
Outsourcing Information Security: Contracting Issues and Security Implications

Author

Listed:
  • Asunur Cezar

    (Department of Business Administration, TOBB University of Economics and Technology, Ankara 06560, Turkey)

  • Huseyin Cavusoglu

    (Naveen Jindal School of Management, University of Texas at Dallas, Richardson, Texas 75080)

  • Srinivasan Raghunathan

    (Naveen Jindal School of Management, University of Texas at Dallas, Richardson, Texas 75080)

Abstract

A unique challenge in information security outsourcing is that neither the outsourcing firm nor the managed security service provider (MSSP) perfectly observes the outcome, the occurrence of a security breach, of prevention effort. Detection of security breaches often requires specialized effort. The current practice is to outsource both prevention and detection to the same MSSP. Some security experts have advocated outsourcing prevention and detection to different MSSPs. We show that the former outsourcing contract leads to a significant disincentive to provide detection effort. The latter contract alleviates this problem but introduces misalignment of incentives between the firm and the MSSPs and eliminates the advantages offered by complementarity between prevention and detection functions, which may lead to a worse outcome than the current contract. We propose a new contract that is superior to these two on various dimensions. This paper was accepted by Lorin Hitt, information systems.

Suggested Citation

  • Asunur Cezar & Huseyin Cavusoglu & Srinivasan Raghunathan, 2014. "Outsourcing Information Security: Contracting Issues and Security Implications," Management Science, INFORMS, vol. 60(3), pages 638-657, March.
  • Handle: RePEc:inm:ormnsc:v:60:y:2014:i:3:p:638-657
    DOI: 10.1287/mnsc.2013.1763

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/mnsc.2013.1763
    Download Restriction: no



    Citations


    Cited by:

