{"title":"Certification of Open Source Software Compliance: Insights From a Conjoint Experiment","authors":"Michael A. Zaggl, Jörn Block, Juliane Wissel","doi":"10.1111/isj.70014","DOIUrl":null,"url":null,"abstract":"<p>Open source software (OSS) is becoming increasingly crucial for companies as they use OSS components in a wide range of products, including cars, smart-home equipment, and many more, as well as in their internal processes. However, OSS comes with regulations and licensing conditions with which companies need to comply. This complicates the company's software acquisition and hinders the broader diffusion of OSS. In this paper, we study a novel approach that could reduce or overcome barriers to software acquisition in business-to-business transactions: the certification of software suppliers for OSS compliance based on the ISO 5230 regulatory standard. This standard specifies OSS compliance and, in addition to third-party certification involving an auditor, allows suppliers to self-certify. Building on institution-based trust and signalling theory, we hypothesise that a supplier's OSS compliance certification is a critical selection criterion for companies acquiring software. Specifically, we expect that self-certification constitutes a valuable signal influencing the selection decision, although we expect it to be weaker than third-party certification. We further hypothesise that the acquirer's awareness of the standard strengthens the effect of self-certification and that their perceived OSS procurement risk strengthens the impact of third-party certification. Using a discrete choice-based conjoint experiment, we find evidence supporting our hypotheses and demonstrate that self-certification can be a viable substitute for third-party certification. 
Our study contributes to the understanding of the diffusion and adoption of OSS, extends signalling theory by comparing self-certification with third-party certification, and extends the information systems literature on institution-based trust.</p>","PeriodicalId":48049,"journal":{"name":"Information Systems Journal","volume":"36 3","pages":"386-409"},"PeriodicalIF":6.3000,"publicationDate":"2026-04-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1111/isj.70014","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information Systems Journal","FirstCategoryId":"91","ListUrlMain":"https://onlinelibrary.wiley.com/doi/10.1111/isj.70014","RegionNum":2,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"2025/8/27 0:00:00","PubModel":"Epub","JCR":"Q1","JCRName":"INFORMATION SCIENCE & LIBRARY SCIENCE","Score":null,"Total":0}
Citation count: 0
Abstract
Open source software (OSS) is becoming increasingly crucial for companies as they use OSS components in a wide range of products, including cars, smart-home equipment, and many more, as well as in their internal processes. However, OSS comes with regulations and licensing conditions with which companies need to comply. This complicates the company's software acquisition and hinders the broader diffusion of OSS. In this paper, we study a novel approach that could reduce or overcome barriers to software acquisition in business-to-business transactions: the certification of software suppliers for OSS compliance based on the ISO 5230 regulatory standard. This standard specifies OSS compliance and, in addition to third-party certification involving an auditor, allows suppliers to self-certify. Building on institution-based trust and signalling theory, we hypothesise that a supplier's OSS compliance certification is a critical selection criterion for companies acquiring software. Specifically, we expect that self-certification constitutes a valuable signal influencing the selection decision, although we expect it to be weaker than third-party certification. We further hypothesise that the acquirer's awareness of the standard strengthens the effect of self-certification and that their perceived OSS procurement risk strengthens the impact of third-party certification. Using a discrete choice-based conjoint experiment, we find evidence supporting our hypotheses and demonstrate that self-certification can be a viable substitute for third-party certification. Our study contributes to the understanding of the diffusion and adoption of OSS, extends signalling theory by comparing self-certification with third-party certification, and extends the information systems literature on institution-based trust.
About the journal:
The Information Systems Journal (ISJ) is an international journal promoting the study of, and interest in, information systems. Articles are welcome on research, practice, experience, current issues and debates. The ISJ encourages submissions that reflect the wide and interdisciplinary nature of the subject and articles that integrate technological disciplines with social, contextual and management issues, based on research using appropriate research methods. The ISJ has particularly built its reputation by publishing qualitative research and it continues to welcome such papers. Quantitative research papers are also welcome but they need to emphasise the context of the research and the theoretical and practical implications of their findings. The ISJ does not publish purely technical papers.