Incentive contracts research of information security outsourcing for complementary firms in supply chain under double moral hazard

Authors
Wu Y. [1]
Wang L. [1]
Feng G. [2]
Affiliations
[1] Glorious Sun School of Business & Management, Donghua University, Shanghai
[2] School of Management, Xi’an Jiaotong University, Xi’an
Funding
National Natural Science Foundation of China
Keywords
complementary information; double moral hazard; information security outsourcing; liability contract; supply chain security;
DOI
10.12011/SETP2021-2000
Abstract
In this paper, we study how firms in a supply chain can cooperate with managed security service providers (MSSPs) to solve the double moral hazard (DMH) problem in security outsourcing when the firms' information assets are complementary. The results show that the degree of complementarity between the firms reduces their expected loss to some extent, which not only suppresses the investment incentive of both the firms and the MSSP but also reduces the amount the MSSP compensates the firms, while increasing the probability that the firms are breached. Furthermore, our study shows that both the firms and the MSSP suffer from the DMH problem under a bilateral refund contract, which is commonly used in the information security outsourcing industry, and that the DMH problem becomes more complicated because of the firms' information complementarity. Therefore, we propose a liability contract to solve the DMH problem. Unlike the bilateral refund contract, the liability contract is implemented according to the security states of the firms. Specifically, when both complementary firms are breached, the MSSP compensates both firms, whereas if only one firm is breached, the MSSP penalizes the breached firm and rewards the un-breached firm. Our results show that the liability contract can solve the DMH problem effectively, and that the MSSP prefers the liability contract when the implementation cost is below a threshold. These findings offer insights that can guide complementary firms in a supply chain in forming an information security outsourcing strategy. © 2022 Systems Engineering Society of China. All rights reserved.
Pages: 2916-2926
Number of pages: 10