    1. Nassim Ghondaghsaz & Zarina Chokparova & Sven Engesser & Leon Urbas, 2022. "Managing the Tension between Trust and Confidentiality in Mobile Supply Chains," Sustainability, MDPI, vol. 14(4), pages 1-25, February.
    2. He Huang & Minhui Hu & Robert J. Kauffman & Hongyan Xu, 2021. "The Power of Renegotiation and Monitoring in Software Outsourcing: Substitutes or Complements?," Information Systems Research, INFORMS, vol. 32(4), pages 1236-1261, December.
    3. Kai-Lung Hui & Ping Fan Ke & Yuxi Yao & Wei T. Yue, 2019. "Bilateral Liability-Based Contracts in Information Security Outsourcing," Information Systems Research, INFORMS, vol. 30(2), pages 411-429, June.
    4. Yong Wu & Junlin Duan & Tao Dai & Dong Cheng, 2020. "Managing Security Outsourcing in the Presence of Strategic Hackers," Decision Analysis, INFORMS, vol. 17(3), pages 235-259, September.
    5. Guang Zhu & Hu Liu & Mining Feng, 2018. "Sustainability of Information Security Investment in Online Social Networks: An Evolutionary Game-Theoretic Approach," Mathematics, MDPI, vol. 6(10), pages 1-19, September.
    6. Xing Gao & Siyu Gong, 2022. "An economic analysis of information security outsourcing with competitive firms," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 43(7), pages 2748-2758, October.
    7. Krishnan S. Anand & Manu Goyal, 2019. "Ethics, Bounded Rationality, and IP Sharing in IT Outsourcing," Management Science, INFORMS, vol. 65(11), pages 5252-5267, November.
    8. Huang, Min & Tu, Jun & Chao, Xiuli & Jin, Delong, 2019. "Quality risk in logistics outsourcing: A fourth party logistics perspective," European Journal of Operational Research, Elsevier, vol. 276(3), pages 855-879.
    9. Yonghua Ji & Subodha Kumar & Vijay Mookerjee, 2016. "When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security," Information Systems Research, INFORMS, vol. 27(4), pages 897-918, December.
    10. Tejaswini C. Herath & Hemantha S. B. Herath & David Cullum, 2023. "An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks," Information Systems Frontiers, Springer, vol. 25(2), pages 681-721, April.
    11. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    12. Xiaowei Zhu, 2017. "Outsourcing management under various demand Information Sharing scenarios," Annals of Operations Research, Springer, vol. 257(1), pages 449-467, October.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Eduard Marinov, 2016. "The 2016 Nobel Prize in Economics," Economic Thought journal, Bulgarian Academy of Sciences - Economic Research Institute, issue 6, pages 97-149.
    2. Fleckinger, Pierre & Martimort, David & Roux, Nicolas, 2023. "Should They Compete or Should They Cooperate? The View of Agency Theory," TSE Working Papers 23-1421, Toulouse School of Economics (TSE), revised Jan 2024.
    3. Suraj Prasad, 2009. "Task assignments and incentives: generalists versus specialists," RAND Journal of Economics, RAND Corporation, vol. 40(2), pages 380-403, June.
    4. David Rietzke & Yu Chen, 2020. "Push or pull? Performance‐pay, incentives, and information," RAND Journal of Economics, RAND Corporation, vol. 51(1), pages 301-317, March.
    5. Hilmer, Michael, 2013. "Fiscal treatment of managerial compensation - a welfare analysis," VfS Annual Conference 2013 (Duesseldorf): Competition Policy and Regulation in a Global Economic Order 79703, Verein für Socialpolitik / German Economic Association.
    6. Verbeck, Matthias, 2015. "Contracting with Researchers," VfS Annual Conference 2015 (Muenster): Economic Development - Theory and Policy 112963, Verein für Socialpolitik / German Economic Association.
    7. Robert Gibbons, 2010. "Inside Organizations: Pricing, Politics, and Path Dependence," Annual Review of Economics, Annual Reviews, vol. 2(1), pages 337-365, September.
    8. Jokivuolle, Esa & Keppo, Jussi, 2014. "Bankers' compensation: Sprint swimming in short bonus pools?," Bank of Finland Research Discussion Papers 2/2014, Bank of Finland.
    9. Joshua Graff Zivin & Lisa B. Kahn & Matthew Neidell, 2021. "Incentivizing Learning-by-Doing: The Role of Compensation Schemes," Research in Labor Economics, in: Workplace Productivity and Management Practices, volume 49, pages 139-178, Emerald Group Publishing Limited.
    10. repec:bof:bofrdp:urn:nbn:fi:bof-201503041096 is not listed on IDEAS
    11. Balmaceda, Felipe, 2016. "Optimal task assignments," Games and Economic Behavior, Elsevier, vol. 98(C), pages 1-18.
    12. Bengt Holmstrom, 1999. "Managerial Incentive Problems: A Dynamic Perspective," NBER Working Papers 6875, National Bureau of Economic Research, Inc.
    13. repec:zbw:bofrdp:urn:nbn:fi:bof-201503041096 is not listed on IDEAS
    14. Dye, Ronald A. & Sridharan, Sri S., 2014. "Agency conflicts in the presence of random private benefits from project implementation," Economics Letters, Elsevier, vol. 123(3), pages 308-312.
    15. John M. Barron & Kathy Paulson Gjerde, 1996. "Who Adopts Total Quality Management (TQM): Theory and An Empirical Test," Journal of Economics & Management Strategy, Wiley Blackwell, vol. 5(1), pages 69-106, March.
    16. Jokivuolle, Esa & Keppo, Jussi & Yuan, Xuchuan, 2015. "Bonus caps, deferrals and bankers' risk-taking," Bank of Finland Research Discussion Papers 5/2015, Bank of Finland.
    17. Chen, Bo, 2012. "All-or-nothing payments," Journal of Mathematical Economics, Elsevier, vol. 48(3), pages 133-142.
    18. Jokivuolle, Esa & Keppo, Jussi & Yuan, Xuchuan, 2015. "Bonus caps, deferrals and bankers' risk-taking," Research Discussion Papers 5/2015, Bank of Finland.
    19. Alex Edmans & Xavier Gabaix, 2016. "Executive Compensation: A Modern Primer," Journal of Economic Literature, American Economic Association, vol. 54(4), pages 1232-1287, December.
    20. Bartsch, Elga, 1996. "Enforcement of environmental liability in the case of uncertain causality and asymmetric information," Kiel Working Papers 755, Kiel Institute for the World Economy (IfW Kiel).
    21. Bentley W. MacLeod, 2003. "Optimal Contracting with Subjective Evaluation," American Economic Review, American Economic Association, vol. 93(1), pages 216-240, March.
    22. Ricard Gil & Jordi Mondria, 2011. "Introducing managerial attention allocation in incentive contracts," SERIEs: Journal of the Spanish Economic Association, Springer;Spanish Economic Association, vol. 2(3), pages 335-358, September.
