
Outsourcing Information Security: Contracting Issues and Security Implications

Author

Listed:
  • Asunur Cezar

    (Department of Business Administration, TOBB University of Economics and Technology, Ankara 06560, Turkey)

  • Huseyin Cavusoglu

    (Naveen Jindal School of Management, University of Texas at Dallas, Richardson, Texas 75080)

  • Srinivasan Raghunathan

    (Naveen Jindal School of Management, University of Texas at Dallas, Richardson, Texas 75080)

Abstract

A unique challenge in information security outsourcing is that neither the outsourcing firm nor the managed security service provider (MSSP) perfectly observes the outcome, the occurrence of a security breach, of prevention effort. Detection of security breaches often requires specialized effort. The current practice is to outsource both prevention and detection to the same MSSP. Some security experts have advocated outsourcing prevention and detection to different MSSPs. We show that the former outsourcing contract leads to a significant disincentive to provide detection effort. The latter contract alleviates this problem but introduces misalignment of incentives between the firm and the MSSPs and eliminates the advantages offered by complementarity between prevention and detection functions, which may lead to a worse outcome than the current contract. We propose a new contract that is superior to these two on various dimensions. This paper was accepted by Lorin Hitt, information systems.

Suggested Citation

  • Asunur Cezar & Huseyin Cavusoglu & Srinivasan Raghunathan, 2014. "Outsourcing Information Security: Contracting Issues and Security Implications," Management Science, INFORMS, vol. 60(3), pages 638-657, March.
  • Handle: RePEc:inm:ormnsc:v:60:y:2014:i:3:p:638-657
    DOI: 10.1287/mnsc.2013.1763

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/mnsc.2013.1763
    Download Restriction: no


    References listed on IDEAS

    1. Itoh, Hideshi, 1994. "Job design, delegation and cooperation: A principal-agent analysis," European Economic Review, Elsevier, vol. 38(3-4), pages 691-700, April.
    2. Leslie P. Willcocks & Mary C. Lacity, 2009. "The Practice of Outsourcing," Palgrave Macmillan Books, Palgrave Macmillan, number 978-0-230-24084-1, December.
    3. Baiman, S & Evans, Jh & Noel, J, 1987. "Optimal-Contracts With A Utility-Maximizing Auditor," Journal of Accounting Research, Wiley Blackwell, vol. 25(2), pages 217-244.
    4. Antle, R, 1982. "The Auditor As An Economic Agent," Journal of Accounting Research, Wiley Blackwell, vol. 20(2), pages 503-527.
    5. Chen, Bo, 2012. "All-or-nothing payments," Journal of Mathematical Economics, Elsevier, vol. 48(3), pages 133-142.
    6. Holmstrom, Bengt & Milgrom, Paul, 1994. "The Firm as an Incentive System," American Economic Review, American Economic Association, vol. 84(4), pages 972-991, September.
    7. Glenn MacDonald & Leslie M. Marx, 2001. "Adverse Specialization," Journal of Political Economy, University of Chicago Press, vol. 109(4), pages 864-899, August.
    8. Grossman, Sanford J & Hart, Oliver D, 1983. "An Analysis of the Principal-Agent Problem," Econometrica, Econometric Society, vol. 51(1), pages 7-45, January.
    9. Bengt Holmstrom, 1979. "Moral Hazard and Observability," Bell Journal of Economics, The RAND Corporation, vol. 10(1), pages 74-91, Spring.
    10. Itoh, Hideshi, 1991. "Incentives to Help in Multi-agent Situations," Econometrica, Econometric Society, vol. 59(3), pages 611-636, May.
    11. Nash, John, 1950. "The Bargaining Problem," Econometrica, Econometric Society, vol. 18(2), pages 155-162, April.
    12. Holmstrom, Bengt & Milgrom, Paul, 1991. "Multitask Principal-Agent Analyses: Incentive Contracts, Asset Ownership, and Job Design," The Journal of Law, Economics, and Organization, Oxford University Press, vol. 7(0), pages 24-52, Special I.
    13. Ross, Stephen A, 1973. "The Economic Theory of Agency: The Principal's Problem," American Economic Review, American Economic Association, vol. 63(2), pages 134-139, May.
    14. Dewatripont, Mathias & Jewitt, Ian & Tirole, Jean, 2000. "Multitask agency problems: Focus and task clustering," European Economic Review, Elsevier, vol. 44(4-6), pages 869-877, May.
    15. Debabrata Dey & Ming Fan & Conglei Zhang, 2010. "Design and Analysis of Contracts for Software Outsourcing," Information Systems Research, INFORMS, vol. 21(1), pages 93-114, March.
    16. Sri S. Sridhar & Bala V. Balachandran, 1997. "Incomplete Information, Task Assignment, and Managerial Control Systems," Management Science, INFORMS, vol. 43(6), pages 764-778, June.
    17. Seungjin Whang, 1992. "Contracting for Software Development," Management Science, INFORMS, vol. 38(3), pages 307-324, March.
    18. Caplan, D, 1999. "Internal controls and the detection of management fraud," Journal of Accounting Research, Wiley Blackwell, vol. 37(1), pages 101-117.
    19. Harris, Milton & Raviv, Artur, 1979. "Optimal incentive contracts with imperfect information," Journal of Economic Theory, Elsevier, vol. 20(2), pages 231-259, April.

