Control Data
Resume:
Why Not One Big Database?
Principles for Data Ownership
Authors: Marshall Van Alstyne
Erik Brynjolfsson
Stuart Madnick
Affiliation: MIT Sloan School
Correspondence Address: Marshall Van Alstyne
MIT Sloan School
Rm. E53-308
30 Wadsworth Street
Cambridge, MA 02139
abqd2r@r.postjobfree.com
Acknowledgment: Work reported herein was supported by the MIT International
Financial Services Research Center, the MIT Center for Coordination Science, the MIT
Industrial Performance Center, and the Advanced Research Projects Agency under
grant F30602-93-C-0160. We thank participants at the Workshop on Information
Technology and Systems, members of the MIT community, and three anonymous
referees for valuable comments.
Van Alstyne, Brynjolfsson, Madnick 2
Why Not One Big Database?
Principles for Data Ownership
Abstract: Results of this research concern incentive principles which drive information
sharing and affect database value. Many real world centralization and standardization
efforts have failed, typically because departments lacked incentives or needed greater
local autonomy. While intangible factors such as ownership have been described as
the key to providing incentives, these soft issues have largely eluded formal
characterization. Using an incomplete contracts approach from economics, we model the
costs and benefits of restructuring organizational control, including critical intangible
factors, by explicitly considering the role of data ownership. There are two principal
contributions from the approach taken here. First, it defines mathematically precise
terms for analyzing the incentive costs and benefits of changing control. Second, this
theoretical framework leads to the development of a concrete model and seven
normative principles for improved database management. These principles may be
instrumental to designers in a variety of applications such as the decision to
decentralize or to outsource information technology and they can be useful in
determining the value of standards and translators. Applications of the proposed
theory are also illustrated through case histories.
Keywords: Database Design, Centralization, Decentralization, Distributed Databases,
Ownership, Incomplete Contracts, Incentives, Economic Modeling, Standards,
Outsourcing, Translation Value
Van Alstyne, Brynjolfsson, Madnick 3
1.1 Introduction: Why not one big database?
Information systems designers often argue that centralized control is better
control. From a technology standpoint, this is readily defensible in terms of data
integrity and enforcing a uniform standard. From an economic standpoint,
centralization limits the costs of redundant systems. In addition, stories of confusion
sometimes characterize decentralization. One senior executive at Johnson and Johnson
waited three weeks for the list of his corporation s top 100 customers world-wide due to
problems linking multiple systems. Difficulties with dis-integrated systems have led
senior staff to inquire Why not create one big database or at least control them all from
one central location? With optical technology and newer microprocessors, barriers
imposed by communications bandwidth and speed-bound central hardware continue to
fall. Local data control no longer seems necessary or warranted.
Technical considerations, however, represent only part of a more complex story
in which less tangible managerial and incentive issues play a critical role. We present a
framework demonstrating that local control can be optimal even when there are no
technical barriers to complete centralization. This assertion is based on research showing
that ownership is a critical factor in the success of information systems.
In developing an interaction theory of people and systems, Markus observes
that problems with a database at a large chemical company arose from changes in
control. After implementing a new information system, all financial transactions were
collected into a single database under the control of corporate accountants. The
divisional accountants still had to enter data, but they no longer owned it. [19 p. 438]1
1 Emphasis is the original author's.
Van Alstyne, Brynjolfsson, Madnick 4
Similar arguments are put forth by Maxwell [21] and Wang [30]. Of the factors Maxwell
considers most important to improving data quality, data ownership and origination
are among the most critical. Spirig argues that when data ownership and origination
are separated, information systems cannot sustain high levels of data quality. [30 Cited
in Wang p. 31] Ralph Larsen, the CEO of Johnson and Johnson, states unambiguously,
We believe deeply in decentralization because it gives a sense of ownership. [7]
The key reason for the importance of ownership is self-interest: owners have a
greater vested interest in system success than non-owners. Just as rental cars are driven
less carefully than cars driven by their owners, feudal databases -- those not owned
by their users -- are maintained less conscientiously than databases used by their
owners.
