Cloud Services vs. On-Premises Software: Competition under Security Risk and Product Customization

Cloud computing services are transforming business and government at an ever-increasing rate. The associated security risk and low customization capability, however, create challenges for the adoption of cloud services. In this paper, we construct a game-theoretical model that involves two vendors—one that provides cloud service on a pay-per-use basis and the other that sells on-premises software at a one-time licensing fee—and consumers who are heterogeneous in their usage frequencies in an environment in which negative security externalities are present. We study the competitive implications of security risk and product customization capability on consumer purchase choice and vendors’ pricing and investment strategies. Although it is generally believed that cloud services are more vulnerable to security breaches, our results demonstrate that in high-security-loss environments in which consumers incur a large loss per use if struck by attacks, using cloud service yields a lower average expected loss for consumers compared with on-premises software. By endogenizing vendors’ investment decisions on security and customization, our investigation highlights that in low-security-loss environments, the cloud vendor has no incentive to invest effort in reducing security risk, but the on-premises vendor will increase security investment when the probability of attacks on its product becomes higher. We also find that the on-premises vendor’s security and customization investments act as strategic substitutes in low-security-loss environments and, under certain conditions, complements in high-security-loss environments. We further examine welfare-maximizing security investments and find that the socially optimal investment requires greater effort to improve cloud security in low-security-loss environments and to improve on-premises software security in high-security-loss environments.