Bilateral Liability-Based Contracts in Information Security Outsourcing

References

• Abrams R (2014) Target puts data breach costs at $148 million, and forecasts profit drop. New York Times (August 5), http://www.nytimes.com/2014/08/06/business/target-puts-data-breach-costs-at-148-million.html.Google Scholar
• Aksin OZ, de Véricourt F, Karaesmen F (2008) Call center outsourcing contract analysis and choice. Management Sci. 54(2):354–368.Link, Google Scholar
• Ashford W (2012) Best practice in outsourcing security. Comput. Weekly (July 16), http://www.computerweekly.com/feature/Best-practice-in-outsourcing-security.Google Scholar
• August T, Niculescu MF, Shin H (2014) Cloud implications on software network structure and security risks. Inform. Systems Res. 25(3):489–510.Link, Google Scholar
• Bahirwani K (2015) Should security providers be held liable for data breaches? Daily News Anal. (April 6), http://www.dnaindia.com/scitech/report-should-security-providers-be-held-liable-for-data-breaches-2075017.Google Scholar
• Beaver K (2011) Do Web application firewalls complicate enterprise security strategy? TechTarget (February 9), http://searchnetworking.techtarget.com/tip/Do-Web-application-firewalls-complicate-enterprise-security-strategy.Google Scholar
• Bhattacharyya S, Lafontaine F (1995) Double-sided moral hazard and the nature of share contracts. RAND J. Econom. 26(4):761–781.Crossref, Google Scholar
• Bhattacharya S, Gupta A, Hasija S (2014) Joint product improvement by client and customer support center: The role of gain-share contracts in coordination. Inform. Systems Res. 25(1):137–151.Link, Google Scholar
• Cavusoglu H, Raghunathan S, Cavusoglu H (2009) Configuration of and interaction between information security technologies: The case of firewalls and intrusion detection systems. Inform. Systems Res. 20(2):198–217.Link, Google Scholar
• Cezar A, Cavusoglu H, Raghunathan S (2014) Outsourcing information security: Contracting issues and security implications. Management Sci. 60(3):638–657.Link, Google Scholar
• Chandler J (2010) Information security, contract and liability. Chicago-Kent Law Rev. 84(1):841–849.Google Scholar
• Chuvakn A (2014) MSSP: Integrate, NOT outsource! Gartner (November 5), http://blogs.gartner.com/anton-chuvakin/2014/11/05/mssp-integrate-not-outsource/.Google Scholar
• Cooper R, Ross TW (1985) Product warranties and double moral hazard. RAND J. Econom. 16(1):103–113.Crossref, Google Scholar
• Cooter RD, Ulen TS (1986) An economic case for comparative negligence. New York Univ. Law Rev. 61(6):1067–1110.Google Scholar
• Cucurull J, Puiggali J (2016) Distributed immutabilization of secure logs. Barthe G, Markatos E, Samarati P, eds. Proc. 12th Internat. Workshop Security Trust Management (Heraklion, Crete, Greece), 122–137.Crossref, Google Scholar
• Czarnik A (2014) How to justify risk-based security investments. Tripwire (July 10), http://www.tripwire.com/state-of-security/featured/justifying-security-investments/.Google Scholar
• Dey D, Fan M, Zhang C (2010) Design and analysis of contracts for software outsourcing. Inform. Systems Res. 21(1):93–114.Link, Google Scholar
• Ding W, Yurcik W (2005) Outsourcing Internet security: The effect of transaction costs on managed service providers. Proc. Internat. Conf. Telecomm. Systems—Model. Anal., Dallas.Google Scholar
• Ding W, Yurcik W (2006) Economics of Internet security outsourcing: Simulation results based on the Schneier model. Proc. Workshop Econom. Securing Inform. Infrastructure, Washington, DC.Google Scholar
• Ding W, Yurcik W, Yin X (2005) Outsourcing Internet security: Economic analysis of incentives for managed security service providers. Deng X, Ye Y, eds. Internet and Network Economics—WINE 2005, Lecture Notes in Computer Science, vol. 3828 (Springer, Berlin), 947–958.Crossref, Google Scholar
• Dulleck U, Kerschbamer R (2006) On doctors, mechanics, and computer specialists: The economics of credence goods. J. Econom. Literature 44(1):5–42.Crossref, Google Scholar
• Emons W (1988) Warranties, moral hazard, and the lemons problem. J. Econom. Theory 46(1):16–33.Crossref, Google Scholar