Ignoring ownership is also one possible explanation for IS failures since the
impetus for system development is external to the groups being affected. In fact,
evidence suggests that most top-down strategic data planning efforts never meet
expectations [11]. Orlikowski [23] has observed that employees in a major consulting
firm refused to share information despite senior management encouragement,
company-wide introduction, and an industry standard group support tool. Culture and
incentives opposed the knowledge transfers which the technology was designed to
support. In the words of one IS practitioner, No technology has yet been invented to
convince unwilling managers to share information. . . [9 p. 56] Information assets
have simply become too valuable to give away.
The issues highlighted in these studies [9, 11, 19, 23] are organizational not
technical. Prior to deciding on the implementation of features and functionality, it
becomes necessary to ask who should have the power to decide? Will an outsourcing
contractor decide on system features which are in the strategic interests of the firm?
Van Alstyne, Brynjolfsson, Madnick 5
Will one department sufficiently value the interests of another regarding database
integrity? These questions link technology issues to management concerns at a
fundamental level. In response, we develop the concept of data ownership to provide a
mechanism for ensuring that key parties receive compensation for their efforts.
This is developed into two separate contributions. First, a rigorous model gives
mathematical definitions of non-technical costs and benefits arising from changes in
database control. Using the incomplete contracts approach pioneered by Grossman
and Hart [12] and applied to information assets by Brynjolfsson [5], it formalizes
intuitive concepts of independence, ownership, standardization, and other intangibles
that affect system design and that have generally eluded precise specification. The
results are therefore testable and less ambiguous. Second, we use the model to
construct normative database principles that solve problems caused by the separation of
ownership from use. This leads us to propose seven database design principles based
on ownership to complement existing design principles based on technology.
The remainder of this introduction carefully defines ownership and situates it
among the broader issues of database design with references to existing literature.
Section two explains the economic model. It defines the mathematical concepts and the
assumptions used to construct the database design principles. Following these
formulation arguments, section three discusses the role of ownership given
complementarities among databases and given critical or indispensable personnel.
Section four deals with the effects of ownership in the context of database standards and
the decision to outsource design and maintenance. This is followed by section five
which examines tradeoffs among conflicting design principles and proposes a solution
to a lack of ownership incentives in decentralized systems. Throughout each of these
Van Alstyne, Brynjolfsson, Madnick 6
five sections, case histories provide context and interpretation in order to simplify the
application of the model to real world database design.
1.2 Database Architecture and the Definition of Ownership
To place ownership among the technical and non-technical aspects of database
architecture, we propose that database design involves at least three major dimensions
-- system components, development, and control. These are depicted in Figure 1. The
first dimension, components, includes the literal parts of the system hardware, software,
and network connections.2 The second axis, development, concerns procedural aspects
of programming and implementation.3 The third issue, control, describes the rights and
responsibilities of the parties involved in the database system. This includes, for
example, the authority to set standards and to approve system modifications and
hardware acquisition.4
One distinguishing design element, that cuts across all axes, is the degree of
database concentration. In principle, each dimension can be independently centralized
or decentralized. As shown in the diagram, the origin represents maximal
centralization, whereas moving outward along any given axis represents increased
decentralization. Since two of these dimensions, components and development, have
received attention from several important contributions to the research literature. This
paper focuses on unaddressed issues of control.
2 Technical issues of network protocols covering modular design and layering of abstraction levels are
summarized in [28] and [29]. Additional issues of concurrency control covering serializability, record locking, and
recovery are also described in [2] and [3].
3 For a reference on software measurement issues see [10] and for assessing project risk and complexity [4,
16]. Specific issues of relational database design and data manipulation are covered in [8] and [6], Issues of
cooperative software development are covered in [15]. Improving development through software reuse is described
by [17].
4 Control aspects of strategic data planning appear in [20].
Van Alstyne, Brynjolfsson, Madnick 7
Figure 1 -- Of the three main axes to decentralization, we focus on control.
