安全标准约束下的信息安全部分外包研究——基于外部性不对称视角

doi:10.12677/MSE.2023.121001

期刊菜单

安全标准约束下的信息安全部分外包研究——基于外部性不对称视角
Managing Partial Outsourcing on Information Security under Security Standard Constraint—Based on Asymmetric Externality

DOI: 10.12677/MSE.2023.121001, PDF,
作者: 刘艺浩, 吴勇：东华大学旭日工商管理学院，上海
关键词: 部分外包；安全外部性；信息泄露；强制性安全标准；Partial Outsourcing； Security Externality； Information Leakage； Mandatory Security Standard

摘要: 信息技术的快速发展不仅方便了人们的生活，同时也给企业和个人带来了更大的安全隐患。为了应对安全风险的挑战，企业倾向于将部分信息安全外包给专业的管理安全服务提供商(MSSP)，MSSP旨在通过专业高效的信息安全管理手段来帮助企业提高信息安全质量。因此，本文考虑了部分外包发生时企业和MSSP之间不对称的安全外部性以及强制性安全标准约束，探究了企业的两种部分外包策略(核心外包策略和非核心外包策略)，为企业的安全实践提供了管理启示。我们发现，当企业对MSSP的外部性为负(正)时，在较低的安全标准下，企业付出的安全努力水平总是随着MSSP对企业外部性的增大而增大(减小)。另外，我们发现不同程度的强制性安全标准对企业和MSSP最优决策的影响不同。当企业采取核心外包策略时，在较低的强制性安全标准约束下，企业需设定赔偿比例从而得到最低期望成本；然而，在较高的强制性安全标准约束下，企业无需设立赔偿机制即可达到最优决策。此外，当信息泄露风险较高时，企业总是选择非核心外包策略。

Abstract: The rapid development of information technology has not only greatly facilitated people’s lives, but also brought greater security risks for firms. In order to meet the challenges of security risks, the firm often chooses to outsource partial information security to a professional managed security service provider (MSSP), which aims to improve the quality of information security through professional and efficient information security management means. Therefore, this paper considers the asymmetric security externality between the firm and the MSSP and the mandatory security standard constraint when partial outsourcing occurs to explore two partial outsourcing strategies, that is, Core Outsourcing Strategy (OC Strategy) and Non-core Outsourcing Strategy (ONC Strategy), and the research results can provide management insights for the firms’ security practice. We find that when the firm’s externality to the MSSP is negative (positive), the firm’s security effort always increases (decreases) as the MSSP’s externality to the firm increases under loose security standards. In addition, we find that different levels of mandatory security standards have different effects on the optimal decision of the firm and MSSP. When the firm adopts OC Strategy, the firm needs to set a compensation ratio to get the minimum expected cost under loose mandatory security standards. However, the firm can reach the optimal decision without setting up the compensation mechanism under stricter mandatory security standards. Besides, the firm always chooses the ONC Strategy when the information leakage risk is higher.

文章引用：刘艺浩, 吴勇. 安全标准约束下的信息安全部分外包研究——基于外部性不对称视角[J]. 管理科学与工程, 2023, 12(1): 1-18. https://doi.org/10.12677/MSE.2023.121001

