Information Governance - JMIS Cyber security
Journal of Management Information Systems / Summer 2013, Vol. 30, No. 1, pp. 123–152.
© 2013 M.E. Sharpe, Inc. All rights reserved. Permissions: www.copyright.com
ISSN 0742–1222 (print) / ISSN 1557–928X (online)
DOI: 10.2753/MIS0742-1222300104
Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements
XIA ZhAO, LINg XuE, AND ANDrEw B. whINStON
Xia Zhao is an assistant professor of information systems at the Bryan School of Business and Economics, university of North Carolina at greensboro. She received her Ph.D. in management science and information systems from the McCombs School of Business at the university of texas at Austin. her research interests include online advertising, information security, electronic commerce, and It governance. She has published in Journal of Management Information Systems, Production and Opera- tions Management, Decision Support Systems, Information Systems Frontiers, IEEE Computer, International Journal of Electronic Commerce, and many conference proceedings.
Ling Xue is an assistant professor of information systems at the Bryan School of Business and Economics, university of North Carolina at greensboro. he received his Ph.D. in management science and information systems from the McCombs School of Business at the university of texas at Austin. his research interests are in the areas of It governance, the business value of It, electronic commerce, and information secu- rity. his papers have been published in Information Systems Research, MIS Quarterly, Academy of Management Journal, Journal of Operations Management, Production and Operations Management, Journal of Management Information Systems, Decision Support Systems, International Journal of Electronic Commerce, Journal of Global Information Management, and the proceedings of the International Conference on Information Systems.
andrew B. whinston is the hugh roy Cullen Centennial Chair in Business Admin- istration, Professor of Information Systems, Computer Science and Economics, John Newton Centennial IC2 Fellow, and Director of the Center for research in Electronic Commerce at the university of texas at Austin. he received his Ph.D. in management from Carnegie Mellon university. he was the editor-in-chief of Decision Support Systems and serves on the editorial or the advisory board of a number of journals. he has published over 400 articles in refereed journals, 27 books, and 62 book chapters. Among other career awards, he received recently the LEO Award for lifetime excep- tional achievement in information systems and AIS Fellowship from the Association for Information Systems in 2005.
aBstract: the interdependency of information security risks often induces firms to invest inefficiently in information technology security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending.
124 ZhAO, XuE, AND whINStON
however, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative risk management approaches: risk pooling arrangements (rPAs) and managed security services (MSSs). we show that firms can use an rPA as a complement to cyberinsurance to address the overinvestment issue caused by negative externalities of security investments; however, the adoption of an rPA is not incentive-compatible for firms when the security invest- ments generate positive externalities. we then show that the MSS provider serving multiple firms can internalize the externalities of security investments and mitigate the security investment inefficiency. As a result of risk interdependency, collective outsourcing arises as an equilibrium only when the total number of firms is small.
Key words and phrases: cyberinsurance, information security, interdependent risks, managed security services, risk management, risk pooling.
in the networK economy, product innovation and value creation are achieved via networks of firms, operating on large scales. the scope of information technology (It) has been expanding beyond the traditional organizational boundaries [17, 40]. As a result, information security risks have become intricately interdependent. For example, interorganizational information systems essentially physically connect firms’ It infrastructure via the Internet and expose the participating firms to network-wide security risks. An organization’s network is at risk if a hacker gains access to its partner’s network. Even firms without close business relationships may be logically interdependent: Strategic hackers often evaluate the security level of firms and select their targets on the basis of whose systems they can break into quickly without being detected [35]. In these examples, a firm’s security risks depend not only on its own security practices but also on the security protections of others.
Firms’ security risks can be either positively interdependent or negatively interde- pendent. the security risk is defined as the probability for a firm to have a security incident. Positive interdependency occurs when a company has higher security risks while other companies also have higher security risks. For example, a security threat that affects a firm may also influence the firm’s partners via the interorganizational information systems. the hacker who breaks into the firm’s network may steal sensi- tive data about the partners or penetrate the partners’ networks via the trust connec- tions. the security risks of the firm and its partners are thus positively interdependent. with positive interdependency, a firm’s security investment not only strengthens its protection but also reduces the likelihood that other firms have security breaches. the security investments therefore generate positive externalities [19, 31].
Negative interdependency occurs when a company has higher security risks while other companies have lower security risks. A typical example of a negatively inter- dependent security risk is a targeted attack. A targeted attack refers to a malware attack aimed at one firm or a small set of firms. Strategic hackers often evaluate the security level of firms using various hacking techniques, such as port scans or eavesdropping, and select as their target firms whose systems can be broken into
MANAgINg INtErDEPENDENt INFOrMAtION SECurIty rISkS 125
quickly without detection [35]. they usually put more effort into attacking systems with lower security levels [5]. According to the CSI Computer Crime and Security Survey 2010/2011 [6], 22 percent of respondents reported that their companies expe- rienced targeted attacks between July 2009 and June 2010. In this case, a firm’s self- protection, while reducing its own risks, potentially diverts hackers to other firms and thus increases other firms’ risks. therefore, security investments in this case generate negative externalities [5].
Because of the network externalities of security investments, firms often invest inefficiently from the perspective of a central decision maker who maximizes the total payoffs of all stakeholders. researchers from previous literature have identified both the underinvestment and overinvestment issues caused by the interdependency of security risks [5, 19, 31]. when the firms’ security investments generate positive externalities, a firm’s security investments strengthen not only its own security but also other firms’ security. Often, self-interested firms invest at a level lower than the opti- mal level, which maximizes the total profit of all firms [19, 31]. Examples of security investments that generate positive externalities include antivirus software and firewalls. the installation of antivirus software helps prevent viruses from widely propagating, and therefore benefits others. however, underinvestment in antivirus protection is prevalent. A study by McAfee reported that 17 percent of computers around the world had no antivirus protection installed or that the antivirus subscriptions had expired. Furthermore, the united States outpaced the average, with 19 percent of computers unprotected, according to the data [37]. when the firms’ security investments gener- ate negative externalities, self-interested firms invest at a level that is higher than the optimal level for all firms. Security measures that are used to defend against distributed denial of service (DDoS) attacks, such as content caching and redundant network devices, are more likely to generate negative externalities. Many e-commerce web sites, for example, prepare for 10 times the amount of peak traffic when designing their networks to defend the DDoS attacks. Such cost of risk mitigation is fairly high given that the possibility of DDoS attack is usually very low [29, 41].
this paper examines risk management solutions to the investment inefficiency caused by interdependent information security risks. Cyberinsurance has been proposed as a promising approach to managing information security risks and optimizing security expenditures [12, 31, 42]. Cyberinsurance is a range of first-party and third-party coverage that enables firms to transfer their security risks to the commercial insurance market. with cyberinsurance, firms can balance their expenditures between investing in security protections and acquiring insurance. however, cyberinsurance is ineffective in addressing the issue of investment inefficiency caused by interdependent security risks [31]. It does not internalize the externalities of security investments and cannot mitigate firms’ incentives to underinvest or overinvest. In addition, the cyberinsurance market is still underdeveloped. Only a few insurers offer cyberinsurance, and actuarial data on information security, breaches, and damages is scarce. the ever-changing nature of security threats also impedes the development of the third-party cyberinsurance market. the deficiency of cyberinsurance calls for new risk management solutions to address issues related to information security risks.
126 ZhAO, XuE, AND whINStON
we consider two potential risk management solutions: risk pooling arrangements (rPAs) and managed security services (MSSs). we study whether and how these solu- tions can be used to address the investment inefficiency and whether the self-interested firms have incentives to adopt these solutions. An rPA is a mutual form of insurance organization in which the policyholders are also the owners. Mutual insurance was widely adopted in the insurance market for medical malpractice and municipal liability during the late 1980s [22] and has since also been used in other lines of insurance, such as employee pension and employee health insurance. the traditional advantages of an rPA over commercial insurance include tax benefits, reduced overhead expenses, and flexible policy development [32].
rPAs are different from third-party cyberinsurance in terms of risk transfer. rPAs can never completely eliminate the risks for an individual policyholder. Even though the risk pool can issue full coverage for the firms’ security losses, each individual firm still bears part of the risk pool’s loss through its equity position. table 1 compares cyberinsurance and rPAs.
we find that even though an rPA endogenizes the network externalities of security investments for firms, the adoption of the rPA is incentive-compatible for firms only when security investments generate negative externalities. the key reason is that by pooling the risks of individual firms, the rPA induces moral hazard in teams, which refers to firms’ reluctance to invest in loss prevention when they can transfer security losses to others [15]. this type of moral hazard is shown to be desirable when security investments generate negative externalities. however, in the case of positive externali- ties, moral hazard further reduces the firms’ investment incentives and exacerbates the underinvestment problem.
the second solution is MSSs, or It security outsourcing. MSS providers (MSSPs) provide a range of security services, such as security monitoring and vulnerability assessments, network protection and penetration testing, managed spam services, antivirus and content filtering services, incident management and forensic analysis, data archiving and restoration, and on-site audits and consulting [1, 3]. the CSI Computer Crime and Security Survey 2010/2011 reported that as many as 36 percent of respondents outsourced part or all of their computer security functions to MSSPs. In addition, 14.1 percent of respondents indicated that their companies outsourced more than 20 percent of their security functions [6]. the global MSS market is fore-
table 1. Comparison Between Cyberinsurance and rPAs
Cyberinsurance rPA
Owner Third-party insurers Policyholders Risk transfer Policyholders can completely
transfer risks to insurers Policyholders always retain some
risks Examples AIG’s NetAdvantage,
Lloyd’s eComprehensive, Chubb’s CyberSecurity, Hiscox’s Hacker
Captives, risk retention groups, self-insurance groups
MANAgINg INtErDEPENDENt INFOrMAtION SECurIty rISkS 127
casted to more than double between 2011 and 2015, when it is expected to reach $16.8 billion [24].