Components: All computing and data storage equipment can be centralized at one
location, with world-wide access provided via remote terminals. An automatic teller
machine (ATM) network is an example. Alternatively, the computing and data storage
equipment can be decentralized. For instance, a global brokerage firm might provide a
workstation to each of its traders but each workstation might run software developed
by a central group.
Development: Development may be performed by a central group or by each local
department regardless of equipment location. A decision to use one central computer,
for example, does not necessarily imply centralizing systems development. Conversely,
a decision to centralize all development ... does not compel the organization to use one
... computer. [26 p. 16] Individual departments might even contract for development
from the central group but then own the finished products.
Control: Control of the databases, planning, and application programs may be
centralized to a corporate data center that owns the system irrespective of equipment
location. Traditionally, this has been the finance department or a corporate resource
center. Local divisions would then defer to this central authority for all IS functions.
Alternatively, control might be decentralized to local divisions. Under decentralized
Van Alstyne, Brynjolfsson, Madnick 8
control, divisions might contract via a chargeback system for data center resources or
they might assume completely independent responsibility for their IS resources. Each
of these options has been observed in practice.
We consider control to be centralized if a corporate data center retains the right to
make any decision not explicitly and specifically delegated to others. Adopting
Grossman and Hart's [12] use of terminology, we refer to this as the residual right of
control and associate it with ownership of the system.
For databases, ownership and use are easily confused as both connote
privileges ranging from read and query access to creation and modification rights. By
usage rights, we mean the ability to access, create, standardize, and modify data as well
as all intervening privileges. Usage, however, is not what is meant by ownership. We
use ownership and the residual right of control to mean the right to determine these
privileges for others. The ownership archetype is a single database controlled and
operated by a single department with no outside access. This group, which exercises
control over format, access, standards, etc., is the exclusive owner. It may then grant
successively more permissive access to outsiders until the effective usage privileges of
outsiders resemble the usage rights of the owner. It is the authority, however, to
subsequently alter or retract these privileges that distinguishes the owner from a non-
owner. If the ability to alter others' access is interfered with or vetoed, perhaps by a
central authority, then the original owner is not, by our definition, the sole owner of the
database. Subsequent design principles answer the important managerial question:
Who should own the data?
Van Alstyne, Brynjolfsson, Madnick 9
2.1 Background: Incomplete Contracts in a Database Context
Incomplete contracts theory, considers asset allocation as a cause for firms'
integration. Firms should either acquire or divest assets by considering how ownership
of these assets affects incentives for the creation of value. When owning an asset
induces higher investment and higher realized value, a company should purchase that
asset and manage it internally. However, when an asset creates greater value in the
hands of others, a company is better off contracting for that asset from the market and
then it should not own that asset. Although Hart and Moore consider residual rights to
be synonymous with firm boundaries, we follow Brynjolfsson [5] and argue that the
concept can also apply to intra-firm database transactions. This is because effective
ownership of information rarely accrues solely to its nominal legal owners, the
stockholders of the firm. More realistically, various groups within the firm are the de
facto owners with residual rights of control that can be transferred by changes in
organizational structure or management edict. In the present context, the incomplete
contracts model is useful in deciding which distribution of database control maximizes
database value.
Grossman and Hart [12] and Hart and Moore[ 13] consider the effects of
ownership on investment behavior and define ownership as the residual right to control
access to an asset. The residual control rights become important to the extent that
specific rights have not been contractually assigned to other parties. If a contract were
to completely specify all uses to which an asset could be put, its maintenance schedules,
its operating procedures, associated liabilities, etc. then residual rights of control would
have no meaning. All control rights would have been determined by the contract. If, on
the other hand, an incomplete contract were to fail to anticipate every possible
contingency -- a much more plausible situation -- then the residual control provided for
Van Alstyne, Brynjolfsson, Madnick 10
by ownership would determine the assets use under circumstances where control had
been left unspecified.