    Citations



    Cited by:

    1. Nassim Ghondaghsaz & Zarina Chokparova & Sven Engesser & Leon Urbas, 2022. "Managing the Tension between Trust and Confidentiality in Mobile Supply Chains," Sustainability, MDPI, vol. 14(4), pages 1-25, February.
    2. He Huang & Minhui Hu & Robert J. Kauffman & Hongyan Xu, 2021. "The Power of Renegotiation and Monitoring in Software Outsourcing: Substitutes or Complements?," Information Systems Research, INFORMS, vol. 32(4), pages 1236-1261, December.
    3. Kai-Lung Hui & Ping Fan Ke & Yuxi Yao & Wei T. Yue, 2019. "Bilateral Liability-Based Contracts in Information Security Outsourcing," Information Systems Research, INFORMS, vol. 30(2), pages 411-429, June.
    4. Yong Wu & Junlin Duan & Tao Dai & Dong Cheng, 2020. "Managing Security Outsourcing in the Presence of Strategic Hackers," Decision Analysis, INFORMS, vol. 17(3), pages 235-259, September.
    5. Xing Gao, 2023. "A competitive analysis of software quality investment with technology diversification and security concern," Electronic Commerce Research, Springer, vol. 23(4), pages 2691-2712, December.
    6. Guang Zhu & Hu Liu & Mining Feng, 2018. "Sustainability of Information Security Investment in Online Social Networks: An Evolutionary Game-Theoretic Approach," Mathematics, MDPI, vol. 6(10), pages 1-19, September.
    7. Xing Gao & Siyu Gong, 2022. "An economic analysis of information security outsourcing with competitive firms," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 43(7), pages 2748-2758, October.
    8. Krishnan S. Anand & Manu Goyal, 2019. "Ethics, Bounded Rationality, and IP Sharing in IT Outsourcing," Management Science, INFORMS, vol. 65(11), pages 5252-5267, November.
    9. Huang, Min & Tu, Jun & Chao, Xiuli & Jin, Delong, 2019. "Quality risk in logistics outsourcing: A fourth party logistics perspective," European Journal of Operational Research, Elsevier, vol. 276(3), pages 855-879.
    10. Yonghua Ji & Subodha Kumar & Vijay Mookerjee, 2016. "When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security," Information Systems Research, INFORMS, vol. 27(4), pages 897-918, December.
    11. Tejaswini C. Herath & Hemantha S. B. Herath & David Cullum, 2023. "An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks," Information Systems Frontiers, Springer, vol. 25(2), pages 681-721, April.
    12. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    13. Xiaowei Zhu, 2017. "Outsourcing management under various demand Information Sharing scenarios," Annals of Operations Research, Springer, vol. 257(1), pages 449-467, October.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Pierre Fleckinger & David Martimort & Nicolas Roux, 2024. "Should They Compete or Should They Cooperate? The View of Agency Theory," Journal of Economic Literature, American Economic Association, vol. 62(4), pages 1589-1646, December.
    2. Balmaceda, Felipe, 2016. "Optimal task assignments," Games and Economic Behavior, Elsevier, vol. 98(C), pages 1-18.
    3. Chen, Bo, 2012. "All-or-nothing payments," Journal of Mathematical Economics, Elsevier, vol. 48(3), pages 133-142.