we show that MSSs can address investment inefficiency caused by both positive and negative externalities of security investments when the total number of firms is small. using MSSs with a service level agreement (SLA), firms not only delegate the security operations but also transfer their security risks to MSSPs. Because the MSSP collectively manages the interdependent security risks for multiple client firms, it can internalize the externalities of security investments. however, collective outsourcing may not always arise as an equilibrium because of the interdependent nature of secu- rity risks. when the total number of firms is large, an individual firm can leverage the MSSP’s collective operations for others and receive a higher payoff by managing security in-house. Even if the MSSP is better able to manage security (i.e., is more cost-efficient in managing security) than the firms, this result still holds. this paper characterizes the condition under which all firms will adopt the MSS solution.
this paper contributes to the research on alternative risk transfer (Art) solutions. rPAs, as an Art approach, have been recognized by practitioners as having the advan- tages of reduced overhead expense and flexible policy development [32]. we find that, in addition to these advantages, rPAs can serve as a potential solution to investment inefficiency caused by interdependent security risks and can optimize firms’ security spending. this finding helps policymakers recognize the potential benefit of rPAs in security management and guide the development of policies for the mutual insurance industry. this paper also contributes to the literature on It security outsourcing. It has been well recognized that firms outsourcing security services can benefit from cost savings, reduced staffing needs, broader skills acquisition, security awareness, dedicated facilities, liability protection, and around-the-clock service [1]. we illus- trate that the use of MSSs can also be justified from the perspective of mitigating the investment inefficiency caused by risk interdependency.
the rest of the paper is organized as follows. In the next section, we review related literature on the economics of information security, cyberinsurance, rPAs, and MSSs. we then outline the model setup, followed by the analysis of the cyberinsurance, rPAs, and MSSs solutions. we also extend the model to account for heterogeneous firms. Finally, we draw managerial and policy implications and conclude this paper with future extensions.
related Literature
researchers in prior studies on the economics of information security have examined many issues related to information security investments (e.g., [14, 16, 18]). Anderson and Moore [2] discussed how moral hazard and adverse selection distort firms’ incen- tives to invest in information security. gordon and Loeb [10] developed an economic model to determine the optimal level of investment in information security. gal-Or and ghose [9] examined firms’ incentives to share security information and showed that information sharing and security investment complement each other. kunreuther and heal [19] characterized a class of interdependent security risks and demonstrated
128 ZhAO, XuE, AND whINStON
that firms generally underinvest in security protections when their security risks are interdependent. Our paper complements this stream of research by exploring risk management solutions to the investment inefficiency associated with interdependent information security risks.
there is an emerging body of literature that has examined the use of insurance in information security management. gordon et al. [12] discussed the advantages of using cyberinsurance to manage information security risks. Ogut et al. [31] used an economic model to examine firms’ investments in security protections and the use of cyberinsurance in the context of interdependent security risks. they showed that inter- dependence of security risks reduces firms’ incentives to invest in security technologies and to buy insurance coverage. All these studies focused on third-party commercial cyberinsurance, whereas in this paper, we propose and examine two alternative risk management approaches to information security risks: rPAs and MSSs.
Prior literature on risk management has justified the existence of rPAs from various perspectives. For example, the mutual form of insurance organization is more efficient when the distribution of risks prevents independent insurers from using the law of large numbers to eliminate risks [8, 25]. the mutual form of insurance can also address the conflicts of interest between insurers and policyholders because policyholders them- selves are the owners of a mutual insurer [7, 26, 27]. Moreover, mutual insurers can coexist with independent insurers as a result of the adverse selection of risk-averse policyholders [22]. this paper complements these studies by illustrating the use of mutual insurance to endogenize network externalities of security investments.
Our work is also related to prior work on contracting in It outsourcing, especially It security outsourcing. richmond et al. [34] analytically characterized the condi- tions under which an organization outsources its software enhancements, considering information asymmetry and different profit-sharing rules. whang [45] proposed a contract for outsourcing software development that achieves the outcome of in-house development. wang et al. [44] characterized the efficiency loss resulting from invest- ment externalities for both in-house software development and outsourced custom software development. Sen et al. [38] proposed a dynamic, priority-based, price-penalty scheme for outsourcing It services and found that it is more effective than a fixed-price approach. It security outsourcing has not received adequate research attention until recently. Allen et al. [1], Axelrod [3], and McQuillan [28] provided organizations with general guidance to help them knowledgeably engage MSSPs. gupta and Zhdanov [13] analytically explained the growth and sustainability of MSSP networks and found that the initial investment is critical in determining the size of MSS networks with positive externalities. In their setting, the issue of free-riding never occurred. Our paper exam- ines the use of MSSs to address interdependent information security risks that often lead to free-riding. hui et al. [16] examined both an MSSP and its clients’ equilibrium effort decisions when risk interdependency arose among the MSSP’s clients. In our paper, firms’ security risks are interdependent even though firms do not use an MSSP. Lee et al. [20] proposed a multilateral contract to solve the double moral hazard issues between the client firm and the MSSP. Our paper complements this stream of research by examining the use of It security outsourcing to address the investment inefficiency caused by interdependent information security risks among firms.
MANAgINg INtErDEPENDENt INFOrMAtION SECurIty rISkS 129
Model
we consider n risK-averse firms. Each firm has an initial wealth A. All firms have an identical payoff function U(.), where U(.) satisfies the conditions that U(.) > 0 and U(.) < 0 (i.e., U(.) is concave). the assumption of an increasing and concave utility function is consistent with the literature on risk management (e.g., [21, 23, 36, 39]). Firms invest in security protection to safeguard their information assets. As we dis- cussed in the Introduction, security investments often generate network externalities. the breach probability for an individual firm, firm i, is affected not only by its own security investment but also by the security investments of others. we let m(x
i , X
–i ) be
firm i ’s breach probability, where x i represents firm i ’s security investment, and where
X –i = [x
1 , ..., x
i–1 , x
i+1 , ..., x
n ] represents the other n – 1 firms’ security investments. A firm
loses L in a security breach. Firm i‘s expected payoff can be represented by
π µ µi i i i i i ix X U A L x x X U A x= ( ) − −( )+ − ( )( ) −( )− −, , .1 It is assumed that the investment cost is linear in the investment level. In particular,
the investment cost is equal to the investment level. the qualitative insights still hold if the investment cost is an increasing and convex function of the investment level. A firm’s security investment decreases its breach probability, and the investment exhibits a diminishing marginal return in reducing the breach probability. that is,
′ ( ) = ∂ ( )
∂ <−
−µ µ
i i i i i
i
x X x X
x ,
, 0
and
′′( ) = ∂ ( )
∂ >−
−µ µ
i i i i i
i
x X x X
x ,
, .
2
2 0
the assumption about the declining marginal return of the security investment is consistent with the CErt (Computer Emergency response team) incident data [30] and is widely used in the literature on security management (e.g., [4, 10, 11]).
we consider two types of network externalities: positive externalities and negative externalities. In the case of positive externalities, a firm’s security investment, while decreasing its breach probability, also decreases the breach probability of other firms (i.e., z
i ′ (x
j , X
–j ) = (∂m(x
j , X
–j )/x
i ) < 0, i ≠ j). In the case of negative externalities, a firm’s
security investment increases the breach probability of other firms (i.e., z i ′ (x
j , X
–j ) =
(∂m(x j , X
–j )/x
i ) > 0, i ≠ j). table 2 summarizes and compares the features of different
network externalities. Although firms’ security risks are interdependent, a firm’s security investment
generally has a greater effect on its own security than on other firms’ security. we therefore assume that
′ ( ) > ′ ( ) ≠− −µ ζi i i i j jx X x X j i, , , . (1)
In addition, we assume that
(2)′′ ( ) >− = ∑ µij j j
j n x X, .
... 0
1
130 ZhAO, XuE, AND whINStON
Condition (2) requires that the second-order effect of a firm’s security investment on its breach probability dominates the aggregate second-order effect of other firms’ investments on its breach probability. these conditions reflect the reality that, even though security risks are interdependent in cyberspace, a firm’s security investment is still an effective strategy for self-protection.
third-Party Cyberinsurance
we estaBLish the BenchmarK case in which firms use cyberinsurance to cover their security risks. we assume that firms can buy an insurance policy from the cyberinsur- ance market to cover their security losses. In practice, before issuing insurance poli- cies, insurance companies often formally audit the client firms to ensure that firms take proper actions to protect themselves. therefore, we assume that the security investment is observable to the insurers. the same assumption has been used in the literature [31].
the timing of events is as follows: (1) each firm chooses its security investment x
i , i = 1, ..., n; (2) each firm purchases cyberinsurance with coverage I
i , i = 1, ..., n,
from third-party insurers; and (3) the security losses are realized and the insurance compensations are made.