Ownership issues, in fact, arise with considerable frequency as illustrated by the
conflicting interests of two vendors of database search services. The Chemical Abstracts
Society (CAS) produces a database of chemical compounds with a sophisticated
capability for matching one related compound with another. CAS, however, initially
had a smaller user base, a less sophisticated marketing capability, and limited resources.
In contrast, DIALOG Information Services had an enormous user base, sophisticated
marketing, and considerable resources. As a value added reseller, DIALOG can
repackage CAS data but is reluctant to make asset-specific investments which might
improve the user interface or the marketing of the chemical database because it cannot
claim ownership of the data it sells. If DIALOG investments were to substantially
increase the value of the CAS database, CAS would be in a position to extract a sizable
portion of any increased profits. As owner, CAS could restrict access to the database
unless DIALOG agreed to share the incremental profits even if DIALOG were the sole
investor in any new project This is the classic hold-up problem. As a consequence,
DIALOG is less likely to invest than if it owned the data and had no need of sharing its
profits.
Under these circumstances, total asset value would be increased if DIALOG were
to own the chemical database. DIALOG would invest up to the product's full potential.
On the other hand, there might also be reasons not to transfer ownership. If it were true
that only CAS s chemically sophisticated staff were capable of making enhancements or
that transfer foreclosed other resellers investments, then asset value would be
maximized by leaving ownership with CAS, thereby preserving existing incentives.
The point is that different incentive requirements lead to different ownership results.
Van Alstyne, Brynjolfsson, Madnick 11
Our model captures these and other tradeoffs for databases inside a company where
such allocation decisions are more easily made.
There is a further complication, however, relating to the verification of DIALOG's
investment. If DIALOG's contributions were easily and completely documented, then
DIALOG could be fully compensated. But what if these contributions are intangible or
difficult to measure such as brand name equity, executive expertise, strategic
positioning, or interface quality? Then DIALOG can never be certain that deploying its
assets to benefit CAS products will be in DIALOG's own best interests. DIALOG would
be unable to document its contribution and would instead be required to expend
resources in costly negotiation -- a situation that changes if DIALOG were to own the
database.
In the context of database systems, the inability to verify data quality, adequate
standardization, usefulness of interfaces and desirable skill sets makes it difficult to
specify these features in advance in any meaningful fashion to developers or system
administrators. Intangible, unverifiable and non-measurable phenomena are endemic
to information and to information systems. Deprived of measurement instruments,
technology solutions handle intangible issues poorly. Brynjolfsson [5] argued that these
properties make the insights of an incomplete contracts approach particularly
appealing in this domain and derived a number of properties for information
ownership by applying the Hart-Moore framework.
In fact, DIALOG did attempt to improve certain elements of its own version of
the user interface despite CAS s control of key unspecified parameters of the database.
Shortly thereafter, CAS changed the underlying format to render this impossible. CAS
feared losing its more profitable core business to its less profitable resale business while
it also feared becoming dependent on a single major distributor. The case is currently
Van Alstyne, Brynjolfsson, Madnick 12
under litigation with DIALOG suing precisely over denial of access [22]. CAS was
prohibited by contract from withdrawing its database completely, but exercised a
residual right as owner to modify the underlying structure. This did not violate the
letter of the existing contract, but it has definite implications for investment incentives.
Ownership matters when firms must make asset-specific investments. The more
specific the assets, the more firms prefer to own the assets in which they invest. If the
benefits of investment are subject to hold-up problems by owners -- problems which
arise from unforeseen events -- non-owners will underinvest.
2.2 Methodology: The Grossman, Hart & Moore Model
Formally, Hart and Moore [13] model ownership in the following manner. Let
V(S, A X) denote the total value created by the full set (or grand coalition) S of agents
who control assets A and have previously chosen to invest X. The grand coalition S of
all individuals I can be broken into any subset s. A single agent is indexed by i = 1 ... I
and makes an investment x i. The coalition s also controls assets a1, a2, ... an A and
makes collective investments X = (x1, x2, ... xI) at a cost C(X). An ownership map
describes the control s exercises over its assets written as (s) = {a1, a2, ... an}.
