Cloud Implications on Software Network Structure and Security Risks

被引：60

作者：

August, Terrence ^{[1
,2
]}

Niculescu, Marius Florin ^{[3
]}

Shin, Hyoduk ^{[1
]}

机构：

[1] Univ Calif San Diego, Rady Sch Management, La Jolla, CA 92093 USA

[2] Korea Univ, Sch Business, Seoul 136701, South Korea

[3] Georgia Inst Technol, Scheller Coll Business, Atlanta, GA 30308 USA

来源：

INFORMATION SYSTEMS RESEARCH | 2014年 / 25卷 / 03期

基金：

美国国家科学基金会;

关键词：

cloud computing; software-as-a-service; network economics; security; versioning; on-premises software; INFORMATION SECURITY; VULNERABILITY DISCLOSURE; MARKET; GOODS; EFFICIENCY; MONOPOLY; QUALITY; PATCH; COMPETITION; MANAGEMENT;

D O I：

10.1287/isre.2014.0527

中图分类号：

G25 [图书馆学、图书馆事业]; G35 [情报学、情报工作];

学科分类号：

1205 ; 120501 ;

摘要：

By software vendors offering, via the cloud, software-as-a-service (SaaS) versions of traditionally on-premises application software, security risks associated with usage become more diversified. This can greatly increase the value associated with the software. In an environment where negative security externalities are present and users make complex consumption and patching decisions, we construct a model that clarifies whether and how SaaS versions should be offered by vendors. We find that the existence of version-specific security externalities is sufficient to warrant a versioned outcome, which has been shown to be suboptimal in the absence of security risks. In high security-loss environments, we find that SaaS should be geared to the middle tier of the consumer market if patching costs and the quality of the SaaS offering are high, and geared to the lower tier otherwise. In the former case, when security risk associated with each version is endogenously determined by consumption choices, strategic interactions between the vendor and consumers may cause a higher tier consumer segment to prefer a lower inherent quality product. Relative to on-premises benchmarks, we find that software diversification leads to lower average security losses for users when patching costs are high. However, when patching costs are low, surprisingly, average security losses can increase as a result of SaaS offerings and lead to lower consumer surplus. We also investigate the vendor's security investment decision and establish that, as the market becomes riskier, the vendor tends to increase investments in an on-premises version and decrease investments in a SaaS version. On the other hand, in low security-loss environments, we find that SaaS is optimally targeted to a lower tier of the consumer market, average security losses decrease, and consumer surplus increases as a result. Security investments increase for both software versions as risk increases in these environments.

引用

页码：489 / 510

页数：22

共 87 条

[1] Why information security is hard - An economic perspective [J].

Anderson, R .

17TH ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE, PROCEEDINGS, 2001, :358-365

[2] The economics of information security [J].

Anderson, Ross ;

Moore, Tyler .

SCIENCE, 2006, 314 (5799) :610-613

[3]

[Anonymous], WORKING PAPER

[4]

[Anonymous], WALL STREET J

[5]

[Anonymous], P 15 C USENIX SEC S

[6]

[Anonymous], 2000, NEW YORK TIMES

[7] Optimal policy for software vulnerability disclosure [J].

Arora, Ashish ;

Telang, Rahul ;

Xu, Hao .

MANAGEMENT SCIENCE, 2008, 54 (04) :642-656

[8] Let the pirates patch? An economic analysis of software security patch restrictions [J].

August, Terrence ;

Tunca, Tunay I. .

INFORMATION SYSTEMS RESEARCH, 2008, 19 (01) :48-70

[9] Network software security and user incentives [J].

August, Terrence ;

Tunca, Tunay I. .

MANAGEMENT SCIENCE, 2006, 52 (11) :1703-1720

[10] Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments [J].

August, Terrence ;

Tunca, Tunay I. .

MANAGEMENT SCIENCE, 2011, 57 (05) :934-959

← 1 2 3 4 5 6 7 8 9 →