Information Security Decision-making Of Firms: The Case With Knowledge Sharing And The Case With Information Asymmetry

Posted on: 2022-11-09
Degree: Master
Type: Thesis
Country: China
Candidate: M Y Xu
GTID: 2518306779961719
Subject: Enterprise Economy
Abstract/Summary:
Nowadays, firms achieve value creation with the help of advanced information and communication technologies. While information technology benefits business activities in numerous ways, it also presents unprecedented challenges. Facing security risks, firms usually choose either to defend themselves or to outsource information security to managed security service providers. We investigate how knowledge sharing affects information security strategy and explore the impact of information asymmetry on the design of outsourcing contracts.

Firstly, this paper examines the interaction between the firm and a strategic hacker by formulating a contract theory model and proposes reasonable incentive mechanisms for coordinating the security risks caused by risk interdependency. Firms share information knowledge to promote their business operations. However, connecting business knowledge-sharing interfaces between firms has increased the attack surface. This paper comprehensively considers the impact of risk interdependency and strategic attacks on firms' security strategies. We show that the two kinds of security effort, security investment and security knowledge sharing, act as strategic substitutes when the business-sharing degree is low and as strategic complements otherwise. Moreover, as a specific characteristic of the security domain, risk interdependency first enhances and then suppresses both firms' security investments and the hacker's attack effort, which causes a free-riding problem between the two firms. Then, we compare the information security level under individual and joint decision-making. Two coordination mechanisms, investment-based and liability-based, are proposed to help firms coordinate their strategies. For an investment-based mechanism, the system should specify the appropriate portion of the reward. For a liability-based mechanism, the proportion of liability should exceed the indirect loss to other firms to overcome the negative security risk. Finally, we extend the main model to three cases to make our model more general. This paper evaluates the risk to firm information security from the perspective of knowledge sharing.

Secondly, we model managed security services as a collaborative service in which protection quality is shaped by the contributions of both the service provider and the firm. Outsourcing practice shows that the relationship between firms and managed security service providers (MSSPs) will likely move toward a more integrated partnership instead of just an outsourcing vendor-client relationship. Efforts are often private, and thus both firms and MSSPs can suffer from double moral hazard in contract enforcement. The MSSP holds private cost information, which is difficult for the firm to evaluate in advance and may lead to service inefficiency. The paper focuses on analyzing the unverifiable effort and the adverse effects of the MSSP's private cost information and proposes an incentive contract to screen private cost information. The paper finds that the bilateral refund contract in information security outsourcing will cause double moral hazard issues. We also characterize the effect of double moral hazard, which is called the effort verifiable value, and provide a reference for the firm to carry out information-gathering activities to verify the MSSP's security effort and to solve double moral hazard issues. When the MSSP has private cost information, the refund rate of the low-cost MSSP remains the same as that under symmetric information, but the refund rate of the high-cost MSSP is affected by the distribution and cost ratio of the two types of service provider. The paper shows that under private cost information, whatever the type of the service provider, the firm will suffer some loss due to lack of information. The firm has an incentive to collect information from managed security service providers to reduce information asymmetry and thus reduce losses. The numerical analysis demonstrates that the double moral hazard worsens when both parties take on nearly equal responsibilities. Furthermore, the cost information of the service provider is relatively uncertain when the market distribution of the two types of service providers is close, and the firm should carry out information search activities to expose the cost information.
Keywords/Search Tags:security decision, knowledge sharing, incentive mechanisms, cost information asymmetry