IDEAS home Printed from https://ideas.repec.org/a/inm/ordeca/v17y2020i3p235-259.html
   My bibliography  Save this article

Managing Security Outsourcing in the Presence of Strategic Hackers

Author

Listed:
  • Yong Wu

    (Glorious Sun School of Business and Management, Donghua University, Shanghai 200051, China)

  • Junlin Duan

    (Glorious Sun School of Business and Management, Donghua University, Shanghai 200051, China)

  • Tao Dai

    (Glorious Sun School of Business and Management, Donghua University, Shanghai 200051, China)

  • Dong Cheng

    (Glorious Sun School of Business and Management, Donghua University, Shanghai 200051, China)

Abstract

Nowadays, firms tend to outsource security operations to professional managed security service providers (MSSPs) as a result of the sophistication of strategic hackers. Thus, how an MSSP makes security decisions according to a strategic hacker’s action is worth researching. Constructing a contract theory model, this paper examines the interaction between an MSSP and a strategic hacker based on both parties’ characteristics. We find that the hacker will give up less valuable information assets, and thus not all information assets are worth protecting for the MSSP. For both parties, their optimal efforts do not necessarily increase with their respective efficiency, and the firm’s reputation loss has an opposite effect on its respective efforts. Moreover, we distinguish two types of security externalities including MSSP-side externality and hacker-side externality, and we find that the two types of security externalities have different effects on both parties’ optimal efforts and expected payoffs. We also find that as a result of the trade-off between the integration effect of the MSSP and the effect of MSSP-side externality, firms are still willing to outsource their security operations to the MSSP even when an MSSP devotes fewer security efforts than those of firms that manage security in-house. Last, we extend our base model from two aspects to generalize the main results.

Suggested Citation

  • Yong Wu & Junlin Duan & Tao Dai & Dong Cheng, 2020. "Managing Security Outsourcing in the Presence of Strategic Hackers," Decision Analysis, INFORMS, vol. 17(3), pages 235-259, September.
    • Handle: RePEc:inm:ordeca:v:17:y:2020:i:3:p:235-259
    DOI: 10.1287/deca.2019.0406
    as

