Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities
Information Systems Frontiers, 23 (3), 773-790, 2021
45 Pages
Posted: 28 Mar 2022
Date Written: November 26, 2015
Abstract
Firms in a close business partnership could choose to outsource to either the same or different Managed Security Service Providers (MSSPs) when making outsourcing decisions. Apart from security investments, compensation ratios, and network externalities, the firms in a close business partnership face the new challenge of correlated loss when making the outsourcing decisions. We first show that if the two firms in the business partnership outsource to the same MSSP, the security investments on the two firms are greater under positive externalities and vice versa. More importantly, we further find that, under positive externality, the two firms are better off outsourcing to the same MSSP if the correlated loss level is lower (greater) than a threshold when the compensation ratios are less (greater) than 1; under negative externality, the two firms are better off outsourcing to the same MSSP if the correlated loss level is lower (greater) than a threshold when the compensation ratios are greater (less) than 1. Our analytical results offer important managerial implications to firms in a close business partnership when deciding on their outsourcing strategies.
Keywords: Information Security, Outsourcing, MSSP, Externality, Correlated Losses
JEL Classification: D21