonstrated by the outcome in Figure 7.
Conclusion
Attacks by malicious hackers on technological systems are an ongoing managerial chal- lenge. As such, these malicious hackers have become an integral part of the software ecosystem that also consists of software developers and users. Prior research largely focuses on low-level drivers of technology bugs, related malicious hacker exploits, and protection against or remediation of their impacts. However, no research investigates the higher-level strategic impact of the presence of malicious hackers and their activities on the long-term structure of markets for software products, systems, and platforms. This study fills this gap, by studying whether the presence of malicious hackers within software markets is necessarily a bad thing.
We model a software market to examine the impact of malicious hacker attacks as a restraining effect on the targeted software’s rate of change in market share. We incorporate factors related to network effects and consumer switching between competing software platforms. We investigate the competition in this software market both in the absence of, and in the presence of, malicious hacker activities. Using numerical analysis and simulation, we find that in many situations, the malicious hacker activities make it possible for multiple competing platforms to co-exist together.
We find that in the absence of malicious hacker activities, a software market is more likely to become a monopoly in the long term. When malicious hackers are present and they predominantly target only one of the competing platforms, the market is again more
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS 209
likely to end up a monopoly in theory. In practice, we have the example of MS Windows dominating the market for desktop operating systems in the 1990s, even when it was the platform most frequently targeted by malicious hackers. In this scenario, a market con- sisting of both competing software platforms is feasible and stable. However, the stability of this market structure depends on the number of users switching from one software to another software, and the number of active malicious hackers targeting one of the competing software platforms. When the malicious hackers target both of the competing
Figure 6. Subscriber share held by smartphone OS in the United States 2012-2018 (https://www.statista.com).10
Figure 7. Subscriber share held by smartphone OS in the United States 2012-2018 (generated from Statista at https://www.statista.com).
210 R. SEN ET AL.
software platforms, their activity introduces a new co-existing equilibrium (i.e., Equilibrium 6) and modified monopoly equilibriums (i.e., Equilibriums 5 and 7) that result in various complex market dynamics. We observe that, due to the hackers’ presence, the two competing software platforms can coexist: (a) in a stable state at Equilibrium 6 irrespective of entry point and initial conditions (e.g., the market for mobile operating systems); (b) in stable cyclic or market flux conditions irrespective of entry point and initial conditions; (c) in an entry point and initial conditions dependent stable state at Equilibrium 6 — where unfavorable initial conditions can tip the market towards mono- poly equilibriums (Equilibrium 5 and 7); and (d) in an entry point and initial conditions dependent cyclic or flux state – where the unfavorable initial conditions can tip the market toward monopoly equilibriums (Equilibriums 5 and 7).
Contributions and Policy Implications
The theoretical, managerial, and policy implications of our results are as follows. First, the results add to our understanding of competition in software markets. The findings illustrate the important, even though unintended, consequence of the presence of mal- icious hackers in the software ecosystem. That is, malicious hackers can foster competition among software vendors. Second, given these theoretical implications, managers can take into account the presence of malicious hackers in their markets, while making policies regarding software development and technology management investment decisions. For example, in a case where malicious hackers target only one of two competing software platforms, the software targeted can still end up monopolizing the market as long as its vendor invests sufficiently in campaigns that encourage more users to switch to using the non-secure software. Third, from a regulatory policy perspective, the results should encourage a balanced debate regarding the pros and cons of malicious hacker activities.
The common public policy opinion is that malicious hackers are only bad for the software industry ecosystem and software markets. Yet, there are some hacker advocates, particularly in the open source community, who believe hackers often do more good than harm, by drawing our attention to security flaws in popular software. This study illustrates another (albeit unintended) benefit of hacker activities. The study findings show that by encouraging competition among software vendors, the hackers provide software platform users with more choices, and therefore any other benefits associated with more choices in the marketplace. Therefore, before making ad hoc policy, such as making all hacker activities completely illegal, a more calibrated approach may be needed.
