IDEAS home Printed from https://ideas.repec.org/a/inm/orisre/v31y2020i3p848-864.html
   My bibliography  Save this article

Cloud Services vs. On-Premises Software: Competition Under Security Risk and Product Customization

Author

Listed:
  • Zan Zhang

    (School of Economics and Management, Beihang University, Beijing 100191, China)

  • Guofang Nan

    (College of Management and Economics, Tianjin University, Tianjin 300072, China)

  • Yong Tan

    (Michael G. Foster School of Business, University of Washington, Seattle, Washington 98195)

Abstract

Cloud computing services are transforming business and government at an ever-increasing rate. The associated security risk and low customization capability, however, create challenges for the adoption of cloud services. In this paper, we construct a game-theoretical model that involves two vendors—one that provides cloud service on a pay-per-use basis and the other that sells on-premises software at a one-time licensing fee—and consumers who are heterogeneous in their usage frequencies in an environment in which negative security externalities are present. We study the competitive implications of security risk and product customization capability on consumer purchase choice and vendors’ pricing and investment strategies. Although it is generally believed that cloud services are more vulnerable to security breaches, our results demonstrate that in high-security-loss environments in which consumers incur a large loss per use if struck by attacks, using cloud service yields a lower average expected loss for consumers compared with on-premises software. By endogenizing vendors’ investment decisions on security and customization, our investigation highlights that in low-security-loss environments, the cloud vendor has no incentive to invest effort in reducing security risk, but the on-premises vendor will increase security investment when the probability of attacks on its product becomes higher. We also find that the on-premises vendor’s security and customization investments act as strategic substitutes in low-security-loss environments and, under certain conditions, complements in high-security-loss environments. We further examine welfare-maximizing security investments and find that the socially optimal investment requires greater effort to improve cloud security in low-security-loss environments and to improve on-premises software security in high-security-loss environments.

Suggested Citation

  • Zan Zhang & Guofang Nan & Yong Tan, 2020. "Cloud Services vs. On-Premises Software: Competition Under Security Risk and Product Customization," Information Systems Research, INFORMS, vol. 31(3), pages 848-864, September.
    • Handle: RePEc:inm:orisre:v:31:y:2020:i:3:p:848-864
    DOI: 10.1287/isre.2019.0919
    as

