%0 Journal Article
%T Managing Partial Outsourcing on Information Security under Security Standard Constraint—Based on Asymmetric Externality
%A 刘艺浩
%A 吴勇
%J Management Science and Engineering
%P 1-18
%@ 2167-6658
%D 2023
%I Hans Publishing
%R 10.12677/MSE.2023.121001
%X The rapid development of information technology has not only greatly facilitated people's lives but has also brought greater security risks to firms. To meet these risks, a firm often outsources part of its information security to a professional managed security service provider (MSSP), which aims to improve the quality of the firm's information security through professional and efficient security management. This paper therefore considers the asymmetric security externality between the firm and the MSSP, together with a mandatory security standard constraint, when partial outsourcing occurs, and examines two partial outsourcing strategies: the Core Outsourcing Strategy (OC Strategy) and the Non-core Outsourcing Strategy (ONC Strategy). The results provide management insights for firms' security practice. We find that when the firm's externality to the MSSP is negative (positive), the firm's security effort always increases (decreases) as the MSSP's externality to the firm increases under loose security standards. In addition, different levels of mandatory security standards affect the optimal decisions of the firm and the MSSP differently. When the firm adopts the OC Strategy, it needs to set a compensation ratio to reach its minimum expected cost under a loose mandatory security standard, whereas under a stricter mandatory security standard it reaches the optimal decision without setting up a compensation mechanism. Finally, the firm always chooses the ONC Strategy when the information leakage risk is higher.
%K Partial Outsourcing
%K Security Externality
%K Information Leakage
%K Mandatory Security Standard
%U http://www.hanspub.org/journal/PaperInformation.aspx?PaperID=60534