    Download full text from publisher

    File URL: https://doi.org/10.1287/deca.2019.0406
    Download Restriction: no
    File URL: https://libkey.io/10.1287/deca.2019.0406?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Xing Gao & Weijun Zhong & Shue Mei, 2013. "Information Security Investment When Hackers Disseminate Knowledge," Decision Analysis, INFORMS, vol. 10(4), pages 352-368, December.
    2. Yong Wu & Gengzhong Feng & Richard Y. K. Fung, 2018. "Comparison of information security decisions under different security and business environments," Journal of the Operational Research Society, Taylor & Francis Journals, vol. 69(5), pages 747-761, May.
    3. Chul Ho Lee & Xianjun Geng & Srinivasan Raghunathan, 2013. "Contracting Information Security in the Presence of Double Moral Hazard," Information Systems Research, INFORMS, vol. 24(2), pages 295-311, June.
    4. Esther Gal-Or & Anindya Ghose, 2005. "The Economic Incentives for Sharing Security Information," Information Systems Research, INFORMS, vol. 16(2), pages 186-208, June.
    5. Xiaofei Qian & Xinbao Liu & Jun Pei & Panos M. Pardalos, 2018. "A new game of information sharing and security investment between two allied firms," International Journal of Production Research, Taylor & Francis Journals, vol. 56(12), pages 4069-4086, June.
    6. Orcun Temizkan & Sungjune Park & Cem Saydam, 2017. "Software Diversity for Improved Network Security: Optimal Distribution of Software-Based Shared Vulnerabilities," Information Systems Research, INFORMS, vol. 28(4), pages 828-849, December.
    7. Huseyin Cavusoglu & Srinivasan Raghunathan & Hasan Cavusoglu, 2009. "Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems," Information Systems Research, INFORMS, vol. 20(2), pages 198-217, June.
    8. Xing Gao & Weijun Zhong, 2015. "Information security investment for competitive firms with hacker behavior and security requirements," Annals of Operations Research, Springer, vol. 235(1), pages 277-300, December.
    9. Huseyin Cavusoglu & Young Kwark & Bin Mai & Srinivasan Raghunathan, 2013. "Passenger Profiling and Screening for Aviation Security in the Presence of Strategic Attackers," Decision Analysis, INFORMS, vol. 10(1), pages 63-81, March.
    10. Xiaofei Qian & Xinbao Liu & Jun Pei & Panos M. Pardalos & Lin Liu, 2017. "A game-theoretic analysis of information security investment for multiple firms in a network," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 68(10), pages 1290-1305, October.
    11. Derrick Huang, C. & Hu, Qing & Behara, Ravi S., 2008. "An economic analysis of the optimal information security investment in the case of a risk-averse firm," International Journal of Production Economics, Elsevier, vol. 114(2), pages 793-804, August.
    12. Asunur Cezar & Huseyin Cavusoglu & Srinivasan Raghunathan, 2017. "Sourcing Information Security Operations: The Role of Risk Interdependency and Competitive Externality in Outsourcing Decisions," Production and Operations Management, Production and Operations Management Society, vol. 26(5), pages 860-879, May.
    13. Huseyin Cavusoglu & Srinivasan Raghunathan, 2004. "Configuration of Detection Software: A Comparison of Decision and Game Theory Approaches," Decision Analysis, INFORMS, vol. 1(3), pages 131-148, September.
    14. Vijay Mookerjee & Radha Mookerjee & Alain Bensoussan & Wei T. Yue, 2011. "When Hackers Talk: Managing Information Security Under Variable Attack Rates and Knowledge Dissemination," Information Systems Research, INFORMS, vol. 22(3), pages 606-623, September.
    15. Asunur Cezar & Huseyin Cavusoglu & Srinivasan Raghunathan, 2014. "Outsourcing Information Security: Contracting Issues and Security Implications," Management Science, INFORMS, vol. 60(3), pages 638-657, March.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Xing Gao & Siyu Gong, 2022. "An economic analysis of information security outsourcing with competitive firms," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 43(7), pages 2748-2758, October.
    2. Vicki M. Bier, 2020. "From the Editor: Advances in Multi-Agent Decision Making," Decision Analysis, INFORMS, vol. 17(3), pages 187-188, September.
    3. Yong Wu & Mengyao Xu & Dong Cheng & Tao Dai, 2022. "Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker," Decision Analysis, INFORMS, vol. 19(2), pages 99-122, June.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Xing Gao & Siyu Gong, 2022. "An economic analysis of information security outsourcing with competitive firms," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 43(7), pages 2748-2758, October.
    2. Yong Wu & Mengyao Xu & Dong Cheng & Tao Dai, 2022. "Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker," Decision Analysis, INFORMS, vol. 19(2), pages 99-122, June.
    3. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    4. Xiaofei Qian & Jun Pei & Xinbao Liu & Mi Zhou & Panos M. Pardalos, 2019. "Information security decisions for two firms in a market with different types of customers," Journal of Combinatorial Optimization, Springer, vol. 38(4), pages 1263-1285, November.
    5. Xing Gao & Weijun Zhong & Shue Mei, 2013. "Information Security Investment When Hackers Disseminate Knowledge," Decision Analysis, INFORMS, vol. 10(4), pages 352-368, December.
    6. Xing Gao & Weijun Zhong, 2015. "Information security investment for competitive firms with hacker behavior and security requirements," Annals of Operations Research, Springer, vol. 235(1), pages 277-300, December.
    7. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    8. Kai-Lung Hui & Ping Fan Ke & Yuxi Yao & Wei T. Yue, 2019. "Bilateral Liability-Based Contracts in Information Security Outsourcing," Information Systems Research, INFORMS, vol. 30(2), pages 411-429, June.
    9. Xiaotong Li, 2022. "An evolutionary game‐theoretic analysis of enterprise information security investment based on information sharing platform," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 43(3), pages 595-606, April.
    10. Yong Wu & Gengzhong Feng & Richard Y. K. Fung, 2018. "Comparison of information security decisions under different security and business environments," Journal of the Operational Research Society, Taylor & Francis Journals, vol. 69(5), pages 747-761, May.
    11. Xing Gao, 2020. "Open Source or Closed Source? A Competitive Analysis with Software Security," Decision Analysis, INFORMS, vol. 17(1), pages 56-73, March.
    12. Xing Gao & Weijun Zhong, 2016. "Economic incentives in security information sharing: the effects of market structures," Information Technology and Management, Springer, vol. 17(4), pages 361-377, December.
    13. Guang Zhu & Hu Liu & Mining Feng, 2018. "Sustainability of Information Security Investment in Online Social Networks: An Evolutionary Game-Theoretic Approach," Mathematics, MDPI, vol. 6(10), pages 1-19, September.
    14. Guang Zhu & Hu Liu & Mining Feng, 2018. "An Evolutionary Game-Theoretic Approach for Assessing Privacy Protection in mHealth Systems," IJERPH, MDPI, vol. 15(10), pages 1-27, October.
    15. Xinbao Liu & Xiaofei Qian & Jun Pei & Panos M. Pardalos, 2018. "Security investment and information sharing in the market of complementary firms: impact of complementarity degree and industry size," Journal of Global Optimization, Springer, vol. 70(2), pages 413-436, February.
    16. Mingwen Yang & Varghese S. Jacob & Srinivasan Raghunathan, 2021. "Cloud Service Model’s Role in Provider and User Security Investment Incentives," Production and Operations Management, Production and Operations Management Society, vol. 30(2), pages 419-437, February.
    17. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
    18. Huseyin Cavusoglu & Srinivasan Raghunathan & Hasan Cavusoglu, 2009. "Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems," Information Systems Research, INFORMS, vol. 20(2), pages 198-217, June.
    19. Krishnan S. Anand & Manu Goyal, 2019. "Ethics, Bounded Rationality, and IP Sharing in IT Outsourcing," Management Science, INFORMS, vol. 65(11), pages 5252-5267, November.
    20. Yonghua Ji & Subodha Kumar & Vijay Mookerjee, 2016. "When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security," Information Systems Research, INFORMS, vol. 27(4), pages 897-918, December.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:inm:ordeca:v:17:y:2020:i:3:p:235-259. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Chris Asher (email available below). General contact details of provider: https://edirc.repec.org/data/inforea.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.