
Contracting Information Security in the Presence of Double Moral Hazard

Author

Listed:
  • Chul Ho Lee

    (Management Information Systems, Williams College of Business, Xavier University, Cincinnati, Ohio 45207)

  • Xianjun Geng

    (Naveen Jindal School of Management, University of Texas at Dallas, Richardson, Texas 75080)

  • Srinivasan Raghunathan

    (Naveen Jindal School of Management, University of Texas at Dallas, Richardson, Texas 75080)

Abstract

In information security outsourcing, it is the norm that the outsourcing firms and the outsourcers (commonly called managed security service providers, MSSPs) need to coordinate their efforts for better security. Nevertheless, efforts are often private and thus both firms and MSSPs can suffer from double moral hazard. Furthermore, the double moral hazard problem in security outsourcing is complicated by the existence of strong externality and the multiclient nature of MSSP services. In this prescriptive research, we first show that the prevailing contract structure in security outsourcing, bilateral refund contract, cannot solve double moral hazard. Adding breach-contingent sunk cost or external payment cannot solve double moral hazard either. Furthermore, positive externality can worsen double moral hazard. We then propose a new contract structure termed multilateral contract and show that it can solve double moral hazard and induce first-best efforts from all contractual parties when an MSSP serves two or more client firms, regardless of the externality. Firm-side externality significantly affects how payments flow under a multilateral contract when a security breach happens. When the number of client firms for an MSSP increases, we show that the contingent payments under multilateral contracts for any security breach scenario can be easily calculated using an additive method, and thus are computationally simple to implement.

Suggested Citation

  • Chul Ho Lee & Xianjun Geng & Srinivasan Raghunathan, 2013. "Contracting Information Security in the Presence of Double Moral Hazard," Information Systems Research, INFORMS, vol. 24(2), pages 295-311, June.
  • Handle: RePEc:inm:orisre:v:24:y:2013:i:2:p:295-311
    DOI: 10.1287/isre.1120.0447

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/isre.1120.0447
    Download Restriction: no



    Citations


    Cited by:

