IDEAS home Printed from https://ideas.repec.org/a/inm/orisre/v25y2014i3p489-510.html
   My bibliography  Save this article

Cloud Implications on Software Network Structure and Security Risks

Author

Listed:
  • Terrence August

    (Rady School of Management, University of California, San Diego, La Jolla, California 92093; and Korea University Business School, Seoul 136-701, Korea)

  • Marius Florin Niculescu

    (Scheller College of Business, Georgia Institute of Technology, Atlanta, Georgia 30308)

  • Hyoduk Shin

    (Rady School of Management, University of California, San Diego, La Jolla, California 92093)

Abstract

By software vendors offering, via the cloud, software-as-a-service (SaaS) versions of traditionally on-premises application software, security risks associated with usage become more diversified. This can greatly increase the value associated with the software. In an environment where negative security externalities are present and users make complex consumption and patching decisions, we construct a model that clarifies whether and how SaaS versions should be offered by vendors. We find that the existence of version-specific security externalities is sufficient to warrant a versioned outcome, which has been shown to be suboptimal in the absence of security risks. In high security-loss environments, we find that SaaS should be geared to the middle tier of the consumer market if patching costs and the quality of the SaaS offering are high, and geared to the lower tier otherwise. In the former case, when security risk associated with each version is endogenously determined by consumption choices, strategic interactions between the vendor and consumers may cause a higher tier consumer segment to prefer a lower inherent quality product. Relative to on-premises benchmarks, we find that software diversification leads to lower average security losses for users when patching costs are high. However, when patching costs are low, surprisingly, average security losses can increase as a result of SaaS offerings and lead to lower consumer surplus. We also investigate the vendor’s security investment decision and establish that, as the market becomes riskier, the vendor tends to increase investments in an on-premises version and decrease investments in a SaaS version. On the other hand, in low security-loss environments, we find that SaaS is optimally targeted to a lower tier of the consumer market, average security losses decrease, and consumer surplus increases as a result. Security investments increase for both software versions as risk increases in these environments.

Suggested Citation

  • Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    • Handle: RePEc:inm:orisre:v:25:y:2014:i:3:p:489-510
    DOI: 10.1287/isre.2014.0527
    as

