Research on Information Security Decision of Complementary Firms Considering Security Standard
Abstract: With the deepening of global cooperation, firms' information assets are no longer independent of one another but form a complementary structure. To cope with increasingly frequent information security incidents, many firms choose to outsource security to managed security service providers (MSSPs). In addition, governments have begun to pay attention to firms' information security management and try to raise their security level through measures such as security standards and security subsidies. Based on the complementary information characteristics of firms, this paper studies the optimal information security decisions of complementary firms under different security conditions when a security standard is taken into account, and draws management implications for practical security decisions. We find that, whether security is managed in-house or outsourced, both firms and MSSPs raise security quality as the security subsidy increases. However, an overly strict mandatory security standard can induce firms to outsource security to an MSSP in order to shift liability, even when the firms know that the MSSP will not actually deliver the security quality the mandatory standard requires. Furthermore, when firms choose in-house management, a strict mandatory security standard distorts their equilibrium behavior and causes unnecessary social welfare loss.
Citation: Wang Nan (王楠), Wu Yong (吴勇). Research on Information Security Decision of Complementary Firms Considering Security Standard [J]. 管理科学与工程 (Management Science and Engineering), 2024, 13(1): 292-306. https://doi.org/10.12677/MSE.2024.131029