• Fisher JA (2013) Secure my data or pay the price: Consumer remedy for the negligent enablement of data breach. William Mary Bus. Law Rev. 4(1):215–239.Google Scholar
• Fitoussi D, Gurbaxani V (2012) IT outsourcing contracts and performance measurement. Inform. Systems Res. 23(1):129–143.Link, Google Scholar
• Fryer H, Moore R, Chown T (2013) On the viability of using liability to incentivise Internet security. Proc. Workshop Econom. Inform. Security (WEIS 2013), Washington, DC.Google Scholar
• Gal-Or E, Ghose A (2005) The economic incentives for sharing security information. Inform. Systems Res. 16(2):186–208.Link, Google Scholar
• Gartner (2017) Market share analysis: Managed security services, worldwide, 2016. Gartner (May 23), https://www.gartner.com/doc/3726517/market-share-analysis-managed-security.Google Scholar
• Goldstein M, Sood A (2014) Dispelling the myths of cyber security. Dark Reading (May 14), http://www.darkreading.com/risk/dispelling-the-myths-of-cyber-security/a/d-id/1251171.Google Scholar
• Gopal A, Sivaramakrishnan K, Krishnan MS, Mukhopadyay T (2003) Contracts in offshore software development: An empirical analysis. Management Sci. 49(12):1671–1683.Link, Google Scholar
• Gordon LA, Loeb MP (2002) The economics of information security investment. ACM Trans. Inform. System Security 5(4):438–457.Crossref, Google Scholar
• Graves K (2010) CEH Certified Ethical Hacker Study Guide (John Wiley & Sons, Indianapolis).Google Scholar
• Green J (1976) On the optimal structure of liability laws. Bell J. Econom. 7(2):553–574.Crossref, Google Scholar
• Grossklags J, Christin N, Chuang J (2008) Security investment (failures) in five economic environments: A comparison of homogeneous and heterogeneous user agents. Proc. Workshop Econom. Inform. Security (WEIS 2008), Hanover, NH.Google Scholar
• Gupta A, Zhdanov D (2012) Growth and sustainability of managed security services networks: An economic perspective. MIS Quart. 36(4):1109–1130.Crossref, Google Scholar
• Hui KL, Hui W, Yue WT (2013) Information security outsourcing with system interdependency and mandatory security requirement. J. Management Inform. Systems. 29(3):117–156.Crossref, Google Scholar
• Hurley E (2004) Cyberspace security liability lawsuits on the rise? TechTarget (February 1), http://searchsecurity.techtarget.com/Cyberspace-security-liability-lawsuits-on-the-rise.Google Scholar
• Iansiti M, Lakhani KR (2017) The truth about Blockchain. Harvard Bus. Rev. 95(1):118–127.Google Scholar
• IBM (2008) IBM managed security services for network intrusion detection and intrusion prevention. IBM Global Services. Retrieved September 21, 2017, http://www-935.ibm.com/services/us/igs/pdf-iss-contracts/uk-7805-00.pdf.Google Scholar
• Jain N, Hasija S, Popescu DG (2013) Optimal contracts for outsourcing of repair and restoration services. Oper. Res. 61(6):1295–1311.Link, Google Scholar
• Jayanth R, Jacob VS, Radhakrishnan S (2011) Vendor and client interaction for requirements assessment in software development: Implications for feedback process. Inform. Systems Res. 22(2):289–305.Link, Google Scholar
• Kambhu J (1982) Optimal product quality under asymmetric information and moral hazard. Bell J. Econom. 13(2):483–492.Crossref, Google Scholar
• Kirk J (2014) Google expands bug bounty program, ups patch reward. PC World (February 5), https://www.pcworld.idg.com.au/article/537538/.Google Scholar
• Kolochenko I (2015) DDoS attacks: A perfect smoke screen for APTs and silent data breaches. CSO Magazine (September 28), http://www.csoonline.com/article/2986967.Google Scholar
• Lee CH, Geng X, Raghunathan S (2013) Contracting information security in the presence of double moral hazard. Inform. Systems Res. 24(2):295–311.Link, Google Scholar
• Lee CH, Geng X, Raghunathan S (2016) Mandatory standards and organizational information security. Inform. Systems Res. 27(1):70–86.Link, Google Scholar
• Lichtman D, Posner E (2006) Holding Internet service providers accountable. Supreme Court Econom. Rev. 14:221–259.Crossref, Google Scholar
