Outsourcing Internet Security: Economic Analysis of Incentives for Managed Security Service Providers

Firms hesitate to outsource their network security to outside security providers (called Managed Security Service Providers or MSSPs) because an MSSP may shirk secretly to increase profits. In economics this secret shirking behavior is commonly referred to as the Moral Hazard problem. There is a counter argument that this moral hazard problem is not as significant for the Internet security outsourcing market because MSSPs work hard to build and maintain their reputations which are crucial to surviving competition. Both arguments make sense and should be considered to write a successful contract. This paper studies the characteristics of optimal contracts (payment to MSSPs) for security outsourcing market by setting up an economic framework that combines both effects. It is shown that an optimal contract should be performance-based. The degree of performance dependence decreases if the reputation effect becomes more significant. We also show that if serving a large group of customers helps the provider to improve service quality significantly (which is observed in the internet security outsourcing market), an optimal contract should always be performance-based even if a strong reputation effect exists.