Cloud Implications on Software Network Structure and Security Risks
成果类型:
Article
署名作者:
August, Terrence; Niculescu, Marius Florin; Shin, Hyoduk
署名单位:
University of California System; University of California San Diego; Korea University; University System of Georgia; Georgia Institute of Technology
刊物名称:
INFORMATION SYSTEMS RESEARCH
ISSN/ISSBN:
1047-7047
DOI:
10.1287/isre.2014.0527
发表日期:
2014
页码:
489-510
关键词:
information security
vulnerability disclosure
MARKET
GOODS
EFFICIENCY
monopoly
QUALITY
patch
COMPETITION
management
摘要:
By software vendors offering, via the cloud, software-as-a-service (SaaS) versions of traditionally on-premises application software, security risks associated with usage become more diversified. This can greatly increase the value associated with the software. In an environment where negative security externalities are present and users make complex consumption and patching decisions, we construct a model that clarifies whether and how SaaS versions should be offered by vendors. We find that the existence of version-specific security externalities is sufficient to warrant a versioned outcome, which has been shown to be suboptimal in the absence of security risks. In high security-loss environments, we find that SaaS should be geared to the middle tier of the consumer market if patching costs and the quality of the SaaS offering are high, and geared to the lower tier otherwise. In the former case, when security risk associated with each version is endogenously determined by consumption choices, strategic interactions between the vendor and consumers may cause a higher tier consumer segment to prefer a lower inherent quality product. Relative to on-premises benchmarks, we find that software diversification leads to lower average security losses for users when patching costs are high. However, when patching costs are low, surprisingly, average security losses can increase as a result of SaaS offerings and lead to lower consumer surplus. We also investigate the vendor's security investment decision and establish that, as the market becomes riskier, the vendor tends to increase investments in an on-premises version and decrease investments in a SaaS version. On the other hand, in low security-loss environments, we find that SaaS is optimally targeted to a lower tier of the consumer market, average security losses decrease, and consumer surplus increases as a result. Security investments increase for both software versions as risk increases in these environments.
来源URL: