Abstract

To manage information security efficiently, firms typically outsource the security of part of their business (core and non-core) to a managed security service provider (MSSP). A firm can adopt one of four security strategies: all business is managed in-house (IN Strategy), all business is outsourced to the MSSP (OA Strategy), the core business is outsourced and the non-core is managed in-house (OC Strategy), or the core is managed in-house and the non-core is outsourced (ONC Strategy). We consider the impact of security externality on the firm’s partial outsourcing strategies and find that if the firm wants a higher security quality for the core business, it is better to manage the core business by itself in an environment where the security externality is negative and the security loss ratio between core and non-core business is low. In addition, the security externality has different effects on both parties’ security decisions under the OC and ONC strategies. Moreover, we show that the firm will adopt the partial outsourcing strategy only under a very high security externality when the security loss ratio is high, and that the OC strategy is always the worst strategy when the MSSP’s cost coefficient is low. Finally, we extend the main model to an asymmetric case to make our model more general.
