Patchy incentives: using law to encourage effective vulnerability response
Andrew Cormack and Éireann Leverett
Journal of Cyber Policy, 2023, vol. 8, issue 1, 88-113
Abstract:
Data breach reports suggest that managing patches is hard: too many major incidents are caused by well-known software vulnerabilities with available fixes. Legal sanctions – from mandates to liability – apparently have limited effect. This paper discusses how an effective vulnerability response process can help software users allocate their remediation effort to minimise overall risk and disruption. We analyse laws and regulations on liability, product quality and patching mandates to see why they fail to promote good practice. Recent cases under privacy laws highlight features that make risk-based patching a better basis for system managers, executives and regulators to agree a common approach to effective vulnerability response.
Date: 2023
Full text: http://hdl.handle.net/10.1080/23738871.2023.2284233 (text/html; access restricted to subscribers)
Persistent link: https://EconPapers.repec.org/RePEc:taf:rcybxx:v:8:y:2023:i:1:p:88-113
Ordering information: http://www.tandfonline.com/pricing/journal/rcyb20
DOI: 10.1080/23738871.2023.2284233
Journal of Cyber Policy is currently edited by Emily Taylor