
Essays on information security and risk management

Posted on: 2010-11-08
Degree: Ph.D
Type: Dissertation
University: The University of Texas at Dallas
Candidate: Cezar, Asunur
Full Text: PDF
GTID: 1448390002982333
Subject: Business Administration
Abstract/Summary:
In this dissertation, we study three problems within the context of information security and risk management. The first essay focuses on risk management in an adversarial classification setting. The remaining two essays address issues related to managing information security through outsourcing.

In the first essay, we consider a firm that faces strategic agents who actively fake their data to obtain favorable outcomes for themselves. We analyze the impact of faking by strategic agents on the firm and on the agents; specifically, we focus on the impact of the faking cost on the firm and the agents. Our results indicate that the firm is not always hurt when agents fake; a reduction in the faking cost may improve the firm's payoff. From the agents' perspective, agents do not always benefit when they can fake. Sometimes, agents are better off when they cannot fake than when they can, and a reduction in the faking cost may actually hurt them. Our findings suggest that taking the faking cost into account when selecting attributes in adversarial classification contexts can lead to better classification.

The second essay studies the impact of competitive externalities associated with IT security breaches on firms' decisions to outsource security. We show that when security breaches impose competitive externalities, a quality advantage of an MSSP over in-house is neither a prerequisite nor a guarantee for a firm to outsource security. The type and degree of externality imposed on firms by security breaches, the breach characteristics, and the nature of the security function outsourced, in addition to quality, determine firms' outsourcing decisions.

Security experts advise against outsourcing protection and detection services to the same MSSP, since the MSSP may not reveal security breaches. The third essay analyzes how outsourcing both services to a single MSSP and outsourcing each service to a different MSSP affect a firm's overall security and contract characteristics. We show that, with an appropriate reward structure, hiding behavior can be eliminated in single-MSSP outsourcing. However, when contract terms are constrained by limits, less-than-first-best efforts can still be a problem in single-MSSP outsourcing. We show that this problem can be mitigated by using two MSSPs.
Keywords/Search Tags:Security, Single MSSP, Essay, Risk, Outsourcing, Faking cost