Decisions making in information security outsourcing: Impact of complementary and substitutable firms

https://doi.org/10.1016/j.cie.2017.05.018

Highlights

  • We model the impact of an MSSP’s characteristics on its decisions.

  • More cost-effective MSSP invests more in security.

  • The degree of complementation (substitution) lowers (improves) an MSSP’s investment.

  • An MSSP has a maximum number of clients when serving substitutable firms.

Abstract

This paper constructs a contract-theory model to investigate how an MSSP’s (Managed Security Service Provider) operating characteristics of cost efficiency, multiple clients, security externality and firms’ information nature affect the MSSP’s strategic decisions, including the contract structure and the optimum investment level for firms. The analysis shows that firms’ information nature, either complementary or substitutable, plays a crucial role in influencing an MSSP’s decisions. First, the MSSP tends to provide a contract with a lower refund and exert a lower security investment level when the degree of complementation is higher, while it tends to provide a contract with a higher refund and exert a higher security investment level when the degree of substitution is higher. Second, the security externality affects the decisions of an MSSP serving complementary firms very differently from those of an MSSP serving substitutable firms. Third, the MSSP’s optimum refund (service fee) to complementary firms is greater than the firms’ expected loss (expected cost), while the MSSP’s optimum refund (service fee) to substitutable firms is smaller than the firms’ expected loss (expected cost). Fourth, serving a smaller number of substitutable firms is more economical for an MSSP, whereas when serving complementary firms, the more clients the better. In addition, the optimum contract structures between an MSSP and complementary (and substitutable) firms are discussed in this paper. These findings give insights that can guide an MSSP in determining an optimum contract structure and investment level for firms. Future research directions are discussed based on the limitations and possible extensions of this study.

Introduction

Information security faces many challenges nowadays, such as the rising cost of security breaches; the increasing scale, scope, and sophistication of security attacks; the complexity of information technology (IT) environments; and compliance and regulatory obligations (Cezar, Cavusoglu, & Raghunathan, 2014). These challenges have motivated firms to outsource their information security functions to a Managed Security Service Provider (MSSP). Typical outsourced security services range from perimeter protection, including managed services for firewalls, IDSs (Intrusion Detection Systems) and VPNs (Virtual Private Networks), to security event monitoring and incident management (e.g., emergency response and forensic analysis). The MSSP industry is relatively new but growing quickly. According to a CSI (Computer Security Institute) survey, 36 percent of respondents outsourced their security functions to MSSPs in 2010 (Richardson, 2011), and the managed security service market in North America is expected to reach $3.9 billion in 2016 (Schwartz, 2010).

In practice, an MSSP is often more cost-efficient in managing security than firms that manage it in-house, because of better technology, more experienced staff, and higher operational efficiency (Zhao, Xue, & Whinston, 2013). To capitalize on this cost efficiency, an MSSP usually serves multiple firms, as is prevalent in the information security outsourcing industry. Because of these multiple clients, the MSSP industry exhibits significant security externalities of investment, where an MSSP’s investment in one firm affects other firms’ security. For instance, investment in one firm may lead to broader improvements in security technologies and implementation that benefit other firms in the same group (Anderson & Moore, 2006); this is referred to as a positive security externality. On the other hand, investment in one firm to reduce its security risk potentially diverts strategic hackers to other firms and thus increases those firms’ risks; in this case the MSSP’s investment generates a negative security externality (Cremonini & Nizovtsev, 2009).

The information security relationship between firms involves not only the security externality but also the nature of the firms’ information. Nowadays, firms achieve product innovation or value creation through the network economy. As a result, many firms’ information is complementary or substitutable with each other to varying degrees. In the information security context, when firms’ information is complementary, the combined information from several firms is very valuable, while that of a single firm may be of little value to hackers. For example, a commercial airplane manufacturer outsources the design of a major component of a new airplane to a vendor firm. A hacker interested in obtaining business intelligence about the entire design of the new airplane would have to obtain design information from both the airplane company and the vendor firm (Liu, Ji, & Mookerjee, 2011). Firms’ information is substitutable when the information held by each firm is equivalent from the hackers’ point of view, so that hackers can benefit by breaching any one of them. It is well known that Walmart and Procter & Gamble (P&G) share retail sales information on P&G products at Walmart stores (Grean & Shaw, 2002). If a hacker is interested in obtaining such sales information, then successfully penetrating either Walmart’s or P&G's systems would achieve this goal (Liu et al., 2011). In summary, the operations of an MSSP are related to four characteristics: cost efficiency, multiple clients, (positive or negative) security externality, and firms’ information nature (complementary or substitutable), as explained above.

An MSSP should design an appropriate contract structure to ensure that firms receive a higher, or at least the same, expected payoff compared with managing security in-house, while the MSSP simultaneously makes a reasonable profit. In practice, bilateral refund contracts are widely adopted in the form of service level agreements (SLAs), which specify a fixed payment from a firm to an MSSP and a refund paid by the MSSP to the firm in the event of a security breach at the firm (Cezar et al., 2014, Lee et al., 2013). For example, IBM Internet Security Systems, one of the largest MSSPs, pays a $5000 refund each time a client firm suffers a breach. Once firms accept the contract structure offered by an MSSP, the MSSP must decide an appropriate security investment level for the firms, which has become one of the critical decisions faced by the CSO (Chief Security Officer) (Berinato, 2002). Although firms normally understand the contract structure well, they are not able to effectively evaluate or monitor the MSSP’s investment level, and thus suffer from a moral hazard problem (Cezar et al., 2014). Consequently, MSSPs may invest inefficiently. When deciding the security investment level, the MSSP faces two risks: the risk of loss from a security breach (security risk) and the risk of over-spending on security (investment risk). An MSSP’s security risk is high when the refund level is high, and its investment risk is high when the investment level is high. In summary, an MSSP has two important strategic decisions: the contract structure and the optimum investment for firms.

Thus, the following research questions are important to an MSSP’s decision maker. First, is it necessary to distinguish firms’ information nature, and if so, how does the degree of complementation (or substitution) between firms affect the MSSP’s decisions? Second, how does cost efficiency affect the MSSP’s optimum investment level? Third, for complementary firms and for substitutable firms, what are the optimum contract structure and security investment that the MSSP should exert? Fourth, does the security externality affect the decisions of an MSSP serving complementary firms differently from those of an MSSP serving substitutable firms? Fifth, when serving clients with different information natures, how does the number of the MSSP’s clients change? To answer these research questions, this paper constructs a contract-theory model to investigate how an MSSP’s operating characteristics of cost efficiency, multiple clients, security externality and firms’ information nature affect the MSSP’s strategic decisions, including the contract structure and the optimum investment level for firms.

The rest of the paper is organized as follows. The next section reviews the related literature. In Section 3, the preliminaries of a model for an MSSP serving complementary or substitutable firms are introduced. The effects of all operating characteristics on an MSSP’s decisions are analysed in the two subsequent sections: Section 4 studies the contract between an MSSP and complementary firms in detail, while the case of substitutable firms is discussed briefly in Section 5. The basic model is extended to the case of three or more firms in Section 6. Managerial and policy implications of implementing the proposed models are concluded, and potential future work is discussed, in Section 7.

Section snippets

Literature review

Since the present paper discusses information security outsourcing contracts, it is related to the vast literature on IT outsourcing. Rather than attempting to identify the differences between the present paper and the voluminous IT outsourcing/contracting literature, the discussion here is confined to those references related to information security outsourcing contracts. In one of the earlier papers on information security outsourcing, Ding, Yurcik, and Yin (2005) examine the characteristics

Model preliminaries

In this section, the assumptions of the basic model are introduced. To begin with, the key notations in the following discussion are collected in Table 1 for convenience.

The model consists of one MSSP and n homogeneous firms, where n ≥ 2. The main body of this paper discusses the case of n = 2. Results for the case of n > 2 are qualitatively similar to those under n = 2, and will be discussed in Section 6.

In the problem, the MSSP offers contracted security services to two complementary (or

The MSSP’s optimum security investment and contract structure

Consider an MSSP that serves two similar firms with complementary information assets. "Similar" means that the two firms have the same breach probability function, the same cost function, and the same loss if breached. Before examining the MSSP’s decisions, a firm’s in-house expected payoff is analysed first. Here, both firms participate in a game in which the information security investment is the decision variable, and both firms are assumed to make their investment decisions simultaneously.

Firm $i$'s expected payoff is $\pi_i$

Modeling contract with substitutable firms

In this section, the case in which the MSSP serves two similar firms with substitutable information assets is discussed. The main focus of this section is on the differences between the complementary case and the substitutable case. As in the analysis of the complementary case, the firms’ in-house expected payoff is examined first. Firm $i$'s expected payoff is $\pi_i^H = -\big(p(s_i) + \theta p(s_j) - \theta p(s_i)p(s_j)\big)L - C(s_i)$. The optimum security investment of in-house firm $i$ satisfies (here the symmetric solution is focused on, i.e., s
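As an added illustration that is not part of the paper, the script below evaluates the in-house payoff of a firm with substitutable information given above, computes each firm's best response, and solves for the symmetric in-house investment $s^*$ as the degree of substitution $\theta$ varies. The breach probability $p(s) = 1/(1+s)$, the cost $C(s) = c\,s$ and the values $L = 10$, $c = 0.5$ are constructed assumptions, not the paper's specification.

```python
import math

# Constructed assumptions for illustration (not the paper's specification):
L = 10.0      # loss when the substitutable information is compromised
COST = 0.5    # constant marginal cost of security investment

def p(s):
    """Assumed breach probability of a firm investing s: decreasing in s."""
    return 1.0 / (1.0 + s)

def cost(s):
    """Assumed investment cost C(s) = COST * s."""
    return COST * s

def payoff(s_i, s_j, theta):
    """Firm i's in-house payoff from the snippet, theta = degree of substitution:
    pi_i^H = -(p(s_i) + theta p(s_j) - theta p(s_i) p(s_j)) L - C(s_i)."""
    breach = p(s_i) + theta * p(s_j) - theta * p(s_i) * p(s_j)
    return -breach * L - cost(s_i)

def best_response(s_j, theta, s_max=50.0):
    """Maximise payoff(., s_j, theta) on [0, s_max] by golden-section search
    (the objective is concave in s_i for the assumed forms)."""
    inv_phi = (math.sqrt(5.0) - 1.0) / 2.0
    lo, hi = 0.0, s_max
    while hi - lo > 1e-7:
        a = hi - inv_phi * (hi - lo)
        b = lo + inv_phi * (hi - lo)
        if payoff(a, s_j, theta) < payoff(b, s_j, theta):
            lo = a          # maximum lies to the right of a
        else:
            hi = b          # maximum lies to the left of b
    return (lo + hi) / 2.0

def symmetric_equilibrium(theta):
    """Symmetric in-house Nash investment s* for a given theta. Iterating from
    the stand-alone optimum (theta = 0) selects the interior equilibrium, not
    the 'nobody invests' corner that also exists when theta = 1."""
    s = best_response(0.0, 0.0)   # with theta = 0 the optimum ignores s_j
    for _ in range(1000):
        s_new = best_response(s, theta)
        if abs(s_new - s) < 1e-6:
            return s_new
        s = s_new
    return s

if __name__ == "__main__":
    for theta in (0.0, 0.25, 0.5, 0.75, 1.0):
        print(f"theta={theta:.2f}  s*={symmetric_equilibrium(theta):.3f}")
```

Under these assumptions the equilibrium investment falls as $\theta$ rises, because the factor $(1 - \theta p(s_j))$ shrinks the marginal value of a firm's own protection once its partner's breach already exposes the shared information.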

Extension to three or more firms

In this section, the model is extended from two firms to any finite number, n, of firms, where n is an integer with n > 2. It is straightforward to show that the above results apply to any number of firms, so the focus here is on the fifth question raised in the introduction: when serving clients with different information natures, how does the number of the MSSP’s clients change? For simplicity, assume that all n symmetric firms are fully complementary (or substitutable) to each other, i.e., the degree

Conclusions

This paper investigates the importance of an MSSP’s operating characteristics on its information security decisions, including the optimum contract structure and investment level for firms. Cost efficiency, multiple clients, security externality, and firms’ information nature (complementary or substitutable) are four important operating characteristics of an MSSP in this study.

Some insights for information security management gained through the analyses are as follows. (1) More

Acknowledgements

The authors are extremely grateful to the anonymous referees for their valuable and helpful comments and suggestions. This work was supported by the National Natural Science Foundation of China (Project Nos.: 71390333, 71572145).

References (27)

  • A. Cezar et al. Outsourcing information security: Contracting issues and security implications. Management Science (2014)

  • M. Cremonini et al. Risks and benefits of signaling information system characteristics to strategic attackers. Journal of Management Information Systems (2009)

  • W. Ding et al. Outsourcing Internet security: Economic analysis of incentives for managed security service providers. Internet and Network Economics (2005)
Cited by (20)

  • Contracting managed security service: Double moral hazard and risk interdependency (2021, Electronic Commerce Research and Applications)

    Citation excerpt: Cezar et al. (2014) divided the security functions into prevention and detection and proposed a new form of contract combining reward and penalty, which can eliminate the conflict between these two functions and gain the complementary advantages of outsourcing both the tasks to the same MSSP. Wu et al. (2017) showed that a firm’s information characteristic, either complementary or substitutable, influences an MSSP’s decision of contract structure and optimal investment. Feng et al. (2020) examined the impact of data leakage and suggested that partial outsourcing can be a feasible strategy.

  • Information security decisions of firms considering security risk interdependency (2021, Expert Systems with Applications)

    Citation excerpt: However, prior studies have considered absolute complementation or absolute substitution; the degree of complementation or substitution between firms was ignored. To the best of our knowledge, Wu et al. (2017) is the only paper that considers the degree of complementation or substitution. In their pioneering study, they focus on the contract issue and discuss the impact of complementation or substitution on the optimal security decisions of the MSSP in information security outsourcing.

  • To outsource or not: The impact of information leakage risk on information security strategy (2020, Information and Management)

    Citation excerpt: Positive externality allows an MSSP to prevent recognized attacks using information obtained from other firms. However, there is also a negative externality when hackers target firms with lower security capabilities [20]. Furthermore, in a study of the scenario when competitors outsource to a single MSSP, Cezar et al. [21,22] suggest that competitive externality may lead to customer switching and that quality advantage is not a prerequisite for a firm to outsource security.

  • Designing a model for learning self-organized innovation network: Using embedded case studies (2018, Computers and Industrial Engineering)

    Citation excerpt: Learning ability is also dependent on the accumulated knowledge and skills of the members of a network and the network as a whole. Wu, Fung, Feng, and Wang (2017) also indicate that the degree of complementation between firms improves network performance, especially in the financial aspects of their relations. Moller and Rajala (2007) have defined innovation networks as ‘relatively loose science and technology-based research networks involving universities, research institutions, and research organizations of major corporations…guided by the ethos of scientific discovery’.
