Abstract
Firms in a close business partnership can choose to outsource either to the same Managed Security Service Provider (MSSP) or to different MSSPs. Apart from security investments, compensation ratios, and network externalities, firms in a close business partnership face the additional challenge of correlated loss when making this outsourcing decision. We first show that if the two firms in the business partnership outsource to the same MSSP, the security investments on the two firms are greater under positive externalities and smaller under negative externalities. We further find that under positive externality the two firms are better off outsourcing to the same MSSP if the correlated loss level is lower (greater) than a threshold when the compensation ratios are less (greater) than 1; under negative externality the two firms are better off outsourcing to the same MSSP if the correlated loss level is lower (greater) than a threshold when the compensation ratios are greater (less) than 1. Our analytical results offer important managerial implications for firms in a close business partnership when deciding on their outsourcing strategies.
Acknowledgements
The research was supported by the National Natural Science Foundations of China (Grant numbers: 71871155 and 71631003).
Appendices
1.1 Proof of Proposition 1
When the two firms outsource to different MSSPs, the two MSSPs’ profits are given as follows.
The equilibrium security investments are given by the following first-order conditions (FOCs).
For ease of exposition, denote by \( \left({e}_1^{D\ast },{e}_2^{D\ast}\right) \) the equilibrium security investments yielded by the equations.
When the two firms outsource to the same MSSP, the MSSP’s expected payoff is
The security investments on the two firms are given by the following first-order conditions.
Denote by \( \left({e}_1^{S\ast },{e}_2^{S\ast}\right) \) the equilibrium security investments yielded by the equations. Assume that ∂Pi(e)/∂ei is independent of ej, j ≠ i. Define the following functions.
The first-order conditions when the two firms outsource to different MSSPs can then be written as follows.
Similarly, the first-order conditions when the two firms outsource to the same MSSP can be written as follows.
Notice that
because both Pi(E), Ci(E) are convex functions. Based on eq. (6) and (7), we can derive the following equations.
Under positive externality (\( \frac{\partial {P}_1(E)}{\partial {e}_2},\frac{\partial {P}_2(E)}{\partial {e}_1}<0 \)), we then know that
Because Gi(.), i ∈ {1, 2} are decreasing functions, we know that \( {e}_i^{S\ast }>{e}_i^{D\ast } \), which implies that the security investments are greater when the two firms outsource to the same MSSP.
Under negative externality (\( \frac{\partial {P}_1(E)}{\partial {e}_2},\frac{\partial {P}_2(E)}{\partial {e}_1}>0 \)), we then know that
Because Gi(.), i ∈ {1, 2} are decreasing functions, we know that \( {e}_i^{S\ast }<{e}_i^{D\ast } \), which implies that the security investments are less when the two firms outsource to the same MSSP.
1.2 Proof of Proposition 2
Denote by ∆1 the difference between the probabilities that firm 1 is attacked when the two firms outsource to different MSSPs and to the same MSSP (i.e., \( \Delta 1={P}_1\left({e}_1^{D\ast },{e}_2^{D\ast}\right)-{P}_1\left({e}_1^{S\ast },{e}_2^{S\ast}\right) \)). Similarly, ∆2 is defined as \( \Delta 2={P}_2\left({e}_1^{D\ast },{e}_2^{D\ast}\right)-{P}_2\left({e}_1^{S\ast },{e}_2^{S\ast}\right) \). For convenience, we introduce the following notation.
When the two firms outsource to different MSSPs, their expected payoffs then can be written as follows.
Similarly, when the two firms outsource to the same MSSP, their expected payoffs can be written as follows.
Because \( {P}_1^{S\ast }={P}_1^{D\ast }-\Delta 1 \) and \( {P}_2^{S\ast }={P}_2^{D\ast }-\Delta 2 \), we can write \( {U}_F^{1S\ast },{U}_F^{2S\ast } \) as follows.
Under positive externality, we know that both ∆1 and ∆2 are positive as more efforts are exerted to protect the security of the firms when they outsource to the same MSSP.
1.2.1 When the compensation ratio is less than 1
Firm 1 is better off outsourcing to the same MSSP if and only if
Moving −∆1(1 − α1) to the right-hand side, we then have the following inequality.
Because the compensation ratio is less than 1, we then know that 1 − α1 > 0, which implies that ∆1(1 − α1) > 0. Given that l is positive, the inequality is satisfied if
If \( -\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2 \) is positive, the inequality is satisfied if and only if
Notice that \( -\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2 \) can also be written as \( \Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2 \). To summarize, when the compensation ratios are less than 1, firm 1 is better off outsourcing to the same MSSP if and only if
or
Similarly, firm 2 is better off outsourcing to the same MSSP if and only if
or
1.2.2 When the compensation ratio is greater than 1
As in Section 1.2.1, firm 1 is better off outsourcing to the same MSSP if and only if
Because the compensation ratios are greater than 1, 1 − α1 < 0, which implies that ∆1(1 − α1) < 0. Therefore, the inequality can never be satisfied if
If \( \Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2<0 \), the inequality is satisfied if and only if
To summarize, when the compensation ratios are greater than 1 and the two firms outsource to the same MSSP, firm 1 is better off if and only if
When the two firms outsource to the same MSSP, firm 2 is better off if and only if
1.3 Proof of Proposition 3
Under negative externality, we know that both ∆1 and ∆2 are negative, as less effort is exerted to protect the security of the firms when they outsource to the same MSSP.
1.3.1 When the compensation ratio is less than 1
Firm 1 is better off outsourcing to the same MSSP if and only if
Moving −∆1(1 − α1) to the right-hand side, we then have the following inequality.
Because the compensation ratio is less than 1, we then know that 1 − α1 > 0, which implies that ∆1(1 − α1) < 0. Given that l is positive, the inequality cannot be satisfied if
If \( -\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2 \) is negative, the inequality is satisfied if and only if
Notice that \( -\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2 \) can also be written as \( \Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2 \). To summarize, when the compensation ratios are less than 1, firm 1 is better off outsourcing to the same MSSP if and only if
Similarly, firm 2 is better off outsourcing to the same MSSP if and only if
1.3.2 When the compensation ratio is greater than 1
As in Section 1.3.1, firm 1 is better off outsourcing to the same MSSP if and only if
Because the compensation ratios are greater than 1, 1 − α1 < 0, which implies that ∆1(1 − α1) > 0. Therefore, the inequality is always satisfied if
If \( \Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2>0 \), the inequality is satisfied if and only if
To summarize, when the compensation ratios are greater than 1 and the two firms outsource to the same MSSP, firm 1 is better off if and only if
or
When the two firms outsource to the same MSSP, firm 2 is better off if and only if
or
1.4 Proof of Proposition 4
Recall that Proposition 4 gives the optimal compensation rate and fixed payment when the firms outsource to different MSSPs. We first solve the maximization problem for outsourcing firm 1. Recall that the maximization problem that the first outsourcing firm solves is as follows.
The first equation is the IC constraint and the second inequality is the IR constraint. Denote by λ, μ the Lagrange multipliers of the IC and IR constraints, respectively. The Lagrangian is then as follows.
Differentiating the Lagrangian with respect to f1, we have the following derivative.
Differentiating the Lagrangian with respect to α1, we derive the following partial derivative.
From the first equation we obtain μ = 1. Substituting μ = 1 into the second equation yields λ = 0. Substituting λ = 0 and μ = 1, we then have the following Lagrangian.
Differentiating the Lagrangian with respect to e1, we derive the following partial derivative.
Combining the above equation with the IC constraint, we have the following equation.
This is equivalent to the following equation.
Dividing the equation by \( \frac{\partial {P}_1(E)}{\partial {e}_1} \), it becomes as follows.
Substituting α1 with \( {\alpha}_1^{\ast } \) in the IR constraint, we then derive the optimal f1 as follows.
The solution process is very similar for the second outsourcing firm, so we directly write down the solution. The new Lagrangian is as follows.
Differentiating the Lagrangian with respect to the security investment e2, we have the following derivative.
The optimal compensation rate is given as follows.
The optimal fixed payment follows.
1.5 Proof of Proposition 5
Recall that Proposition 5 presents the optimal compensation rates and service fees when the two firms outsource to the same MSSP.
Because the two firms decide to outsource to the same MSSP, they choose the two compensation rates and the fixed payment together to maximize their total benefit. Formally, they solve the following programming problem.
Denote by f the sum of f1 and f2. Compared to outsourcing to different MSSPs, outsourcing to the same MSSP makes the security investment account for the security externality between the two outsourcing firms. We now follow a similar procedure to derive the security investment expression.
Denote by λ, μ, σ the Lagrange multipliers of the two IC constraints and the IR constraint, respectively. The Lagrangian is then as follows.
Differentiating the Lagrangian with respect to the fixed payment f, we have the following derivative.
Differentiating the Lagrangian with respect to the compensation ratio for the first outsourcing firm, we derive the following derivative.
Similarly, we differentiate the Lagrangian with respect to the second outsourcing firm's compensation ratio.
From the first derivative, we solve for σ, which equals 1. Replacing σ with 1 in the other two equations, the two partial derivatives become as follows.
Substituting the first equation into the second, we then have the following equation.
Because
We then know that
This implies that λ = 0. Further, we solve for μ, which is also 0. Substituting λ, μ, σ with their solved values, we have the following Lagrangian.
We find the optimal e1 by differentiating the new Lagrangian with respect to e1.
Combining the above equation with the first IC constraint, we have the following derivative.
Similarly, we find the optimal investment on the second outsourcing firm by differentiating the new Lagrangian with respect to e2.
Combining the above derivative with the second IC constraint, we have the following equation. We then solve for the optimal compensation rates based on eqs. (66) and (67) as follows.
Substituting α1, α2 with the solved values, we then find the optimal fixed payment.
1.6 Proof of Proposition 6
We now prove that the two firms are always better off outsourcing to the same MSSP, compared to outsourcing to different MSSPs. To prove this, we use the expressions in eqs. (46), (52), and (64). Notice that the sum of the right-hand side expressions of eqs. (46) and (52) is always equal to the right-hand side expression of eq. (64). The interpretation is that the two firms' total profit has the same expression regardless of the two firms' outsourcing strategies. Suppose that the optimal investments are \( {e}_1^{D\ast },{e}_2^{D\ast } \) when the firms outsource to different MSSPs. That is, given the choice of \( {e}_2^{D\ast } \), \( {e}_1^{D\ast } \) maximizes the first outsourcing firm's profit, and given the choice of \( {e}_1^{D\ast } \), \( {e}_2^{D\ast } \) maximizes the second outsourcing firm's profit. It is easy to see that such individually optimal investments do not necessarily maximize the total profit of the two outsourcing firms. In contrast, the optimal security investments \( {e}_1^{S\ast },{e}_2^{S\ast } \) by definition maximize the total profit, which has exactly the same expression as when the firms outsource to different MSSPs. Therefore, the two firms are always weakly better off outsourcing to the same MSSP.
Based on the three expressions, we can see that the difference between the security investments in the two cases depends on whether the following expression is equal to 0.
We can ignore the second term in the above expression because both the security externality and the correlated loss should play a secondary role in the security investments. We know that the third term is always negative because increased security investments decrease the breach probability. As for the first term, it is positive if the security externality is negative and vice versa. When the security externality is positive, both the first and third terms are negative. When the correlated loss level increases, the third term becomes even more negative. Because the expression in (70) moves farther away from 0, the advantage of outsourcing to the same MSSP becomes greater. However, when the security externality is negative, the first term is positive and the third term is still negative. Because of the two different signs, the whole expression in (70) does not necessarily move farther away from 0 as the increased correlated loss level makes the third term more negative.
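The weak-dominance argument in the proof of Proposition 6, written out as an added note (not from the paper) in the paper's own notation; \( W \) is an assumed name for the two firms' total expected payoff:

\[
\begin{aligned}
W(e_1,e_2) &:= U_F^{1}(e_1,e_2)+U_F^{2}(e_1,e_2) \quad \text{(the same expression under both outsourcing strategies)}, \\
e_1^{D\ast} &\in \arg\max_{e_1} U_F^{1}\left(e_1,e_2^{D\ast}\right), \qquad
e_2^{D\ast} \in \arg\max_{e_2} U_F^{2}\left(e_1^{D\ast},e_2\right), \\
\left(e_1^{S\ast},e_2^{S\ast}\right) &\in \arg\max_{(e_1,e_2)} W(e_1,e_2), \\
\Rightarrow\quad W\left(e_1^{S\ast},e_2^{S\ast}\right) &\ge W\left(e_1^{D\ast},e_2^{D\ast}\right),
\end{aligned}
\]

with equality exactly when the pair of individually optimal investments \( \left(e_1^{D\ast},e_2^{D\ast}\right) \) happens to maximize \( W \) as well.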
1.7 Proof of Proposition 7
(a) When the compensation ratios are less than 1, proposition 2 (a) tells that the threshold for l is
Note that both the numerator and the denominator are positive. As ∆i increases, both the numerator and the denominator increase, so the threshold does not necessarily increase or decrease.
(b) When the compensation ratios are greater than 1, proposition 2 (b) tells that the threshold for l is the same, which is
Note that both the numerator and the denominator are negative. As ∆i increases, the numerator becomes more negative and the denominator becomes less negative. Therefore, the expression increases in ∆i. The interpretation is that a larger l is required for the firms to have higher payoffs when outsourcing to the same MSSP.
1.8 Proof of Proposition 8
(a) When the compensation ratios are less than 1, proposition 3 (a) tells that the threshold for l is
Note that both the numerator and the denominator are negative. As ∆i decreases (the negative externality becomes stronger), both the numerator and the denominator become more negative. Therefore, a larger l is not necessarily required for the firms to have higher payoffs when outsourcing to the same MSSP.
(b) When the compensation ratios are greater than 1, proposition 3 (b) tells that the threshold for l is the same, which is
Note that both the numerator and the denominator are positive. As ∆i decreases, the numerator becomes more positive and the denominator becomes less positive. Therefore, the expression increases in ∆i. The interpretation is that a lower l is not required for the firms to have higher payoffs when outsourcing to the same MSSP.
1.9 Proof of Proposition 9
Based on the utility expressions, firm i, i ∈ {1, 2} is better off outsourcing to the same MSSP if and only if
Differentiating the left expression with respect to \( {P}_j^{D\ast } \), we have the derivative
(a) Under positive externality both ∆1 and ∆2 are positive, which implies that the derivative is positive. Therefore, inequality (75) is less likely to be satisfied. The interpretation is that the firms are less likely to have higher payoffs when outsourcing to the same MSSP if they also invest in security themselves.
(b) Under negative externality both ∆1 and ∆2 are negative, which implies that the derivative is negative. Therefore, inequality (75) is more likely to be satisfied. The interpretation is that the firms are more likely to have higher payoffs when outsourcing to the same MSSP if they also invest in security themselves.
Zhang, C., Feng, N., Chen, J. et al. Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities. Inf Syst Front 23, 773–790 (2021). https://doi.org/10.1007/s10796-020-10009-4