Software selection is an important consideration in managing the information security function. Open source software is touted by proponents as being robust to many of the security problems that seem to plague proprietary software. This study empirically investigates specific security characteristics of open source and proprietary operating system software. Software vulnerability data spanning several years are collected and analyzed to determine if significant differences exist in terms of inter-arrival times of published vulnerabilities, mean time to release patches, type of vulnerability reported and respective severity of the vulnerabilities. The results demonstrate that open source and proprietary operating system software are each likely to report similar vulnerabilities and that open source providers are marginally quicker in releasing patches for problems identified in their software. The arguments favoring the inherent security of open source software do not initially appear to hold up to such analysis. However, much more research needs to be performed to fully explore the relationships between the proprietary nature of software and security.

Arora, A.; Telang, R.; and Xu, H. (2004). "Optimal Policy for Software Vulnerability Disclosure," In Proceedings of the Ninth INFORMS Conference on Information Systems & Technology (CIST). Oct 23-24. Denver, CO.

Arora, A.; Nandkumar, A.; Krishnan, R.; and Telang, R. (2004). "Impact of Patches and Software Vulnerability Information on Frequency of Security Attacks - An Empirical Analysis," In Proceedings of the 3rd Workshop on Economics and Information Security. May 13-15. Minneapolis, MN.

Banker, R. D.; Datar, S. M.; Kemerer, C. F.; and Zweig, D. (2002), "Software Errors and Software Maintenance Management," Information Technology and Management 3 (1-2): 25-41.

Beattie, S.; Arnold, S.; Cowan, C.; Wagle, P.; Wright, C.; and Shostack, A. (2002). "Timing the Application of Security Patches for Optimal Uptime," In Proceedings of LISA '02: Sixteenth Systems Administration Conference. Nov 3-8. Berkeley, CA.

Boehm, B.W., Brown, J.R., and Lipow, M. (1976). "Quantitative Evaluation of Software Quality," In Proceedings of the Second International Conference on Software Engineering. Oct 13-15. San Francisco, CA.

Bulkeley, W. M. (2004), "Can Linux Take Over the Desktop?" Wall Street Journal, May 24, 2004.

Cavusoglu, H., Raghunathan, S., and Cavusoglu, H. (2004), "Optimal Timing Decision for Application of Security Patches," Working paper, Tulane University.

CERT. Securing Network Servers. Prepared by CERT, Retrieved August 8, 2004, from http://www.cert.org/security-improvement/modules/m07.html

CNET News, Prepared by CNET, Retrieved December, 2004, from http://www.news.com.com

Greene, W. H. and Greene, W. H. (2002), Econometric Analysis. 5th edition, Prentice Hall, Upper Saddle River, NJ.

Hamm, S. (2005), "Linuxinc," BusinessWeek, Jan. 31, 2005, 60-68.

Hann, I.; Roberts, J.; and Slaughter, S. (2004). "Why Developers Participate in Open Source Software Projects: An Empirical Investigation," In Proceedings of the Twenty-Fifth International Conference on Information Systems, Dec. 12-15. Washington, DC.

ICAT Metabase, (2004), http://icat.nist.gov /icat.cfm.

Jelinski, Z. and Moranda, P. B. (1972), "Software Reliability Research," In W. Freiberger, (ed.) Statistical Computer Performance Evaluation. Academic Press, New York, 465-484.

Johnson, J. P. (2002), "Economics of Open Source Software," Journal of Economic and Management Strategy, 11 (4): 637-662.

Kannan, K. and Telang, R. (2005), "Market for Software Vulnerabilities? Think Again," Management Science, 51 (5): 726-740.

Lerner, J. and Tirole, J. (2001), "The open source movement: Key research questions," European Economic Review, 45 (4): 819-826.

Lerner, J. and Tirole, J. (2002), "Some Simple Economics of Open Source," The Journal of Industrial Economics, 50 (2): 197-234.

MITRE. (2004), "Common Vulnerabilities and Exposure,"http://www.cve.mitre.org

MIZI Research, (2004), "Linux Vs Windows: Which is more secure?" Retrieved January 20, 2005 from http://www.mizi.com/en/index/news-app/story.32

Myers, G. (1976), Software Reliability: Principles and Practices, John Wiley and Sons, New York, NY.

The Open Source Definition, Open Source Initiative, (2005), Retrieved February 14, 2005 from http://www.opensource.org/docs/definition.php

Pescatore, J. (2004), "Management Update: Mount a Solid Defense Against Worms and Viruses," Gartner intraWeb Report ID Number: G00123950, Retrieved December, 2004 from http://www.itap.purdue.edu/itresources/gartner/index.html

Raymond, E. S. (2000), "The Cathedral and the Bazaar" Retrieved February 12, 2006 from http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/

Rescorla, E. (2002), "Security holes... who cares?" Retrieved January 20, 2005 from http://www.rtfm.com/upgrade.pdf

Shooman, M. (1973). "Operational Testing and Software Reliability Estimation During Program Development," In Record of the 1973 IEEE Symposium on Computer Software Reliability, IEEE, New York, 51-57.

Silver, M. and Pescatore, J. (2004), "Security Holes Increase Windows Client TCO," Gartner intraWeb Report ID Number: G00123511, Retrieved December, 2004 from http://www.itap.purdue.edu/itresources/gartner/index.html

Sliwa, C. (2004), "App Tests for Win XPSP2 Burden Users: Most Delay Installing XP Security Update," Computerworld, August 20, 2004.

Sumita, U. and Shantikumar, G. (1986), "A Software Reliability Model with Multiple-Error Introduction & Removal," IEEE Transactions on Reliability, 35, (4): 459-462.

Vijayan, J. (2003), "Microsoft Release Four Patches Under New Monthly Schedule," Computerworld, November 17, 2003.