Cloud Service Model's Role in Provider and User Security Investment Incentives

Cloud computing can be viewed as an e-business in which the cloud provider sells a range of information technology services and operations over the Internet to firms. Security is a major concern for firms that move to the cloud. The security of a cloud is the joint responsibility of the cloud provider and cloud users. However, the extent to which the provider and users can affect cloud security through their efforts depends on the cloud service model. In this study, we develop a game-theoretical model to study the impact of the cloud service model on provider and user incentives to exert security effort. Our results show that for a given service model, an increase in the user loss from a security breach induces users to exert more security effort. However, if the provider's service cost is low, the provider profitably free rides on the enhanced user incentives to exert security effort by diminishing his effort. Analogously, the cloud provider is able to profitably free ride on users' enhanced incentives to exert security effort when the user population is more homogeneous in terms of either cloud valuation or loss from a security breach, depending on the service cost. Our results also have implications for how a cloud provider could possibly target a particular cloud service model to specific user groups based on their characteristics and likelihood of security loss.