Contracting Information Security in the Presence of Double Moral Hazard

Contracting Information Security in the Presence of Double Moral Hazard

0.00 Avg rating0 Votes
Article ID: iaor20134629
Volume: 24
Issue: 2
Start Page Number: 295
End Page Number: 311
Publication Date: Jun 2013
Journal: Information Systems Research
Authors: , ,
Keywords: computers: information, security, management
Abstract:

In information security outsourcing, it is the norm that the outsourcing firms and the outsourcers (commonly called managed security service providers, MSSPs) need to coordinate their efforts for better security. Nevertheless, efforts are often private and thus both firms and MSSPs can suffer from double moral hazard. Furthermore, the double moral hazard problem in security outsourcing is complicated by the existence of strong externality and the multiclient nature of MSSP services. In this prescriptive research, we first show that the prevailing contract structure in security outsourcing, bilateral refund contract, cannot solve double moral hazard. Adding breach‐contingent sunk cost or external payment cannot solve double moral hazard either. Furthermore, positive externality can worsen double moral hazard. We then propose a new contract structure termed multilateral contract and show that it can solve double moral hazard and induce first‐best efforts from all contractual parties when an MSSP serves two or more client firms, regardless of the externality. Firm‐side externality significantly affects how payments flow under a multilateral contract when a security breach happens. When the number of client firms for an MSSP increases, we show that the contingent payments under multilateral contracts for any security breach scenario can be easily calculated using an additive method, and thus are computationally simple to implement.

Reviews

Required fields are marked *. Your email address will not be published.