The model covers two consecutive periods. In the first period agents choose their
investment levels; in the second period they realize the benefits accruing from their
investments and divide the benefits in proportion to their bargaining power. Having
invested in the first period, value is determined in the second as a function of the agents
in the coalition s S and the assets a A they control given their prior decision to
invest x = (xi1, xi2, ... xin), hence for a single coalition the notation is V(s, a x). The Hart-
Moore model includes the following assumptions, letting Vi ( / xi)V :
Assumption 1: V(s, a x) 0, V is twice differentiable and concave in x.
Van Alstyne, Brynjolfsson, Madnick 13
Assumption 2: Ci(xi) 0, C is twice differentiable and convex in x.
Assumption 3: Vi (s, a x) = 0 if i s.
Assumption 4: ( / xj)Vi(S, A x) 0 for all j i.
Assumption 5: For all subsets5 a A, s S, V(S, A x) V(s, a x) + V(S\s, A\a x)
Assumption 6: For all subsets a A, s S, Vi (S, A x) Vi(s, a x)
The first two assumptions are standard in economics implying that marginal
value per dollar is decreasing while marginal costs are increasing. Together, these
assumptions permit the use of first order conditions to locate a unique solution. The
third assumption implies that an agent s marginal investment affects only coalitions to
which he belongs and no other. In assumption four, one agent's investments are
complementary at the margin with those of another. Assumption five implies that
groups working together create at least as much value as working apart, while
assumption six states that the marginal return on investment increases with the number
of other agents and new assets in the coalition. Together, assumptions five and six
imply that marginal and total values correlate with one another. The optimal
investment levels would then be determined according to the globally efficient levels:
I
C(x )
(1) max V(S, A X) - i
X
i=1
Additionally, the model allows for substitution of the governance structure for
assets from A that the coalition controls. This leads to rewriting the value function as
V(s, (s) x). The level of compensation granted each individual member of the
coalition, however, is not the total value V but some portion p(s) of V based on the
members in the group s. Following Hart and Moore [13] the subsequent examples will
5 Reader's Note: The notation s\{i}, from set theory, is used to designate the removal of element i from the set
s. If i is a set then s\i will be used and if i was not originally contained in s then this represents a null operation. In
conjunction with the ownership map, for example, the expression " (s\{i})" means the collection of assets owned by
a group of which i is not a member.
Van Alstyne, Brynjolfsson, Madnick 14
assume that p(s) is the reduced form probability term from the Shapley value6. The
intuition behind the Shapley value is that it represents each agent's bargaining power in
terms of a percentage of the total value created. Bargaining power varies with value
contributed and with assets controlled. Persons who contribute more or who control
more assets receive a higher percentage of the benefits.
Despite sharing total value, individual coalition members do not share all their
respective costs. Due to a lack of verifiability, certain intangible costs are not
contractible. Unreliable software metrics, unknown training requirements, disputed
opportunity costs, and spent political capital might fall into this category. Lack of
agreement and verifiability means that these costs cannot be directly compensated and
therefore group members will not incur them unless receipts exceed them. Costs that
are verifiable can be directly compensated according to terms set forth in a contract.
Ownership will not affect such costs and so initially we focus only on unverifiable costs.
We explicitly reintroduce verifiable costs with Design Principle Four. Continuing the
earlier example, these cost conditions imply that if DIALOG can create $100,000 by
investing $x of unverified effort in marketing the database owned by CAS, then it will
have no recourse for being directly compensated for the $x of investment. However, it
will be able to bargain ex post for half the $100,000 of benefits7 or $50,000. CAS has the
bargaining power to insist on the other $50,000 share. Realizing this, DIALOG will only
incur expenses up to a maximum of $50,000 even though any investment less than
$100,000 would generate a profit. This result holds so long as DIALOG and CAS cannot
6 The full function is actually a fractional share (i, s, ) which is based on the individual, the membership
and on the assets each member controls. For specifics of this function, see the Appendix. Any monotonic decision
rule will leave the following propositions unaffected, however, so long as payoff is increasing in the control of
additional assets and in contributed value.
