| With the rapid development of the market for information security,firms can have more choices to develop security protection of firm's information security.Traditionally,firms will choose to outsource information security to a managed security service provider(MSSP)or develop security protection in-house.Emerging research regarding the economics of outsourcing information security recommends that firms utilize full outsourcing due to its cost advantages but ignores the risk of information leakage inherent in full—and even in partial—outsourcing strategies.Once the firm chooses to outsource information security,this makes the managed security provider have the access to firm's information assets.Apart from two strategies mentioned above,we introduce a partial outsourcing strategy that divides a firm's information assets into critical and non-critical assets in our model.Then,we demonstrate the conditions for selecting from among three security strategies,i.e.,in-house development,partial outsourcing and full outsourcing.In contrast to prior studies examining high-risk information environments,we do not recommend outsourcing,including when the managed security service provider(MSSP)provides greater cost advantages.We further demonstrate that a firm should shift from outsourcing to developing security in-house as the percentage of critical assets increases.In addition,our results demonstrate that outsourcing only critical assets is a strictly dominated strategy and that outsourcing non-critical assets is an alternative strategy. |
PDF Full Text Request