
Cloud Implications on Software Network Structure and Security Risks Terrence August Rady School of Management, UC San Diego Joint with Marius Florin Niculescu.


1 Cloud Implications on Software Network Structure and Security Risks
Terrence August, Rady School of Management, UC San Diego
Joint with Marius Florin Niculescu and Hyoduk Shin (Georgia Tech & UC San Diego)
NSF Grant: 0954234


3 Software Liability
Loss liability is a strictly dominated policy for most software security environments

4 On-Premises and SaaS Software
On-premises:
- Browsers: IE, Firefox, Chrome
- A/V: Sophos, Avira, Symantec
- Webservers: IIS, Apache HTTP Server
- Doc Readers: Acrobat Reader, YAP
- App Servers: Websphere, JBoss, etc.
SaaS:
- Enterprise: Salesforce CRM, Netsuite ERP, CRM
- Productivity: Google Docs
- Rev. Mgmt: IBM DemandTec
- Social: LinkedIn, Facebook
On-premises and SaaS:
- Microsoft Office and Office 365
- Microsoft Dynamics CRM On-premises / Online
- SAP Business All-in-One / SAP Business One OnDemand
- Oracle Siebel CRM / Oracle CRM OnDemand
Where are we heading??

5 Diverse Consumer Preferences
When to use On-Premises:
- Require a solution that meets the unique needs of your company (extensive customization)
- Require a certain level of security and control over data
- Have a dedicated IT staff
- Do not want access to data to depend on Internet availability and speed
- On-site hardware maintenance
When to use SaaS:
- Want to get up and running as quickly as possible
- Require minimal customization (less integrated solution)
- Have limited IT support and resources
- Do not want to invest in hardware or pay upfront licensing fees

6 SAP

7 Cloud Computing Market
- Gartner estimates the cloud computing industry will grow to $149 Billion by 2015
- U.S. Government championing the Federal Cloud Computing Initiative
  - Encourage agencies to use cloud computing solutions
  - $80 Billion federal IT budget
- SaaS applications will play an increasing role in firms' IT strategies

8 Security Attacks
- Security risk comes in two forms:
  - Undirected:
    - Self-replicating attack such as a worm
    - Intent is to spread and distribute payload
    - Examples: Code Red, Slammer, Sasser, Stuxnet, AutoCad worm

9 Undirected Risk
Worm       Date        Vulnerability notice (time before worm)
Code Red   7.19.2001   1 month
Slammer    1.25.2003   6 months
Blaster    8.11.2003   1 month
Sasser     5.1.2004    2 weeks
Zotob      8.13.2005   4 days

10 Security Attacks
- Security risk comes in two forms:
  - Undirected:
    - Self-replicating attack such as a worm
    - Intent is to spread and distribute payload
    - Examples: Code Red, Slammer, Sasser, Stuxnet, AutoCad worm
  - Directed:
    - Targeted attack such as a hacker infiltration
    - Intent is to penetrate a particular organization for either an economic or political objective
    - Examples: distribute.IT, Office 365 token management vulnerability

11 Targeted Attack
Sony PlayStation Network Outage (April, 2011)
- 77 million user accounts compromised, including date of birth, address, and password information
- Outage lasted 3 weeks

12 Risk Profile: On-Premises vs. SaaS
- Both variants are affected by undirected and directed security attacks
- On-Premises
  - Characterized by a large network of servers, each running distinct instances of the software
  - Heterogeneous users make independent patching decisions
  - Undirected risk
- SaaS
  - Characterized by a centralized server or bank of servers
  - Acts more like a single, large node
  - Directed risk

13 Research questions
1. What are the benefits of developing SaaS versions of on-premises software products, focusing on how the joint offering affects the security risk properties of the software?
2. How does the effect on security of having both on-premises and SaaS variants relate to the classic information good versioning problem? Who should the firm target to use SaaS versions?
3. Compared to benchmark levels of vendor profits and social welfare, what is the impact of jointly offering SaaS versions?
4. How will the security risk faced by users be affected?