What should government policy do? The study results showing the unintended benefit of malicious hacking should not be taken as support for all such activities. Some hacker activities can be classified as malicious (e.g., because the target user has not given the hacker permission to engage in such activity) but harmless. For example, the intentions of the malicious hacker could be taken into account in any law, and if it can be proved that the intentions are to cause harm (e.g., identify theft, data breach, and financial fraud), then legal ramifications should be more severe. However, hacking activities that do not result in harm to individuals, organizations, and nations should be treated less severely. For example, activities of hackers, commonly referred to as Grey Hats, that is, those hackers who discover vulnerabilities in a system without the owner’s permission or knowledge, and then report their findings to the owner, vendor of the vulnerable software/system, bug
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS 211
bounty programs,11 and/or government agencies (e.g., NIST’s National Vulnerability Database12) or other such forums (e.g. CVE13), should not be treated on par with malicious (or Black Hat) hackers. However, the Computer Fraud and Abuse Act (CFAA), a 1980s-era law originally designed to punish and deter intrusions into govern- ment and financial-industry computer systems — the main federal law still used today to punish hackers — is often applied to all hacking activities, irrespective of the intention of the hacker. For example, many legal and popular publications have debated the legal outcomes regarding the conviction of Andrew Aurnheimer for exposing 114,000 emails of iPad customers to AT&T due to a vulnerability in the AT&T website, the prosecution of Aaron Swartz for downloading (without subscription) JSTOR research articles, and the conviction of Mathew Keys for providing a password to a Los Angeles Times website account [23]. Those parties in favor of modifying the CFAA law (e.g., the Electronic Frontier Foundation) are however not having much success in changing policy. In fact, the U.S. federal government’s intention of doubling down on its policy efforts to curb cybercrime via CFAA was evident in President’s Obama’s 2015 State of the Union Address. This study shows that an indiscriminate policy of targeting all hacker activities under the CFAA law is not necessarily consistent with good public policy. More specifi- cally, the sentencing guidelines under CFAA are very strict and very broadly defined. While vandalizing physical property usually carries some fine, a jail sentence of a few weeks, and/or community service,14 vandalizing a website could result in a jail sentence of several years! This study provides analytical support to those who argue that CFAA policies, especially with respect to its sentencing guidelines, should be modified to protect the interests of software security researchers and ethical hackers. Such a policy update should include specific guidelines on vulnerability research and disclosure such that ethical hackers do not break the law. For example, if a hacker discovers vulnerability, informs the vendor of the software product first, and then discloses the vulnerability to the public, then he should not be prosecuted. However, currently under the CFAA, even the act of discovering software vulnerability could be a criminal activity [7].
What can the software industry do? The software industry, while not a big fan of hacking activities, has come to accept the presence of hackers as a key stakeholder in the software ecosystem. Many industry vendors and users actually have taken steps already to reduce their risk from unethical hacking by encouraging ethical hacking. Ethical hacking activities will result in more secure software and thereby it will reduce the risks from unethical hacking. For example:
● Software developers such as PayPal, Google, and Firefox have Vulnerability Rewards programs (VRP) that encourage hackers to discover and responsibly disclose vulner- abilities [1, 16, and 41].
● Software producers such as Apple and Microsoft sponsor and encourage hacking competition (e.g., Pwn2Own) to identify vulnerabilities in their products.
● Software producers paying ethical hackers to test their products for software vulner- abilities [e.g., 20].
● As part of risk assessment, industrial software users now often will hire consulting firms staffed with ethical hackers to audit the security of their systems. In fact, all leading consulting firms have cybersecurity divisions that provide pen-testing
212 R. SEN ET AL.
services to their clients. Some user firms, such as United Airlines, employ resources of individual ethical hackers using bug-finder loyalty program bonuses.15
In short, by incorporating known hackers into the operational activities and processes of software producing and software using firms, the managers of those firms indeed can benefit from reduced hacking activities from unethical hackers. These ongoing policy changes within select leading-edge firms illustrate the potential implications of our modeling exercise. If one or more firms are successful in eliminating attacks from unethical hackers, then Scenario 1, where no malicious hacking exists, or Scenario 2, where not all of the competition is targeted comes into play. In both these scenarios, the firms competing in various software market segments would benefit from a lack of competition. However, this is not necessarily a good outcome for the software users. These scenarios leave the users less well off because: (a) lack of competition is not good for consumers; and (b) in case of Scenario 2, they risk cyberattacks from unethical hackers.
