Managing Information Security Outsourcing In A Dynamic Cooperation Environment

JOURNAL OF THE ASSOCIATION FOR INFORMATION SYSTEMS(2021)

Abstract
To manage information security efficiently, firms typically outsource part of their security functions to a managed security service provider (MSSP) under a variety of contractual arrangements. Based on this practice, we study a business setting in which the outcome of security outsourcing depends on the security efforts of both the MSSP and its clients, taking into account that their allocation of effort can change over the contract horizon. Because each party's effort is unobservable to the other, a double moral hazard (DMH) problem can arise under the bilateral refund contracts that are widely adopted in the MSSP industry. Moreover, both a high probability of undirected attacks and system interdependency can exacerbate the DMH problem. We propose two new types of contracts to solve this problem. The first is a monitoring contract, in which a cyberinsurance firm monitors the security efforts of the MSSP and its clients. The second is a liability contract, in which both parties take full liability for breaches: clients who are well protected are rewarded, and clients who end up being breached by hackers are penalized. Our findings show that monitoring contracts solve the DMH problem only when variable monitoring costs are negligible. Liability contracts can also solve the DMH problem and are worth implementing when an MSSP faces (1) a high probability of undirected attack, (2) high system interdependency, (3) a long contract horizon, or (4) nearly equal responsibility between the two parties over the contract horizon. We also compare the proposed contracts in two additional settings: when the MSSP has a spillover effect and when the MSSP serves three or more clients.
Keywords
Information Security Outsourcing, Double Moral Hazard, Cyber-Insurance, Liability Contract