Cloud Implications on Software Network Structure and Security Risks

Information Systems Research, 2014, Vol. 25, No. 3, pp. 489-510

Posted: 27 Sep 2011 Last revised: 27 Oct 2015

See all articles by Terrence August

Terrence August

University of California, San Diego (UCSD) - Rady School of Management

Marius Florin Niculescu

Georgia Institute of Technology - Scheller College of Business

Hyoduk Shin

University of California, San Diego (UCSD) - Rady School of Management

Date Written: 2014

Abstract

By software vendors offering, via the cloud, software as a service (SaaS) versions of traditionally on-premises application software, security risks associated with usage become more diversified which can greatly increase the value associated with the software. In an environment where negative security externalities are present and users make complex consumption and patching decisions, we construct a model that clarifies whether and how SaaS versions should be offered by vendors. We find that the existence of version-specific security externalities is sufficient to warrant a versioned outcome, which has been shown to be suboptimal in the absence of security risks. In high security-loss environments, we find that SaaS should be geared to the middle tier of the consumer market if patching costs and the quality of the SaaS offering are high, and geared to the lower tier otherwise. In the former case, it is a noteworthy result that strategic interactions between the vendor and consumers can lead a lower inherent quality product to actually be preferred by a higher tier customer segment when security risk associated with each version is endogenously determined by consumption choices. Relative to on-premises benchmarks, we find that software diversification indeed leads to lower average security losses for users when patching costs are high. However, when patching costs are low, surprisingly, average security losses can actually increase as a result of SaaS offerings and lead to lower consumer surplus. We also investigate the vendor's security investment decision and establish that the vendor tends to increase investments in an on-premises version and decrease investments in a SaaS version as the market becomes riskier. In low security-loss environments, we find that SaaS is optimally targeted to a lower tier of the consumer market, average security losses decrease, and consumer surplus increases as a result. Security investments increase for both software versions as risk increases in these environments.

Keywords: software as a service, SaaS, security, economics of information systems, network externalities, software patching, security risk

JEL Classification: C70, D42, L12, L86

Suggested Citation

August, Terrence and Niculescu, Marius Florin and Shin, Hyoduk, Cloud Implications on Software Network Structure and Security Risks (2014). Information Systems Research, 2014, Vol. 25, No. 3, pp. 489-510, Available at SSRN: https://ssrn.com/abstract=1933618 or http://dx.doi.org/10.2139/ssrn.1933618

Terrence August (Contact Author)

University of California, San Diego (UCSD) - Rady School of Management ( email )

9500 Gilman Drive
Rady School of Management
La Jolla, CA 92093
United States

HOME PAGE: http://management.ucsd.edu/faculty/directory/august/

Marius Florin Niculescu

Georgia Institute of Technology - Scheller College of Business ( email )

800 West Peachtree St.
Atlanta, GA 30308
United States
404-385-3105 (Phone)

HOME PAGE: http://scheller.gatech.edu/directory/faculty/niculescu/index.html

Hyoduk Shin

University of California, San Diego (UCSD) - Rady School of Management ( email )

9500 Gilman Drive
Rady School of Management
La Jolla, CA 92093
United States

Do you have negative results from your research you’d like to share?

Paper statistics

Abstract Views
2,878
PlumX Metrics