Potential Limitations and Future Research Directions
As with any modeling study, the model documented in this paper exhibits potential limitations that provide opportunities for additional study of related issues. As analytical studies are built on specific modeling assumptions, researchers might always improve the rigor of findings by examining different modeling frameworks and different assumptions. While there are known to be several categories of hacker attacks, in this manuscript we view malicious hacker attacks as a generic construct, and do not disentangle the effects of different hacking types. Given we are modeling industry level outcomes, we also are unable to incorporate into our model variables such as the attack severity. Perhaps future researchers can extend the work here to examine how different types of hacker attacks, severity of attacks, and benefits/harms of attacks, among other issues, may affect the competitive software market structure. Finally, while we focus on long-term equilibriums of the software market, future research might extend the examination to focus on (a) short-run impacts of hacker actions on software market competition and (b) the associated social welfare implications resulting from a competitive software market.
Notes 1. https://us.norton.com/internetsecurity-emerging-threats-what-is-the-difference-between-
black-white-and-grey-hat-hackers.html 2. https://cybermap.kaspersky.com/ 3. https://investor.yahoo.net/releasedetail.cfm?ReleaseID=990570 4. https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do 5. https://www.gartner.com/newsroom/id/3859963 6. https://nvd.nist.gov/ 7. https://securelist.com/exploits-how-great-is-the-threat/78125/ 8. http://www.applemust.com/are-android-users-really-more-loyal-than-iphone-users/ 9. https://appleinsider.com/articles/18/03/08/survey-calls-android-buyers-more-loyal-but-more-
users-are-still-switching-to-ios 10. There is one data point for Blackberry/Microsoft because of their short partnership at that
time. 11. https://hackerone.com/bug-bounty-programs
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS 213
12. https://nvd.nist.gov/ 13. https://cve.mitre.org/ 14. http://www.criminaldefenselawyer.com/crime-penalties/federal/Vandalism.htm 15. https://www.united.com/web/en-US/content/contact/bugbounty.aspx
References
1. Algarni, A.M.; and Malaiya, Y.K. Software vulnerability markets: Discoverers and buyers. International Journal of Computer, Electrical, Automation, Control and Information Engineering, 8, 3 (2014), 480–490.
2. Arora, A.; Caulkins, J.P.; and Telang, R. Sell first, fix later: Impact of patching on software quality. Management Science, 52, 3 (March 2006), 465–471.
3. August, T.; and Tunca, T.I. Who should be responsible for software security? A comparative analysis of liability policies in network environments. Management Science, 57, 5 (May 2011), 934–959.
4. Anderson, R. Why information security is hard- An economic perspective. 17th Annual Computer Security Applications Conference (ACSAC’01), IEEE Computer Society, December, 2001. https://www.acsac.org/2001/papers/110.pdf, (accessed March 12, 2017).
5. Barnes, R.; and Fulford, G.R. Mathematical Modelling with Case Studies: A Differential Equations Approach using Maple and MATLAB. Boca Raton, FL: CRC Press, 2002, pp. 99–109.
6. Bitzer, J. Commercial versus open source software: The role of product heterogeneity in competition. Economic Systems, 28, 4 (December 2004), 369–381.
7. Brewster, T. US cybercrime laws being used to target security researchers. The Guardian, Thursday 29 May 2014. https://www.theguardian.com/technology/2014/may/29/us- cybercrime-laws-security-researchers.
8. Brynjolfsson, E. and Kemerer, C.F. Network externalities in microcomputer software: An econometric analysis of the spreadsheet market. Management Science, 42, 12 (December 1996), 1627–1647.
9. Cavusoglu, H.; Cavusoglu, H.; and Raghunathan, S. Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Transactions on Software Engineering, 33, 3 (March 2007), 171–185.
10. Cavusoglu, H.; Mishra, B.; and Raghunathan, S. The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9, 1 (2004), 69.
