Information security outsourcing with system interdependency and mandatory security requirement

Kai Lung Hui, Wendy HUI, Wei Yue

Research output: Journal Publications › Journal Article (refereed)

22 Citations (Scopus)

Abstract

The rapid growth of computer networks has led to a proliferation of information security standards. To meet these security standards, some organizations outsource security protection to a managed security service provider (MSSP). However, this may give rise to system interdependency risks. This paper analyzes how such system interdependency risks interact with a mandatory security requirement to affect the equilibrium behaviors of an MSSP and its clients. We show that a mandatory security requirement will increase the MSSP's effort and motivate it to serve more clients. Although more clients can benefit from the MSSP's protection, they are also subjected to greater system interdependency risks. Social welfare will decrease if the mandatory security requirement is high, and imposing verifiability may exacerbate social welfare losses. Our results imply that recent initiatives such as issuing certification to enforce computer security protection, or encouraging auditing of managed security services, may not be advisable.

Original language: English
Pages (from-to): 117-156
Number of pages: 39
Journal: Journal of Management Information Systems
Volume: 29
Issue number: 3
DOI: 10.2753/MIS0742-1222290304
Publication status: Published - 1 Dec 2012
Externally published: Yes

Fingerprint

Outsourcing
Security of data
Computer networks
Information security
Interdependencies

Keywords

  • information security
  • information security outsourcing
  • interdependency risks
  • mandatory security requirement
  • security compliance

Cite this

@article{ef25176382b4421ebacec1604d4649cc,
title = "Information security outsourcing with system interdependency and mandatory security requirement",
abstract = "The rapid growth of computer networks has led to a proliferation of information security standards. To meet these security standards, some organizations outsource security protection to a managed security service provider (MSSP). However, this may give rise to system interdependency risks. This paper analyzes how such system interdependency risks interact with a mandatory security requirement to affect the equilibrium behaviors of an MSSP and its clients. We show that a mandatory security requirement will increase the MSSP's effort and motivate it to serve more clients. Although more clients can benefit from the MSSP's protection, they are also subjected to greater system interdependency risks. Social welfare will decrease if the mandatory security requirement is high, and imposing verifiability may exacerbate social welfare losses. Our results imply that recent initiatives such as issuing certification to enforce computer security protection, or encouraging auditing of managed security services, may not be advisable.",
keywords = "information security, information security outsourcing, interdependency risks, mandatory security requirement, security compliance",
author = "Hui, {Kai Lung} and Wendy HUI and Wei Yue",
year = "2012",
month = "12",
day = "1",
doi = "10.2753/MIS0742-1222290304",
language = "English",
volume = "29",
pages = "117--156",
journal = "Journal of Management Information Systems",
issn = "0742-1222",
publisher = "M.E. Sharpe Inc.",
number = "3",
}

Information security outsourcing with system interdependency and mandatory security requirement. / Hui, Kai Lung; HUI, Wendy; Yue, Wei.

In: Journal of Management Information Systems, Vol. 29, No. 3, 01.12.2012, p. 117-156.

TY - JOUR

T1 - Information security outsourcing with system interdependency and mandatory security requirement

AU - Hui, Kai Lung

AU - HUI, Wendy

AU - Yue, Wei

PY - 2012/12/1

Y1 - 2012/12/1

N2 - The rapid growth of computer networks has led to a proliferation of information security standards. To meet these security standards, some organizations outsource security protection to a managed security service provider (MSSP). However, this may give rise to system interdependency risks. This paper analyzes how such system interdependency risks interact with a mandatory security requirement to affect the equilibrium behaviors of an MSSP and its clients. We show that a mandatory security requirement will increase the MSSP's effort and motivate it to serve more clients. Although more clients can benefit from the MSSP's protection, they are also subjected to greater system interdependency risks. Social welfare will decrease if the mandatory security requirement is high, and imposing verifiability may exacerbate social welfare losses. Our results imply that recent initiatives such as issuing certification to enforce computer security protection, or encouraging auditing of managed security services, may not be advisable.

KW - information security

KW - information security outsourcing

KW - interdependency risks

KW - mandatory security requirement

KW - security compliance

UR - http://www.scopus.com/inward/record.url?scp=84878001717&partnerID=8YFLogxK

U2 - 10.2753/MIS0742-1222290304

DO - 10.2753/MIS0742-1222290304

M3 - Journal Article (refereed)

VL - 29

SP - 117

EP - 156

JO - Journal of Management Information Systems

JF - Journal of Management Information Systems

SN - 0742-1222

IS - 3

ER -