In this paper, we consider a mature insurance market in which firms are charged an actuarially fair premium. when firm i purchases an insurance policy with coverage I
i , the insurance premium is P
i = m(x
i , X
–i )I
i . Firm i ’s optimization problem can be
represented by
(3)
According to the first-order condition with respect to (w.r.t.) I i , we get I
i e = L, where
the superscript e denotes the cyberinsurance-only case. Equation (3) can be simpli- fied as
(4)
In the symmetric case, we have m i ′ (x
i e, X e
–i ) = –1/L, where x
i e represents firm i ’s equi-
librium security investment and X e –i = [x
1 e, ..., x e
i–1 , x e
i+1 , ..., x
n e].
table 2. Characteristics of Network Externalities
Derivatives of breach probability m
i ′(x
i , X
–i ) m
ii ″(x
i , X
–i ) z
i ′(x
j , X
–j )
No externalities < 0 > 0 = 0 Positive externalities < 0 > 0 < 0 Negative externalities < 0 > 0 > 0
π µ µ
µ
i I x
i i i i i i i
i i
i i
x X U A L I x X I x
x X
= ( ) − + − ( ) − )( + − ( )( )
−−
−
max , ,
,
,
1 UU A x X I xi i i i− ( ) −( )−µ , .
π µi x
i i i i
U A x X L x= − ( ) −( )−max , .
MANAgINg INtErDEPENDENt INFOrMAtION SECurIty rISkS 131
to evaluate the investment efficiency, we compare the firms’ investment levels in the cyberinsurance-only case with the optimal investment level. the optimal investment level is defined as the security investment level when all the firms jointly maximize their total payoffs. It is equivalent to the case in which a central decision maker maximizes the joint payoff and determines the investment levels for all firms. we next examine the central decision maker’s problem:
(5)
Again, according to the first-order condition w.r.t. I i , we get I
i o = L, i = 1...n, where the
superscript o denotes the centralized case. Equation (5) can be simplified as
Πs
I x i i i
i
n
i i
U A x X L x= − ( ) −( )− = ∑max , .
, µ
1 (6)
the first-order condition of Equation (6) w.r.t. x i is
′ − ( ) −( ) − ′ ( ) −( ) + ′ − ( ) −( ) − ′
− −
−
U A x X L x x X L
U A x X L x
i i i i i i
j j j
µ µ
µ
, ,
,
1
ζζi j j j j i
n
x X L, . ,
− = ≠
( )( ) =∑ 0 1
In the symmetric case, we have m i ′ (x
i o, X o
–i ) + (n – 1)z′
i (x
j o, X o
–j ) = –1/L, where x
i o rep-
resents the optimal level of security investment for firm i in the centralized case and X o
–i = [x
1 o, ..., x o
i–1 , x o
i+1 , ..., x
n o].
In the case of negative externalities, because m ii ″(x
i , X
–i ) > 0 and z
i ′(x
j , X
–j ) > 0, we get
x i e > x
i o. In the case of positive externalities, because m
ii ″(x
i , X
–i ) > 0 and z
i ′(x
j , X
–j ) < 0,
we get x i e < x
i o. therefore, the firms overinvest when the security investments generate
negative externalities and underinvest when the security investments generate positive externalities.
In the cyberinsurance-only case, we find that when security investments generate negative (positive) externalities, firms purchase full insurance (i.e., I
i e = L) and invest
more (less) than the optimal level. these results are in line with the findings in the existing literature [19, 31]. Even though commercial cyberinsurance can hedge firms’ risks, it cannot internalize the externalities of security investments and therefore is incapable of resolving either the overinvestment or underinvestment issues. A fine for liability has been proposed to address the investment inefficiency issues caused by the interdependent security risks [19, 31]. this mechanism requires the liable firm to compensate the loss that it causes to other firms. As a result, a self-interested firm will consider the impact of its investment on other firms’ security [19, 31]. however, a fine for liability between firms is difficult to enforce. Because the Internet has no clear delineation of jurisdiction, the imposition of liability across countries by enforcement powers (e.g., governments, regulatory agencies, or trade associations) is extremely costly, if not impossible. we next examine other risk management approaches—rPAs or MSSs—that can be used to address the investment inefficiency caused by risk interdependency.
Πs I x
i i i i i i i i
n
i
i i
x X U A L I x X I x
x X
= ( ) − + − ( ) − )(( + −
−− = ∑max , ,
,
, µ µ
µ 1
1 −− −( )( ) − ( ) −( ))i i i i iU A x X I xµ , .
132 ZhAO, XuE, AND whINStON
risk Pooling Arrangements
in this section, we eXamine the use of rpas in addressing interdependent risks. we use q ∈ [0, 1] to denote the ratio of loss covered by the risk pool. when a firm suffers a security loss of L, the mutual insurer compensates the firm qL. Because the firms are the equity holders of the mutual insurer, the total security losses collected by the mutual insurer are then shared equally among all the firms. If q < 1, the firms transfer only partial losses to the mutual insurer. If q = 1, the rPA provides full coverage to the firms, but each firm still retains part of the risk because of its equity position.
the timing of events is as follows: (1) n firms cooperatively choose q; (2) given q, each firm chooses its security investment x
i , i = 1, ..., n; (3) each firm purchases cyber-
insurance with coverage I i , i = 1, ..., n, from third-party insurers; and (4) the security
losses are realized, and the compensation stemming from both cyberinsurance and the rPA is received.
the compensation from an rPA is modeled as follows [21]. Assume that k firms out of n – 1 firms (excluding firm i ) suffer a security loss L. If firm i also suffers a loss L, each of the other n – 1 – k firms shares qL /n for firm i. Consequently, firm i bears only a loss of L – ((n – 1 – k)qL)/n in total. If firm i does not suffer any loss, it shares qL /n for each of the k firms that suffer a loss. As a result, firm i has to compensate kqL /n in total to the k firms.
when the rPA does not cover all the risks, firms can purchase third-party cyber- insurance in addition to using an rPA. the principle of indemnity1 requires that the cyberinsurance coverage satisfies the constraint that I
i + qL ≤ L; that is, the total insur-
ance compensation from both the rPA and the cyberinsurance cannot exceed the total loss. In the symmetric case, firm i’s expected payoff can be represented by
π µ ζ µi q x I
i i i i i i i
x X b k n U A L n k qL
n I x X= ( ) −( ) − + − −( ) + −− −max , , , ,
, , 1
1 (( ) −
+ − ( )( ) −( ) − − =
−
−
∑ I x
x X b k n U A kqL
n x X
i i k
n
i i i
0
1
1 1µ ζ µ, , , , −− =
− ( ) −
≤ −( )
∑ i i i k
n
i
I x
I q L
,
. . , 0
1
1s t
where z = z k = m(x
k , X
–k ) represents the breach probability for firm k (k ≠ i). we drop
the subscript k in the symmetric case. the function
b k n n
k n k k n k, ,
!
! ! −( ) =
−( ) − −( )
−( ) − −1 1
1 1
1ζ ζ ζ
denotes the binomial probability that k out of n – 1 firms have security breaches. Proposition 1 characterizes the complementary relationship between the rPA and the cyberinsurance:
Proposition 1: When firms use both an RPA and third-party cyberinsurance, we have I
i = (1 – q)L. That is, if the risk pool does not provide full coverage, firms
will buy third-party insurance to cover the residual risks.2
Proposition 1 shows that risk-averse firms always choose to hedge against all risks. If the risk pool covers only part of a firm’s risks (i.e., q < 1), the firm will use
MANAgINg INtErDEPENDENt INFOrMAtION SECurIty rISkS 133
the cyberinsurance to cover the residual risks. thus, firm i’s expected payoff can be represented by
π µ ζ µi q x
i i i i i
x X b k n U A L k qL
n x X q L= ( ) −( ) − + +( ) − ( ) −( )− −max , , , ,
, 1
1 1 −−
+ − ( )( ) −( ) − − ( ) =
−
− −
∑ x
x X b k n U A kqL
n x X
i k
n
i i i i
0
1
1 1µ ζ µ, , , , 11 0
1 −( ) −
=
− ∑ q L xi k
n
.
(7)
when a firm uses only cyberinsurance, it purchases full coverage (I i = L) and
completely transfers its risks to the cyberinsurance market. however, if firms adopt an rPA, they still retain part of the risks because they are equity holders of the risk pool (i.e., the mutual insurance entity). Presumably, a risk-averse firm always wants to minimize its risk exposure and prefers the third-party cyberinsurance to the rPA. however, in the context of interdependent security risks, cyberinsurance may not be superior because it cannot address network externalities of security investments. the question is whether, given interdependent security risks, firms have an incentive to use rPAs as a complement to cyberinsurance. we show next that the rPA solution is incentive-compatible for firms in the case of negative externalities but not in the case of positive externalities.
Negative Externalities
we first examine how the use of an rPA in addition to cyberinsurance influences firms’ security investments and payoffs when negative externalities exist:
Proposition 2: When security investments generate negative externalities, firms invest less in security in the case with both an RPA and cyberinsurance than in the case with cyberinsurance only.
the underlying insights of Proposition 2 are as follows. when q = 0, a firm uses cyberinsurance only and purchases full insurance. Considering the marginal effect of q on a firm’s investment at q = 0, we have (∂x
i /∂q)
|
q=0 < 0. In other words, an individual
firm invests less in security protections if all the firms collectively set up a risk pool and allocate a very small proportion of risk to the pool. the use of an rPA influences a firm’s investment incentives through two effects. the first is the internalization effect. Firms essentially share their security losses with one another via the rPA. Because an individual firm bears other firms’ losses, it takes into consideration the negative effect of its security investments on others and thus invests less. the second is the moral hazard effect. the rPA allows a firm to transfer its security loss to others, which also dampens the firm’s investment incentives (i.e., a firm would like to free ride on other firms because of moral hazard in teams [15]). In the case of negative externalities, firms have excess incentives to invest in security. the moral hazard effect helps mitigate the overinvestment incentive and hence strengthens the internalization effect. therefore, firms invest less in security protections when they participate in an rPA.