7 Letting DIALOG = i, CAS = j, and investment = x, assets controlled by DIALOG and CAS are (i, j) and the
full functional form for DIALOG is (i, {i, j}, (i, j))= p(s)V({i, j}, (i, j) x) = (1/2)$100,000 = $50,000.
Van Alstyne, Brynjolfsson, Madnick 15
write a contract based on the size of DIALOG's investment. Formally, an agent acting in
his own self interest will choose to invest according to:
max p(s)[V(s, (s) x) - V(s\{i}, (s\{i}) x)] - C(xi)
(2)
xi s i s
This states that individuals profit according to their value added, i.e., the
difference in value created with and without their participation net of costs. Their share
of total returns increases as their inputs and assets contribute to the group s output. We
also assume that individuals will invest only to the point at which private marginal cost
equals private marginal benefit (MC = MB) which is not the same as the group s
marginal value (MC MV). After taking first order derivatives and using assumption
three to reduce the second term, this becomes:
p(s)Vi(s, (s) x) = Ci(xi)
(2a)
s i s
Because p(s) 1, this result indicates that the lefthand side is at most Vi(s,
s i s
a x) and therefore each agent underinvests. At an intuitive level, the model combines
three key insights. First, today's actions or investments should affect tomorrow's
payoffs, i.e., V depends on x. Second, since share rises with assets controlled, asset
ownership matters as an investment incentive. This means that i will invest a smaller xi
if j controls critical asset ai which is essential to i's final product. Third, since not all
actions can be explicitly measured or anticipated and costs C(xi) are sunk before V is
realized, transferring ownership beforehand can alter and improve investment
incentives. In sum, altering ownership structure can improve total value. This simple
rule leads to our subsequent propositions.
In this paper, we focus on applying the model specifically to decentralized
databases. Of the following design principles, the first three are direct applications of
propositions that were proven by Hart and Moore [13], which consider only intangible
Van Alstyne, Brynjolfsson, Madnick 16
costs. Building upon this basic framework, we subsequently relax the assumption of no
tangible costs, and the relaxed program of equations leads to design principles four
through seven.
3.1 Effects of Independence and Indispensability
For concreteness, we consider a pair of case histories. The following case
represents a system whose ownership is concentrated in the hands of a central authority
while its input operations are decentralized to satellite groups. The inherent conflict in
this organizational structure serves to illustrate several issues of control. Each case
describes an operational database system. This one is based on interviews conducted in
May-July 1991.
Case I: In 1990, local branches of a national post office forwarded their operating
data to a central office for storage and processing. Needing data for their own
operations, local managers submitted requests for summary reports to the central office.
Differences in data requirements emerged, however, since financial and management
accounting needs diverged. Although both the primary users and suppliers of data
were local, this centralized arrangement reduced local equipment costs, it facilitated
standardization and in many ways it was consistent with Strategic Data Planning (SDP).
It also provided the central office with financial accounting information to use in
gauging postal efficiency. The central office, however, had little incentive to supply
management accounting reports to local branches in a timely manner and, being unable
to effectively use the delayed reports, branch offices had little incentive to supply
accurate or complete data. Consequently, neither office received sufficiently useful data
for its accounting purposes. Also, as a further disincentive to supply accurate data,
local branches learned of their internal problems only after the head office had learned
of them.
One of the main issues of this case is that the central office provides negligible
value to the branch offices in exchange for their operating data. In effect, branches have
simply been ordered to produce data according to a given set of standards. This
independence of value leads to the proposition below.
Van Alstyne, Brynjolfsson, Madnick 17
Define value independence as a marginal product which is unaffected by
access to other agents or their assets, i.e., for all coalitions s S and for all sets of assets
a A
Vi({i} s, {ai} as X) Vi({i}, {ai} X)
where Vi represents the marginal value contributed by agent i. This may be
interpreted to mean that marginal value is the same regardless of participation or non-
participation by other agents.
