Contracting information security in the presence of double moral hazard

Information Systems Research

Volumn 24, Issue 2, 2013, Pages 295-311

  Lee, Chul Ho ^a   Geng, Xianjun ^b   Raghunathan, Srinivasan ^b  

^a XAVIER UNIVERSITY   (United States)

^b UNIVERSITY OF TEXAS AT DALLAS   (United States)

Author keywords

Double moral hazard; Externality; Information security outsourcing; Managed security service providers

Indexed keywords

OUTSOURCING; RISK MANAGEMENT; SECURITY OF DATA;

ADDITIVE METHODS; CLIENT FIRMS; CONTINGENT PAYMENTS; CONTRACTUAL PARTIES; EXTERNALITY; MANAGED SECURITY SERVICE PROVIDERS; MORAL HAZARD; SECURITY BREACHES;

ECONOMICS;

EID: 84878838952     PISSN: 10477047     EISSN: 15265536     Source Type: Journal    
DOI: 10.1287/isre.1120.0447     Document Type: Article

References (44)

1. Allen J, Gabbard D, May C (2003) Outsourcing managed security services. Whitepaper, Carnegie Mellon Software Engineering Institute. Available at http://www.cert.org/archive/pdf/omss.pdf.
2. Al-Najjar N (1997) Incentive contracts in two-sided moral hazards with multiple agents. J. Econom. Theory 74(1):174-195.
3. Anderson R, Moore T (2006) The economics of information security. Science 314(27):610-613.
4. Arce I (2003) The weakest link revisited. IEEE Security and Privacy 1(2):72-76.
5. Balachandran KR, Radhakrishnan S (2005) Quality implications of warranties in a supply chain. Management Sci. 51(8):1266-1277.
6. Bastide K (2011) Health care reform presents challenges for Howard Regional Health system. Indiana Economic Digest (April 15). Available at http://www.indianaeconomicdigest.net/main.asp ?SectionIDD31&SubSectionIDD135&ArticleIDD59429.
7. Bhattacharyya S, Lafontaine F (1995) Double-sided hazard and the nature of share contracts. RAND J. Econom. 26(4):761-781.
8. Cezar A (2009) Essays on information security and risk management. Ph.D. Dissertation, The University of Texas at Dallas.
9. Cezar A, Cavusoglu H, Raghunathan S (2010) Outsourcing information security: Contracting issues and security implications. Ninth Workshop on Economics of Information Security, (WEIS 2010), Cambridge, MA.
10. Chalos P, Sung J (1998) Outsourcing decisions and managerial incentives. Decision Sci. 29(4):901-919.
11. Cooper R, Ross TW (1985) Product warranties and double moral hazard. RAND J. Econom. 16(1):103-113.
12. Corbett CJ, DeCroix GA, Ha AY (2005) Optimal shared-savings contracts in supply chains: Linear contracts and double moral hazard. Eur. J. Oper. Res. 163(3):653-667.
13. Crothall Healthcare (2011) Patient Satisfaction News (Jan. 13). Available at http://media.crothall.com/global/news/2011-01_Patient_Satisfaction_News.pdf
14. Dey D, Fan M, Zhang C (2010) Design and analysis of contracts for software outsourcing. Inform. Systems Res. 21(1):93-114.
15. Ding W, Yurcik W (2005) Outsourcing Internet security: The effect of transaction costs on managed service providers. Internat. Conf. Telecommunication Systems, Modeling Anal., Dallas, TX, 17-20.
16. Ding W, Yurcik W (2006) Economics of Internet security outsourcing: Simulation results based on the Schneider model. Fifth Workshop on the Economics of Securing the Information Infrastructure, (WEIS 2006), Washington, DC, 1-22.
17. Ding W, Yrucik W, Yin X (2005) Outsourcing Internet security: Economic analysis of incentives for managed security service providers. First Internat. Workshop on Internet and Network Econom., Hong Kong, China, 947-958.
18. Fenn C, Shooter R, Allan K (2002) IT security outsourcing: How safe is your IT security? Comput. Law and Security Rep. 18(2):109-111.
19. Fudenberg D, Tirole J (1998) Game Theory (The MIT Press, Cambridge, MA).
