Outsourcing information security: : contracting issues and security implications
- Autores: Asunur Cezar, Huseyin Cavusoglu, Srinivasan Raghunathan
- Localización: Management science: journal of the Institute for operations research and the management sciences, ISSN 0025-1909, Vol. 60, Nº. 3, 2014, págs. 638-657
- Idioma: inglés
- Texto completo no disponible (Saber más ...)
-
Resumen
A unique challenge in information security outsourcing is that neither the outsourcing firm nor the managed security service provider (MSSP) perfectly observes the outcome, the occurrence of a security breach, of prevention effort. Detection of security breaches often requires specialized effort. The current practice is to outsource both prevention and detection to the same MSSP. Some security experts have advocated outsourcing prevention and detection to different MSSPs. We show that the former outsourcing contract leads to a significant disincentive to provide detection effort. The latter contract alleviates this problem but introduces misalignment of incentives between the firm and the MSSPs and eliminates the advantages offered by complementarity between prevention and detection functions, which may lead to a worse outcome than the current contract. We propose a new contract that is superior to these two on various dimensions.