    Download full text from publisher

    File URL: https://doi.org/10.1287/isre.2019.0919
    Download Restriction: no
    File URL: https://libkey.io/10.1287/isre.2019.0919?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Gabaix, Xavier & Laibson, David & Li, Deyuan & Li, Hongyi & Resnick, Sidney & de Vries, Casper G., 2016. "The impact of competition on prices with numerous firms," Journal of Economic Theory, Elsevier, vol. 165(C), pages 1-24.
    2. Marius F. Niculescu & D. J. Wu, 2014. "Economics of Free Under Perpetual Licensing: Implications for the Software Industry," Information Systems Research, INFORMS, vol. 25(1), pages 173-199, March.
    3. Muller, Holger M., 2000. "Asymptotic Efficiency in Dynamic Principal-Agent Problems," Journal of Economic Theory, Elsevier, vol. 91(2), pages 292-301, April.
    4. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    5. Fan, Ming & Kumar, Subodha & Whinston, Andrew B., 2009. "Short-term and long-term competition between providers of shrink-wrap software and software as a service," European Journal of Operational Research, Elsevier, vol. 196(2), pages 661-671, July.
    6. Vidyanand Choudhary & Zhe (James) Zhang, 2015. "Research Note—Patching the Cloud: The Impact of SaaS on Patching Strategy and the Timing of Software Release," Information Systems Research, INFORMS, vol. 26(4), pages 845-858, December.
    7. Ashish Arora & Rahul Telang & Hao Xu, 2008. "Optimal Policy for Software Vulnerability Disclosure," Management Science, INFORMS, vol. 54(4), pages 642-656, April.
    8. Arun Sundararajan, 2004. "Nonlinear Pricing of Information Goods," Management Science, INFORMS, vol. 50(12), pages 1660-1673, December.
    9. MacLeod, W Bentley & Malcomson, James M, 1993. "Investments, Holdup, and the Form of Market Contracts," American Economic Review, American Economic Association, vol. 83(4), pages 811-837, September.
    10. Dan Ma & Abraham Seidmann, 2015. "Analyzing Software as a Service with Per-Transaction Charges," Information Systems Research, INFORMS, vol. 26(2), pages 360-378, June.
    11. Pei-yu Chen & Shin-yi Wu, 2013. "The Impact and Implications of On-Demand Services on Market Structure," Information Systems Research, INFORMS, vol. 24(3), pages 750-767, September.
    12. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    13. Chesher, Andrew, 1989. "Hajek Inequalities, Measures of Leverage and the Size of Heteroskedasticity Robust Wald Tests," Econometrica, Econometric Society, vol. 57(4), pages 971-977, July.
    14. Jean-Jacques Laffont & Jean Tirole, 1993. "A Theory of Incentives in Procurement and Regulation," MIT Press Books, The MIT Press, edition 1, volume 1, number 0262121743, December.
    15. Terrence August & Tunay I. Tunca, 2006. "Network Software Security and User Incentives," Management Science, INFORMS, vol. 52(11), pages 1703-1720, November.
    16. Kreps, David M., 1977. "A note on "fulfilled expectations" equilibria," Journal of Economic Theory, Elsevier, vol. 14(1), pages 32-43, February.
    17. Chul Ho Lee & Xianjun Geng & Srinivasan Raghunathan, 2016. "Mandatory Standards and Organizational Information Security," Information Systems Research, INFORMS, vol. 27(1), pages 70-86, March.
    18. Katz, Michael L & Shapiro, Carl, 1985. "Network Externalities, Competition, and Compatibility," American Economic Review, American Economic Association, vol. 75(3), pages 424-440, June.
    19. Karthik Kannan & Rahul Telang, 2005. "Market for Software Vulnerabilities? Think Again," Management Science, INFORMS, vol. 51(5), pages 726-740, May.
    20. Laffont, Jean-Jacques & Tirole, Jean, 1988. "The Dynamics of Incentive Contracts," Econometrica, Econometric Society, vol. 56(5), pages 1153-1175, September.
    21. Sabyasachi Mitra & Sam Ransbotham, 2015. "Information Disclosure and the Diffusion of Information Security Attacks," Information Systems Research, INFORMS, vol. 26(3), pages 565-584, September.
    22. Sridhar Balasubramanian & Shantanu Bhattacharya & Vish V. Krishnan, 2015. "Pricing Information Goods: A Strategic Analysis of the Selling and Pay-per-Use Mechanisms," Marketing Science, INFORMS, vol. 34(2), pages 218-234, March.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Wang, Yu & Li, Minqiang & Feng, Haiyang & Feng, Nan, 2023. "Which is better for competing firms with quality increasing: behavior-based price discrimination or uniform pricing?," Omega, Elsevier, vol. 118(C).
    2. Bo Li & Subodha Kumar, 2022. "Managing Software‐as‐a‐Service: Pricing and operations," Production and Operations Management, Production and Operations Management Society, vol. 31(6), pages 2588-2608, June.
