Across all of its advocates, its community leaders, its contributors and its benefactors, open source software has earned respect. Once relegated to the fringes of IT and applications, open source software is now a critical part of everyone’s software portfolio. The reasons vary, but in most cases the lack of a price, the low barrier to entry, the value delivered and the frictionless adoption (just fork it from GitHub) made the consumption of open source both irresistible and unstoppable. But the degree to which open source software has infused a landscape may be surprising to many. In study after study, it’s been asserted that up to 80% of a code base is open source. Only 20% is net new code.
In my recent talk at Open Source Summit North America, I leaned on a bit of behavioral economic theory to explain how such a critical part of IT strategy and application code base could grow so fast, become so critical and yet go unnoticed, even neglected. And how that neglect elevates risk and, ultimately, cost.
Theories about theories
It starts with the Free Rider theory. In this scenario, consumers take advantage of a resource or asset at no cost, assuming someone else will pick up the cost. This is often equated with public radio, which most people enjoy without paying for it. The gap between the listeners and donors/contributors is wide. The Free Rider scenario happens when the good or asset:
- Delivers value (it’s desired)
- Is free (there’s no price)
- Is non-excludable (no barriers to access)
- Lacks centralized management or control
Open source software meets all those requirements: valuable software, available any time (from GitHub or other online repositories) to anyone, controlled by only the project maintainer.
The paradox of price also plays a role. In this situation, a good that is valuable and delivers benefit, yet carries a price of $0, tends to become “devalued” in the eyes of its consumer, no matter how essential it is. Without an invoice or bill, there’s no economic or financial choice or compromise required. The good (in this case, open source software) becomes “valueless” and invisible. No investment is required, so none is made. Open source adopters consume at will, rarely make contributions to the project and more rarely still include it as a line item in their staff’s time allocation budget.
In the Tragedy of the Commons theory, a common or community good is overrun with selfish actors—those who consume the good or asset to their own benefit, no matter the cost to the community at large or the damage done to the asset. A handy comparison is a freeway. It’s a common good, but when everyone decides that the freeway is the only method of transportation, traffic ensues and the freeway ceases to operate efficiently. The asset (freeway) becomes clogged with selfish actors (single occupancy vehicles). In open source, the Tragedy of the Commons becomes real when a project maintainer, overwhelmed by users and underwhelmed by contributors, rage quits, taints the code, or merely goes dark, virtually abandoning the code.
In each of these scenarios, the assumption is that the user is complicit. They know about the asset or good that they are consuming and willfully act as a free rider, contribute to the Tragedy of the Commons, and know that they should care more about the asset, but just don’t. Other priorities rule the day and the budget. But in other cases, the user or consumer may not even know they are participating in the undoing of the asset. In this case, ignorance is bliss. Regardless, all of these actors realize tremendous benefit from the open source consumed with zero investment and no apparent penalty.
Enter the risk factor
However, nothing comes without a cost, and open source is no different. For each of these situations, consuming open source without any investment (time or money) incurs a risk. And risk is nothing more than cost in disguise. By intentionally distancing yourself from the source, you start to accrue risk. Some of these risks include:
- Technical debt
Costs to implement remediation strategies for a security breach, replacing an outdated component or recovering from other failures can be quite expensive and damaging. Worse still is the “ignorance is bliss” category where up to 80% of your code base is unknown to you. For more on project risk in open source, read through Dawn Foster’s four-part series on open source risk.
Risk is cost in disguise. It’s a future cost of unknown magnitude that must be paid in full.
Steps to change behavior
So, what’s next? An Open Source Program Office (OSPO) or OSPO-like function can help set things right. It starts with a guided conversation to reveal the open source you’re using today. From there, you move from “I didn’t know” to a “Where do I need to invest?” posture. Only then can you start to make smart choices and invest in your open source and account for it as you would every other essential asset in your IT portfolio.
If you’re curious about the role an Open Source Program Office could play in your organization, read through the recent report published by the TODO Group, “The Evolution of the Open Source Program Office (OSPO)” for additional insights. You can also find templates, best practice guides and case studies at the TODO Group.
So, what’s the true cost of open source? Well, it depends on you and your open source strategy (or lack thereof). If you want to lower costs, pay your dues (don’t be a free rider) and act with more than self-interest in mind. And finally, don’t forget to add open source to your budget.
You can listen to my presentation or review the slides at the Open Source Summit North America site. The presentation recording is currently available on the virtual site (registration required), and on August 1 the presentation will be posted on YouTube. We’ll update links at that time.
So, what’s your open source posture? Are you a free rider or a key player in the Tragedy of the Commons? I’d love to hear your thoughts.