11. CBS. These Cybercrime Statistics Will Make You Think Twice About Your Password: Where’s The CSI Cyber Team When You Need Them? CBS.com, March 3, 2015. http:// www.cbs.com/shows/csi-cyber/news/1003888/these-cybercrime-statistics-will-make-you- think-twice-about-your-password-where-s-the-csi-cyber-team-when-you-need-them -/(accessed November 2, 2016).
12. Economides, N.; and Katsamakas, E. Two-sided competition of proprietary vs. open source technology platforms and the implications for the software industry. Management Science, 52, 7 (July 2006), 1057–1071.
13. English Oxford Living Dictionaries. Accessed on August 25 2019: https://en.oxforddiction aries.com/definition/hacker
14. Fan, M.; Kumara, S.; and Whinston, A.B. Short-term and long-term competition between providers of shrink-wrap software and software as a service. European Journal of Operational Research, 196, 2, 16 (July 2009), 661–671.
15. Farrell, J.; and Saloner, G. Installed base and compatibility: Innovation, product pronounce- ments, and predation. The American Economic Review, 76, 5 (December 1986), 940–955.
16. Finifter, M.; Akhawe, D.; and Wagner, D. An empirical study of vulnerability rewards programs. Presented at 22nd USENIX Security Symposium, August 14-16, Washington DC.
214 R. SEN ET AL.
Accessed on August 25 2019: https://www.usenix.org/conference/usenixsecurity13/technical- sessions/presentation/finifter.
17. Finkle, J. 6 more stores attacked by same hack as target: Firm. Reuters, January 17th 2014. http://www.huffingtonpost.com/2014/01/17/six-other-stores-are-bein_n_4618414.html (accessed January 22, 2014).
18. Gallaugher, J.M., and Wang, Y. Understanding network effects in software markets: Evidence from web server pricing. MIS Quarterly, 26, 4 (December 2002), 303–327.
19. Gandal, N. Competing compatibility standards and network externalities in the PC software market. The Review of Economics and Statistics, 77, 4 (November 1995), 599–608.
20. Gander, K. Microsoft pays out $100,000 to hacker who exposed Windows security flaws. Independent, Thursday 10 October 2013.
21. Garcia, A.; Sun, Y.; and Shen, J. Dynamic platform competition with malicious users. Dynamic Games and Applications 4, 3 (2014), 209–308.
22. Gordon, L.A.; Loeb, M.P.; and Sohail, T. A Framework for using insurance for cyber risk management. Communications ACM, 46, 3 (2003), 81–85.
23. Gustin, S. U.S. “Hacker” crackdown sparks debate over computer-fraud law. Time, March 19, 2013. Accessed on August 25 2019: http://business.time.com/2013/03/19/u-s-hacker- crackdown-sparks-debate-over-computer-fraud-law/.
24. Jaisingh, J.; See-To, E.; and Tam, KY. The impact of open source software on the strategic choices of firms developing proprietary software. Journal of Management Information Systems, 25, 3 (2008), pp.243–277.
25. Kannan. K.; and Telang, R. Market for software vulnerabilities? Think again. Management Science, 51, 5 (May 2005) 726–740.
26. Katz, M. L.; and Shapiro, C. Systems competition and network effects. The Journal of Economic Perspectives, 8, 2 (Spring 1994), 93–115.
27. Kim, B. C.; Chen, P.; and Mukhopadhyay, T. (2010b). The effect of liability and patch release on software security: The monopoly case. Production and Operations Management, 20, 4, 603–617.
28. Lanzi, D. Competition and open source with perfect software compatibility. Information Economics and Policy, 21, 3 (August 2009), 192–200.
29. Lin, L. Impact of user skills and network effects on the competition between open source and proprietary software. Electronic Commerce Research and Applications, 7, 1 (Spring 2008), 68–81.
30. Marks, P. Dot-dash-diss: The gentleman hacker’s 1903 lulz. New Scientist. Issue 2844, December 27, 2011. (accessed October 14, 2013).
31. Marshall, A. Causes, effects and solutions of piracy in the computer software market. Review of Economic Research on Copyright Issues, 4, 1 (2007), 63–86.