Design Principle 1: Organizations using databases which are value independent
should dispense with joint control.
Proof:8 Consider group i and assume that it must share the value it creates but
cannot measure its intangible costs to the satisfaction of other groups. Then i
chooses
p(s)[V(s, (s) X) - V(s\{i}, (s\{i}) X) ] - C(xi )
(3) max
s i s
xi
which, after applying first order conditions, reduces to
p(s)Vi({i}, {ai} X) = Ci(xi)
(3a)
s i s
by the definition of value independence. The lefthand side is at most Vi({i},
{ai } X) and therefore group i, who must share its assets, will underinvest. By
assumption 3, i s investments have no effect on the investments of any other
group j when they are not in the same coalition so j s incentives are no worse
under independent control and value independence. Under independent
control, however, i retains his benefits since p(s)Vi = Vi and there is no
s i s
underinvestment.
8 After Hart-Moore proposition 10.
Van Alstyne, Brynjolfsson, Madnick 18
Interpretation: Design Principle One requires that there be a cooperative payoff
for joint control to be beneficial. The reason the post office database system performs
badly is that the group responsible for local operations does not own the data it uses.
The solution is to pass control of local partitions to local branches. This would both
motivate them to populate their database with more accurate and timely data; it would
also eliminate the hold-up problem of the central office supplying tardy reports. Design
Principle One also supports established research suggesting that data should be stored
closest to its most frequent users [6]. Note that while the local branch is independent of
the central office, the central office depends on the local branch. Design Principle Two
handles this aspect below.
Define an indispensable agent, i, as one who is critical to project success in the
sense that some asset ai is nonfunctional without the agent. The marginal product of
any group without the indispensable agent is unaffected by whether or not they own
j j
the relevant asset. Mathematically, V (s, a x) V (s, a\{ai} x) if i s.
Design Principle 2: Persons or organizations which are indispensable to the
functioning of a database partition should control that partition.
Proof:9 Consider giving ownership of asset ai to i. As new owner, i's
incentives are at least as great as before. For any j the change in incentives is
the difference between the new and old control structures with the asset
transferred:
p(s)[V j (s, (s) {ai}) - V j (s, (s))] p(s)[V j (s, (s)) - V j (s, (s) \ {ai})]
(4) s i, j s s i s, j s
a i (s) a i (s)
As ai is useless to j without i, and by assumption 6, the second summation is
zero. Group j only benefits from working with both i and ai. If ai were
owned by a third party k, however, then j would have had to work with {i, j,
k} but this introduces an additional hold-up, lowering j's incentives.
9 After Hart-Moore proposition 8.
Van Alstyne, Brynjolfsson, Madnick 19
Interpretation: In fact, the local branch data is used to support two distinct
functions: (1) local operations and (2) central office cost accounting. In both cases, the
local office is indispensable and Design Principle Two indicates that the local office
should own this specific partition. If the central office were also indispensable, there
would be a conflict -- a possibility which is addressed in Design Principles Six and
Seven. The effect of transferring ownership to the local office also supports research
which finds that internal rather than external pressure leads to more active user
participation and superior database performance [24]. In general, agents should assume
control of decentralized functions for which they are indispensable.
3.2 Effects of Complementary Assets
Case II: A major midwestern hospital communicates directly with its
independent physicians' clinics via a decentralized information system. The system
includes database partitions for patient records at the doctors' offices, pharmaceutical
data on inventories and treatment suggestions at the hospital, laboratory test results,
and operating room scheduling at the hospital. Additionally, the hospital maintains a
database of specialty practitioners for doctor to doctor, hospital to doctor, and doctor to
hospital referrals. Parties trade information in both directions.
