About: Managed security service is a research topic. Over the lifetime, 51 publications have been published within this topic receiving 594 citations. The topic is also known as: MSS.
TL;DR: In this paper, a method is provided for delivering customized network services to subscribers of a managed security service provider, where a request is received, at a service management system (SMS) of the service provider, to establish an Internet Protocol (IP) connection between a first and second location of a first subscriber of the MSP.
Abstract: Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers are provided. According to one embodiment, a method is provided for delivering customized network services to subscribers of the service provider. A request is received, at a service management system (SMS) of the service provider, to establish an Internet Protocol (IP) connection between a first and second location of a first subscriber of the managed security service provider. Responsive to the request, the SMS causes a tunnel to be established between a first and second service processing switch of the service provider which are coupled in communication via a public network and associated with the first location and the second location, respectively.
TL;DR: This prescriptive research proposes a new contract structure termed multilateral contract and shows that it can solve double moral hazard and induce first-best efforts from all contractual parties when an MSSP serves two or more client firms, regardless of the externality.
Abstract: In information security outsourcing, it is the norm that the outsourcing firms and the outsourcers (commonly called managed security service providers, MSSPs) need to coordinate their efforts for better security. Nevertheless, efforts are often private and thus both firms and MSSPs can suffer from double moral hazard. Furthermore, the double moral hazard problem in security outsourcing is complicated by the existence of strong externality and the multiclient nature of MSSP services. In this prescriptive research, we first show that the prevailing contract structure in security outsourcing, bilateral refund contract, cannot solve double moral hazard. Adding breach-contingent sunk cost or external payment cannot solve double moral hazard either. Furthermore, positive externality can worsen double moral hazard. We then propose a new contract structure termed multilateral contract and show that it can solve double moral hazard and induce first-best efforts from all contractual parties when an MSSP serves two ...
TL;DR: It is found that the need for an initial investment in MSSP networks (which is necessary to overcome the stalling effect) only affects the optimal network size for a consortium but has no impact for a profit-maximizing monopolist.
Abstract: Managed security service provider (MSSP) networks are a form of collaboration where several firms share resources such as diagnostics, prevention tools, and policies to provide security for their computer networks. While the decision to outsource the security operations of an organization may seem counterintuitive, there are potential benefits from joining an MSSP network that include pooling of risk and access to more security-enabling resources and expertise. We examine structural results explaining the reasons firms join an MSSP network, and characterize the growth of MSSP network size under different forms of ownership (monopoly versus consortium). We find that the need for an initial investment in MSSP networks (which is necessary to overcome the stalling effect) only affects the optimal network size for a consortium but has no impact on the optimal network size for a profit-maximizing monopolist. Our results provide an explanation why the majority of the MSSPs are for-profit entities and consortium-based MSSPs are less common. Such a market structure can be attributed to the potential for larger size by the for-profit MSSP owner combined with beneficial pricing structure and a lack of growth uncertainty for the early clients.
TL;DR: This paper shows that outsourcing prevention and detection to the same MSSP creates a significant disincentive to provide detection effort, while outsourcing them to different MSSPs misaligns incentives and eliminates the advantages offered by complementarity between prevention and detection functions, and it proposes a new contract that is superior to these two on various dimensions.
Abstract: A unique challenge in information security outsourcing is that neither the outsourcing firm nor the managed security service provider (MSSP) perfectly observes the outcome, the occurrence of a security breach, of prevention effort. Detection of security breaches often requires specialized effort. The current practice is to outsource both prevention and detection to the same MSSP. Some security experts have advocated outsourcing prevention and detection to different MSSPs. We show that the former outsourcing contract leads to a significant disincentive to provide detection effort. The latter contract alleviates this problem but introduces misalignment of incentives between the firm and the MSSPs and eliminates the advantages offered by complementarity between prevention and detection functions, which may lead to a worse outcome than the current contract. We propose a new contract that is superior to these two on various dimensions.
This paper was accepted by Lorin Hitt, information systems.
TL;DR: It is shown that if serving a large group of customers helps the provider to improve service quality significantly (which is observed in the internet security outsourcing market), an optimal contract should always be performance-based even if a strong reputation effect exists.
Abstract: Firms hesitate to outsource their network security to outside security providers (called Managed Security Service Providers or MSSPs) because an MSSP may shirk secretly to increase profits. In economics this secret shirking behavior is commonly referred to as the Moral Hazard problem. There is a counterargument that this moral hazard problem is not as significant for the Internet security outsourcing market because MSSPs work hard to build and maintain their reputations, which are crucial to surviving competition. Both arguments make sense and should be considered to write a successful contract. This paper studies the characteristics of optimal contracts (payment to MSSPs) for the security outsourcing market by setting up an economic framework that combines both effects. It is shown that an optimal contract should be performance-based. The degree of performance dependence decreases if the reputation effect becomes more significant. We also show that if serving a large group of customers helps the provider to improve service quality significantly (which is observed in the internet security outsourcing market), an optimal contract should always be performance-based even if a strong reputation effect exists.