Outsourcing Information Security: Contracting Issues and Security Implications

Authors

  • Asunur Cezar
  • Huseyin Cavusoglu
  • Srinivasan Raghunathan
Abstract

We examine the implications of a firm outsourcing both (i) security device management, which attempts to prevent security breaches, and (ii) security monitoring, which attempts to detect security breaches, to managed security service providers (MSSPs). In the context of security outsourcing, the firm not only faces the traditional moral hazard problem, as it cannot observe an MSSP’s prevention or detection effort, but also observes the security breach outcome only imperfectly. Furthermore, outsourced prevention and detection services are separate but interrelated security functions, and therefore cannot be considered independently. Hence, the firm needs to carefully design a contract or contracts to induce the desired efforts from the service providers to effectively manage the cost of information security. We first show that the current practice of outsourcing both device management and monitoring functions to the same MSSP, using a contract that imposes a penalty on the MSSP when the MSSP is deemed responsible for a breach, results in a higher than the first-best prevention effort and zero (and less than the first-best) detection effort. This is due to the conflict of interest faced by the MSSP and the substitutable nature of prevention and detection services. We then propose two new contracts, both of which achieve the first-best outcomes. The first contract imposes a penalty for a breach and offers a reward for detecting and revealing breaches to the firm, and the second contract calls for the firm to use two different MSSPs, one for prevention and the other for detection. The required penalty and reward are smaller when the firm uses two MSSPs than when it uses a single MSSP. It is possible for all three types of contracts to fail to satisfy the fairness criterion (the penalty does not exceed the firm’s loss from a security breach), and also to fail to achieve the first-best efforts when there are limits on penalty and/or reward. However, the two-MSSP contract meets the fairness criterion whenever the other two contracts do. An increase in the prevention cost relative to the detection cost increases the likelihood that the two-MSSP contract meets the fairness criterion, making the two-MSSP contract even more attractive relative to the single-MSSP contract with penalty and reward. Despite these advantages of the two-MSSP contract over single-MSSP contracts, the firm may be better off outsourcing both prevention and detection functions to the same MSSP with a penalty-and-reward-based contract if a strong cost complementarity exists between the two functions.


Similar resources

How to improve security by contracting security outsourcing

There is an increasing number of articles and internet forums against outsourcing security and contracting Managed Security Services. In this type of articles and forums, outsourcing providers' professionals are presented as a security threat to their customers. (An extreme example of this can be seen at Cio.com Forum (6)). The aim of this paper is to show customers the possible advantages of con...


Browse searchable encryption schemes: Classification, methods and recent developments

With the advent of cloud computing, data owners tend to submit their data to cloud servers and allow users to access data when needed. However, outsourcing sensitive data will lead to privacy issues. Encrypting data before outsourcing solves privacy issues, but in this case, we will lose the ability to search the data. Searchable encryption (SE) schemes have been proposed to achieve this featur...


Managing Security Service Providers: Issues in Outsourcing Security

The issue of trust and risk in outsourced relationships was extended beyond traditional outsourcing models with the introduction of Application Service Providers (ASPs). As ASPs evolve, Managed Security Service Providers (MSSPs) have emerged as external providers of security for firms facing increasing information assurance threats. This research-in-progress paper develops a conceptual model of...


A Literature Review on Cloud Computing Security Issues

The use of Cloud Computing has increased rapidly in many organizations. Cloud Computing provides many benefits in terms of low cost and accessibility of data. In addition, Cloud Computing was predicted to transform the computing world from using local applications and storage into centralized services provided by organization. [10] Ensuring the security of Cloud Computing is a major factor in the Clo...


IT Outsourcing Contracts: Practical Issues for Management

A good contract is often the key to a successful IT outsourcing relationship. The contract defines the rights, liability, and expectations of both the outsourcing vendor and the outsourcing customer concerned and is often the only solid mechanism for regulating the relationship of the parties. Outsourcing contracts are often of high value and last a relatively long time. It is therefore of part...



Journal title:
  • Management Science

Volume 60  Issue 

Pages  -

Publication date 2010