    3. Jin Li & Wei Xiao & Chong Zhang, 2023. "Data security crisis in universities: identification of key factors affecting data breach incidents," Palgrave Communications, Palgrave Macmillan, vol. 10(1), pages 1-18, December.
    4. Lan Lu & Zheng Zhu & Pengfei Guo & Qiao‐Chu He, 2022. "Service Operations for Mixed Autonomous Paradigm: Lane Design and Subsidy," Production and Operations Management, Production and Operations Management Society, vol. 31(4), pages 1595-1612, April.
    5. Yaxin Wang & Haoyu Wen & ZhongQuan Hu & Yuntao Zhang, 2023. "Collaborative Innovation Strategy of Supply Chain in the Context of MCU Domestic Substitution : A Differential Game Analysis," Computational Economics, Springer;Society for Computational Economics, vol. 61(3), pages 1039-1074, March.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    2. Terrence August & Duy Dao & Kihoon Kim, 2019. "Market Segmentation and Software Security: Pricing Patching Rights," Management Science, INFORMS, vol. 65(10), pages 4575-4597, October.
    3. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    4. Terrence August & Hyoduk Shin & Tunay I. Tunca, 2013. "Licensing and Competition for Services in Open Source Software," Information Systems Research, INFORMS, vol. 24(4), pages 1068-1086, December.
    5. Mingwen Yang & Varghese S. Jacob & Srinivasan Raghunathan, 2021. "Cloud Service Model’s Role in Provider and User Security Investment Incentives," Production and Operations Management, Production and Operations Management Society, vol. 30(2), pages 419-437, February.
    6. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    7. Terrence August & Duy Dao & Hyoduk Shin, 2015. "Optimal Timing of Sequential Distribution: The Impact of Congestion Externalities and Day-and-Date Strategies," Marketing Science, INFORMS, vol. 34(5), pages 755-774, September.
    8. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    9. Mehdi Nezami & Kapil R. Tuli & Shantanu Dutta, 2022. "Shareholder wealth implications of software firms’ transition to cloud computing: a marketing perspective," Journal of the Academy of Marketing Science, Springer, vol. 50(3), pages 538-562, May.
    10. Bo Li & Subodha Kumar, 2022. "Managing Software‐as‐a‐Service: Pricing and operations," Production and Operations Management, Production and Operations Management Society, vol. 31(6), pages 2588-2608, June.
    11. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.
    12. Rajib L. Saha & Sumanta Singha & Subodha Kumar, 2021. "Does Congestion Always Hurt? Managing Discount Under Congestion in a Game-Theoretic Setting," Information Systems Research, INFORMS, vol. 32(4), pages 1347-1367, December.
    13. Ashish Arora & Ramayya Krishnan & Rahul Telang & Yubao Yang, 2010. "An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure," Information Systems Research, INFORMS, vol. 21(1), pages 115-132, March.
    14. Guofang Nan & Xingtao Li & Zan Zhang & Minqiang Li, 0. "Optimal pricing for new product entry under free strategy," Information Technology and Management, Springer, vol. 0, pages 1-19.
    15. Drew Fudenberg, 2015. "Tirole's Industrial Regulation and Organization Legacy in Economics," Scandinavian Journal of Economics, Wiley Blackwell, vol. 117(3), pages 771-800, July.
    16. Zan Zhang & Guofang Nan & Minqiang Li & Yong Tan, 2022. "Competitive Entry of Information Goods Under Quality Uncertainty," Management Science, INFORMS, vol. 68(4), pages 2869-2888, April.
    17. Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.
    18. Vidyanand Choudhary & Zhe (James) Zhang, 2015. "Research Note—Patching the Cloud: The Impact of SaaS on Patching Strategy and the Timing of Software Release," Information Systems Research, INFORMS, vol. 26(4), pages 845-858, December.
    19. Guofang Nan & Xingtao Li & Zan Zhang & Minqiang Li, 2018. "Optimal pricing for new product entry under free strategy," Information Technology and Management, Springer, vol. 19(1), pages 1-19, March.
    20. Arrah-Marie Jo, 2019. "Software vulnerability disclosure and security investment [L'impact de la divulgation d’une faille de sécurité : au-delà des motivations de l’éditeur de logiciel]," Post-Print hal-03033198, HAL.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:inm:orisre:v:31:y:2020:i:3:p:848-864. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Chris Asher (email available below). General contact details of provider: https://edirc.repec.org/data/inforea.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.