Open source software (OSS) development is an increasingly important paradigm of software development. However, key aspects of OSS such as the determinants of project success and motivations of developers in joining these projects are not well understood. Based on organizational theory, we propose that OSS activities of patch development and feature request can be classified as exploitation (implementation-oriented) and exploration (innovation-oriented) activities, respectively. We empirically examine how the structure of social network affects the success of patch-development and feature-request networks in OSS projects, using a data set collected from the SourceForge database. Our results provide empirical support for the view that patch development and feature request are exploitation and exploration activities, respectively. Network structures differ due to team formation differences and have a differential impact on development success based on the type of activity. The concepts of ambidextrous developers and ambidexterity are explored in the context of OSS projects. Collectively, our results indicate that studying OSS projects at the artifact level could improve our understanding of OSS project success and team formation. This, in turn, could lead to better management of OSS projects. > >
Software vulnerabilities have become a serious concern because unpatched software runs the risk of being exploited by hackers. There is a need for software vendors to make software patches available in a timely manner for vulnerabilities in their products. We develop a survival analysis model of software vendors' patch release behavior and test it using a data set compiled from the National Vulnerability Database, United States Computer Emergency Readiness Team, and vendor Web sites. This model helps to understand how factors specific to vulnerabilities, patches, software vendors, and software affect the patch release behavior of software vendors based on their cost structure. This study also analyzes the impact of the presence of multiple vendors and type of vendor on the patch release behavior of software vendors. Our results indicate that vulnerabilities with high confidentiality impact or high integrity impact are patched faster than vulnerabilities with high availability impact. Interesting differences in the patch release behavior of software vendors based on software type (new release versus update) and type of vendor (open source versus proprietary) are found. Our results illustrate that when there are legislative pressures, vendors react faster in patching vulnerabilities. Thus, appropriate regulations can be an important policy tool to influence vendor behavior toward socially desirable security outcomes.
Effective management of information technology (IT) and IT-enabled services is becoming increasingly important due to the growing complexity of their context. These services are often delivered by employees who work at widely dispersed locations and interact with each other to constitute knowledge-intensive service delivery networks (KISDNs). This paper contributes to the effective design and management of KISDNs by presenting a mixed-integer programming model that integrates disparate streams of research. This model facilitates analysis and managerial benchmarking of KISDN performance. It captures how the performance of such networks depends on the interaction between workflow decisions, structure of information flow networks (IFNs), and knowledge management decisions. We propose that knowledge about IFNs and worker competence can be effectively used to make workflow decisions. Our results, based on the study of different IFN archetypes, illustrate practices for effective management of KISDNs. Managers can enhance business value by recognizing existing IFNs, increasing randomness in IFNs, nurturing weak or performative ties depending on the archetype, assigning tasks based on effective worker competence, and selectively delaying assignment of tasks to workers. In addition, our results illustrate the impact of training and network density on KISDN performance.
Organizations are faced with a variety of information security threats and implement several information system security countermeasures (ISSCs) to mitigate possible damage due to security attacks. These security countermeasures vary in their ability to deal with different types of security attacks and, hence, are implemented as a portfolio of ISSCs. A key challenge for organizations is to understand the economic consequences of security attacks relative to the ISSC portfolio implemented. This paper combines the risk analysis and disaster recovery perspectives to build an integrated simulation model of ISSC portfolio value. The model incorporates the characteristics of an ISSC portfolio relative to the threat and business environments and includes the type of attack, frequency of attacks, possible damage, and the extent and time of recovery from damage. The simulation experiments provide interesting insights into the interactions between ISSC portfolio components and characteristics of business and threat environments in determining portfolio value.
Information technology (IT) infrastructure investments are an extremely important part of e-business and constitute a major portion of IT investments in many organizations. IT infrastructure investments include investments in connectivity, systems integration, and data storage that may be used by multiple applications. Prior research has recognized the importance of a flexible IT infrastructure as a source of competitive advantage. Evidence regarding the value of IT infrastructures is anecdotal, and there is a realization that large investments in IT infrastructures are often difficult to justify. This paper expands on the idea that the value of an IT infrastructure depends on its use in an organizational context, and presents a relatively simple approach to understanding and assessing the value of IT infrastructure investments. This approach is based on the asset valuation literature in finance. An example is provided to illustrate the proposed approach, and managerial implications are discussed.
Justification of investments in information technologies is an important research topic in the information systems area. Several approaches have been proposed. One of these highlights the deficiencies of traditional economic justification based on net present value, and proposes the use of techniques based on financial option pricing theory. This paper examines the relationship between project risk and option values of investments in new information technologies and illustrates how this relationship is significantly different from well-known results in the case of financial option pricing. Conditions for determining the desirability of risky projects are derived.