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/isre.2014.0527
    Download Restriction: no
    File URL: https://libkey.io/10.1287/isre.2014.0527?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Hasan Cavusoglu & Huseyin Cavusoglu & Jun Zhang, 2008. "Security Patch Management: Share the Burden or Share the Damage?," Management Science, INFORMS, vol. 54(4), pages 657-670, April.
    2. Marius F. Niculescu & D. J. Wu, 2014. "Economics of Free Under Perpetual Licensing: Implications for the Software Industry," Information Systems Research, INFORMS, vol. 25(1), pages 173-199, March.
    3. Xueqi (David) Wei & Barrie R. Nault, 2014. "Monopoly Versioning of Information Goods When Consumers Have Group Tastes," Production and Operations Management, Production and Operations Management Society, vol. 23(6), pages 1067-1081, June.
    4. Chul Ho Lee & Xianjun Geng & Srinivasan Raghunathan, 2013. "Contracting Information Security in the Presence of Double Moral Hazard," Information Systems Research, INFORMS, vol. 24(2), pages 295-311, June.
    5. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    6. Galina Vereshchagina & Hugo A. Hopenhayn, 2009. "Risk Taking by Entrepreneurs," American Economic Review, American Economic Association, vol. 99(5), pages 1808-1830, December.
    7. Li, Lode & McKelvey, Richard D. & Page, Talbot, 1987. "Optimal research for cournot oligopolists," Journal of Economic Theory, Elsevier, vol. 42(1), pages 140-166, June.
    8. Geoffrey Heal & Howard Kunreuther, 2007. "Modeling Interdependent Risks," Risk Analysis, John Wiley & Sons, vol. 27(3), pages 621-634, June.
    9. Kunreuther, Howard & Heal, Geoffrey, 2003. "Interdependent Security," Journal of Risk and Uncertainty, Springer, vol. 26(2-3), pages 231-249, March-May.
    10. Zhixi Wan & Damian R. Beil, 2009. "RFQ Auctions with Supplier Qualification Screening," Post-Print hal-00471441, HAL.
    11. Laffont, Jean-Jacques & Tirole, Jean, 1988. "The Dynamics of Incentive Contracts," Econometrica, Econometric Society, vol. 56(5), pages 1153-1175, September.
    12. Roy Jones & Haim Mendelson, 2011. "Information Goods vs. Industrial Goods: Cost Structure and Competition," Management Science, INFORMS, vol. 57(1), pages 164-176, January.
    13. MacLeod, W Bentley & Malcomson, James M, 1993. "Investments, Holdup, and the Form of Market Contracts," American Economic Review, American Economic Association, vol. 83(4), pages 811-837, September.
    14. Justin P. Johnson & David P. Myatt, 2003. "Multiproduct Quality Competition: Fighting Brands and Product Line Pruning," American Economic Review, American Economic Association, vol. 93(3), pages 748-774, June.
    15. Muller, Holger M., 2000. "Asymptotic Efficiency in Dynamic Principal-Agent Problems," Journal of Economic Theory, Elsevier, vol. 91(2), pages 292-301, April.
    16. Ashish Arora & Rahul Telang & Hao Xu, 2008. "Optimal Policy for Software Vulnerability Disclosure," Management Science, INFORMS, vol. 54(4), pages 642-656, April.
    17. Jay Pil Choi & Chaim Fershtman & Neil Gandal, 2010. "Network Security: Vulnerabilities And Disclosure Policy," Journal of Industrial Economics, Wiley Blackwell, vol. 58(4), pages 868-894, December.
    18. Zhixi Wan & Damian R. Beil, 2009. "RFQ Auctions with Supplier Qualification Screening," Operations Research, INFORMS, vol. 57(4), pages 934-949, August.
    19. Terrence August & Tunay I. Tunca, 2008. "Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions," Information Systems Research, INFORMS, vol. 19(1), pages 48-70, March.
    20. Jing, Bing, 2007. "Network externalities and market segmentation in a monopoly," Economics Letters, Elsevier, vol. 95(1), pages 7-13, April.
    21. Terrence August & Tunay I. Tunca, 2006. "Network Software Security and User Incentives," Management Science, INFORMS, vol. 52(11), pages 1703-1720, November.
    22. Jeroen M. Swinkels & Wolfgang Pesendorfer, 2000. "Efficiency and Information Aggregation in Auctions," American Economic Review, American Economic Association, vol. 90(3), pages 499-525, June.
    23. Karthik Kannan & Rahul Telang, 2005. "Market for Software Vulnerabilities? Think Again," Management Science, INFORMS, vol. 51(5), pages 726-740, May.
    24. Hemant K. Bhargava & Vidyanand Choudhary, 2008. "Research Note--When Is Versioning Optimal for Information Goods?," Management Science, INFORMS, vol. 54(5), pages 1029-1035, May.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    2. Terrence August & Duy Dao & Kihoon Kim, 2019. "Market Segmentation and Software Security: Pricing Patching Rights," Management Science, INFORMS, vol. 65(10), pages 4575-4597, October.
    3. Terrence August & Hyoduk Shin & Tunay I. Tunca, 2013. "Licensing and Competition for Services in Open Source Software," Information Systems Research, INFORMS, vol. 24(4), pages 1068-1086, December.
    4. Zan Zhang & Guofang Nan & Yong Tan, 2020. "Cloud Services vs. On-Premises Software: Competition Under Security Risk and Product Customization," Information Systems Research, INFORMS, vol. 31(3), pages 848-864, September.
    5. Terrence August & Wei Chen & Kevin Zhu, 2021. "Competition Among Proprietary and Open-Source Software Firms: The Role of Licensing in Strategic Contribution," Management Science, INFORMS, vol. 67(5), pages 3041-3066, May.
    6. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    7. Terrence August & Duy Dao & Hyoduk Shin, 2015. "Optimal Timing of Sequential Distribution: The Impact of Congestion Externalities and Day-and-Date Strategies," Marketing Science, INFORMS, vol. 34(5), pages 755-774, September.
    8. Terrence August & Marius Florin Niculescu, 2013. "The Influence of Software Process Maturity and Customer Error Reporting on Software Release and Pricing," Management Science, INFORMS, vol. 59(12), pages 2702-2726, December.
    9. Terrence August & Hyoduk Shin & Tunay I. Tunca, 2018. "Generating Value Through Open Source: Software Service Market Regulation and Licensing Policy," Information Systems Research, INFORMS, vol. 29(1), pages 186-205, March.
    10. Lam, Wing Man Wynne, 2016. "Attack-prevention and damage-control investments in cybersecurity," Information Economics and Policy, Elsevier, vol. 37(C), pages 42-51.
    11. Shivendu Shivendu & Zhe (James) Zhang, 2015. "Versioning in the Software Industry: Heterogeneous Disutility from Underprovisioning of Functionality," Information Systems Research, INFORMS, vol. 26(4), pages 731-753, December.
    12. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    13. Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.
    14. Arrah-Marie Jo, 2019. "Software vulnerability disclosure and security investment [L'impact de la divulgation d’une faille de sécurité : au-delà des motivations de l’éditeur de logiciel]," Post-Print hal-03033198, HAL.
    15. Atanu Lahiri & Debabrata Dey, 2013. "Effects of Piracy on Quality of Information Goods," Management Science, INFORMS, vol. 59(1), pages 245-264, June.
    16. Sabyasachi Mitra & Sam Ransbotham, 2015. "Information Disclosure and the Diffusion of Information Security Attacks," Information Systems Research, INFORMS, vol. 26(3), pages 565-584, September.
    17. José A. Novo‐Peteiro, 2023. "Product design with attribute dependence," Manchester School, University of Manchester, vol. 91(4), pages 361-385, July.
    18. Mingwen Yang & Varghese S. Jacob & Srinivasan Raghunathan, 2021. "Cloud Service Model’s Role in Provider and User Security Investment Incentives," Production and Operations Management, Production and Operations Management Society, vol. 30(2), pages 419-437, February.
    19. Francisco Martínez-Sánchez, 2016. "Versioning Goods and Joint Purchase: Substitution and Complementarity Strategies," Prague Economic Papers, Prague University of Economics and Business, vol. 2016(5), pages 577-590.
    20. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:inm:orisre:v:25:y:2014:i:3:p:489-510. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Chris Asher (email available below). General contact details of provider: https://edirc.repec.org/data/inforea.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.