Information Systems Research, 2014, Vol. 25, No. 3, pp. 489-510
Posted: 27 Sep 2011 Last revised: 27 Oct 2015
Date Written: 2014
By software vendors offering, via the cloud, software as a service (SaaS) versions of traditionally on-premises application software, security risks associated with usage become more diversified which can greatly increase the value associated with the software. In an environment where negative security externalities are present and users make complex consumption and patching decisions, we construct a model that clarifies whether and how SaaS versions should be offered by vendors. We find that the existence of version-specific security externalities is sufficient to warrant a versioned outcome, which has been shown to be suboptimal in the absence of security risks. In high security-loss environments, we find that SaaS should be geared to the middle tier of the consumer market if patching costs and the quality of the SaaS offering are high, and geared to the lower tier otherwise. In the former case, it is a noteworthy result that strategic interactions between the vendor and consumers can lead a lower inherent quality product to actually be preferred by a higher tier customer segment when security risk associated with each version is endogenously determined by consumption choices. Relative to on-premises benchmarks, we find that software diversification indeed leads to lower average security losses for users when patching costs are high. However, when patching costs are low, surprisingly, average security losses can actually increase as a result of SaaS offerings and lead to lower consumer surplus. We also investigate the vendor's security investment decision and establish that the vendor tends to increase investments in an on-premises version and decrease investments in a SaaS version as the market becomes riskier. In low security-loss environments, we find that SaaS is optimally targeted to a lower tier of the consumer market, average security losses decrease, and consumer surplus increases as a result. Security investments increase for both software versions as risk increases in these environments.
Keywords: software as a service, SaaS, security, economics of information systems, network externalities, software patching, security risk
JEL Classification: C70, D42, L12, L86
Suggested Citation: Suggested Citation
August, Terrence and Niculescu, Marius Florin and Shin, Hyoduk, Cloud Implications on Software Network Structure and Security Risks (2014). Information Systems Research, 2014, Vol. 25, No. 3, pp. 489-510. Available at SSRN: https://ssrn.com/abstract=1933618 or http://dx.doi.org/10.2139/ssrn.1933618