| The rapid development of information technology has not only greatly facilitated and enriched people’s lives and promoted the development of the national economy and comprehensive strength, but also brought greater security risks for enterprises. To meet the challenges of these security risks, firms often choose to outsource their information security to professional managed security service providers (MSSPs), which aim to improve the quality of information security through professional and efficient information security management. However, when firms outsource information security to MSSPs, they often face the risk of information leakage due to the migration of business, so firms usually outsource the security of only part of their business to MSSPs to reduce information leakage loss. When partial outsourcing occurs, the increase in the number of management entities brings about security externality. At the same time, the government or industry associations set mandatory security standards for the core business to improve the information security level of the industry. In summary, this paper considers security externality and the mandatory security standard constraint under partial outsourcing to conduct the following research, and the results can provide management insights for firms’ security practice. First, Chapter 3 of this paper considers symmetric security externalities between the firm and the MSSP and investigates four strategy choices available to the firm in managing information security: (1) all business is managed in-house (IN Strategy), (2) all business is outsourced to the MSSP (OA Strategy), (3) the core business is outsourced to the MSSP and non-core business is managed in-house (OC Strategy), and (4) the core business is managed in-house and non-core business is outsourced to the MSSP (ONC Strategy). Then, this paper considers the impact of security externality on the firm’s partial outsourcing strategies and optimal strategy choice when the firm faces the information leakage risk and security externality. We find that security externality has different impacts on the firm’s and the MSSP’s security investments under the OC and ONC strategies, so it is necessary for both the firm and the MSSP to evaluate the magnitude of security externality and make optimal security investments accordingly. In addition, we find that the firm will choose a partial outsourcing strategy (OC or ONC) only under a high security externality, and the OC Strategy is always the worst strategy when the cost advantage of the MSSP is very obvious. Besides, we consider the mandatory security standard set by the government or industry associations for the core business, and we find that the optimal decisions of the firm and the MSSP are different when facing different levels of mandatory security standards. Second, the externality between the firm and the MSSP often acts asymmetrically due to the different nature of their operations. Therefore, Chapter 4 of this paper considers asymmetric security externalities between the firm and the MSSP and different cost coefficients in managing core and non-core business, and adds some new management insights. We find that when the firm’s externality to the MSSP is negative (positive), the firm’s security effort always increases (decreases) as the MSSP’s externality to the firm increases. Meanwhile, in the asymmetric externality scenario, four security strategies can still be adopted and the optimal strategy choice will vary with the corresponding risk increases. In addition, we find that different levels of mandatory security standards have different effects on the optimal decisions of the firm and the MSSP. When a firm adopts the OC Strategy, the firm needs to set a compensation ratio to get the minimum expected cost under a loose mandatory security standard. However, the firm can reach the optimal decision without setting up the compensation mechanism under stricter mandatory security standards. |