Security Fears Limit Growth of Web Apps

The rise of web applications — websites that replace the functions of a software program that was traditionally installed on a personal computer — is one of the hottest topics in the tech industry. Huge numbers of “Web 2.0” startups are competing for user attention, and many observers predict rapid growth for web applications.

But most of the analysts refer to web application growth as something that’s going to happen in the future. The reality is that web app usage has already stretched far beyond early adopters, and is moving rapidly into the mainstream of US home computer users. A recent survey, conducted by Rubicon Consulting, showed that more than a third of them already use at least one web application on a regular basis. Students are moving especially fast, with more than 50% using web applications.

Other key findings of the research included:

  • Adoption of web applications varies tremendously by category. E-mail and games are the leaders at the moment. Other categories, such as word processing and spreadsheet, still have extremely low adoption of web apps.
  • Web applications displace traditional application usage. Among people who use any web applications, those apps consume about 40% of the user’s total application usage time. So web apps are already displacing traditional application usage for many people. This trend is very likely to cut into sales of conventional applications over time.
  • Security is a looming problem. Fear of security problems is one of the biggest barriers to further adoption of web applications.

Implications for the industry

Web apps need to solve practical problems. Users don’t care whether they’re using a web application or a traditional application; they just want to get on with their lives. The good news for web app companies is that there’s very little barrier to adoption of web apps. The challenging news is that users expect the apps to solve real-world problems. Web app companies must make sure they’re offering a service that users really care about, and must explain the benefits of it in terms users can understand.

Traditional software companies are very vulnerable. The low adoption barriers to web applications mean that no traditional packaged software company is safe from web-based competition in the near term. The time to embrace “Web 2.0” development and business practices is now. If packaged software companies wait for the competition to intensify, it will probably be too late.

Improve web app security now. The latent security fears of many PC users could explode if there’s a well-publicized security meltdown in a major web application. This could derail the current growth in web app usage. It’s very important that web app companies take steps to make their software more secure now, before the insecurities turn into outright fear.


More than 2,000 US adults who have personal computers at home were surveyed in summer of 2007. Windows, Mac, and Linux users were included. Survey participants were randomly selected through a third-party sampling firm.

Adoption and awareness of web applications
80% of US home PC users say they have heard of web applications. More than half of them have tried at least one web app, and more than a third — 37% — say they use at least one web application on a regular basis.

That means use of web applications has already spread far beyond the 16% of the population traditionally identified as innovators and early adopters. Web applications are entering the mainstream of US PC users.
(Base: All respondents. Web applications were defined as websites that replace a task the user previously performed using a software application installed on the PC. Examples were given to ensure comprehension.)

E-mail and games are the leading web application categories

Among people who use web apps, the most popular usage is sending and receiving e-mail through a browser-based client. Games are next, used by just over 50% of the web app users, followed by music and photo management and editing.

Web app adoption differs dramatically by application category. Some of the most discussed web app categories, such as word processing and spreadsheets, have attracted only a very small percentage of home PC users to date.

(Percent of web app users who say they use a web app in each category. Multiple responses allowed. Base: People who use at least one web application on a regular basis. To get the percentage of the total home PC population using an application category, multiply these numbers by 37%. For example, less than 2% of US home PC users say they use a web-based database.)

Web applications consume 40% of total application usage time

Another way to measure the impact of web apps is to ask how much time people spend using them. People who use at web applications say that they spend about 22% of their total computing time doing so. That amounts to about 40% of the total time they spend with applications of any sort.
That implies that for these users, web applications are already crowding out much of the user’s total application activity. Over time, that is very likely to reduce the demand for traditional applications.
(Percent of total computing time devoted to each activity. Base: People who use at least one web application on a regular basis. To get the percentage of the total home PC population using an application category, multiply these numbers by 37%. For example, less than 2% of US home PC users say they use a web-based database.)

Web application users vs. non-users

The research attempted to identify characteristics of the people who use web applications. Are web apps being adopted most by a particular demographic segment? The answer is generally no, but there are some differences:

  • The people who use web applications are heavier users of applications in general, both web-based and traditional. Web app users have 28% more applications installed on their computers compared to non-users. The web app users also use their computers more heavily.
  • Web app users are somewhat more likely to rate themselves as having good technical skills.
  • Web app users are slightly better-educated, but the difference is only a few percentage points.
  • There was no significant difference between web app users and non-users in income, sex, marital status, and presence of children in the family.