32. Merriam-Webster Dictionary Accessed on August 25 2019: http://www.merriam-webster. com/dictionary/hacker.
33. Rochet, J.; and Tirole, J. Platform competition in two-sided markets. Journal of the European Economic Association, 1, 4 (June 2003), 990–1029.
34. Samtani, S.; Chinn, R.; Chen, H.; and Nunamaker, J.F. Exploring emerging hacker assets and key hackers for proactive cyber threat intelligence. Journal of Management Information Systems, 34, 4 (2017), 1023–1053.
35. Sen, R. A Strategic analysis of competition between open source and proprietary software. Journal of Management Information Systems, 24, 1 (Summer 2007), 233–257.
36. Swire, P.P. A model for when disclosure helps security: What is different about computer and network security? In M.F. Grady and F. Parisi (eds.), The Law and Economics of Cybersecurity. Cambridge: Cambridge University Press, 2005, pp. 29–70.
37. Telang, R.; and Wattal, S. An empirical analysis of the impact of software vulnerability announcements on firm stock price. IEEE Transactions on Software Engineering, 33, 8 (August 2007), 544–557.
38. Verizon. 2016 Data Breach Investigations Report. http://www.verizonenterprise.com/verizon- insights-lab/dbir/2016/(accessed November 2, 2016).
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS 215
39. Wright, C.S. Software, vendors and reputation: An analysis of the dilemma in creating secure software. Lecture Notes in Computer Science, 6802 (2011), 346–360.
40. Zetter, K. The biggest security threats we’ll face in 2016.Wired.com, January 1, 2016. https://www. wired.com/2016/01/the-biggest-security-threats-well-face-in-2016/. (accessed on November 2, 2016).
41. Zhao, M.; Grossklags, J.; and Liu, P. An empirical study of web vulnerability discovery ecosystems. In Proceeding CCS ‘15 Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, pp. 1105–1117.
About the Authors
Ravi Sen ([email protected]; corresponding author) is an Associate Professor at Mays Business School, Texas A&M. He received his Ph.D. from the University of Illinois at Urbana-Champaign. His research interests include cybersecurity, open source software, and economics of electronic commerce. Dr. Sen has published in Journal of Management Information Systems, Decision Sciences, International Journal of Electronic Commerce, Communications of AIS, and other journals.
Ajay Verma ([email protected]) is a Senior Engineer at Lockheed Martin Missiles and Fire Control, involved in innovative conceptual design of new systems. Dr. Verma received his Ph.D. from Texas A&M University. He was previously Senior Research Scientist for Knowledge Based Systems, where he was principal investigator for innovative research sponsored by Department of Defense. His research interests include simulation and modelling, dynamic analysis and control of large multi-agent complex systems, system optimization, control, and guidance of aerospace systems.
Gregory R. Heim ([email protected]) is the Janet and Mark H. Ely `83 Professor in the Department of Information & Operations Management, Mays Business School at Texas A&M University. He holds Ph.D. in Business Administration from the Carlson School of Management at the University of Minnesota. Dr. Heim’s research focuses on service and e-service/e-retail operations, management of technology, supply chain management, and quality management. He is a Department Editor of the Technology Management area of Journal of Operations Management and Senior Editor of Production and Operations Management.
216 R. SEN ET AL.
Copyright of Journal of Management Information Systems is the property of Taylor & Francis Ltd and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.
- Abstract
- Introduction
- Literature Review
- Software Market Model
- Software Market
- Market Share
- Rate of New Users Adopting the Software
- Intrinsic Growth in Market Share
- Restraining Effect of the Maximum Market Potential
- Restraining Effect of the Competing Software’s Market Share
- Users Switching to or from Competition’s Software
- Restraining Effect of Hackers
- Model Analysis— Equilibrium Outcomes
- Scenario 1 (Benchmark): Both Fully Secured; Hackers Attack Neither Platform
- Scenario 2: One Software Is Targeted by Hackers
- Case 1 (Table 3)
- Case 2 (Table 3)
- Case 3 (Table 4)
- Case 4 (Table 4)
- Scenario 3: Both Xand YAre Attacked by Hackers
- Conclusion
- Contributions and Policy Implications
- Potential Limitations and Future Research Directions
- Notes
- References
- Notes on contributors