The Impact of Professional Information Security Ratings on Vendor Competition 1 September 2009

Security breaches often stem from business partner failures within the value chain. There have been several recent efforts to develop a common reference for rating the information risk posed by partners. We develop a simple analytical model to examine the impact of such information security ratings on service providers, customers, and social welfare. While some might believe that professional information security ratings would benefit high-security providers and hurt those with lower security, we show that this is not always the case. We find that such ratings can hurt both types of providers or benefit both, depending on the market conditions. Surprisingly, we also find that professional information security ratings do not always benefit the most demanding customers who desire highly secure business partners. Yet, in all cases, we find that social welfare is improved when professional information security ratings are adopted. This result suggests that professional information security ratings should be encouraged through public policy initiatives.