Outsourcing Information Security: Contracting Issues and Security Implications
Published Online: 27 Sep 2013 https://doi.org/10.1287/mnsc.2013.1763
References
- (2003) Outsourcing managed security services. Security Improvement Module CMU/SEI-SIM-012, Carnegie Mellon Software Engineering Institute, Pittsburgh. http://www.cert.org/archive/pdf/omss.pdf.
- (1982) The auditor as an economic agent. J. Accounting Res. 20(2, Part II):503–527.
- Arbor Networks (2010) How to use Arbor products and services to deliver in-cloud managed security services. Report, Arbor Networks, Chelmsford, MA. http://www.arbornetworks.com/index.php?option=com_docman&task=doc_download&gid=45.
- (1971) Essays in the Theory of Risk-Bearing (Markham, Chicago).
- (1987) Optimal contracts with a utility-maximizing auditor. J. Accounting Res. 25(2):217–244.
- (2011) 2009 Data breach investigations report. Verizon Business, New York. http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf.
- Butler Group (2007) Managed services: How managed services can help IT departments deliver greater value and flexibility. Report, Butler Group, Rockville, MD.
- (1999) Internal controls and the detection of management fraud. J. Accounting Res. 37(1):101–117.
- (2004) The effect of internet security breach announcements on market value: Capital market reactions for breached firms and Internet security developers. Internat. J. Electronic Commerce 9(1):70–104.
- (2009) Competition, speculative risks, and IT security outsourcing. Eighth Workshop on Econom. of Inform. Security (WEIS 2009), London.
- (2012) All-or-nothing payments. J. Math. Econom. 48(3):133–142.
- (2000) Multitask agency problems: Focus and task clustering. Eur. Econom. Rev. 44(4–6):869–877.
- (2010) Design and analysis of contracts for software outsourcing. Inform. Systems Res. 21(1):93–114.
- (2005) Outsourcing Internet security: The effect of transaction costs on managed service providers. Internat. Conf. Telecommunication Systems, Modeling, and Analysis, Dallas, November 17–20.
- (2006) Economics of Internet security outsourcing: Simulation results based on the Schneier model. Workshop on the Economics of Securing the Information Infrastructure (WESII), Washington, DC, October 23.
- (2005) Outsourcing Internet security: Economic analysis of incentives for managed security service providers. Deng X, Ye Y, eds. Internet and Network Economics, Lecture Notes in Computer Science, Vol. 3828 (Springer, Berlin), 947–958.
- (1994) Performance measure congruity and diversity in multi-task principal/agent relations. Accounting Rev. 69(3):429–453.
- Frost & Sullivan (2010) Global managed security service providers rollup. Report, Frost & Sullivan, San Antonio, TX.
- (1998) Game Theory (MIT Press, Cambridge, MA).
- (2007) Security breaches cost $90 to $305 per lost record. InformationWeek (April 11), http://www.informationweek.com/security-breaches-cost-90-to-305-per-los/199000222.
- (1983) An analysis of the principal-agent problem. Econometrica 51(1):7–45.
- (2012) Growth and sustainability of managed security services networks: An economic perspective. MIS Quart. 36(4):1109–1130.
- (1979) Optimal incentive contracts with imperfect information. J. Econom. Theory 20(2):231–259.
- (1979) Moral hazard and observability. Bell J. Econom. 10(1):74–91.
- (1991) Multitask principal–agent analysis: Incentive contracts, asset ownership, and job design. J. Law, Econom., Organ. 7:24–52.
- (1994) The firm as an incentive system. Amer. Econom. Rev. 84(4):972–991.
- IBM (2007) IBM Managed Security Services. Report, IBM Global Services, Somers, NY. http://www-935.ibm.com/services/us/iss/pdf/gtd00763-usen-01.pdf.
- IRCTC (2011) Request for proposal (RFP) for managed security services (MSS)—2011. RFP document, Indian Railway Catering and Tourism Corporation, New Delhi. https://www.irctc.co.in/betaDoc/tender_Managed_Services.pdf.
- (1991) Incentives to help in multi-agent situations. Econometrica 59(3):611–636.
- (1994) Job design, delegation, and cooperation: A principal-agent analysis. Eur. Econom. Rev. 38(3–4):691–700.
- (2005) Why outsource to a managed security service provider (MSSP)? White paper, Webfargo Data Security, Durham, NC.
- (2010) Market overview: Managed security services. Report, Forrester Research, Cambridge, MA.
- (2009) Magic Quadrant for MSSPs, North America. Gartner RAS Core Research Note G00166138, Gartner, Stamford, CT. http://www.tatacommunications.com/downloads/enterprise/Tata_Communications_3053.pdf.
- (2009) A review of the IT outsourcing literature: Insights for practice. J. Strategic Inform. Systems 18(3):130–146.
- (2002) The information security process: Prevention, detection and response. Report, SANS Institute, Bethesda, MD. http://www.giac.org/paper/gsec/501/information-security-process-prevention-detection-response/101197.
- (2001) Adverse specialization. J. Political Econom. 109(4):864–899.
- (1950) The bargaining problem. Econometrica 18(2):155–162.
- (2009) Corporate Computer and Network Security, 2nd ed. (Prentice-Hall, Upper Saddle River, NJ).
- Ponemon Institute (2011) Ponemon study shows the cost of a data breach continues to increase. Press release (January 25), Ponemon Institute, Menlo Park, CA. http://www.ponemon.org/news-2/23.
- (2003) Cybersecurity Operations Handbook (Elsevier Digital Press, Amsterdam).
- (2009) How to build the right managed security service level agreement. SearchMidmarketSecurity.com (August 6), http://searchmidmarketsecurity.techtarget.com/news/1363812/How-to-build-the-right-managed-security-service-level-agreement.
- (1973) The economic theory of agency: The principal's problem. Amer. Econom. Rev. 63(2):681–690.
- Rowe (2007) Will outsourcing IT security lead to a higher social level of security? Sixth Workshop on the Economics of Information Security, Pittsburgh, June 7–8.
- (2001) Managed security monitoring: Network security for the 21st century. Comput. Security 20(6):491–503.
- (2002) The case for outsourcing security. Computer 35(4):20–26.
- (2007) Managed security monitoring: Network security for the 21st century. Report, British Telecommunications, London. http://www2.computable.nl/downloads/Counterpane_WP5.pdf.
- (2011) Personal communication via email with the authors, January 25.
- (2010) More firms outsourcing security to MSSPs. InformationWeek (June 17), http://www.informationweek.com/security/management/more-firms-outsourcing-security-to-mssps/225700537.
- (1997) Incomplete information, task assignment, and managerial control systems. Management Sci. 43(6):764–778.
- (1992) Contracting for software development. Management Sci. 38(3):307–324.
- (2011) Principles of Information Security, 4th ed. (Cengage Learning, Boston).
- (2013) Managing interdependent information security risks: Cyberinsurance, managed security services, and risk pooling arrangements. J. Management Inform. Systems 30(1):123–152.