参考文献

[1]	瑞星2021年中国网络安全报告[R]. 北京: 北京瑞星网安技术股份有限公司, 2022.
[2]	Sierra Wireless. 无线设备制造公司在遭勒索软件攻击后工厂停产[EB/OL]. https://ti.dbappsecurity.com.cn/info/1796, 2021-03-25.
[3]	哥斯达黎加国家财政系统遭勒索攻击: 税务海关停摆[EB/OL]. https://www.freebuf.com/news/330941.html, 2022-04-25.
[4]	MarketsandMarkets (2020) Managed Security Services Market Worth $46.4 Billion by 2025. India.
[5]	Fortinet (2021) Cloud Security Report. https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/report-cybersecurity-cloud-security-report-fortinet-2.5.pdf
[6]	新加坡电信巨头近13万客户信息遭泄露, 涉身份证号等[EB/OL]. https://3g.163.com/dy/article/G358TCLE05129QAF.html, 2021-02-19.
[7]	Hoecht, A. and Trott, P. (2006) Outsourcing, Information Leakage and the Risk of Losing Technology-Based Competencies. European Business Review, 18, 395-412. [Google Scholar] [CrossRef]
[8]	Alexander, M. and Young, D. (1996) Strategic Outsourcing. Long Range Planning, 29, 116-119. [Google Scholar] [CrossRef]
[9]	Lacity, M.C. and Willcocks, L.P. (1998) An Empirical Investigation of Information Technology Sourcing Practices: Lessons from Experience. MIS Quarterly, 22, 363-408. [Google Scholar] [CrossRef]
[10]	Lee, C.H., Geng, X.J. and Raghunathan, S. (2013) Contracting Information Security in the Presence of Double Moral Hazard. Information Systems Research, 24, 295-311. [Google Scholar] [CrossRef]
[11]	Cezar, A., Cavusoglu, H. and Raghunathan, S. (2017) Sourcing Information Security Operations: The Role of Risk Interdependency and Competitive Externality in Outsourcing Decisions. Production and Operations Management, 26, 860-879. [Google Scholar] [CrossRef]
[12]	Varian, H. (2000) Managing Online Security Risks. The New York Times.
[13]	Gao, X. and Zhong, W. (2015) Information Security Investment for Competitive Firms with Hacker Behavior and Security Requirements. Annals of Operations Research, 235, 277-300. [Google Scholar] [CrossRef]
[14]	Grossman, G.M. and Helpman, E. (2005) Outsourcing in a Global Economy. Review of Economic Studies, 72, 135-159. [Google Scholar] [CrossRef]
[15]	Shy, O. and Stenbacka, R. (2005) Partial Outsourcing, Monitoring Cost, and Market Structure. Canadian Journal of Economics/Revue Canadienne d’Économique, 38, 1173-1190. [Google Scholar] [CrossRef]
[16]	Alvarez, L.H.R. and Stenbacka, R. (2007) Partial Outsourcing: A Real Options Perspective. International Journal of Industrial Organization, 25, 91-102. [Google Scholar] [CrossRef]
[17]	Rowe, B.R. (2007) Will Outsourcing IT Security Lead to a Higher Social Level of Security? Proceedings of the 6th Workshop on the Economics of Information Security, Pittsburgh, 7-8 June 2007.
[18]	Wu, Y., Tayi, G.K., Feng, G. and Fung, R.Y.K. (2021) Managing Information Security Outsourcing in a Dynamic Cooperation Environment. Journal of the Association for Information Systems, 22, 827-850. [Google Scholar] [CrossRef]
[19]	Cezar, A., Cavusoglu, H. and Raghunathan, S. (2014) Outsourcing Information Security: Contracting Issues and Security Implications. Management Science, 60, 638-657. [Google Scholar] [CrossRef]
[20]	Yang, M., Jacob, V.S. and Raghunathan, S. (2020) Cloud Service Model’s Role in Provider and User Security Investment Incentives. Production and Operations Management, 30, 419-437. [Google Scholar] [CrossRef]
[21]	Zhao, X., Xue, L. and Whinston, A.B. (2013) Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements. Journal of Management Information Systems, 30, 123-152. [Google Scholar] [CrossRef]
[22]	Wu, Y., Feng, G. and Fung, R.Y.K. (2018) Comparison of Information Security Decisions under Different Security and Business Environments. Journal of the Operational Research Society, 69, 747-761. [Google Scholar] [CrossRef]
[23]	Zhang, C., Feng, N., Chen, J., Li, D. and Li, M. (2020) Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities. Information Systems Frontiers, 23, 773-790. [Google Scholar] [CrossRef]
[24]	Wu, Y., Xu, M., Cheng, D. and Dai, T. (2022) Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker. Decision Analysis, 19, 99-122. [Google Scholar] [CrossRef]
[25]	Miller, A. and Tucker, C. (2010) Encryption and Data Loss. The 9th Workshop on Economics of Information Security, Arlington, 7-8 June 2010.
[26]	Ghose, A. and Rajan, U. (2006) The Economic Impact of Regulatory Information Disclosure on Information Security Investments, Competition, and Social Welfare. The 5th Workshop on Economics of Information Security, Cambridge, 26-28 June 2006.
[27]	Lee, C.H., Geng, X. and Raghunathan, S. (2016) Mandatory Standards and Organizational Information Security. Information Systems Research, 27, 70-86. [Google Scholar] [CrossRef]
[28]	Gao, X., Gong, S., Wang, Y., Wang, X. and Qiu, M. (2022) An Economic Analysis of Information Security Decisions with Mandatory Security Standards in Resource Sharing Environments. Expert Systems with Applications, 206, Article ID: 117894. [Google Scholar] [CrossRef]
[29]	Smith, G. (2011) Quantifying Information Flow Using Min-Entropy. 2011 Eighth International Conference on Quantitative Evaluation of SysTems, Aachen, 5-8 September 2011, 159-167. [Google Scholar] [CrossRef]
[30]	Wheatman, V., Smith, B.S., Pescatore, J., Nicollet, M., Allan, A. and Mogull, R. (2005) What Your Organization Should Be Spending for Information Security.
[31]	Gupta, A. and Zhdanov, D. (2012) Growth and Sustainability of Managed Security Services Networks: An Economic Perspective. MIS Quarterly, 36, 1109-1130. [Google Scholar] [CrossRef]
[32]	Schwartz, R. (1997) Legal Regimes, Audit Quality and Investment. Accounting Review, 72, 385-406.
[33]	Temizkan, O., Park, S. and Saydam, C. (2017) Software Diversity for Improved Network Security: Optimal Distribution of Software-Based Shared Vulnerabilities. Information Systems Research, 28, 828-849. [Google Scholar] [CrossRef]

为你推荐

友情链接