
Three essays on managing information systems security: Patch management, learning dynamics, and security software market

Posted on: 2008-09-02
Degree: Ph.D
Type: Dissertation
University: University of Washington
Candidate: Zhang, Guo Ying
Full Text: PDF
GTID: 1448390005974236
Subject: Business Administration
Abstract/Summary:
Security plays a critical role in modern information systems. This dissertation provides managerial insights and useful guidelines for managing information system security for information systems administrators, software developers, and security software vendors.

First, faced with the frequent release of numerous security patches, a system administrator must decide when and how often to interrupt ongoing business applications running on enterprise servers in order to deploy patches in a timely manner, so as to strike a proper balance between the potential exploitation cost and the business disruption cost. I propose and analyze five patch management policies: one-for-one, time-based, patch-based, total-control, and emergency-control. The results provide guidelines for system administrators to choose one policy over another depending on the parameters of an application context.

Second, faced with the burden of developing security patches, software developers must learn from past failures to improve the security quality of their products. In order to identify features of security vulnerabilities for effective learning, I apply three regression models (negative binomial, latent class, and hidden Markov models) to investigate the largely unobservable learning process. Comparing all the models, I find that vendors' learning process is dynamic, i.e., vendors' knowledge levels change over time, and is best represented by a hidden Markov model. I use three learning states (high, medium, and low) to classify the knowledge level and observe that different characteristics of vulnerabilities facilitate learning differently in different learning states.

Third, in a highly competitive market for security software, vendors have to understand the market structure in order to adopt appropriate competition and product strategies. I incorporate a negative network effect to analyze the structure of a security software market. I observe different characteristics in this market when compared to markets without the negative network effect. Further, I evaluate the strategy of vertical differentiation and conclude that the strategy is not desired by a monopolist but may be adopted in a duopoly if the negative network effect is moderate.

Overall, my dissertation provides managerial insights for effective patch management in organizations, for efficient learning from security vulnerabilities, and for appropriate competition and product strategies in a security software market.
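The first essay's trade-off, exploitation exposure while a patch waits against the disruption of each maintenance window, can be made concrete with a small cost model. The following Python is an added illustration, not code or a model from the dissertation: the policy definitions (one-for-one deploys each patch on release; time-based opens a window every `period` days; patch-based opens a window once `batch_size` patches are pending), the linear cost structure, and the release schedule are all constructed assumptions. The total-control and emergency-control policies are not defined on this page and are not modelled.

```python
"""Toy cost model for comparing patch-deployment policies (constructed example)."""
from bisect import bisect_left
from dataclasses import dataclass


@dataclass(frozen=True)
class Costs:
    exposure_per_patch_day: float  # stand-in for exploitation risk per pending patch-day
    disruption_per_deploy: float   # stand-in for the business cost of one maintenance window


# Constructed sample input: day on which each patch is released, and the planning horizon.
RELEASE_DAYS = [1, 2, 5, 9, 10, 11, 20, 25]
HORIZON = 30
COSTS = Costs(exposure_per_patch_day=10.0, disruption_per_deploy=100.0)


def one_for_one(release_days, horizon):
    """Assumed definition: deploy every patch on the day it appears (zero exposure)."""
    return sorted(set(release_days))


def time_based(period):
    """Assumed definition: a maintenance window every `period` days, regardless of load."""
    def policy(release_days, horizon):
        return list(range(period, horizon + 1, period))
    return policy


def patch_based(batch_size):
    """Assumed definition: deploy as soon as `batch_size` patches are pending."""
    def policy(release_days, horizon):
        windows, pending = [], 0
        for day in sorted(release_days):
            pending += 1
            if pending == batch_size:
                windows.append(day)
                pending = 0
        return windows
    return policy


def evaluate(policy, release_days, horizon, costs):
    """Assign each patch to the first window on or after its release and total the costs."""
    windows = policy(release_days, horizon)  # sorted candidate deployment days
    exposure_days, used_windows, undeployed = 0, set(), 0
    for released in release_days:
        i = bisect_left(windows, released)
        if i < len(windows):
            exposure_days += windows[i] - released
            used_windows.add(windows[i])
        else:
            # No window ever fires for this patch: it stays exposed to the end of the horizon.
            exposure_days += horizon - released
            undeployed += 1
    deployments = len(used_windows)  # a scheduled window with nothing pending costs nothing
    total = (exposure_days * costs.exposure_per_patch_day
             + deployments * costs.disruption_per_deploy)
    return {"exposure_days": exposure_days, "deployments": deployments,
            "undeployed": undeployed, "total_cost": total}


def compare(policies, release_days=RELEASE_DAYS, horizon=HORIZON, costs=COSTS):
    """Evaluate several named policies on the same schedule; returns {name: result}."""
    return {name: evaluate(p, release_days, horizon, costs) for name, p in policies.items()}


if __name__ == "__main__":
    results = compare({"one-for-one": one_for_one,
                       "time-based(7)": time_based(7),
                       "patch-based(3)": patch_based(3)})
    for name, r in results.items():
        print(f"{name:16s} exposure={r['exposure_days']:3d} patch-days  "
              f"windows={r['deployments']}  undeployed={r['undeployed']}  "
              f"cost={r['total_cost']:.0f}")
```

With these constructed numbers the time-based policy beats one-for-one on total cost, and patch-based looks cheapest only because two late patches never reach a full batch and are silently left exposed at the horizon; the `undeployed` counter is there precisely to surface that failure mode, which is why a count-triggered policy needs a time cap in practice. Changing the cost ratio or the release pattern changes the ranking, which is the point the essay makes about choosing a policy from the parameters of the application context.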
Keywords/Search Tags: Security, Information systems, Market, Patch management, Negative network effect, Three