    4. Eduard Marinov, 2016. "The 2016 Nobel Prize in Economics," Economic Thought journal, Bulgarian Academy of Sciences - Economic Research Institute, issue 6, pages 97-149.
    5. Suraj Prasad, 2009. "Task assignments and incentives: generalists versus specialists," RAND Journal of Economics, RAND Corporation, vol. 40(2), pages 380-403, June.
    6. Jokivuolle, Esa & Keppo, Jussi, 2014. "Bankers' compensation: Sprint swimming in short bonus pools?," Bank of Finland Research Discussion Papers 2/2014, Bank of Finland.
    7. Joshua Graff Zivin & Lisa B. Kahn & Matthew Neidell, 2021. "Incentivizing Learning-by-Doing: The Role of Compensation Schemes," Research in Labor Economics, in: Workplace Productivity and Management Practices, volume 49, pages 139-178, Emerald Group Publishing Limited.
    8. repec:bof:bofrdp:urn:nbn:fi:bof-201503041096 is not listed on IDEAS
    9. Bengt Holmström, 1999. "Managerial Incentive Problems: A Dynamic Perspective," The Review of Economic Studies, Review of Economic Studies Ltd, vol. 66(1), pages 169-182.
    10. Gil-Bazo, Javier, 2001. "Portfolio management fees: assets or profits based compensation?," DEE - Working Papers. Business Economics. WB wb012207, Universidad Carlos III de Madrid. Departamento de Economía de la Empresa.
    11. Jokivuolle, Esa & Keppo, Jussi & Yuan, Xuchuan, 2015. "Bonus caps, deferrals and bankers' risk-taking," Bank of Finland Research Discussion Papers 5/2015, Bank of Finland.
    12. Alex Edmans & Xavier Gabaix, 2016. "Executive Compensation: A Modern Primer," Journal of Economic Literature, American Economic Association, vol. 54(4), pages 1232-1287, December.
    13. Bartsch, Elga, 1996. "Enforcement of environmental liability in the case of uncertain causality and asymmetric information," Kiel Working Papers 755, Kiel Institute for the World Economy (IfW Kiel).
    14. Jokivuolle, Esa & Keppo, Jussi, 2014. "Bankers' compensation: Sprint swimming in short bonus pools?," Research Discussion Papers 2/2014, Bank of Finland.
    15. Jared Rubin & Roman Sheremeta, 2016. "Principal–Agent Settings with Random Shocks," Management Science, INFORMS, vol. 62(4), pages 985-999, April.
    16. Robert Gibbons, 2010. "Inside Organizations: Pricing, Politics, and Path Dependence," Annual Review of Economics, Annual Reviews, vol. 2(1), pages 337-365, September.
    17. Kim, Son Ku & Wang, Susheng, 1998. "Linear Contracts and the Double Moral-Hazard," Journal of Economic Theory, Elsevier, vol. 82(2), pages 342-378, October.
    18. Dennis H. Caplan & Michael Kirschenheiter, 2000. "Outsourcing and Audit Risk for Internal Audit Services," Contemporary Accounting Research, John Wiley & Sons, vol. 17(3), pages 387-428, September.
    19. Harvey James & Derek Johnson, 2002. "Why Are There Explicit Contracts of Employment?," Law and Economics 0202001, University Library of Munich, Germany.
    20. Gang-Zhi Fan & Seow Ong & Tien Sing, 2006. "Moral Hazard, Effort Sensitivity and Compensation in Asset-Backed Securitization," The Journal of Real Estate Finance and Economics, Springer, vol. 32(3), pages 229-251, May.
    21. Son Ku Kim, 1990. "Efficiency of an Information System in an Agency Model," UCLA Economics Working Papers 608, UCLA Department of Economics.