Define complementary assets as assets which have great value together but
which have negligible value apart. Mathematically, suppose am, an A, then
j j j
V (S, A\{am } X) V (S, {A\{an} X) V (S, A\{am, an} X)
Design Principle 3 : Database partitions which are complementary should be
controlled together.
Proof:10 Again, consider the transfer of asset an to a group that already owns
complementary asset am . The increase in value is given by
10After Hart-Moore proposition 6.
Van Alstyne, Brynjolfsson, Madnick 20
p(s)[V (s, (s) {a }) p(s)[V (s, (s))
- V i (s, (s))] - V i (s, (s) \ {a n })]
i i
n
(5) s i s a m (s) s i s a m (S\s)
a n (s) a n (s)
As the assets are complementary and considering assumption three, the
second summation is zero. There is no loss of investment incentives to the
present owner of an due to the transfer. The receiving party, in contrast, has
strictly higher incentives to invest indicating a net gain in total welfare.
Equivalently, am could have been transferred in the other direction thereby
increasing the other party's incentives.
Interpretation: Consider the pharmaceuticals database. It includes partitions both
for inventories and for treatment methods, two databases which are strictly
complementary. There is little merit in prescribing treatments which are unavailable or
in stocking drugs which are outdated treatments. To provide the maximum practical
incentive, the data should be controlled by the same agent rather than distributed
among multiple agents. The hospital does, in fact, control both databases in this more
successful system.
4 The Use of Standards and Outsourcing as Control Issues
4.1 Considering both Contractible and Non-Contractible Costs
For several of the principles which follow, we relax assumptions of the basic
model to extend its scope and to generalize the insights from more theoretical to more
applied tasks. Specifically, while the preceding propositions assume that all costs are
non-contractible, subsequent propositions allow costs to be divided into verifiable,
contractible or tangible costs (tau) and into unverifiable, non-contractible or intangible
costs (iota). Earlier design principles hold given contractible costs in addition to
uncontractible costs, but the exposition and proofs become more complex. In this
context, costs become C(xi, xt) (xt) + (xi) where the subscript refers to the tangible or
intangible choice of investment and the standard convexity assumptions from section
Van Alstyne, Brynjolfsson, Madnick 21
two apply to both and . Intuitively, this equation captures the idea that any group
can independently choose its investment behavior regarding actions xt, which are open
to public scrutiny, and regarding actions xi, which are obscured from view. In effect,
tangible and intangible action choices may be separated as may be decisions regarding
equipment purchases and emphasis on data quality respectively.
4.2 Standardized Systems
Occasionally, computer standards can be used to simplify or even to circumvent
data sharing problems. If data formats and management methods are standardized, it
may be possible to communicate more of the associated collection and maintenance
costs. We address the use of standards below.
Define a standardized relative to a non-standardized database as one which
has lower marginal costs with respect to intangible aspects of the system. Formally,
letting and represent the lower intangible costs of the standardized and higher
intangible costs of the non-standardized systems respectively, this leads to:
i(xi)
0. These definitions form the basis of Design Principle Five.
11Alternative frameworks for outsourcing are considered in [25] and [1].
Van Alstyne, Brynjolfsson, Madnick 25
Design Principle 5 : Lower cost technologies and reduced overhead are
insufficient to justify outsourcing.
Proof: Prior to outsourcing, a group faces net benefit function
p(s)[V(s, (s) xt, xi) - V(s\{i}, (s\{i}) xt, xi) - (xt)] - (xi)
(7)
s i s
Following outsourcing, however, the net benefit function using cheaper
technology is
p(s)[V(s, (s) xt, xi) - V(s\{i}, (s\{i}) xt, xi) - (xt)]
(7a)
s i s
Importantly, the intangible efforts cannot be contracted. Since the contractor
does not own the project, and has no ex post bargaining power, he will try to
minimize his hidden costs. This he can do easily by setting (xi) = 0 or
equivalently xi = 0. It follows that for all value functions such that V(s,
(s) 0, ) > V(s, (s) , 0) where > 0 and Vi > Vt and for all cost functions
such that i (xi)
Contact this candidate