Information Systems Research, 2015, Volume 26,
Issue 4, Page 845-858.
This paper extends prior research on the software vendors' optimal release time and patching strategy in the context of cloud computing and software as a service (SaaS). Traditionally, users are responsible for running on-premises software; by contrast, a vendor is responsible for running SaaS software, and the SaaS vendor incurs a larger proportion of defect-related costs than a vendor of on-premises software. We examine the effect of this difference on a vendor's choice of when to release software and the proportion of software defects to fix. Surprisingly, we find that, despite incurring a larger proportion of defect-related costs, it is optimal for the SaaS vendor to release software earlier and with more defects, and to patch a smaller proportion of defects, than the on-premises software vendor. Even though the SaaS vendor incurs higher defect-related costs, he obtains a larger profit than the traditional vendor. In addition, we find that for a vendor who uses the SaaS model, the optimal number of defects after patching may be lower than the socially efficient outcome. This occurs despite the fact that the number of defects after patching in the SaaS model is higher than in the traditional on-premises model.
Keywords: software security ; cloud ; software as a service ; patch management ; software release time ; software maintenance ; defect-related costs ; economics of information systems ; monopoly