
Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities

Published in Information Systems Frontiers

Abstract

Firms in a close business partnership could choose to either outsource to the same or different Managed Security Service Providers (MSSPs) when making outsourcing decisions. Apart from security investments, compensation ratios, and network externalities, the firms in a close business partnership face the new challenge of correlated loss when making the outsourcing decisions. We first show that if the two firms in the business partnership outsource to the same MSSP, the security investments on the two firms are greater under positive externalities and vice versa. More importantly, we further find out that under positive externality the two firms are better off outsourcing to the same MSSP if the correlated loss level is lower (greater) than a threshold when the compensation ratios are less (greater) than 1; under negative externality the two firms are better off outsourcing to the same MSSP if the correlated loss level is lower (greater) than a threshold when the compensation ratios are greater (less) than 1. Our analytical results offer important managerial implications to firms in a close business partnership when deciding on their outsourcing strategies.

Acknowledgements

The research was supported by the National Natural Science Foundations of China (Grant numbers: 71871155 and 71631003).

Author information

Correspondence to Nan Feng.

Appendices

1.1 Proof of Proposition 1

When the two firms outsource to different MSSPs, the two MSSPs’ profits are given as follows.

$$ \left\{\begin{array}{c}{U}_M^1(E)={f}_1-{C}_1\left({e}_1\right)-{P}_1(E){\alpha}_1d\\ {}{U}_M^2(E)={f}_2-{C}_2\left({e}_2\right)-{P}_2(E){\alpha}_2d\end{array}\right. $$
(1)

The equilibrium security investments are given by the following first-order conditions.

$$ \left\{\begin{array}{c}\frac{\partial {U}_M^1(E)}{\partial {e}_1}=-{\alpha}_1\frac{\partial {P}_1(E)}{\partial {e}_1}d-{C}_1^{\prime}\left({e}_1\right)=0\\ {}\frac{\partial {U}_M^2(E)}{\partial {e}_2}=-{\alpha}_2\frac{\partial {P}_2(E)}{\partial {e}_2}d-{C}_2^{\prime}\left({e}_2\right)=0\end{array}\right. $$
(2)

For ease of exposition, denote by \( \left({e}_1^{D\ast },{e}_2^{D\ast}\right) \) the equilibrium security investments yielded by the equations.

When the two firms outsource to the same MSSP, the MSSP’s expected payoff is

$$ {U}_M(E)={f}_1+{f}_2-{C}_1\left({e}_1\right)-{C}_2\left({e}_2\right)-{P}_1(E){\alpha}_1d-{P}_2(E){\alpha}_2d. $$
(3)

The security investments on the two firms are given by the first-order conditions.

$$ \left\{\begin{array}{c}\frac{\partial {U}_M(E)}{\partial {e}_1}=-{\alpha}_1\frac{\partial {P}_1(E)}{\partial {e}_1}d-{\alpha}_2\frac{\partial {P}_2(E)}{\partial {e}_1}d-{C}_1^{\prime}\left({e}_1\right)=0\\ {}\frac{\partial {U}_M(E)}{\partial {e}_2}=-{\alpha}_2\frac{\partial {P}_2(E)}{\partial {e}_2}d-{\alpha}_1\frac{\partial {P}_1(E)}{\partial {e}_2}d-{C}_2^{\prime}\left({e}_2\right)=0\end{array}\right. $$
(4)

Denote by \( \left({e}_1^{S\ast },{e}_2^{S\ast}\right) \) the equilibrium security investments yielded by the equations. Assume that \( \partial {P}_i(E)/\partial {e}_i \) is independent of \( {e}_j \), \( j\ne i \). Define the following functions.

$$ {G}_i\left({e}_i\right)=-{\alpha}_i\frac{\partial {P}_i(E)}{\partial {e}_i}d-{C}_i^{\prime}\left({e}_i\right) $$
(5)

The first-order conditions when the two firms outsource to different MSSPs can then be written as follows.

$$ \left\{\begin{array}{c}{G}_1\left({e}_1^{D\ast}\right)=0\\ {}{G}_2\left({e}_2^{D\ast}\right)=0\end{array}\right. $$
(6)

Similarly, the first-order conditions when the two firms outsource to the same MSSP can be written as follows.

$$ \left\{\begin{array}{c}{G}_1\left({e}_1^{S\ast}\right)-{\alpha}_2\frac{\partial {P}_2(E)}{\partial {e}_1}d=0\\ {}{G}_2\left({e}_2^{S\ast}\right)-{\alpha}_1\frac{\partial {P}_1(E)}{\partial {e}_2}d=0\end{array}\right. $$
(7)

Notice that

$$ \frac{\partial {G}_i\left({e}_i\right)}{\partial {e}_i}=-{\alpha}_i\frac{\partial^2{P}_i(E)}{\partial {e}_i^2}d-{C}_i^{\prime \prime}\left({e}_i\right)<0,i\in \left\{1,2\right\} $$
(8)

because both \( {P}_i(E) \) and \( {C}_i(E) \) are convex functions. Based on eq. (6) and (7), we can derive the following equations.

$$ \left\{\begin{array}{c}{G}_1\left({e}_1^{S\ast}\right)-{G}_1\left({e}_1^{D\ast}\right)={\alpha}_2\frac{\partial {P}_2(E)}{\partial {e}_1}d\\ {}{G}_2\left({e}_2^{S\ast}\right)-{G}_2\left({e}_2^{D\ast}\right)={\alpha}_1\frac{\partial {P}_1(E)}{\partial {e}_2}d\end{array}\right. $$
(9)

Under positive externality (\( \frac{\partial {P}_1(E)}{\partial {e}_2},\frac{\partial {P}_2(E)}{\partial {e}_1}<0 \)), we then know that

$$ \left\{\begin{array}{c}{G}_1\left({e}_1^{S\ast}\right)-{G}_1\left({e}_1^{D\ast}\right)={\alpha}_2\frac{\partial {P}_2(E)}{\partial {e}_1}d<0\\ {}{G}_2\left({e}_2^{S\ast}\right)-{G}_2\left({e}_2^{D\ast}\right)={\alpha}_1\frac{\partial {P}_1(E)}{\partial {e}_2}d<0\end{array}\right. $$
(10)

Because \( {G}_i\left(\cdot \right),i\in \left\{1,2\right\} \) are decreasing functions, we know that \( {e}_i^{S\ast }>{e}_i^{D\ast } \), which implies that the security investments are greater when the two firms outsource to the same MSSP.

Under negative externality (\( \frac{\partial {P}_1(E)}{\partial {e}_2},\frac{\partial {P}_2(E)}{\partial {e}_1}>0 \)), we then know that

$$ \left\{\begin{array}{c}{G}_1\left({e}_1^{S\ast}\right)-{G}_1\left({e}_1^{D\ast}\right)={\alpha}_2\frac{\partial {P}_2(E)}{\partial {e}_1}d>0\\ {}{G}_2\left({e}_2^{S\ast}\right)-{G}_2\left({e}_2^{D\ast}\right)={\alpha}_1\frac{\partial {P}_1(E)}{\partial {e}_2}d>0\end{array}\right. $$
(11)

Because \( {G}_i\left(\cdot \right),i\in \left\{1,2\right\} \) are decreasing functions, we know that \( {e}_i^{S\ast }<{e}_i^{D\ast } \), which implies that the security investments are less when the two firms outsource to the same MSSP.

1.2 Proof of Proposition 2

Denote by \( \Delta 1 \) the difference between the probabilities that firm 1 is attacked when the two firms outsource to different MSSPs and to the same MSSP (i.e., \( \Delta 1={P}_1\left({e}_1^{D\ast },{e}_2^{D\ast}\right)-{P}_1\left({e}_1^{S\ast },{e}_2^{S\ast}\right) \)). Similarly, \( \Delta 2 \) is defined as \( \Delta 2={P}_2\left({e}_1^{D\ast },{e}_2^{D\ast}\right)-{P}_2\left({e}_1^{S\ast },{e}_2^{S\ast}\right) \). For convenience, we introduce the following notation.

$$ \left\{\begin{array}{c}{P}_1^{X\ast }={P}_1\left({e}_1^{X\ast },{e}_2^{X\ast}\right)\\ {}{P}_2^{X\ast }={P}_2\left({e}_1^{X\ast },{e}_2^{X\ast}\right)\end{array},X\in \left\{D,S\right\}\right.. $$
(12)

When the two firms outsource to different MSSPs, their expected payoffs then can be written as follows.

$$ \left\{\begin{array}{c}{U}_F^{1D\ast }=V-{f}_1-\left({P}_1^{D\ast}\left(1-{\alpha}_1\right)+\left(1-{P}_1^{D\ast}\right){P}_2^{D\ast }l\right)d\\ {}{U}_F^{2D\ast }=V-{f}_2-\left({P}_2^{D\ast}\left(1-{\alpha}_2\right)+\left(1-{P}_2^{D\ast}\right){P}_1^{D\ast }l\right)d\end{array}\right. $$
(13)

Similarly, when the two firms outsource to the same MSSP, their expected payoffs can be written as follows.

$$ \left\{\begin{array}{c}{U}_F^{1S\ast }=V-{f}_1-\left({P}_1^{S\ast}\left(1-{\alpha}_1\right)+\left(1-{P}_1^{S\ast}\right){P}_2^{S\ast }l\right)d\\ {}{U}_F^{2S\ast }=V-{f}_2-\left({P}_2^{S\ast}\left(1-{\alpha}_2\right)+\left(1-{P}_2^{S\ast}\right){P}_1^{S\ast }l\right)d\end{array}\right. $$
(14)

Because \( {P}_1^{S\ast }={P}_1^{D\ast }-\Delta 1 \) and \( {P}_2^{S\ast }={P}_2^{D\ast }-\Delta 2 \), we can write \( {U}_F^{1S\ast },{U}_F^{2S\ast } \) as follows.

$$ \left\{\begin{array}{c}{U}_F^{1S\ast }={U}_F^{1D\ast }-\left(-\Delta 1\left(1-{\alpha}_1\right)+\left(-\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2\right)l\right)d\\ {}{U}_F^{2S\ast }={U}_F^{2D\ast }-\left(-\Delta 2\left(1-{\alpha}_2\right)+\left(-\Delta 1+\Delta 1{P}_2^{D\ast }+\Delta 2{P}_1^{D\ast }-\Delta 1\Delta 2\right)l\right)d\end{array}\right. $$
(15)

Under positive externality, we know that both \( \Delta 1 \) and \( \Delta 2 \) are positive, as more effort is exerted to protect the security of the firms when they outsource to the same MSSP.

1.2.1 When the compensation ratio is less than 1

Firm 1 is better off outsourcing to the same MSSP if and only if

$$ -\Delta 1\left(1-{\alpha}_1\right)+\left(-\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2\right)l<0. $$
(16)

Moving \( -\Delta 1\left(1-{\alpha}_1\right) \) to the right-hand side, we then have the following inequality.

$$ \left(-\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2\right)l<\Delta 1\left(1-{\alpha}_1\right) $$
(17)

Because the compensation ratio is less than 1, we know that \( 1-{\alpha}_1>0 \), which implies that \( \Delta 1\left(1-{\alpha}_1\right)>0 \). Given that \( l \) is positive, the inequality is satisfied if

$$ -\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2<0 $$
(18)

Even if \( -\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2 \) is positive, the inequality is satisfied if and only if

$$ l<\frac{\Delta 1\left(1-{\alpha}_1\right)}{-\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2} $$
(19)

Notice that \( -\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2 \) can also be written as \( \Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2 \). To summarize, when the two firms outsource to the same MSSP and the compensation ratios are less than 1, firm 1 is better off if and only if

$$ \Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2<0 $$
(20)

or

$$ \left\{\begin{array}{c}\Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2>0\\ {}l<\frac{\Delta 1\left(1-{\alpha}_1\right)}{\Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2}\end{array}\right. $$
(21)

Similarly, firm 2 is better off outsourcing to the same MSSP if and only if

$$ \left\{\begin{array}{c}\Delta 2{P}_1^{D\ast }-\Delta 1\left(1-{P}_2^{D\ast}\right)-\Delta 1\Delta 2>0\\ {}l<\frac{\Delta 2\left(1-{\alpha}_2\right)}{\Delta 2{P}_1^{D\ast }-\Delta 1\left(1-{P}_2^{D\ast}\right)-\Delta 1\Delta 2}\end{array}\right. $$
(22)

or

$$ \Delta 2{P}_1^{D\ast }-\Delta 1\left(1-{P}_2^{D\ast}\right)-\Delta 1\Delta 2<0 $$
(23)

1.2.2 When the compensation ratio is greater than 1

As in subsection 1.2.1, firm 1 is better off outsourcing to the same MSSP if and only if

$$ \left(\Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2\right)l<\Delta 1\left(1-{\alpha}_1\right). $$
(24)

Because the compensation ratios are greater than 1, \( 1-{\alpha}_1<0 \), which implies that \( \Delta 1\left(1-{\alpha}_1\right)<0 \). Therefore, the inequality can never be satisfied if

$$ \Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2>0. $$
(25)

If \( \Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2<0 \), the inequality is satisfied if and only if

$$ l>\frac{\Delta 1\left(1-{\alpha}_1\right)}{\Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2} $$
(26)

To summarize, when the compensation ratios are greater than 1 and the two firms outsource to the same MSSP, firm 1 is better off if and only if

$$ \left\{\begin{array}{c}\Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2<0\\ {}l>\frac{\Delta 1\left(1-{\alpha}_1\right)}{\Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2}\end{array}\right. $$
(27)

When the two firms outsource to the same MSSP, firm 2 is better off if and only if

$$ \left\{\begin{array}{c}\Delta 2{P}_1^{D\ast }-\Delta 1\left(1-{P}_2^{D\ast}\right)-\Delta 1\Delta 2<0\\ {}l>\frac{\Delta 2\left(1-{\alpha}_2\right)}{\Delta 2{P}_1^{D\ast }-\Delta 1\left(1-{P}_2^{D\ast}\right)-\Delta 1\Delta 2}\end{array}\right. $$
(28)
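A numerical check of Propositions 1 and 2, added here as an illustration and not part of the paper. The functional forms for \( P_i \) and \( C_i \), all parameter values, and the function names are assumptions chosen only to satisfy the appendix's conditions (convex \( P_i \) and \( C_i \), \( \partial P_i/\partial e_i \) independent of \( e_j \)); fees are held fixed across the two cases, as in eq. (15).

```python
import math

# Assumed model (not from the paper):
#   positive externality: P_i = A_i*exp(-e_i) + B_i*exp(-e_j)
#   negative externality: P_i = A_i*exp(-e_i) + B_i*(1 - exp(-e_j))
#   C_i(e) = C_COST * e^2 / 2
A = (0.6, 0.6)        # own-investment weight in each firm's breach probability
B = (0.2, 0.2)        # weight of the partner's investment (the externality)
ALPHA = (0.8, 0.8)    # compensation ratios, here below 1
D_LOSS = 10.0         # loss d
C_COST = 1.0          # cost curvature


def root_of_decreasing(g, lo=1e-9, hi=50.0, tol=1e-12):
    """Bisection for the unique root of a strictly decreasing function."""
    if not (g(lo) > 0 > g(hi)):
        raise ValueError("no sign change on the bracket")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if g(mid) > 0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def equilibrium(sign, same_mssp, alpha=ALPHA):
    """Solve the FOCs: eq. (2) for different MSSPs, eq. (4) for the same MSSP.

    sign = +1 for positive externality, -1 for negative externality.
    """
    efforts = []
    for i in (0, 1):
        j = 1 - i
        k = alpha[i] * A[i] * D_LOSS                 # -alpha_i dP_i/de_i d = k*exp(-e)
        if same_mssp:
            k += sign * alpha[j] * B[j] * D_LOSS     # extra term -alpha_j dP_j/de_i d
        efforts.append(
            root_of_decreasing(lambda e, k=k: k * math.exp(-e) - C_COST * e))
    return tuple(efforts)


def breach_probs(efforts, sign):
    """Breach probabilities (P_1, P_2) under the assumed model."""
    probs = []
    for i in (0, 1):
        spill = math.exp(-efforts[1 - i])
        if sign < 0:
            spill = 1.0 - spill
        probs.append(A[i] * math.exp(-efforts[i]) + B[i] * spill)
    return tuple(probs)


def same_mssp_better_for_firm1(d1, d2, p1d, p2d, alpha1, l):
    """Threshold form of eq. (17)/(24): X*l < Delta1*(1 - alpha1)."""
    x = d1 * p2d - d2 * (1.0 - p1d) - d1 * d2
    rhs = d1 * (1.0 - alpha1)
    if x > 0:
        return l < rhs / x          # eq. (21): correlated loss below the threshold
    if x < 0:
        return l > rhs / x          # eq. (20) when rhs > 0, eq. (27) when rhs < 0
    return rhs > 0


def direct_payoff_check(p_diff, p_same, alpha1, l):
    """Compare firm 1's expected loss terms from eq. (13) and (14) directly."""
    def loss(p1, p2):
        return p1 * (1.0 - alpha1) + (1.0 - p1) * p2 * l
    return loss(*p_same) < loss(*p_diff)


if __name__ == "__main__":
    e_d = equilibrium(+1, same_mssp=False)
    for sign, name in ((+1, "positive"), (-1, "negative")):
        e_s = equilibrium(sign, same_mssp=True)
        print(f"{name} externality: e_D={e_d[0]:.4f}  e_S={e_s[0]:.4f}")
    p_d = breach_probs(e_d, +1)
    p_s = breach_probs(equilibrium(+1, True), +1)
    d1, d2 = p_d[0] - p_s[0], p_d[1] - p_s[1]
    for l in (0.1, 0.5, 0.9):
        print(l, same_mssp_better_for_firm1(d1, d2, p_d[0], p_d[1], ALPHA[0], l),
              direct_payoff_check(p_d, p_s, ALPHA[0], l))
```

In this symmetric parameterization the bracketed term of eq. (20) is negative, so firm 1 prefers the same MSSP at every correlated loss level; the threshold branch of eq. (21) is reached only when that term is positive, for example with strongly asymmetric \( \Delta 1 \) and \( \Delta 2 \).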

1.3 Proof of Proposition 3

Under negative externality, we know that both \( \Delta 1 \) and \( \Delta 2 \) are negative, as less effort is exerted to protect the security of the firms when they outsource to the same MSSP.

1.3.1 When the compensation ratio is less than 1

Firm 1 is better off outsourcing to the same MSSP if and only if

$$ -\Delta 1\left(1-{\alpha}_1\right)+\left(-\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2\right)l<0 $$
(29)

Moving \( -\Delta 1\left(1-{\alpha}_1\right) \) to the right-hand side, we then have the following inequality.

$$ \left(-\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2\right)l<\Delta 1\left(1-{\alpha}_1\right) $$
(30)

Because the compensation ratio is less than 1, we know that \( 1-{\alpha}_1>0 \), which implies that \( \Delta 1\left(1-{\alpha}_1\right)<0 \). Given that \( l \) is positive, the inequality cannot be satisfied if

$$ -\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2>0. $$
(31)

If \( -\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2 \) is negative, the inequality is satisfied if and only if

$$ l>\frac{\Delta 1\left(1-{\alpha}_1\right)}{-\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2} $$
(32)

Notice that \( -\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2 \) can also be written as \( \Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2 \). To summarize, when the two firms outsource to the same MSSP and the compensation ratios are less than 1, firm 1 is better off if and only if

$$ \left\{\begin{array}{c}\Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2<0\\ {}l>\frac{\Delta 1\left(1-{\alpha}_1\right)}{\Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2}\end{array}\right. $$
(33)

Similarly, firm 2 is better off outsourcing to the same MSSP if and only if

$$ \left\{\begin{array}{c}\Delta 2{P}_1^{D\ast }-\Delta 1\left(1-{P}_2^{D\ast}\right)-\Delta 1\Delta 2<0\\ {}l>\frac{\Delta 2\left(1-{\alpha}_2\right)}{\Delta 2{P}_1^{D\ast }-\Delta 1\left(1-{P}_2^{D\ast}\right)-\Delta 1\Delta 2}\end{array}\right. $$
(34)

1.3.2 When the compensation ratio is greater than 1

As in subsection 1.3.1, firm 1 is better off outsourcing to the same MSSP if and only if

$$ -\Delta 1\left(1-{\alpha}_1\right)+\left(-\Delta 2+\Delta 2{P}_1^{D\ast }+\Delta 1{P}_2^{D\ast }-\Delta 1\Delta 2\right)l<0 $$
(35)

Because the compensation ratios are greater than 1, \( 1-{\alpha}_1<0 \), which implies that \( \Delta 1\left(1-{\alpha}_1\right)>0 \). Therefore, the inequality is always satisfied if

$$ \Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2<0. $$
(36)

If \( \Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2>0 \), the inequality is satisfied if and only if

$$ l<\frac{\Delta 1\left(1-{\alpha}_1\right)}{\Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2} $$
(37)

To summarize, when the compensation ratios are greater than 1 and the two firms outsource to the same MSSP, firm 1 is better off if and only if

$$ \Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2<0 $$
(38)

or

$$ \left\{\begin{array}{c}\Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2>0\\ {}l<\frac{\Delta 1\left(1-{\alpha}_1\right)}{\Delta 1{P}_2^{D\ast }-\Delta 2\left(1-{P}_1^{D\ast}\right)-\Delta 1\Delta 2}\end{array}\right. $$
(39)

When the two firms outsource to the same MSSP, firm 2 is better off if and only if

$$ \Delta 2{P}_1^{D\ast }-\Delta 1\left(1-{P}_2^{D\ast}\right)-\Delta 1\Delta 2<0 $$
(40)

or

$$ \left\{\begin{array}{c}\Delta 2{P}_1^{D\ast }-\Delta 1\left(1-{P}_2^{D\ast}\right)-\Delta 1\Delta 2>0\\ {}l<\frac{\Delta 2\left(1-{\alpha}_2\right)}{\Delta 2{P}_1^{D\ast }-\Delta 1\left(1-{P}_2^{D\ast}\right)-\Delta 1\Delta 2}\end{array}\right. $$
(41)

1.4 Proof of Proposition 4

Recall that Proposition 4 gives the optimal compensation rate and fixed payment when the firms outsource to different MSSPs. We first solve the maximization problem for outsourcing firm 1, which is as follows.

$$ \max_{\alpha_1,{f}_1}V-{f}_1-\left({P}_1(E)\left(1-{\alpha}_1\right)+\left(1-{P}_1(E)\right){P}_2(E)l\right)d $$
$$ {\displaystyle \begin{array}{ll}s.t.& -{\alpha}_1\frac{\partial {P}_1(E)}{\partial {e}_1}d-{C}_1^{\prime}\left({e}_1\right)=0\\ {}& {f}_1-{C}_1\left({e}_1\right)-{P}_1(E){\alpha}_1d\ge 0\end{array}} $$
(42)

The first equation is the IC constraint and the second inequality is the IR constraint. Denote by λ and μ the Lagrange multipliers of the IC and IR constraints, respectively. The Lagrangian that we construct is then as follows.

$$ L=V-{f}_1-\left({P}_1(E)\left(1-{\alpha}_1\right)+\left(1-{P}_1(E)\right){P}_2(E)l\right)d+\lambda \left(-{\alpha}_1\frac{\partial {P}_1(E)}{\partial {e}_1}d-{C}_1^{\prime}\left({e}_1\right)\right)+\mu \left({f}_1-{C}_1\left({e}_1\right)-{P}_1(E){\alpha}_1d-u\right) $$
(43)

Differentiating the Lagrangian with respect to \( {f}_1 \), we have the following derivative.

$$ \frac{\partial L}{\partial {f}_1}=-1+\mu =0 $$
(44)

Differentiating the Lagrangian with respect to \( {\alpha}_1 \), we derive the following partial derivative.

$$ \frac{\partial L}{\partial {\alpha}_1}={P}_1(E)d-\lambda \frac{\partial {P}_1(E)}{\partial {e}_1}d-\mu {P}_1(E)d=0 $$
(45)

From the first equation, we can solve for μ, which is 1. Substituting μ = 1 into the second equation, we solve for λ, which is 0. Substituting the values λ = 0 and μ = 1, we then have the following Lagrangian.

$$ L=V-\left({P}_1(E)+\left(1-{P}_1(E)\right){P}_2(E)l\right)d-{C}_1\left({e}_1\right)-u $$
(46)

Differentiating the Lagrangian with respect to \( {e}_1 \), we derive the following partial derivative.

$$ \frac{\partial L}{\partial {e}_1}=-\left(\frac{\partial {P}_1(E)}{\partial {e}_1}-\frac{\partial {P}_1(E)}{\partial {e}_1}{P}_2(E)l+\frac{\partial {P}_2(E)}{\partial {e}_1}\left(1-{P}_1(E)\right)l\right)d-{C}_1^{\prime}\left({e}_1\right)=0 $$
(47)

Combining the above equation with the IC constraint, we have the following equation,

$$ -{\alpha}_1\frac{\partial {P}_1(E)}{\partial {e}_1}d+\left(\frac{\partial {P}_1(E)}{\partial {e}_1}-\frac{\partial {P}_1(E)}{\partial {e}_1}{P}_2(E)l+\frac{\partial {P}_2(E)}{\partial {e}_1}\left(1-{P}_1(E)\right)l\right)d=0 $$
(48)

which is equivalent to the following equation.

$$ {\alpha}_1\frac{\partial {P}_1(E)}{\partial {e}_1}=\frac{\partial {P}_1(E)}{\partial {e}_1}-\frac{\partial {P}_1(E)}{\partial {e}_1}{P}_2(E)l+\frac{\partial {P}_2(E)}{\partial {e}_1}\left(1-{P}_1(E)\right)l $$
(49)

Dividing the equation by \( \frac{\partial {P}_1(E)}{\partial {e}_1} \), we obtain the following.

$$ {\alpha}_1^{\ast }=1-{P}_2(E)l+\frac{\partial {P}_2(E)}{\partial {e}_1}/\frac{\partial {P}_1(E)}{\partial {e}_1}\left(1-{P}_1(E)\right)l $$
(50)

Substituting \( {\alpha}_1^{\ast } \) for \( {\alpha}_1 \) in the IR constraint, we can then derive the optimal \( {f}_1 \) as follows.

$$ {f}_1^{\ast }={C}_1\left({e}_1\right)+{P}_1(E)d\left(1-{P}_2(E)l+\frac{\partial {P}_2(E)}{\partial {e}_1}/\frac{\partial {P}_1(E)}{\partial {e}_1}\left(1-{P}_1(E)\right)l\right) $$
(51)

The solution process is very similar for the second outsourcing firm and we directly write down the solution. The new Lagrangian is written as follows.

$$ L=V-\left({P}_2(E)+\left(1-{P}_2(E)\right){P}_1(E)l\right)d-{C}_2\left({e}_2\right)-u $$
(52)

Differentiating the Lagrangian with respect to the security investment \( {e}_2 \), we have the following derivative.

$$ \frac{\partial L}{\partial {e}_2}=-\left(\frac{\partial {P}_2(E)}{\partial {e}_2}-\frac{\partial {P}_2(E)}{\partial {e}_2}{P}_1(E)l+\frac{\partial {P}_1(E)}{\partial {e}_2}\left(1-{P}_2(E)\right)l\right)d-{C}_2^{\prime}\left({e}_2\right)=0 $$
(53)

The optimal compensation rate is given as follows.

$$ {\alpha}_2^{\ast }=1-{P}_1(E)l+\frac{\partial {P}_1(E)}{\partial {e}_2}/\frac{\partial {P}_2(E)}{\partial {e}_2}\left(1-{P}_2(E)\right)l $$
(54)

The optimal fixed payment is as follows.

$$ {f}_2^{\ast }=u+{C}_2\left({e}_2\right)+{P}_2(E)d\left(1-{P}_1(E)l+\frac{\partial {P}_1(E)}{\partial {e}_2}/\frac{\partial {P}_2(E)}{\partial {e}_2}\left(1-{P}_2(E)\right)l\right) $$
(55)

1.5 Proof of Proposition 5

Recall that Proposition 5 presents the optimal compensation rates and service fees when the two firms outsource to the same MSSP.

Because the two firms decide to outsource to the same MSSP, they set the two compensation rates and fixed payments together to maximize their total benefit. Formally, they solve the following programming problem.

$$ \max_{\alpha_1,{f}_1,{\alpha}_2,{f}_2}2V-{f}_1-{f}_2-\left({P}_1(E)\left(1-{\alpha}_1\right)+{P}_2(E)\left(1-{\alpha}_2\right)+\left(1-{P}_1(E)\right){P}_2(E)l+\left(1-{P}_2(E)\right){P}_1(E)l\right)d $$
$$ {\displaystyle \begin{array}{ll}s.t.& -{\alpha}_1\frac{\partial {P}_1(E)}{\partial {e}_1}d-{\alpha}_2\frac{\partial {P}_2(E)}{\partial {e}_1}d-{C}_1^{\prime}\left({e}_1\right)=0\\ {}& -{\alpha}_1\frac{\partial {P}_1(E)}{\partial {e}_2}d-{\alpha}_2\frac{\partial {P}_2(E)}{\partial {e}_2}d-{C}_2^{\prime}\left({e}_2\right)=0\\ {}& {f}_1+{f}_2-{C}_1\left({e}_1\right)-{C}_2\left({e}_2\right)-{P}_1(E){\alpha}_1d-{P}_2(E){\alpha}_2d\ge 0\end{array}} $$
(56)

Denote by \( f \) the sum of \( {f}_1 \) and \( {f}_2 \). Compared to outsourcing to different MSSPs, outsourcing to the same MSSP makes the security investment account for the security externality between the two outsourcing firms. We now follow a similar procedure to derive the security investment expression.

Denote by λ and μ the Lagrange multipliers of the two IC constraints and by σ the Lagrange multiplier of the IR constraint. The Lagrangian that we construct is then as follows.

$$ {\displaystyle \begin{array}{ll}L=& 2V-f-\left({P}_1(E)\left(1-{\alpha}_1\right)+{P}_2(E)\left(1-{\alpha}_2\right)+\left(1-{P}_1(E)\right){P}_2(E)l+\left(1-{P}_2(E)\right){P}_1(E)l\right)d\\ {}& +\lambda \left(-{\alpha}_1\frac{\partial {P}_1(E)}{\partial {e}_1}d-{\alpha}_2\frac{\partial {P}_2(E)}{\partial {e}_1}d-{C}_1^{\prime}\left({e}_1\right)\right)+\mu \left(-{\alpha}_1\frac{\partial {P}_1(E)}{\partial {e}_2}d-{\alpha}_2\frac{\partial {P}_2(E)}{\partial {e}_2}d-{C}_2^{\prime}\left({e}_2\right)\right)\\ {}& +\sigma \left(f-{C}_1\left({e}_1\right)-{C}_2\left({e}_2\right)-{P}_1(E){\alpha}_1d-{P}_2(E){\alpha}_2d\right)\end{array}} $$

Differentiating the Lagrangian with respect to the fixed payment \( f \), we have the following derivative.

$$ \frac{\partial L}{\partial f}=-1+\sigma =0 $$
(57)

Differentiating the Lagrangian with respect to the compensation ratio for the first outsourcing firm, we derive the following derivative.

$$ \frac{\partial L}{\partial {\alpha}_1}={P}_1(E)d-\lambda \frac{\partial {P}_1(E)}{\partial {e}_1}d-\mu \frac{\partial {P}_1(E)}{\partial {e}_2}d-\sigma {P}_1(E)d=0 $$
(58)

Similarly, we differentiate the Lagrangian with respect to the compensation ratio for the second outsourcing firm.

$$ \frac{\partial L}{\partial {\alpha}_2}={P}_2(E)d-\lambda \frac{\partial {P}_2(E)}{\partial {e}_1}d-\mu \frac{\partial {P}_2(E)}{\partial {e}_2}d-\sigma {P}_2(E)d=0 $$
(59)

From the first derivative, we can solve for σ, which is 1. Replacing σ with 1 in the two equations, the two partial derivatives then become as follows.

$$ \left\{\begin{array}{c}\lambda \frac{\partial {P}_1(E)}{\partial {e}_1}+\mu \frac{\partial {P}_1(E)}{\partial {e}_2}=0\\ {}\lambda \frac{\partial {P}_2(E)}{\partial {e}_1}+\mu \frac{\partial {P}_2(E)}{\partial {e}_2}=0\end{array}\right. $$
(60)

Substituting the first equation into the second equation, we then have the following equation.

$$ \lambda \left(\frac{\partial {P}_2(E)}{\partial {e}_1}/\frac{\partial {P}_2(E)}{\partial {e}_2}-\frac{\partial {P}_1(E)}{\partial {e}_1}/\frac{\partial {P}_1(E)}{\partial {e}_2}\right)=0 $$
(61)

Because

$$ \left\{\begin{array}{c}\mid \frac{\partial {P}_j(E)}{\partial {e}_i}/\frac{\partial {P}_j(E)}{\partial {e}_j}\mid <1\\ {}\mid \frac{\partial {P}_j(E)}{\partial {e}_j}/\frac{\partial {P}_j(E)}{\partial {e}_i}\mid >1\end{array}\right. $$
(62)

we then know that

$$ \frac{\partial {P}_2(E)}{\partial {e}_1}/\frac{\partial {P}_2(E)}{\partial {e}_2}-\frac{\partial {P}_1(E)}{\partial {e}_1}/\frac{\partial {P}_1(E)}{\partial {e}_2}\ne 0 $$
(63)

which implies that λ = 0. Further, we solve for μ, which is also 0. Substituting the solved values of λ, μ, and σ, we have the following Lagrangian.

$$ L=2V-\left({P}_1(E)+\left(1-{P}_1(E)\right){P}_2(E)l+{P}_2(E)+\left(1-{P}_2(E)\right){P}_1(E)l\right)d-{C}_1\left({e}_1\right)-{C}_2\left({e}_2\right)-u $$
(64)

We find the optimal \( {e}_1 \) by differentiating the new Lagrangian with respect to \( {e}_1 \).

$$ \frac{\partial L}{\partial {e}_1}=-\left(\frac{\partial {P}_1(E)}{\partial {e}_1}-\frac{\partial {P}_1(E)}{\partial {e}_1}{P}_2(E)l+\frac{\partial {P}_2(E)}{\partial {e}_1}\left(1-{P}_1(E)\right)l+\frac{\partial {P}_2(E)}{\partial {e}_1}-\frac{\partial {P}_2(E)}{\partial {e}_1}{P}_1(E)l+\frac{\partial {P}_1(E)}{\partial {e}_1}\left(1-{P}_2(E)\right)l\right)d-{C}_1^{\prime}\left({e}_1\right)=0 $$
(65)

Combining the above equation with the first IC constraint, we have the following equation.

$$ \frac{\partial {P}_1(E)}{\partial {e}_1}-\frac{\partial {P}_1(E)}{\partial {e}_1}{P}_2(E)l+\frac{\partial {P}_2(E)}{\partial {e}_1}\left(1-{P}_1(E)\right)l+\frac{\partial {P}_2(E)}{\partial {e}_1}-\frac{\partial {P}_2(E)}{\partial {e}_1}{P}_1(E)l+\frac{\partial {P}_1(E)}{\partial {e}_1}\left(1-{P}_2(E)\right)l-\left({\alpha}_1\frac{\partial {P}_1(E)}{\partial {e}_1}+{\alpha}_2\frac{\partial {P}_2(E)}{\partial {e}_1}\right)=0 $$
(66)

Similarly, we find the optimal investment on the second outsourcing firm by differentiating the new Lagrangian with respect to \( {e}_2 \).

$$ \frac{\partial L}{\partial {e}_2}=-\left(\frac{\partial {P}_2(E)}{\partial {e}_2}-\frac{\partial {P}_2(E)}{\partial {e}_2}{P}_1(E)l+\frac{\partial {P}_1(E)}{\partial {e}_2}\left(1-{P}_2(E)\right)l+\frac{\partial {P}_1(E)}{\partial {e}_2}-\frac{\partial {P}_1(E)}{\partial {e}_2}{P}_2(E)l+\frac{\partial {P}_2(E)}{\partial {e}_2}\left(1-{P}_1(E)\right)l\right)d-{C}_2^{\prime}\left({e}_2\right)=0 $$
(67)

Combining the above derivative with the second IC constraint gives the corresponding equation for the second firm. We then solve for the optimal compensation rates based on eq. (66) and (67) as follows.

$$ \left\{\begin{array}{c}{\alpha}_1^{\ast }=1+l\left(1-2{P}_1(E)\right)\\ {}{\alpha}_2^{\ast }=1+l\left(1-2{P}_2(E)\right)\end{array}\right. $$
(68)

Substituting the solved values of α1 and α2, we then find the optimal fixed payment.

$$ {f}^{\ast }={C}_1\left({e}_1\right)+{C}_2\left({e}_2\right)+{P}_1(E)\left(1+l\left(1-2{P}_1(E)\right)\right)d+{P}_2(E)\left(1+l\left(1-2{P}_2(E)\right)\right)d $$
(69)

1.6 Proof of Proposition 6

We now prove that the two firms are always better off outsourcing to the same MSSP than outsourcing to different MSSPs. To prove this, we use the expressions in eq. (46), (52), and (64). Notice that the sum of the right-hand sides of eq. (46) and (52) is always equal to the right-hand side of eq. (64). The interpretation is that the two firms’ total profit has the same expression, which is independent of the two firms’ outsourcing strategies. Suppose that the optimal investments are \( {e}_1^{D\ast },{e}_2^{D\ast } \) when the firms outsource to different MSSPs. This means that, given the choice of \( {e}_2^{D\ast } \), \( {e}_1^{D\ast } \) maximizes the first outsourcing firm’s profit. Similarly, given the choice of \( {e}_1^{D\ast } \), \( {e}_2^{D\ast } \) maximizes the first outsourcing firm’s profit. It is easy to see that such optimal investments do not necessarily maximize the total profit of the two outsourcing firms. In contrast, the optimal security investments \( {e}_1^{S\ast },{e}_2^{S\ast } \) by definition maximize the total profit, which has exactly the same expression as when the firms outsource to different MSSPs. Therefore, the two firms are always weakly better off outsourcing to the same MSSP.

Based on the three expressions, we can see that the difference between the security investments in the two cases depends on whether the following expression is equal to 0.

$$ \frac{\partial {P}_2(E)}{\partial {e}_1}-\frac{\partial {P}_2(E)}{\partial {e}_1}{P}_1(E)l+\frac{\partial {P}_1(E)}{\partial {e}_1}\left(1-{P}_2(E)\right)l $$
(70)

We can ignore the second term in the above expression because both the security externality and the correlated loss should play a secondary role in the security investments. We know that the third term is always negative because increased security investment decreases the breach probability. As for the first term, it is positive if the security externality is negative and vice versa. When the security externality is positive, both the first term and the third term are negative. When the correlated loss level increases, the third term becomes even more negative. Because the expression in (70) moves farther away from 0, the advantage of outsourcing to the same MSSP becomes greater. However, when the security externality is negative, the first term is positive and the third term is still negative. Because of the two different signs, the whole expression in (70) does not necessarily move farther away from 0 as the increased correlated loss level makes the third term more negative.
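A numerical illustration of the argument in the proof of Proposition 6, added here and not part of the article: it compares the investments chosen when each firm's MSSP best-responds to the other (different MSSPs) with the investments that minimise the total cost in eq. (64) (same MSSP), and evaluates expression (70). The exponential breach probability, the linear investment cost, the parameter values and the per-firm split of eq. (64) are assumptions made for this example only.

```python
import math

P0, D, X = 0.5, 10.0, 0.3   # assumed: baseline breach prob., loss d, externality strength
GRID = [i * 0.01 for i in range(301)]   # candidate investments e in [0, 3]

def breach(e_own, e_other):
    """Assumed breach probability P_i(E); X > 0 models a positive externality."""
    return P0 * math.exp(-(e_own + X * e_other))

def firm_cost(e_own, e_other, l):
    """Assumed per-firm split of eq. (64): direct loss, correlated loss, linear cost."""
    p_own, p_other = breach(e_own, e_other), breach(e_other, e_own)
    return (p_own + (1 - p_own) * p_other * l) * D + e_own

def total_cost(e1, e2, l):
    """The loss and cost terms of eq. (64), i.e. 2V - u minus the Lagrangian L."""
    return firm_cost(e1, e2, l) + firm_cost(e2, e1, l)

def different_mssps(l):
    """Each MSSP best-responds to the other: iterate to a Nash point on GRID."""
    e1 = e2 = 0.0
    for _ in range(100):
        n1 = min(GRID, key=lambda e: firm_cost(e, e2, l))
        n2 = min(GRID, key=lambda e: firm_cost(e, n1, l))
        if (n1, n2) == (e1, e2):
            break
        e1, e2 = n1, n2
    return e1, e2

def same_mssp(l):
    """One MSSP picks (e1, e2) jointly to minimise the total cost."""
    return min(((a, b) for a in GRID for b in GRID), key=lambda p: total_cost(*p, l))

def expr70(e1, e2, l):
    """Expression (70) for the assumed P_i: dP1/de1 = -P1, dP2/de1 = -X * P2."""
    p1, p2 = breach(e1, e2), breach(e2, e1)
    return -X * p2 + X * p2 * p1 * l - p1 * (1 - p2) * l

def gain_from_same_mssp(l):
    """Total profit gained by moving from different MSSPs to the same MSSP."""
    return total_cost(*different_mssps(l), l) - total_cost(*same_mssp(l), l)

if __name__ == "__main__":
    for l in (0.0, 0.5):
        print(l, different_mssps(l), same_mssp(l), round(gain_from_same_mssp(l), 3))
```

Under these assumptions the gain is never negative, because the joint search covers every grid point the best-response iteration can return.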

1.7 Proof of Proposition 7

(a) When the compensation ratios are less than 1, Proposition 2 (a) states that the threshold for l is

$$ \frac{\Delta i\left(1-{\alpha}_i\right)}{\Delta i{P}_j^{D\ast }-\Delta j\left(1-{P}_i^{D\ast}\right)-\Delta i\Delta j},i\in \left\{1,2\right\},j\ne i $$
(71)

Note that both the numerator and the denominator are positive. As ∆i increases, both the numerator and the denominator increase, which implies that the threshold does not necessarily increase or decrease.

(b) When the compensation ratios are greater than 1, Proposition 2 (b) states that the threshold for l is the same, which is

$$ \frac{\Delta i\left(1-{\alpha}_i\right)}{\Delta i{P}_j^{D\ast }-\Delta j\left(1-{P}_i^{D\ast}\right)-\Delta i\Delta j},i\in \left\{1,2\right\},j\ne i $$
(72)

Note that both the numerator and the denominator are negative. As ∆i increases, the numerator becomes more negative and the denominator becomes less negative as it increases. Therefore, the expression increases in ∆i. The interpretation is that a larger l is required for firms to have higher payoffs when outsourcing to the same MSSP.

1.8 Proof of Proposition 8

(a) When the compensation ratios are less than 1, Proposition 3 (a) states that the threshold for l is

$$ \frac{\Delta i\left(1-{\alpha}_i\right)}{\Delta i{P}_j^{D\ast }-\Delta j\left(1-{P}_i^{D\ast}\right)-\Delta i\Delta j},i\in \left\{1,2\right\},j\ne i $$
(73)

Note that both the numerator and the denominator are negative. As ∆i decreases (the negative externality becomes stronger), the numerator becomes more negative and the denominator also becomes more negative. Therefore, a larger l is not necessarily required for firms to have higher payoffs when outsourcing to the same MSSP.

(b) When the compensation ratios are greater than 1, Proposition 3 (b) states that the threshold for l is the same, which is

$$ \frac{\Delta i\left(1-{\alpha}_i\right)}{\Delta i{P}_j^{D\ast }-\Delta j\left(1-{P}_i^{D\ast}\right)-\Delta i\Delta j},i\in \left\{1,2\right\},j\ne i $$
(74)

Note that both the numerator and the denominator are positive. As ∆i decreases, the numerator becomes more positive and the denominator becomes less positive. Therefore, the expression increases in ∆i. The interpretation is that a lower l is not required for firms to have higher payoffs when outsourcing to the same MSSP.

1.9 Proof of Proposition 9

Based on the utility expressions, firm i, i ∈ {1, 2} is better off outsourcing to the same MSSP if and only if

$$ -\Delta i\left(1-{\alpha}_i\right)+\left(-\Delta j+\Delta j{P}_i^{D\ast }+\Delta i{P}_j^{D\ast }-\Delta i\Delta j\right)l<0,j\ne i $$
(75)

Differentiating the left expression with respect to \( {P}_j^{D\ast } \), we have the derivative

$$ l\Delta j $$
(76)

(a) Under positive externality both ∆1 and ∆2 are positive, which implies that the derivative is positive. Therefore, inequality (75) is less likely to be satisfied. The interpretation is that the firms are less likely to have higher payoffs when outsourcing to the same MSSP if they also invest in security themselves.

(b) Under negative externality both ∆1 and ∆2 are negative, which implies that the derivative is negative. Therefore, inequality (75) is more likely to be satisfied. The interpretation is that the firms are more likely to have higher payoffs when outsourcing to the same MSSP if they also invest in security themselves.

Cite this article

Zhang, C., Feng, N., Chen, J. et al. Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities. Inf Syst Front 23, 773–790 (2021). https://doi.org/10.1007/s10796-020-10009-4


  • DOI: https://doi.org/10.1007/s10796-020-10009-4
