Abstract

• Propose a relational contract to ease double moral hazard in security outsourcing.
• The contract can eliminate double moral hazard with a large discount factor.
• Interdependency risk can strengthen the effect of the proposed contract.
• Relevance to the real world is improved by setting a threshold for the verifiable part.

The problem of double moral hazard seriously affects the efficiency of information security outsourcing. The interdependency risk of information security between managed security service providers (MSSPs) and client firms further complicates the double moral hazard problem. In the loss-based contract, both positive and negative risk interdependencies make outsourcing more inefficient in most instances. To solve the problem, a relational contract is proposed. We find that this relational contract leads to greater social welfare as the discount factor increases, and that the double moral hazard problem can be solved in the range where the discount factor is high. Furthermore, both positive and negative risk interdependencies can help the relational contract eliminate double moral hazard over a larger range of the discount factor. Finally, as some of the MSSP's efforts are considered to be verifiable, we find that by specifying thresholds in a relational contract, the benefits of an MSSP's default can be limited, thereby ensuring that the relational contract achieves socially optimal outcomes in more general cases.
