Outsourcing Information Security: Contracting Issues and Security Implications

We examine the implications of a firm outsourcing both (i) security device management which attempts to prevent security breaches and (ii) security monitoring which attempts to detect security breaches to managed security service providers (MSSPs). In the context of security outsourcing, the firm not only faces the traditional moral hazard problem as it cannot observe an MSSP’s prevention or detection effort, but also observes the security breach outcome only imperfectly. Furthermore, outsourced prevention and detection services are separate but interrelated security functions, and thereby cannot be considered independently. Hence, the firm needs to carefully design a contract or contracts to induce the desired efforts from the service providers to effectively manage the cost of information security. We first show that the current practice of outsourcing both device management and monitoring functions to the same MSSP using a contract that imposes a penalty on MSSP when the MSSP is deemed responsible for a breach results in a higher than the first-best prevention effort and zero (and less than the first-best) detection effort. This is due to the conflict of interest faced by the MSSP and the substitutable nature of prevention and detection services. We then propose two new contracts, both of which achieve the firstbest outcomes. The first contract imposes a penalty for a breach and offers a reward for detecting and revealing breaches to the firm and the second contract calls for the firm to use two different MSSPs one for prevention and the other for detection. The required penalty and reward are smaller when the firm uses two MSSPs than when it uses a single MSSP. It is possible for all three types of contracts to fail to satisfy the fairness criterion – the penalty does not exceed the firm’s loss from a security breach -, and also fail to achieve the first-best efforts when there are limits on penalty and/or reward. However, the two-MSSP contract meets the fairness criterion whenever the other two contracts do. An increase in the prevention cost relative to the detection cost increases the likelihood that the two-MSSP contract meets the fairness criterion, making the two-MSSP contract even more attractive relative to the single MSSP contract with penalty and reward. Despite these advantages of the two-MSSP contract over single MSSP contracts, the firm may be better off outsourcing both prevention and detection functions to the same MSSP with a penalty-and-reward-based contract if a strong cost complementarity exists between the two functions.