Proposition 3: When security investments generate negative externalities, partici- pating in an RPA (i.e., q > 0) is incentive-compatible for individual firms.
134 ZhAO, XuE, AND whINStON
Proposition 3 generates an important implication: when firms overinvest because of the negative externalities of their security investments, they have the incentives to adopt an rPA as a complement to the third-party cyberinsurance. In other words, individual firms are willing to pool their security risks using an rPA in addition to purchasing cyberinsurance. to better explain this incentive compatibility, we derive the marginal effect of q on firm i’s expected payoff when q = 0:
∂ ∂
= ′ − ( ) −( ) ( )
− ′ − ( ) −( )
= − −
−
π µ µ
µ
i q i i i i i
i i i
q U A x X L x x X L
U A x X L x
0 , ,
, 11 1
n x X L
n
n L
U A x X L x x X
x
i i
i i i i i
µ ζ
µ µ
,
, ,
−
− −
( ) + −
− ′ − ( ) −( ) ∂ ( ) ∂ jj
j
j j i
n x
q L
∂ ∂
= ≠ ∑ 1,
.
(8)
the first term of Equation (8) represents the marginal benefit that a firm receives from the reduced cyberinsurance premium. when the coverage of the risk pool, q, increases, a firm can purchase less cyberinsurance coverage I
i and thus pay a lower
premium m i I
i to the commercial insurer. the second term of Equation (8) represents
the marginal loss that a firm incurs from being exposed to the risks within the risk pool. In particular, (1/n)m(x
i , X
–i )L represents the marginal loss that a firm incurs
from retaining its own security damage and ((n – 1)/n)zL represents the marginal loss that a firm incurs from compensating others in the risk pool. the third term of Equation (8) represents the marginal effect of other firms’ security investments on the firm’s payoff. the first two terms cancel out in a symmetric equilibrium. Because U′(A – m(x
i , X
–i )L – x
i ) > 0, ∂m(x
i , X
–i )/∂x
j = z
i ′(x
i , X
–i ) > 0, and ∂x
j /∂q < 0, the third term
(including the negative sign) is positive, which means that the firm benefits from the reduced investments of others. the overall marginal effect of q on the firm’s expected payoff is positive (i.e., (∂p
i /∂q)
|
q=0 > 0); thus, firms always have an incentive to set up
a risk pool when the security investments generate negative externalities. Note that the findings in Propositions 1 to 3 do not depend on the functional forms of the utility function U(.) and breach probability function m(.), as long as U(.) and m(.) satisfy the conditions specified in the section of model setup.
Because the analytical solutions of the n-firm game with an rPA are intrac- table, we use numerical examples to illustrate the equilibrium pool coverage, the equilibrium investment, and the firms’ payoffs given n. In the numerical examples, we assume that the security investments are additive [24]. In particular, m(x
i , X
–i ) = exp(–2(x
i + bS
k=1...n,k≠i xk )). this breach probability function ensures that m
i ′(x
i , X
–i ) < 0 and m″
ii (x
i , X
–i ) > 0. the degree of network externalities is captured by
b, with b < 0 for the case of negative externalities, b > 0 for the case of positive exter- nalities, and b = 0 for no externalities. this function form of breach probability nicely captures the interdependent nature of security investments. For the case of negative externalities, we let b = –(1/15). this value ensures that z
i ′(x
j , X
–j ) > 0, m″
ij (x
j , X
–j ) < 0,
| m i ′(x
i , X
–i ) | > | z
i ′(x
j , X
–j ) |, (j ≠ i), and S
j=1...n m
ij (x
j , X
–j ) > 0 when the total number of firms
is less than 15. In the numerical example, we let A = 8, L = 6, and U(w) = –w(w – 20) for illustration.3
MANAgINg INtErDEPENDENt INFOrMAtION SECurIty rISkS 135
Figure 1a compares an individual firm’s security investments in the cyberinsurance- only case, the rPA case, and the optimal case when security investments generate negative externalities. when the number of firms increases, the security investment of an individual firm becomes less effective because of the higher negative aggregate effect of other firms’ security investments. A higher level of security investment is desirable to cancel out this aggregate effect. therefore, the security investments in the optimal case and the cyberinsurance case are increasing in n. the higher negative effect with larger n also leads to a wider gap between the optimal investment and the investment in the cyberinsurance-only case. Specifically, as the number of firms increases, each individual firm’s security investment in the cyberinsurance-only case further deviates from the optimal level. rPAs can effectively mitigate firms’ overinvestment incentives. An individual firm’s security investment is significantly lower in the rPA case than in the cyberinsurance-only case. relative to the investment in the cyberinsurance-only case, the investment in the rPA case comes closer to the optimal level. Figure 1b compares the firm’s expected payoffs in the cyberinsurance-only case, the rPA case, and the optimal case. the curves show that relative to the cyberinsurance-only case, the firm’s expected payoff in the rPA case is much closer to the optimal payoff.
Figure 1c illustrates the optimal ratio of loss that firms allocate to the risk pool. the proportion of the loss allocated to the risk pool increases as the number of firms in the pool increases. when the number of firms increases, firms have more incentives to overinvest because of the higher negative aggregate effect of security investments by other firms. Firms allocate more risks to the risk pool to better leverage the inter- nalization and moral hazard effects and to mitigate overinvestment. Figure 1 thus illustrates that an rPA is an effective solution to the investment inefficiency caused by the negative externalities of security investments.
Positive Externality
the preceding subsection demonstrates that when security investments generate nega- tive externalities, firms will set up a risk pool and use it to cover a positive proportion of risks. rPAs help address firms’ overinvestment incentives through the internalization and moral hazard effects. when security investments generate positive externalities, do firms still have an incentive to set up an rPA? Proposition 4 provides some insights on the firms’ investment incentive with an rPA:
Proposition 4: When security investments generate positive externalities, firms invest less in security in the RPA case (as compared with the cyberinsurance-only case) if the risks covered in the RPA are sufficiently small (i.e., ∂x
i /∂q |
q=0 < 0).
In the case of positive externalities, we have ∂x i /∂q |
q=0 < 0. Again, a firm invests
less in security protections if firms set up a risk pool and allocate a very small pro- portion of risk to the pool. the positive externalities of security investments lead to insufficient investment incentives for firms. Even though the internalization effect helps mitigate the underinvestment incentive, the moral hazard effect dampens firms’ investment incentives and undermines the capability of rPAs to internalize the posi- tive externalities. the moral hazard effect always dominates over the internalization
136 ZhAO, XuE, AND whINStON
(c) ratio of loss covered by an rPA
Figure 1. Firms’ Security Investments, Firms’ Payoffs, and the ratio of Loss Covered by an rPA when Security Investments generate Negative Externalities
(a) Firms’ security investments
(b) Firms’ payoffs
MANAgINg INtErDEPENDENt INFOrMAtION SECurIty rISkS 137
effect. therefore, when an rPA is used in addition to cyberinsurance, firms have even fewer incentives to invest. Proposition 5 sheds light on firms’ incentives to set up a risk pool for positively interdependent security risks:
Proposition 5: When security investments generate positive externalities, an RPA is not an incentive-compatible solution for individual firms if it is used to cover only a small proportion of the risk (i.e., ∂x
i /∂q |
q=0 < 0).
to understand Proposition 5, we examine Equation (8) in the context of positive externalities. As in the case with negative externalities, the first two terms of Equa- tion (8) cancel out. Because U ′(A – m(x
i , X
–i )L – x
i ) > 0, ∂m(x
i , X
–i )/x
j < 0, and ∂x
j /q < 0,
the third term (including the negative sign) is negative. therefore, Equation (8) is negative overall. thus, using a risk pool to cover a small proportion of risks decreases an individual firm’s expected payoff. therefore, firms have no incentive to set up a risk pool for a small proportion of risks. the question, then, is whether firms have an incentive to set up an rPA with a large coverage. Because the closed-form solution of q in this multiplayer game is intractable, we used a numerical approach to search for the possibility that firms are willing to adopt an rPA. In our search, we used a series of exponential breach probability functions, m(x
i , X
–i ) = exp(–t (x
i + bS
k=1...n,k≠i xk )). the exponential function ensures that the value of breach probability is always between 0 and 1 for a positive amount of security investments. we let t ∈ {1, 2, ..., 10}, which represents different degrees of convexity of the breach probability func- tion. the total number of firms, n, ranges from 2 to 30. we let b ∈ {1/10(n – 1), 9/10(n – 1), ..., 1/(n – 1)}, which ensures that the externality is positive. In addition, the aggregate effect of others’ security investments is lower than that of the firm’s own secu- rity investment. three increasing and concave payoff functions are examined. they are U(w) = –exp(–w) + 1, U(w) = –w(w – 20), and U(w) = log(w + 1), which represent different degrees of concavity of the firms’ payoffs. we did not find any parameter space in which firms have an incentive to set up a risk pool. therefore, the incentive- compatibility of the rPA solution is difficult to achieve in the case with positive externalities of security investments.