    1. Kjell Hausken, 2017. "Information Sharing Among Cyber Hackers in Successive Attacks," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 19(02), pages 1-33, June.
    2. Margareta Heidt & Jin P. Gerlach & Peter Buxmann, 2019. "Investigating the Security Divide between SME and Large Companies: How SME Characteristics Influence Organizational IT Security Investments," Information Systems Frontiers, Springer, vol. 21(6), pages 1285-1305, December.
    3. Xing Gao & Siyu Gong, 2022. "An economic analysis of information security outsourcing with competitive firms," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 43(7), pages 2748-2758, October.
    4. Krishnan S. Anand & Manu Goyal, 2019. "Ethics, Bounded Rationality, and IP Sharing in IT Outsourcing," Management Science, INFORMS, vol. 65(11), pages 5252-5267, November.
    5. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    6. Hui, Kai-Lung & Zhou, Jiali, 2020. "The Economics of Hacking," MPRA Paper 102706, University Library of Munich, Germany.
    7. Yong Wu & Gengzhong Feng & Richard Y. K. Fung, 2018. "Comparison of information security decisions under different security and business environments," Journal of the Operational Research Society, Taylor & Francis Journals, vol. 69(5), pages 747-761, May.
    8. Kai-Lung Hui & Ping Fan Ke & Yuxi Yao & Wei T. Yue, 2019. "Bilateral Liability-Based Contracts in Information Security Outsourcing," Information Systems Research, INFORMS, vol. 30(2), pages 411-429, June.
    9. Mingwen Yang & Varghese S. Jacob & Srinivasan Raghunathan, 2021. "Cloud Service Model’s Role in Provider and User Security Investment Incentives," Production and Operations Management, Production and Operations Management Society, vol. 30(2), pages 419-437, February.
    10. Chenglong Zhang & Nan Feng & Jianjian Chen & Dahui Li & Minqiang Li, 0. "Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities," Information Systems Frontiers, Springer, vol. 0, pages 1-18.
    11. Yong Wu & Mengyao Xu & Dong Cheng & Tao Dai, 2022. "Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker," Decision Analysis, INFORMS, vol. 19(2), pages 99-122, June.
    12. Yong Wu & Junlin Duan & Tao Dai & Dong Cheng, 2020. "Managing Security Outsourcing in the Presence of Strategic Hackers," Decision Analysis, INFORMS, vol. 17(3), pages 235-259, September.
    13. Shantanu Bhattacharya & Alok Gupta & Sameer Hasija, 2014. "Joint Product Improvement by Client and Customer Support Center: The Role of Gain-Share Contracts in Coordination," Information Systems Research, INFORMS, vol. 25(1), pages 137-151, March.
    14. He Huang & Zhipeng Li & De Liu & Hongyan Xu, 2022. "Auctioning IT Contracts with Renegotiable Scope," Management Science, INFORMS, vol. 68(8), pages 6003-6023, August.
    15. Emre M. Demirezen & Subodha Kumar & Bala Shetty, 2016. "Managing Co-Creation in Information Technology Projects: A Differential Games Approach," Information Systems Research, INFORMS, vol. 27(3), pages 517-537.
    16. Kjell Hausken, 2018. "Proactivity and Retroactivity of Firms and Information Sharing of Hackers," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 20(01), pages 1-30, March.
    17. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    18. Chenglong Zhang & Nan Feng & Jianjian Chen & Dahui Li & Minqiang Li, 2021. "Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities," Information Systems Frontiers, Springer, vol. 23(3), pages 773-790, June.
    19. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Prasenjit Mandal & Tarun Jain & Abhishek Chakraborty, 2021. "Quality collaboration contracts under product pricing strategies," Annals of Operations Research, Springer, vol. 302(1), pages 231-264, July.
    2. Chenglong Zhang & Nan Feng & Jianjian Chen & Dahui Li & Minqiang Li, 0. "Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities," Information Systems Frontiers, Springer, vol. 0, pages 1-18.
    3. Chenglong Zhang & Nan Feng & Jianjian Chen & Dahui Li & Minqiang Li, 2021. "Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities," Information Systems Frontiers, Springer, vol. 23(3), pages 773-790, June.
    4. Elitzur, Ramy & Gavious, Arieh & Wensley, Anthony K.P., 2012. "Information systems outsourcing projects as a double moral hazard problem," Omega, Elsevier, vol. 40(3), pages 379-389.
    5. Kai-Lung Hui & Ping Fan Ke & Yuxi Yao & Wei T. Yue, 2019. "Bilateral Liability-Based Contracts in Information Security Outsourcing," Information Systems Research, INFORMS, vol. 30(2), pages 411-429, June.
    6. Zhao, Rui R., 2007. "Dynamic risk-sharing with two-sided moral hazard," Journal of Economic Theory, Elsevier, vol. 136(1), pages 601-640, September.
    7. Tsoulouhas, Theofanis, 1999. "Do tournaments solve the two-sided moral hazard problem?," Journal of Economic Behavior & Organization, Elsevier, vol. 40(3), pages 275-294, November.
    8. Corbett, Charles J. & DeCroix, Gregory A. & Ha, Albert Y., 2005. "Optimal shared-savings contracts in supply chains: Linear contracts and double moral hazard," European Journal of Operational Research, Elsevier, vol. 163(3), pages 653-667, June.
    9. Pei-Cheng Liao & Suresh Radhakrishnan, 2013. "A Commitment-Based Explanation for Outsourcing Multiple Tasks," Contemporary Accounting Research, John Wiley & Sons, vol. 30(3), pages 1063-1081, September.
    10. Shuo Zeng & Moshe Dror, 2019. "Serving many masters: an agent and his principals," Mathematical Methods of Operations Research, Springer;Gesellschaft für Operations Research (GOR);Nederlands Genootschap voor Besliskunde (NGB), vol. 90(1), pages 23-59, August.
    11. Elodie Adida & Fernanda Bravo, 2019. "Contracts for Healthcare Referral Services: Coordination via Outcome-Based Penalty Contracts," Management Science, INFORMS, vol. 65(3), pages 1322-1341, March.
    12. Moussawi-Haidar, Lama & Çömez-Dolgan, Nagihan, 2017. "Percentage rent contracts between co-stores," European Journal of Operational Research, Elsevier, vol. 258(3), pages 912-925.
    13. Sverre Grepperud, 2015. "Optimal safety standards when accident prevention depends upon both firm and worker effort," European Journal of Law and Economics, Springer, vol. 39(3), pages 505-521, June.
    14. Shin, Dongsoo, 2015. "Incentives and management styles," International Journal of Industrial Organization, Elsevier, vol. 40(C), pages 22-31.
    15. Vergara, Marcos & Bonilla, Claudio A. & Sepulveda, Jean P., 2016. "The complementarity effect: Effort and sharing in the entrepreneur and venture capital contract," European Journal of Operational Research, Elsevier, vol. 254(3), pages 1017-1025.
    16. Dur, Robert & Non, Arjan & Roelfsema, Hein, 2010. "Reciprocity and incentive pay in the workplace," Journal of Economic Psychology, Elsevier, vol. 31(4), pages 676-686, August.
    17. Olmos, Marta Fernández & Grazia, Cristina & Perito, Maria Angela, 2011. "Quality and Double Sided Moral Hazard in Share Contracts," Agricultural Economics Review, Greek Association of Agricultural Economists, vol. 12(1).
    18. Arup Bose & Debashis Pal & David E. M. Sappington, 2011. "On the Performance of Linear Contracts," Journal of Economics & Management Strategy, Wiley Blackwell, vol. 20(1), pages 159-193, March.
    19. Nitish Jain & Sameer Hasija & Dana G. Popescu, 2013. "Optimal Contracts for Outsourcing of Repair and Restoration Services," Operations Research, INFORMS, vol. 61(6), pages 1295-1311, December.
    20. Udo Schneider, 2004. "Asymmetric Information and the Demand for Health Care – the Case of Double Moral Hazard," Schmollers Jahrbuch : Journal of Applied Social Science Studies / Zeitschrift für Wirtschafts- und Sozialwissenschaften, Duncker & Humblot, Berlin, vol. 124(2), pages 233-256.