Adoption by students. The most striking difference of web app users was that they’re more than twice as likely to be enrolled in college or graduate school. So we analyzed students separately from the rest of the population, and found some interesting results…

Student adoption of web apps is much more advanced

More than half of college and graduate school students said they use one or more web apps on a regular basis. Only 11% said they had not heard of web applications.
It’s safe to say that among US college students, web app usage has become a mainstream activity.
(Base: All respondents.)

Web applications used by students and non-students

The students’ web app usage patterns were similar to those of non-students. Students were somewhat more likely to do blogging and webpage creation via web applications, and somewhat less likely to do security, finance, word processing, and spreadsheets.
(Base: People who use web applications on a regular basis.)

Time spent using web applications

Although students are more likely to use web applications on a regular basis, they don’t necessarily spent more time with them. Students who use web applications spent about 15% of their total computing time using those applications, compared to 22% for nonstudents.
(Percent of total computing time devoted to each activity. Base: People who use web applications on a regular basis.)

Security fears limit growth of web applications

(Reasons why web apps are not used. Multiple responses permitted. Base: People who do not use web applications.)
Although web applications usage has grown rapidly, there are storm clouds on the horizon. When people who don’t use web applications were asked why they don’t use them, two answers stood out:

  • “I have no need for them.” This is a common response in any developing market for a technology product — many people just haven’t yet seen a web application they need.
  • “I’m worried about security risks.” This is not a typical response in most tech market surveys, and it was cited by 38% of the respondents, making it the second most common response.

Based on this research, security fears appear to be a significant barrier to future growth of web applications. Those fears are not unjustified, considering what’s being said online about web applications. Here are two examples:
Symantec Corporation issues a semi-annual report on Internet security trends, called the Internet Security Threat Report. The September 2007 edition calls out web applications as a major risk area:

“61 percent of all vulnerabilities disclosed were in Web applications. Once a trusted Web site has been compromised, cyber criminals can use it as a source for distribution of malicious programs in order to then compromise individual computers. This attack method allows cyber criminals to wait for their victims to come to them verses actively seeking out targets. Social networking Web sites are particularly valuable to attackers since they provide access to a large number of people, many of whom trust the site and its security. These Web sites can also expose a lot of confidential user information that can then be used in attempts to conduct identity theft, online fraud or to provide access to other Web sites from which attackers can deploy further attacks.”

IBM published a whitepaper on the security of “mashups,” web applications that combine functionality from several different websites. Mashups are a very common procedure for producing a web app. IBM wrote:

“The workarounds currently in wide use to enable Ajax mashups each come at some cost. When stretching a browser’s designed limits, you affect other aspects of the application’s overall operation….The tools that browsers currently provide for mashups are insufficient to allow you to build applications that are both scalable and secure.”

Implications for the industry

To web app companies: Users are incredibly practical; the products must be as well. Although the tech industry spends a lot of time drawing distinctions between traditional software and “Web 2.0” apps, computer users don’t care. They just want to solve their problems. Since virtually all US PC users have a web connection and a browser, if a web app solves their problem, they won’t hesitate to use it. So the barrier to adoption for web applications is extremely low.
But this also puts important responsibilities on web app developers. The research didn’t detect any significant group of people who are biased strongly toward adopting web applications for their own sake. Again, they just want their problems solved. If a web application isn’t better than a traditional software app, or doesn’t solve some new problem, most people won’t adopt it just because it’s on the web.
Web app companies need to ensure they solve real-world problems that significant numbers of people care about, and they need to communicate those benefits clearly.
To traditional software companies: No traditional software application is immune to web-based competition, so adopt web app practices now. It’s easy for traditional packaged software companies to convince themselves that web applications are not an immediate threat. In Rubicon’s work with them, we often hear software company executives say things like, “web applications will be a big challenge to us in three or four years.” Assuming that web app growth will be moderate and predictable is extremely dangerous. Since web app adoption has already moved fast in some software categories, it can move fast in any software category if the web app company gets its features right.
The time for traditional software companies to adopt web app technologies and business practices is now, before they’re in a crisis. If they wait for a crisis to develop, it will probably be too late to respond.
Everyone: Address security now. The security fears of many people who don’t use web applications should be taken very seriously. They show a latent undercurrent of fear that could grow rapidly in the future. A single well-publicized security disaster in a major web app could discredit the entire category and severely limit web app growth, just as safety problems in a few Chinese products have affected the image of the country’s entire manufacturing sector.
The IBM report on mashups acknowledged that there are several efforts underway to make web apps more secure. Web app companies should embrace solutions like these aggressively.


(Note: this post was co-authored during my leadership of Rubicon.)

No comments yet.

Leave a Reply