Managed Security Services
in the previous section, we showed that the effectiveness of rpas depends on the nature of security risks. the rPA solution is effective in addressing overinvestment issues associated with negatively interdependent risks. however, it cannot address the underinvestment issues associated with positively interdependent risks. In this section, we examine a different security management solution: MSSs (or security management outsourcing). we first assume that the MSSP has the same level of security expertise as the firms. this assumption enables us to highlight the insight that the use of MSSs can be justified from the perspective of risk interdependency—not on the basis that the MSSP is more cost-efficient than the client firms. we later extend the analysis and study the case that the MSSP has a cost advantage.
If a firm uses MSSs, it pays a fixed fee, denoted by t, to the MSSP. we refer to the firms using MSSs as the member firms and the firms not using MSSs as nonmember
138 ZhAO, XuE, AND whINStON
firms. In practice, an SLA is often used to ensure that the MSSP assumes account- ability for the security loss and manages the security for the member firms’ benefits. In this paper, we assume that the SLA specifies the compensation level that the MSSP pays to a member firm if the latter suffers a security loss. we denote the compensa- tion level as d.
the timing of events is as follows: (1) the MSSP announces the service fee, t ; (2) firms decide whether or not to use the MSSs; (3) the MSSP invests in security protections for the member firms, and the nonmember firms obtain the expected reservation payoff, U
s ; and (4) the security losses are realized and the compensations
are made according to the SLAs. Because firms are homogeneous, we focus on the symmetric case in which all firms
choose the same strategies. the MSSP’s problem can be formulated as
Πm d t x
i i i i
n
i i
i
t x X d x
x X U A L d t
= − ( ) −
( ) − + −( ) + −
=
−
∑max ,
. . ,
, , µ
µ 1
1s t −− ( )( ) −( ) ≥−µ x X U A t Ui i s, . (9)
Constraint (9) ensures that a firm has a higher payoff when outsourcing security management to the MSSP than when it manages security in-house and achieves the reservation payoff. Lemma 1 characterizes the optimal compensation level that the MSSP will establish.
Lemma 1: The loss compensation d satisfies that d = L .
when a member firm has a security breach and losses L , the MSSP compensates the firm to the level of d. Because the member firms are risk averse but the MSSP is risk neutral, the MSSP is willing to provide full insurance to the member firms. As a result, the member firms transfer all security risks to the MSSP. In this regard, the MSSP serves as a third-party insurer in addition to a professional service provider [1]. this is in contrast to the rPA, with which each member firm has to share 1/n of the total loss.
using the result in Lemma 1, the MSSP’s problem can be simplified as
Πm t x
i i i i
n
s
i
t x X L x
U A t U
= − ( ) − −( ) ≥
− = ∑max ,
. . .
, µ
1
s t
(10)
Proposition 6 gives the MSSP’s investment decisions for the member firms:
Proposition 6: When all individual firms collectively outsource their security management to the MSSP, the MSSP makes the security investment at the optimal level.
Collective outsourcing occurs when all firms outsource their security management to the MSSP. Proposition 6 shows that in collective outsourcing, investment inefficiency caused by risk interdependency is addressed: the MSSP makes the security investment at the optimal level for all member firms. the optimal level is achieved because the
MANAgINg INtErDEPENDENt INFOrMAtION SECurIty rISkS 139
investment decision making is shifted to one entity, so that network externalities are completely internalized. As a result, the investment inefficiency is eliminated.
Sustainability of Collective Outsourcing
Although collective outsourcing can lead to optimal security investments (made by the MSSP), whether this solution is incentive-compatible to individual firms is still unclear. the question is this: when all other firms use MSSs, does an individual firm have the incentive to defect from using the MSSs? when a firm defects, it has to man- age security in-house, but it can still use cyberinsurance to hedge against its security risks. the payoff of the defecting firm can be considered as a firm’s reservation payoff (outside option) when deciding on whether to use MSSs (i.e., U
s ). we next examine
whether collective outsourcing is sustainable as an equilibrium for individual firms. For analysis tractability, we again assume that the security investments are additive [24]. In particular, m(x
i ,X
–i ) = p(x
i + bS
k=1...n,k≠i xk ), where p is a decreasing and convex func- tion, p′(.) < 0, and p″(.) > 0. this breach probability function ensures that m
i ′(.) < 0
and m ii ″(.) > 0. In the case of negative externality, let b < 0. this ensures z
i ′(.) > 0. In
the case of positive externality, let b > 0. this ensures z i ′(.) < 0.
Suppose that a firm defects but that the other n – 1 firms still outsource their security man- agement to the MSSP. the defecting firm’s payoff is pd = U(A – p(xd + b(n – 1)xmd)L – xd ) where xd represents the defecting firm’s security investment level and xmd represents the MSSP’s investment level for a member firm when a firm defects.
Let U s = pd. the MSSP’s problem can be represented as
Πm
d
t x i k
k k i
n
i i
n
i
t p x b x L x= − +
− = ≠= ∑∑max
, ,11 (11)
s t. . . U A t U A p x b n x L xd md d−( ) ≥ − + −( )( ) −( )1 (12)
Constraint (12) is an individual rationality constraint ensuring that a firm has a higher payoff when using MSSs than when managing security in-house and purchasing cyberinsurance. this constraint requires that the MSSP establishes a fee that would not result in member firm defection. Lemma 2 characterizes the optimal service fee that the MSSP charges:
Lemma 2: The optimal service fee charged by the MSSP satisfies t = p(xd + b(n – 1)xmd)L + xd.
the MSSP profits from the service fee. A for-profit MSSP charges a service fee that is as high as possible to maximize its profit, while still ensuring that firms are willing to use the MSS. Suppose a firm defects. the total expected cost for It security for the defecting firm is p(xd + b(n – 1)xmd )L + xd (i.e., the cyberinsurance premium plus the security investment). the maximum service fee for the MSSs is therefore equal to the expected total security cost of the defecting firm, so that any firm is indifferent between defecting or not.
140 ZhAO, XuE, AND whINStON
According to Equation (11) and Lemma 2, the MSSP’s profit is
Πm d d md d o on p x b n x L x p b n x L x= + −( )( ) + − + −( )( )( ) +( ) 1 1 1 .
For collective outsourcing to be viable, the MSSP must charge a fee that can cover its service cost. to derive additional insight, we use a general exponential breach probability (i.e., p(y) = exp(–ly)) to compare between the service fee (i.e., p(xd + b(n – 1)xmd )L + xd )) and the service cost (i.e., p((1 + b(n – 1))xo)L + xo). Propo- sition 7 characterizes the condition under which collective outsourcing is sustainable as an equilibrium:
Proposition 7: All firms are willing to outsource their security management if
1 1 1 2 1 1 0 1 1
−( ) −( ) − + −( )( ) + −( )( )( ) >−( ) −( )b b n b n b nb n bln . when the condition in Proposition 7 holds, the expected security cost incurred by a
defecting firm (i.e., p(xd + b(n – 1)xmd )L + xd ) is higher than the service cost incurred by the MSSP for each member firm in collective outsourcing (i.e., p((1 + b(n – 1))xo)L + xo). According to Lemma 2, the MSSP charges a fee equal to a defecting firm’s security cost. this service fee not only ensures that all firms have incentives to use MSSs but also yields a positive profit for the MSSP. therefore, the equilibrium of collective outsourcing using MSSs is sustainable when the condition in Proposition 7 holds.
the sustainability of collective outsourcing, although achievable with a small number of firms, becomes increasingly difficult to achieve as the number of firms increases. when the number of firms is larger, an individual defecting firm gains more from the MSSP’s collective operations. In the case of negative externalities, a larger number of firms provides the MSSP with more incentives to reduce the security investment to address the overinvestment issue for each member firm, making it easier for a defect- ing firm to beat the MSSP in security investment and drive hackers away. In the case of positive externalities, a larger number of firms induces the MSSP to increase the security investment to address the underinvestment issue for each member firm, making it easier for a defecting firm to free-ride. therefore, an individual firm is more likely to defect, and the retention of all member firms is then more difficult for the MSSP. As a result, there is a maximum number of firms with which the MSSP can induce all firms to use the MSSs and address the investment inefficiency. Figure 2 demonstrates the maximum number of firms for which a sustainable equilibrium exists, given the degree of network externalities, b.
the increase in the degree of network externalities generates two countervailing effects on firms’ incentives to defect. In the case of negative externalities (b < 0), when the degree of network externalities is higher (b is smaller), the advantage of the MSS solution in internalizing externalities of the security investments is more evident, and a firm is more willing to use the MSSs. whereas a firm also benefits more if it deviates from using the MSSs. this is because higher negative externalities induce the MSSP to invest less aggressively, and, as a result, it is easier for a defecting firm to beat the MSSP in security investment and drive hackers away. An individual firm is thus less
MANAgINg INtErDEPENDENt INFOrMAtION SECurIty rISkS 141
willing to pay for MSSs, forcing the MSSP to lower the service fee. the fee that the MSSP can charge depends on the trade-off between these two effects. As a result, the maximum number of firms that ensures a sustainable equilibrium is first increasing in b and then decreasing in b.
when the security investments generate positive externalities (i.e., b > 0), the defect- ing firm can free-ride on the MSSP’s collective security operations for member firms. As a result, the MSSP has to keep the service fee low to retain the member firms. when the number of firms is larger, the benefit of free-riding is higher, and the service fee that the MSSP charges cannot cover the expected cost of serving a firm. As a result, collective outsourcing to the MSSP is a sustainable equilibrium only when n = 2. It is worth noting that when security investments generate positive externalities and the MSSP is more cost-efficient, the maximum number of firms in a sustainable equilib- rium may be higher than two, as is illustrated in the next section.
when b = 0, the firms’ security risks are independent, and security investments have no externalities. the service fee that the MSSP charges is equal to the security cost that the MSSP incurs to serve a member firm. As a result, the MSSP always makes zero profit (i.e., P7’s condition never holds). this case is a trivial one.