20. Gal-Or E, Ghose A (2005) The economic incentives for sharing security information. Inform. Systems Res. 16(2):186-208.
21. George R (2008) Security to go: Is it time to shop MSSPs? InformationWeek (November 1). Available at http://www.informationweek.com/news/showArticle.jhtml?articleIDD211800247.
22. Goo J (2010) Structure of service level agreements (SLA) in IT outsourcing: The construct and measurement. Inform. Systems Frontiers 12(2):185-205.
23. Gordon LA, Loeb MP (2002) The economics of information security investment. ACM Trans. Inform. System Security 5(4):438-457.
24. Granger S (2001) Social Engineering Fundamentals, Part 1: Hacker Tactics. SecurityFocus (December 18), http://www.securityfocus.com/infocus/1527.
25. Gupta S, Romano RE (1998) Monitoring the principal with multiple agents. RAND J. Econom. 29(2):427-442.
26. Hayes F (2008) Frankly speaking: Business partners are a prime attack vector. Computerworld (June 23), http://www.computerworld.com/s/article/320953/Attack_Vector.
27. Jayanth R, Jacob VS, Radhakrishnan S (2010) Vendor and client interaction for requirement assessment in software development: Implications for feedback process. Inform. Systems Res. 22(2):289-305.
28. Kim SK, Wang S (1998) Linear contracts and the double moralhazard. J. Econom. Theory 82(2):342-378.
29. Liu Z, Squillante MS, Wolf JL (2001) On maximizing service-levelagreement profits. Proc. 3rd ACM Conf. Electronic Commerce, New York, NY, 213-223.
30. Mayne M (2008) Outsourcing made easy. SC Magazine (December 1) 26. Available at http://www.scmagazineuk.com/outsourcing-made-easy/article/121804/.
31. Richmond W, Seidmann A, Whinston A (1992) Incomplete contracting issues in information systems development outsourcing. Decision Support Systems 8(5):459-477.
32. Rothke B, Mundhenk D (2009) Sue the Auditor and Shut Down the Firm (July 9). Available at http://www.csoonline.com/article/496923/Sue_the_Auditor_and_Shut_Down_the_Firm.
33. Rowe B (2007) Will outsourcing IT security lead to a higher social level of security? Sixth Workshop on Economics of Information Security, (WEIS 2007) Pittsburgh, PA.
34. Schneier B (2002) The case for outsourcing security. Computer 35(4):20-26.
35. Sen S, Raghu TS, Vinze A (2009) Demand heterogeneity in IT infrastructure services: Modeling and evaluation of a dynamic approach to defining service levels. Inform. Systems Res. 20(2):258-276.
36. Straub DW, Welke RJ (1998) Coping with systems risk: Security planning models for management decision making. MIS Quart. 22(4):441-469.
37. Vanauken J (2006) Hired guns. Network Comput. (August 3):39-50.
38. Varian HR (2000) Managing online security risks. NewYork Times (June 1), http://people.ischool.berkeley.edu/~hal/people/hal/NYTimes/2000-06-01.html
39. Varian HR (2003) System reliability and free riding. Sadeh, ed. Fifth Internat. Conf. Electronic Commerce (ACM, New York), 355-366.
40. Wang ET, Barron T, Seidmann A (1997) Contracting structures for custom software development: The impacts of informational rents and uncertainty on internal development and outsourcing. Management Sci. 43(12):1726-1744.
41. Whang S (1992) Contracting for software development. Management Sci. 38(3):307-324.
42. Wood-Buhlman N, Matthes N (2011) The time to prepare for value-based purchasing is now. Whitepaper, Press Ganey. Available at http://www.pressganey.com/Documents_secure/White%20Papers/VBP_TimeToPrepareIsNow.pdf?viewFile.
43. Zetter K (2009) In Legal First, Data-Breach Suit Targets Auditor, Wired (June 2). Available at http://www.wired.com/threatlevel/2009/06/auditor_sued/.
44. Zwiener M (2011) Overview of CMS Proposal for Value Based Purchasing. Available at http://www.nrcpicker.com/Events/Conferences/Documents/Forms/AllItems.aspx.