Journal of Industrial Engineering and Engineering Management (管理工程学报), 2024, Vol. 38, Issue 4: 196-208, 13. DOI: 10.13587/j.cnki.jieem.2024.04.013
Contract design in information security outsourcing under cost information asymmetry (original title: 考虑成本信息不对称的信息安全外包契约设计)
Abstract
The increasing complexity, regulatory requirements, and cost of managing information security have motivated many firms to outsource information security functions to managed security service providers (MSSPs). MSSP services are popular for security infrastructure functions, where specialized and experienced MSSPs can provide expertise at a lower cost. In information security outsourcing, it is common for the outsourcing firm and the MSSP to coordinate their efforts for better security. For example, firms often outsource prevention and detection functions to an MSSP while operating basic security fundamentals such as updating and employee education in-house. In practice, a bilateral refund contract is widely adopted in the information security outsourcing industry. Nevertheless, efforts are often private, so both the firm and the MSSP can suffer from double moral hazard in contract enforcement. It is essential to coordinate the efforts of both parties so that the firm and the MSSP each invest the effort needed to protect the firm's system. A further problem that hinders effective execution of the contract is cost information asymmetry: the MSSP holds private cost information that the firm finds difficult to evaluate in advance. Private cost information may lead the MSSP to behave opportunistically, obtaining extra profit by misstating its security effort. These challenges raise two questions. Can a bilateral refund contract resolve double moral hazard? How can the firm ensure that the MSSP invests the necessary effort and discloses its cost information?
To answer these research questions, we construct a game-theoretic model. In this paper, we explore the validity of bilateral refund contracts in information security service outsourcing. We consider a firm offering a service contract to the MSSP. If the MSSP accepts the contract, it protects the system jointly with the firm; otherwise, the firm must undertake the protection itself. A bilateral refund contract between the MSSP and the firm consists of two payments: a fixed payment from the firm to the MSSP upon signing the security contract, and a refund rate paid by the MSSP to the firm if the firm suffers security breaches. We start with a benchmark case in which we assume no moral hazard occurs, because each party's effort can be verified by the other and the firm can control the security effort of the MSSP. The benchmark is used later to assess the performance of the bilateral refund contract. When the MSSP and the firm each aim to maximize their own payoff, their incentives may not be aligned: in a collaborative setting, the firm and the MSSP naturally want the other party to assume more of the effort. We find that the bilateral refund contract cannot solve the double moral hazard problem. We further analyze equilibrium efforts under the bilateral refund contract. We also characterize the effect of double moral hazard, which we call the effort-verifiable value, and which gives the firm a reference for deciding whether to carry out information-gathering activities to verify the MSSP's security effort. Then we consider the case in which the MSSP has private cost information and find that the contracts above cannot disclose the MSSP's real cost information. The results show that the bilateral refund contract designed under information symmetry may lead to opportunism: the MSSP has an incentive to exaggerate its service cost. Our model highlights the influence of cost information asymmetry on the firm's profit in a collaborative service environment and identifies a set of service contracts that disclose cost information.
Next, we analyze the optimal contract under asymmetric information and investigate the impact of service environment characteristics on contract design. The results indicate that under symmetric cost information the refund rate depends only on the relative importance and cost coefficients of the collaborating parties. When the MSSP has private cost information, however, the refund rate for a low-cost MSSP remains the same as under symmetric information, while the refund rate for a high-cost MSSP is affected by the distribution and the cost ratio of the two types of service provider. The paper further compares the payoffs of firms and service providers and shows that under private cost information, whatever the type of the service provider, the firm suffers some loss due to its lack of information. The firm therefore has an incentive to collect information from the MSSP to reduce information asymmetry and thus reduce its losses. Numerical analysis demonstrates that double moral hazard worsens when both parties take on nearly equal responsibilities. Furthermore, the service provider's cost information is most uncertain when the market distribution of the two types of service provider is close, and the firm should then carry out information search activities to reveal the cost information. To sum up, the paper provides management insights and implications for designing service contracts under asymmetric information.

Keywords: Information security outsourcing; Double moral hazard; Cost information asymmetry (private cost information); Contract design

Classification: Management science
Citation: Wu Yong (吴勇), Xu Mengyao (徐梦瑶), Feng Gengzhong (冯耕中). Contract design in information security outsourcing under cost information asymmetry [J]. Journal of Industrial Engineering and Engineering Management (管理工程学报), 2024, 38(4): 196-208, 13.

Funding:
The National Natural Science Foundation of China (71801035)
The Major Program of the National Social Science Foundation of China (20&ZD053)
The Fundamental Research Funds for the Central Universities (2232018H-07)