Managing Security Outsourcing in the Presence of Strategic Hackers

Nowadays, firms tend to outsource security operations to professional managed security service providers (MSSPs) as a result of the sophistication of strategic hackers. Thus, how an MSSP makes security decisions according to a strategic hacker's action is worth researching. Constructing a contract theory model, this paper examines the interaction between an MSSP and a strategic hacker based on both parties' characteristics. We find that the hacker will give up less valuable information assets, and thus not all information assets are worth protecting for the MSSP. For both parties, their optimal efforts do not necessarily increase with their respective efficiency, and the firm's reputation loss has an opposite effect on its respective efforts. Moreover, we distinguish two types of security externalities including MSSP-side externality and hacker-side externality, and we find that the two types of security externalities have different effects on both parties' optimal efforts and expected payoffs. We also find that as a result of the trade-off between the integration effect of the MSSP and the effect of MSSP-side externality, firms are still willing to outsource their security operations to the MSSP even when an MSSP devotes fewer security efforts than those of firms that manage security in-house. Last, we extend our base model from two aspects to generalize the main results.