MSSP’s Cost Efficiency
the previous analysis presents a counterintuitive result: Even though the MSSP serving all firms invests at the optimal level and firms all benefit from security outsourcing, collective outsourcing to the MSSP might not arise as an equilibrium. this phenomenon occurs because a firm, even after defecting, might indirectly benefit from the MSSP’s
Figure 2. Maximum Number of Firms in Collective Outsourcing Equilibrium as a Function of b
142 ZhAO, XuE, AND whINStON
security operations, resulting in a higher payoff for the firm than actually using the MSSs. As a result, the MSSP cannot charge a fee that sustains collective outsourcing and results in a profit.
In practice, the MSSP is often more capable of managing security because of its better technology, more experienced staff, and higher operational efficiency. A major reason for which individual firms outsource security management is to leverage the MSSP’s cost efficiency [1, 3]. In this subsection, we examine how the MSSP’s cost advantage is weakened by network externalities of security investments. we assume that the MSSP incurs an investment cost, yx
i , where y ∈ [0, 1] captures the level of
cost efficiency. when y = 1, the MSSP has the same level of cost efficiency as indi- vidual firms; as y decreases, the MSSP becomes more cost-efficient than individual firms. the MSSP’s problem can be represented as
Π = − +
−
−( ) ≥ − = ≠= ∑∑max
. .
, ,t x i k
k k i
n
i i
n
i
t p x b x L x
U A t U A
11 ψ
s t pp x b n x L xd md d+ −( )( ) −( )2 . Proposition 8 presents the condition under which collective outsourcing arises as an
equilibrium when the MSSP is more cost-efficient than individual firms:
Proposition 8: When the MSSP is more cost-efficient than the individual firms (0 < y < 1), all firms decide to outsource their security services if
1 1 1 1 1
1 2 1 1
−( ) − + −( )( ) + −( ) + −( )( ) − + −( )( ) +−( )
b b n b n b
b n b b n
ψ ψ ψln
ln nn b L b
−( )( )( ) + −( ) −( ) ( ) >−( )1 1 1 01ψ ψ λln . when the MSSP is more cost-efficient than individual firms (0 < y < 1), the maximum
number of firms yielding a collective outsourcing equilibrium depends on the level of cost efficiency (y), in addition to the degree of network externalities (b). Figure 3 illustrates the maximum number of firms with which collective outsourcing arises as a sustainable equilibrium, given the level of cost efficiency. Similar to the degree of network externalities, cost efficiency affects the firms’ defection incentives through two countervailing effects. On the one hand, a more efficient MSSP (y is smaller) is more capable of managing the security risks than are individual firms. therefore, an individual firm is more willing to use the MSSs. this is the cost-efficiency effect. On the other hand, a defecting firm benefits more by taking advantage of the MSSP’s collective security management when the MSSP is more cost-efficient. this effect decreases a firm’s willingness to pay for the MSS. this is the defection effect. Fig- ure 3 illustrates the maximum number of firms in a sustainable equilibrium when the MSSP is more cost-efficient. It shows that when the security investments generate positive externalities (b = 0.1), the maximum number of firms in a collective out- sourcing equilibrium is first increasing and then decreasing in y. when the security investments generate negative externalities (b = –0.1), the cost-efficiency effect dominates the defection effect when the MSSP’s cost efficiency is high (y is small). therefore, collective outsourcing is more likely to arise (i.e., all firms are willing to use the MSS) when y is small.4 however, when y is large enough (i.e., the MSSP is
MANAgINg INtErDEPENDENt INFOrMAtION SECurIty rISkS 143
less cost-efficient), the cost-efficiency effect is weakened and the maximum number of firms decreases to two.
heterogeneous Firms
in this paper, we foLLow the cLassic Literature on risK pooLing and focus on ex ante homogeneous firms. In this section, we extend the model and discuss the case that firms have heterogeneous security losses. In particular, we assume that there are two types of firms: type-1 firms and type-2 firms. In a security breach, a type-1 firm loses L
1 , and a type-2 firm loses L
2 , where L
1 > L
2 . Let the total numbers of type-1 firms and
type-2 firms be n 1 and n
2 , respectively. we have n = n
1 + n
2 .
when firms use cyberinsurance only, we can verify that a firm still overinvests when the security investments generate negative externalities and underinvests when the security investments generate positive externalities. we next examine firms’ security investments and expected payoffs in the rPA case. the expected payoff of a type-1 firm can be represented by
π µ ζ ζi i i j n
k n
x X b k n b j n
U A L
1 1 1 1 200
1
1
121= ( ) −( ) ( )( ⋅ − +
− == − ∑∑, , , , ,
nn k j q L
n I x X I x
x X
i i i i i
i i
− − −( ) + − ( ) −
+ −
−
−
1
1
1 1 1 1 1 1 1
1
µ
µ
,
, 11 1 200 1
1 1 2 2
121( )( ) −( ) ( )( ⋅ −
+
== − ∑∑ b k n b j n
U A kq L jq L
n
j n
k n
, , , ,ζ ζ
−− ( ) −
≤ −( )
−µ x X I x
I q L
i i i i
i
1 1 1 1
1 1 11
, ,
. . .s t
Figure 3. Maximum Number of Firms in a Collective Outsourcing Equilibrium as a Function of y
144 ZhAO, XuE, AND whINStON
And, the expected payoff of a type-2 firm can be represented by
π µ ζ ζi i i j n
k n
x X b k n b j n
U A L
2 2 2 1 20
1 0
2
121= ( ) ( ) −( )( ⋅ − +
− = −
= ∑∑, , , , ,
nn k j q L
n I x X I x
x X
i i i i i
i i
− − −( ) + − ( ) −
+ −
−
−
1
1
2 2 2 2 2 2 2
2
µ
µ
,
, 22 1 20 1
0
1 1 2 2
121( )( ) ( ) −( )( ⋅ −
+
= −
= ∑∑ b k n b j n
U A kq L jq L
n
j n
k n
, , , ,ζ ζ
−− ( ) −
≤ −( )
−µ x X I x
I q L
i i i i
i
2 2 2 2
2 2 21
, ,
. . ,s t
where q 1 (q
2 ) is the ratio of loss covered by the risk pool for type-1 firms (type-2 firms).
Since the rPA is a mutual insurance organization and the participating firms equally share the loss as equity holders, the rPA covers the same amount of loss for all the firms. we therefore focus on the case that q
1 L
1 = q
2 L
2 . Differentiating p
i j w.r.t. I
i j, we
get I i j = (1 – q
j )L
j , where j = 1, 2.
the expected payoffs for type-1 and type-2 firms are, respectively,
π µ ζ ζi i i j n
k n
x X b k n b j n
U A k j
1 1 1 1 200
1 121= ( ) −( ) ( )(
⋅ − +
− == − ∑∑, , , , ,
++( ) − ( ) −( ) −
+ − ( )( −
−
1 1
1
1 1 1 1
1 1 1
1 1
n q L x X q L x
x X
i i i
i i
µ
µ
,
, )) −( ) ( )( ⋅ −
+ −
== −
−
∑∑ b k n b j n
U A k j
n q L x X
j n
k n
i
, , , ,
,
1 200 1
1 1 1
121 ζ ζ
µ ii iq L x 1
1 1 11( ) −( ) −
and
π µ ζ ζi i i j n
k n
x X b k n b j n
U A k j
2 2 2 1 20
1 0 1
21= ( ) ( ) −( )( ⋅ −
+
− = −
= ∑∑, , , , ,
++( ) − ( ) −( ) −
+ − ( )( −
−
1 1
1
1 1 2 2
2 2 2
2 2
n q L x X q L x
x X
i i i
i i
µ
µ
,
, )) ( ) −( )( ⋅ −
+ −
= −
=
−
∑∑ b k n b j n
U A k j
n q L x X
j n
k n
i
, , , ,
,
1 20 1
0
1 1 2
121 ζ ζ
µ ii iq L x 2
2 2 21( ) −( ) −
.
Since the analytical solutions to the case with heterogeneous firm are intractable, we use numerical examples to illustrate the equilibrium security investments, the firms’ payoffs, and the equilibrium pool coverages. Similar to the numerical examples in the risk Pooling Arrangements section, we assume m(x
i , X
–i ) = exp(–2(x
i + bS
k=1...n,k≠i xk )), where b = –(1/15) and U(w) = –w(w – 20). In addition, we let A = 8, L
1 = 6, and L
2 = 4.
we assume that type-1 firms account for about half the firms. In particular, n 1 = n
2 = n/ 2
when n is an even number and n 1 = n
2 – 1 when n is an odd number. Figures 4 show
MANAgINg INtErDEPENDENt INFOrMAtION SECurIty rISkS 145
the security investments, the firms’ payoffs, and the ratios of loss coverage for type-1 and type-2 firms.
