Abstract: By software vendors offering, via the cloud, software as a service (SaaS) versions of traditionally on-premises application software, security risks associated with usage become more diversified which can greatly increase the value associated with the software. In an environment where negative security externalities are present and users make complex consumption and patching decisions, we construct a model that clarifies whether and how SaaS versions should be offered by vendors. We find that the existence of version-specific security externalities is sufficient to warrant a versioned outcome, which has been shown to be suboptimal in the absence of security risks. In high security-loss environments, we find that SaaS should be geared to the middle tier of the consumer market if patching costs and the quality of the SaaS offering are high, and geared to the lower tier otherwise. In the former case, it is a noteworthy result that strategic interactions between the vendor and consumers can lead a lower inherent quality product to actually be preferred by a higher tier customer segment when security risk associated with each version is endogenously determined by consumption choices. Relative to on-premises benchmarks, we find that software diversification indeed leads to lower average security losses for users when patching costs are high. However, when patching costs are low, surprisingly, average security losses can actually increase as a result of SaaS offerings and lead to lower consumer surplus. We also investigate the vendor's security investment decision and establish that the vendor tends to increase investments in an on-premises version and decrease investments in a SaaS version as the market becomes riskier. In low security-loss environments, we find that SaaS is optimally targeted to a lower tier of the consumer market, average security losses decrease, and consumer surplus increases as a result. Security investments increase for both software versions as risk increases in these environments.

Link to paper: https://maint.ssrn.com/403.cfm?403;http://maint.ssrn.com:80/?abstract_id=1933618

Biography: Terrence August is Assistant Professor of Innovation, Technology and Operations at the Rady School of Management, University of California, San Diego. He received his Ph.D. in the field of operations, information & technology from the Graduate School of Business at Stanford University in 2007.  Terrence August's research broadly spans information systems and operations management with current interests in the economics of network software, production and service management, pricing and policy associated with network goods, and the interaction of digital piracy and security risk.

Currently, he is investigating the control of information security risk using economic incentives. He received a 2010 National Science Foundation CAREER award. Terrence August has also co-founded two information technology start-up companies and worked in research and development and operations for the Clorox Company. He has consulted for Honeywell, GlaxoSmithKline, Herbalife and Time Warner Cable.

Website: https://rady.ucsd.edu/faculty-research/faculty/terrence-august.html