Partial Information Security Outsourcing under Security Standard Constraints: An Externality-Asymmetry Perspective (original title: 安全标准约束下的信息安全部分外包研究——基于外部性不对称视角)
Abstract:
The rapid development of information technology has not only made life more convenient but has also exposed firms and individuals to greater security risks. To meet these risks, firms tend to outsource part of their information security to a professional managed security service provider (MSSP), which aims to raise the firm's security quality through professional and efficient security management. This paper therefore models the asymmetric security externalities between a firm and its MSSP under partial outsourcing, together with a mandatory security standard constraint, and examines two partial outsourcing strategies: a Core Outsourcing Strategy (OC Strategy) and a Non-core Outsourcing Strategy (ONC Strategy). The results offer management insights for firms' security practice. We find that when the firm's externality on the MSSP is negative (positive), the firm's security effort always increases (decreases) as the MSSP's externality on the firm grows, provided the security standard is loose. We also find that mandatory security standards of different stringency affect the optimal decisions of the firm and the MSSP differently. Under the OC Strategy, a firm facing a loose mandatory standard must set a compensation ratio to reach its minimum expected cost, whereas under a stricter mandatory standard it reaches the optimal decision without any compensation mechanism. Finally, when the information leakage risk is high, the firm always chooses the ONC Strategy.