Figure 4a shows the firms’ security investments in the cyberinsurance-only case, the rPA case, and the optimal case when security investments generate negative externalities. the solid curves represent a type-1 firm’s security investments, and the dash curves represent a type-2 firm’s security investments. with heterogeneous firms, rPAs can still mitigate firms’ overinvestment incentives. Both the type-1 firm’s and type-2 firm’s security investments in the rPA case are significantly lower than their investments in the cyberinsurance-only case. Figure 4b compares the firm’s expected payoffs. the curves show that the firm’s expected payoffs in the rPA case are higher than their payoffs in the cyberinsurance-only case. Figure 4c illustrates the optimal ratios of loss covered by the risk pool for type-1 firms and type-2 firms. Similar to Figure 1c, the pool coverages increase as the number of firms in the pool increases. we also examined the case in which security investments generate positive network externalities and found that the rPA cannot address the underinvestment issues. All the findings in the risk Pooling Arrangements section hold qualitatively.
we then examine firms’ security investments and expected payoffs in the MSS case. the MSSP’s profit can be represented as
Πm i i i i i i
n
i i i i i i
t x X d x
x X U A L d t x
= − ( ) −
( ) − + −( ) + − −
=
−
∑ µ
µ µ
,
. . ,
1
1s t ,, .X U A t Ui i si−( )( ) −( ) ≥ As we described in the Managed Security Services section, the MSSP has extensive
security expertise and is therefore capable of evaluating the clients’ security. In practice, the MSSP often needs to conduct an on-site inspection before serving a client. It is reasonable to assume that the MSSP can accurately diagnose and separate type-1 firms and type-2 firms. this assumption ensures that the MSSP does not need to practice price differentiation. Differentiating P
m w.r.t. d
i , we have d
i = L
i . the MSSP’s profit
can be simplified as
Πm d t x
i i i i i i
n
i si
i i i
t x X d x
U A t U
= − ( ) −
−( ) ≥ −
= ∑max ,
. . .
, , µ
1
s t
Again, we use numerical examples to illustrate the maximum number of firms for which a sustainable equilibrium exists, given the degree of network exter- nalities, b. we use the same parameter specifications as in Figure 4. In particular, m(x
i , X
–i ) = exp(–2(x
i + bS
k=1...n,k≠i xk )), U(w) = –w(w – 20), A = 8, L1 = 6, and L2 = 4. In addition, n
1 = n
2 = n/ 2 when n is an even number, and n
1 = n
2 – 1 when n is an odd
number. Figure 5 shows that when the security investments generate negative externalities
(i.e., b < 0), the maximum number of firms that ensures a sustainable equilibrium is first increasing in b and then decreasing in b. when firms are heterogeneous, the countervailing effects of network externalities on the MSSP’s service fee identified in the section of managed security services still exist. As a result, the maximum
146 ZhAO, XuE, AND whINStON
Figure 4. Firms’ Security Investments, Firms’ Payoffs, and the ratios of Loss Covered by an rPA when Security Investments generate Negative Externalities in the heterogeneous Case with two types of Firms
(a) Firms’ security investment in the heterogeneous case
(b) Firms’ payoffs in the heterogeneous case
(c) ratio of loss covered by an rPA in the heterogeneous case
MANAgINg INtErDEPENDENt INFOrMAtION SECurIty rISkS 147
number of firms for a sustainable equilibrium changes in the same pattern as that in the homogeneous case. when the security investments generate positive externalities (i.e., b > 0), collective outsourcing to the MSSP is a sustainable equilibrium only when n = 2. the analysis and numerical illustrations show that all the findings in the previous sections hold qualitatively.
It is worth noting that the use of a common increasing and concave utility function in this paper, although rooted in the risk management literature, could be potentially restrictive. In reality, the payoffs of heterogeneous firms may be better modeled using different functions. the present study is the first step to gaining insights in using alternative solutions to manage interdependent security risks. A thorough study of the alternative risk management solutions for heterogeneous firms deserves further research.
Discussion and Conclusion
the oBjective of security risK management is to appropriately use security resources to reduce firms’ risk exposure. the risk management approaches considered in this paper—third-party cyberinsurance, MSSs, and rPAs—differ in their effectiveness in reducing risk exposure and inducing efficient security investments. Both cyberinsur- ance and MSSs provide complete risk transfer. As compared with cyberinsurance, MSSs induce more efficient allocation of security resources because the MSSP, when serving all firms, internalizes the externalities of security investments between the member firms. rPAs, in contrast, do not provide complete risk transfer. however, they still help to induce more efficient security investments than cyberinsurance when security investments generate negative externalities. Both the internalization
Figure 5. Maximum Number of Firms in Collective Outsourcing Equilibrium as a Function of b in the heterogeneous Case with two types of Firms
148 ZhAO, XuE, AND whINStON
effect and the moral hazard effect associated with rPAs mitigate firms’ overinvest- ment incentives.
In this paper, we focused on risk-averse firms. Note, however, that the analysis on the rPA and MSS solutions can also be applied to the case with risk-neutral firms, and all the findings still hold. Even though the risk-neutral firms are indifferent to the choices of adopting cyberinsurance to hedge risks and bearing random losses, they might still be willing to adopt the solutions that address interdependent security risks. In particular, risk-neutral firms have incentives to use rPAs when the security invest- ments generate negative externalities. In addition, MSSs can be used to address the investment inefficiency caused by interdependent risks; however, collective outsourcing to an MSSP is not sustainable when the number of firms is large. risk-loving firms are likely to actively pursue risks to maximize their payoffs, and they are beyond the scope of this research.
In this paper, we assumed that the amount of loss is fixed in a security breach. If a firm’s loss is a random amount in a security breach and the insurance company can specify a complete contingent insurance contract, a risk-neutral insurance company still provides full insurance to the risk-averse firm. In that case, the insurance com- pany must be able to expect all loss contingencies and write the complete contingent contract, which details the compensation level for each loss level. Similarly, the MSSP will offer full compensation for each loss level.
rPAs have traditionally been implemented in the forms of self-insurance, captives, risk retention groups, and pools to insure a wide variety of risks, such as medical practices, municipal liability, employee pension, and employee health care insurance. however, they have not been widely employed in the area of information security. Information security risks have the feature of risk interdependency, which challenges traditional risk management solutions and calls for alternative solutions. rPAs make firms share risks with one another within the pool and hence motivate firms to consider others’ risks when making investment decisions. they thus have the potential to be an effective solution for interdependent risks in the area of information security. rPAs’ ability to address interdependent information security risks also makes their use desir- able, even when firms are risk-neutral. thus, we see another advantage of using rPAs in information security: they empower firms to actively control interdependent risks, in addition to hedging risks for risk-averse firms.
Additional advantages of using rPAs in information security include flexible policy development and larger capacity. Insurability of information security risks is often limited in the cyberinsurance market because of the lack of experience in deal- ing with new security risks. rPAs allow the policy terms to be tailored to member firms and therefore to help cover new security risks. the cyberinsurance market is also limited in its capacity. rPAs could substantially increase the capacity of the risk management market, helping to insure against vast and ever-increasing information security risks.
Firms also face many operational challenges in implementing rPAs. In general, the process of implementation involves identifying the insurance coverages, determin- ing premiums for the coverages, determining captive ownership and capitalization,
MANAgINg INtErDEPENDENt INFOrMAtION SECurIty rISkS 149
identifying where the captive is formed and regulated, issuing insurance policies, and managing claims [32]. Firms outside the insurance industry often lack experience in risk underwriting and claims management. Entering such a new business area would likely be very costly for them. In practice, insurance companies offer rent-a-captive services that provide firms with access to captive facilities. thus, firms can use a rent- a-captive approach to establish and run their rPAs for information security risks. At the initial stage of implementation, a firm might start with a single-parent captive (i.e., an rPA within one firm) to manage security risks within its business units. Later, the firm might expand the rPA operation to the multifirm context.
regulatory restrictions pose additional challenges to the implementation of rPAs. the insurance market is highly regulated, and the development of rPAs is subject to regulatory attitudes. For example, in many jurisdictions, certain lines of insurance can be underwritten only by an admitted commercial insurer, not by a mutual insurer. Other factors affecting the adoption of rPAs include restrictions on the risk pool’s underwriting terms, the deductibility of insurance premiums for corporate taxation purposes, and the risk pool’s access to the reinsurance market. Considering the poten- tial that rPAs offer in coordinating firms’ security investments, firms should actively promote rPAs to their regulatory agencies.
Security outsourcing enables firms to tap into the MSSP’s security resources, skills, and capabilities. In practice, SLAs are often used in service outsourcing to specify per- formance expectations, establish accountability, and detail remedies or consequences if performance or service quality standards are not met [1]. In security outsourcing, SLAs enable firms to transfer the security risks to external service providers. In this regard, the MSSP serves not only as a service provider but also as an insurer. the MSSP takes into account the interaction between member firms when making security decisions for them. the MSS approach, therefore, internalizes the externalities of security investments and provides a solution for interdependent security risks.
the MSS approach also provides a collective solution to create security protections that are difficult for individual firms to implement. For example, serving clients over different jurisdictions enables the MSSP to trace and collapse botnets, which are geo- graphically distributed [33]. From individual firms’ perspectives, devoting sufficient efforts to combat such distributed networks is often unwarranted. In this regard, MSSs can offer a potential approach for managing distributed and interdependent risks.
the MSS solution yields the optimal investment level when all interdependent firms adopt this solution. however, executives and security managers should recognize that collective outsourcing might not be incentive-compatible when the number of firms is large. Because of risk interdependency, an individual firm might be better off if it manages security in-house instead of using MSSs. Such an incentive of defection exists even when the MSSP has a cost advantage over individual firms in security management. these findings help explain why firms might not use the MSS solution, even when the MSSPs are often more capable of managing security risks. Executives and security managers should recognize the advantages and limitations of the MSS approach and choose their risk management solutions according to the interdependent nature of security risks.