14 Literature Review
Software Patching: Beattie et al. (2002); August and Tunca (2006); Arora et al. (2006); Choi et al. (2007)
Software Diversification: Deswarte et al. (1999); Schneider and Birman (2009); Jackson et al. (2011); Chen et al. (2011)
SaaS: Choudhary (2007); Ma and Seidmann (2008); Zhang and Seidmann (2010); Xin (2011)
Versioning: Bhargava and Choudhary (2001, 2008); Wei and Nault (2011); Jones and Mendelson (2011); Chellappa and Jia (2011); Chellappa and Mehra (2013)

15 Model
- Consumer valuation space:
- Cost of patching: money and effort exerted to verify, test, and roll out patched versions of existing systems
[Figure: valuation, security losses, and price for on-premises vs. SaaS (on-demand); contents not captured]

16 Model
- Consumer strategy:
  - Buy on-premises: Patch / Not patch
  - Buy SaaS / Not buy

17 On-premises Model
[Figure: population of potential users]

18 On-premises Model
[Figure: population of potential users split into non-users (don't contribute to undirected risk), patched users (protect network from undirected risk), and unpatched users (contribute to undirected risk)]

19 On-premises and SaaS Models

20 On-premises and SaaS Models
[Figure continued: SaaS users contribute to directed risk]

21 Model
Security Costs: [formula not captured], where: [definitions not captured]

22 Consumer Market Equilibrium Structure
- Threshold structure (2 possible orderings)
[Figure: segments of unpatched on-premises users, patched on-premises users, non-users, and SaaS users along the valuation line]

23 Equilibrium Equations
[Figure: equations for unpatched on-premises users, patched on-premises users, non-users, and SaaS users; not captured]

24 Consumer Market Equilibrium Structure
- Other ordering
[Figure: segments of unpatched on-premises users, patched on-premises users, non-users, and SaaS users along the valuation line]

25 Vendor's Problem / Security Losses / Social Welfare
[Formulas not captured]

26 High Security-Loss Environments
Proposition
- In equilibrium, there are always some on-premises users who remain unpatched
  - Cause a large externality under high security risk
  - Under SaaS, they will face directed risk
- Segmenting usage across on-premises and SaaS diversifies this security risk

27 Where should SaaS be targeted?
Proposition
- Low patching costs → strong incentives to patch
- Vendor can charge a high price because of the relatively small unpatched population → set a low SaaS price to version at the low end while limiting cannibalization

28 Optimal pricing and the consumer market
- Security Loss Factor:
[Figure not captured]

29 Where should SaaS be targeted?
Proposition
- High patching costs → still strong incentives to patch
- Patching populations fall → overall usage declines in the face of high security risk
- Reduce the price of on-premises to increase purchasing and patching populations
- Strategically target SaaS at the middle tier to reduce security risk

30 Optimal pricing and the consumer market
- Security Loss Factor:
[Figure not captured]

31 Welfare Implications
Proposition [statement not captured]

32 Benchmark Case
- Only an on-premises offering (or can set [parameter not captured])
- In a high security-loss environment, patched and unpatched populations exist in equilibrium under the optimal price
- Use measures of profit, security losses, consumer surplus, and social welfare as benchmarks

33 Comparison to Benchmarks
Proposition [statement not captured]

34 Comparison to Benchmarks
Proposition [statement not captured]

35 Low Security-Loss Environments
Proposition
- Uniform valuations and no security externality → don't version
- Uniform valuations and idiosyncratic risk → version
  - Even if the strength of the losses becomes small

36 Comparison to Benchmarks
Proposition [statement not captured]

37 Relative Profit Improvement

38 Low Security-Loss Environments
Proposition [statement not captured]

39 Summary Table

40 Security Investment
- Invest to reduce attack likelihood
[Table: Effort, Cost of Effort, and Likelihood for Undirected vs. Directed attacks; entries not captured]

41 Investment Comparative Statics
Proposition
- Low security-loss environment
  - Security investments in on-premises and SaaS both increase as the loss factor increases
- High security-loss environment
  - Security investment in on-premises can increase while it can decrease in SaaS as the loss factor increases

42 Security Investment

43 Summary
- Model of security risk that includes:
  - On-premises and SaaS versions of software
  - Security externalities stemming from usage and patching
- Software vendor always versions
- SaaS can be geared to either the middle or lower tiers, sometimes splitting on-premises user populations
- Average per-user security losses can increase when patching costs are low
- Targeting SaaS at the middle tier is maintained under security investment