• Lloyd’s (2017) Closing the gap: Insuring your business against evolving cyber threats. Retrieved September 21, 2017, https://www.lloyds.com/lloyds/about-us/what-do-we-insure/what-lloyds-insures/cyber/cyber-risk-insight/closing-the-gap.Google Scholar
• Mani D, Barua A, Whinston AB (2012) An empirical analysis of the contractual and information structures of business process outsourcing relationships. Inform. Systems Res. 23(3):618–634.Link, Google Scholar
• Mann DP, Wissink JP (1988) Money-back contracts with double moral hazard. RAND J. Econom. 19(2):285–292.Crossref, Google Scholar
• Moitra SD, Konda SL (2000) The survivability of network systems: An Empirical analysis. Technical Report CMU/SEI-2000-TR-021, Carnegie Mellon Software Engineering Institute, Pittsburgh.Google Scholar
• Naldi M, Flamini M, D’Acquisto G (2013) Information security investments: When being idle equals negligence. Altmann J, Vanmechelen K, Rana O, eds. Economics of Grids, Clouds, Systems, and Services—GECON 2013, Lecture Notes in Computer Science, vol. 7150 (Springer, Cham, Switzerland), 268–279.Crossref, Google Scholar
• National Institute of Standards and Technology (2012) Guide for conducting risk assessments. NIST Special Publication: 800-30 Revision 1, 1–95, National Institute of Standards and Technology, U.S. Department of Commerce, Gaithersburg, MD.Google Scholar
• Overby S (2012) IT service providers and customers battle over data breaches. CIO Magazine (March 9), http://www.cio.com/article/2395626.Google Scholar
• Rees J (2012) Tackling the PCI DSS challenges. Comput. Fraud Security 2012(1):15–17.Crossref, Google Scholar
• Riley M, Elgin B, Lawrence D, Matlack C (2014) Missed alarms and 40 million stolen credit card numbers: How Target blew it. Bloomberg (March 13), http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data.Google Scholar
• Roels G, Karmarkar US, Carr S (2010) Contracting for collaborative services. Management Sci. 56(5):849–863.Link, Google Scholar
• Rubinfeld DL (1987) Efficiency of comparative negligence. J. Legal Stud. 16(2):375–394.Crossref, Google Scholar
• Rustad ML, Koenig TH (2007) Extending Learned Hand's negligence formula to information security breaches. I/S J. Law Policy Inform. Soc. 3(2):236–270.Google Scholar
• Schneier B (2002) The case for outsourcing security. Computer 35(4):20–26.Crossref, Google Scholar
• Schwartz M (2013). How South Korean bank malware spread. Dark Reading (March 25), https://www.darkreading.com/d/d-id/1109239.Google Scholar
• Shavell S (1979) On moral hazard and insurance. Quart. J. Econom. 93(4):541–562.Crossref, Google Scholar
• Susarla A, Subramanyam R, Karhade P (2010) Contractual provisions to mitigate holdup: Evidence from information technology outsourcing. Inform. Systems Res. 21(1):37–55.Link, Google Scholar
• Technavio (2016) Global managed security services market 2016–2020. Retrieved September 21, 2017, https://www.technavio.com/report/global-it-security-managed-security-market.Google Scholar
• Tipton HF, Krause M (2007) Information Security Management Handbook (CRC Press, Boca Raton, FL).Crossref, Google Scholar
• van der Walt A (2003) Managed security services: who needs it? Comput. Fraud Security 2003(8):15–17.Crossref, Google Scholar
• van Kessel P, Allan K (2014) Get ahead of cybercrime: EY’s global information security survey 2014. Ernst & Young Global Limited. Retrieved September 21, 2017, https://www.ey.com/Publication/vwLUAssets/EY-global-information-security-survey-2014/$FILE/EY-global-information-security-survey-2014.pdf.Google Scholar
• Varian H (2004) System reliability and free riding. Camp LJ, Lewis S, eds. Economics of Information Security, Advances in Information Security, vol. 12 (Springer, Boston), 1–15.Crossref, Google Scholar
• Viebeck E (2015) Premera Blue Cross sued over data breach. TheHill.com (March 27), http://thehill.com/policy/cybersecurity/237181-premera-blue-cross-sued-over-data-breach.Google Scholar
• Zhao X, Xue L, Whinston AB (2013) Managing interdependent information security risks: Cyberinsurance, managed security services, and risk pooling arrangements. J. Management Inform. Systems 30(1):123–152.Crossref, Google Scholar