Incentive contracts research of information security outsourcing for complementary firms in supply chain under double moral hazard

In this paper, we study how firms in the supply chain can cooperate with managed security service providers (MSSP), to solve the double moral hazard (DMH) problem in security outsourcing when the firms’ information assets are complementary. The results show that the complementation degree between the firms will reduce their expected loss to some extent, thus not only suppressing the investment incentive of both the firms and the MSSP but also reducing the compensation amount of the MSSP to the firms, whereas increasing the probability of firms being breached. Furthermore, our study shows that both firms and the MSSP would suffer from the DMH problem in a bilateral refund contract, which is commonly used in the information security outsourcing industry, and the DMH problem becomes complicated due to the information complementation of firms. Therefore, we propose the liability contract to solve the DMH problem. Unlike the bilateral refund contract, the implementation of the liability contract is according to the security states of firms. Specifically, when both complementary firms are breached, the MSSP compensates for the two firms, while the MSSP penalizes the breached firm and rewards the un-breached firm if only one firm is breached. Our results show that the liability contract can solve the DMH problem effectively, and the MSSP would like the liability contract when the implementation cost is less than a threshold. These findings give some insights that can guide complementary firms in the supply chain to make an information security outsourcing strategy. © 2022 Systems Engineering Society of China. All rights reserved.