Outsourcing Information Security: Contracting Issues and Security Implications
研究了信息安全外包中预防与检测职能由同一服务商或不同服务商承担的合同问题,发现现有合同削弱检测激励,而分离合同虽缓解此问题但可能更糟,并提出更优的新合同。
A unique challenge in information security outsourcing is that neither the outsourcing firm nor the managed security service provider (MSSP) perfectly observes the outcome, the occurrence of a security breach, of prevention effort. Detection of security breaches often requires specialized effort. The current practice is to outsource both prevention and detection to the same MSSP. Some security experts have advocated outsourcing prevention and detection to different MSSPs. We show that the former outsourcing contract leads to a significant disincentive to provide detection effort. The latter contract alleviates this problem but introduces misalignment of incentives between the firm and the MSSPs and eliminates the advantages offered by complementarity between prevention and detection functions, which may lead to a worse outcome than the current contract. We propose a new contract that is superior to these two on various dimensions. This paper was accepted by Lorin Hitt, information systems.