150 ZhAO, XuE, AND whINStON
the present study may be extended in many directions. First, we focused on the incentive-compatible solutions, and the proposed solutions help firms address the investment inefficiency issues and improve their security toward the optimal outcome. the findings in the present study provide useful managerial implications and insights. In the future, it would be desirable to investigate the incentive-compatible approaches that always yield the optimal solution in the domain of information security. Second, we compared rPA and MSS solutions with cyberinsurance in addressing interde- pendent security risks. Future research might consider the interactions among the cyberinsurance, rPA, and MSS solutions. For example, the MSSP has better security skills than do the firms, in addition to cost advantages, and it may differentiate its services to better compete against the other two security management mechanisms. this is particularly important when firms are heterogeneous. the MSSP’s service dif- ferentiation and competitive strategies in the presence of heterogeneous firms merit in-depth study. Finally, future research might also study various implementation issues of the risk-management solutions. For example, the use of SLAs in security outsourc- ing requires firms to deploy various measures to monitor the MSSP’s performance and enforce the contract terms. reputation systems for MSSPs can be an effective mechanism to motivate the MSSP to behave properly in the long term. the design of diverse mutual insurance policies for different types of It security risks deserves more research attention.
Acknowledgment: Andrew B. whinston greatly appreciates support from National Science Foundation grant number 0831338 for the completion of this paper. the authors thank three anonymous reviewers and the seminar participants at the university of utah, the university of North Carolina at Charlotte, the university of North Carolina at greensboro, and International Conference on Information Systems (ICIS2009) for their feedback on the early draft of this paper.
notes 1. the principle of indemnity is an insurance principle stating that an insured may not be
compensated by the insurance companies in an amount exceeding the insured’s economic loss. therefore, a firm is not allowed to purchase insurance coverage from multiple insurers resulting in an amount of compensation or payout that is higher than the total economic loss [43].
2. the proofs of the lemmas and propositions are available upon request of the authors. 3. we also examined other parameter values (A and L) for the payoff function and other payoff
function forms and found that the insights hold qualitatively. 4. when b = –0.1, the total number of firms must be no more than 10 to ensure that
x i + bS
k=1...n,k≠i xk > 0.
references 1. Allen, J.; gabbard, D.; and May, C. Outsourcing managed security services. Carnegie
Mellon Software Engineering Institute, Pittsburgh, 2003 (available at www.cert.org/archive/ pdf/omss.pdf).
2. Anderson, r. and Moore, t. the economics of information security. Science, 314 (Oc- tober 27, 2006), 610–613.
3. Axelrod, C.w. Outsourcing Information Security. Boston: Artech house, 2004.
MANAgINg INtErDEPENDENt INFOrMAtION SECurIty rISkS 151
4. Cavusoglu, h.; raghunathan, S.; and yue, w.t. Decision-theoretic and game-theoretic approaches to It security investment. Journal of Management Information Systems, 25, 2 (Fall 2008), 281–304.
5. Cremonini, M., and Nizovtsev. D. risks and benefits of signaling information system characteristics to strategic attackers. Journal of Management Information Systems, 26, 3 (winter 2009–10), 241–274.
6. CSI computer crime and security survey 2010/2011. Computer Security Institute, New york, 2011 (available at http://gocsi.com/survey/).
7. Cummins, J.D., and weiss, M.A. Organizational form and efficiency: the coexistence of stock and mutual property-liability insurers. Management Science, 45, 9 (1999), 1254–1270.
8. Doherty, N.A., and Dionne, g. Insurance with undiversifiable risk: Contract structure and organizational form of insurance firms. Journal of Risk and Uncertainty, 6, 2 (1993), 187–203.
9. gal-Or, E., and ghose, A. the economic incentives for sharing security information. Information Systems Research, 16, 2 (2005), 186–208.
10. gordon, L.A., and Loeb, M.P. the economics of information security investment. ACM Transactions on Information and Systems Security, 5, 4 (2002), 428–457.
11. gordon, L.A.; Loeb, M.P.; and Lucyshyn, w. Sharing information on computer sys- tems security: An economic analysis. Journal of Accounting and Public Policy, 22, 6 (2003), 461–485.
12. gordon, L.A.; Loeb, M.P.; and Sohail, t. A framework for using insurance for cyber-risk management. Communications of the ACM, 46, 3 (2003), 81–85.
13. gupta, A., and Zhdanov, D. growth and sustainability of managed security services networks: An economic perspective. MIS Quarterly, 36, 4 (2012), 1109–1130.
14. herath, h.S.B., and herath, t.C. Investments in information security: A real options per- spective with Bayesian postaudit. Journal of Management Information Systems, 25, 3 (winter 2008–9), 337–375.
15. holmstrom, B. Moral hazard in teams. Bell Journal of Economics, 13, 2 (1982), 324–340.
16. hui, k.-L.; hui, w.; and yue, w.t. Information security outsourcing with system interde- pendency and mandatory security requirement. Journal of Management Information Systems, 29, 3 (winter 2012–13), 117–154.
17. humphreys, P.k.; Lai, M.k.; and Sculli, D. An inter-organizational information system for supply chain management. International Journal of Production Economics, 70, 3 (2001), 245–255.
18. kumar, r.L.; Park, S.; and Subramaniam, C. understanding the value of countermeasure portfolios in information systems security. Journal of Management Information Systems, 25, 2 (Fall 2008), 241–280.
19. kunreuther, h., and heal, g. Interdependent security. Journal of Risk and Uncertainty, 26, 2–3 (2003), 231–249.
20. Lee, C.h.; geng, X.; and raghumathan, S. Contracting information security in the pres- ence of double moral hazard. Information Systems Research, 24, 2 (2013), 295–311.
21. Lee, w., and Ligon, J.A. Moral hazard in risk pooling arrangements. Journal of Risk and Insurance, 68, 1 (2001), 175–190.
22. Ligon, J.A., and thistle, P.D. the formation of mutual insurers in markets with adverse selection. Journal of Business, 78, 2 (2005), 529–555.
23. Malamud, S.; rui, h.; and whinston, A.B. Optimal risk sharing with limited liability. working Paper, National Center of Competence in research Financial Valuation and risk Management, Lausanne, 2012.
24. Managed security services hot despite cool economy due to growing threats, mobile devices, move to cloud. Infonetics research report, Campbell, CA, September 27, 2011.
25. Marshall, J.M. Insurance theory: reserves versus mutuality. Economic Inquiry, 12, 4 (1974), 476–492.
26. Mayers, D. Ownership structure across lines of property-casualty insurance. Journal of Law and Economics, 31, 2 (1988), 351–378.
27. Mayers, D., and Smith, C.w. Contractual provisions, organizational structure and conflict in insurance markets. Journal of Business, 54, 3 (1981), 407–434.
152 ZhAO, XuE, AND whINStON
28. McQuillan, L.h. how to work with a managed security service provider. In h.F. tipton and M. krause (eds.), Information Security Management Handbook. Boca raton, FL: CrC Press, 2007, pp. 631–642.
29. Mohan, r. 2010. how to defend against DDoS attacks? Security Week, April 27, 2010 (available at www.securityweek.com/content/how-defend-against-ddos-attacks/).
30. Moitra, S.D., and konda, S.L. the survivability of network systems: An empirical analy- sis. Software Engineering Institute/Computer Emergency response team (SEI/CErt) report no. CMu/SEI-2000-tr-021, Carnegie Mellon university, Pittsburgh, PA, December 2000.
31. Ogut, h.; Menon, N.; and raghunathan, S. Cyber insurance and It security investment: Impact of interdependent risk. working Paper, university of texas at Dallas, 2005 (available at http://infosecon.net/workshop/pdf/56.pdf).
32. the picture of Art. Swiss re study, Zurich, February 5, 2003 (available at www.swissre .com/media/news_releases/new_swiss_re_sigma_study__the_picture_of_art.html).
33. Pitsillidis, A.; Levchenko, k.; kreibich, C.; kanich, C.; Voelker, g.M.; Paxson, V.; weav- er, N.; and Savage, S. Botnet judo: Fighting spam with itself. Paper presented at the Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 28–March 3, 2010 (available at www.isoc.org/isoc/conferences/ndss/10/pdf/12.pdf).
34. richmond, w.B.; Seidmann, A.; and whinston, A.B. Incomplete contracting issues in infor- mation systems development outsourcing. Decision Support Systems, 8, 5 (1992), 459–477.
35. rippon, A. Cyber hackers can mess with google—Are you afraid for your business? EzineArticles.com, 2010 (available at http://ezinearticles.com/?Cyber-hackers-Can-Mess- with-google--Are-you-Afraid-For-your-Business?&id=3882184/).
36. rothschild, M., and Stiglitz, J. Equilibrium in competitive insurance markets: An essay on the economics of imperfect information. Quarterly Journal of Economics, 90, 4 (1976), 629–649.
37. Scott, C. Nearly a fifth of u.S. PCs have no antivirus protection. IDg News Service, May 29, 2012 (available at www.pcworld.com/article/256493/nearly_a_fifth_of_us_pcs_have_ no_virus_protection_mcafee_finds.html).
38. Sen, S.; raghu, t.S.; and Vinze, A. Demand heterogeneity in It infrastructure services: Modeling and evaluation of a dynamic approach to defining service levels. Information Systems Research, 20, 2 (2009), 258–276.
39. Shavell, S. On moral hazard and insurance. Quarterly Journal of Economics, 93, 4 (1979), 541–562.
40. Subramaniam, C., and Shaw, M.J. A study of the value and impact of B2B e-commerce: the case of web-based procurement. International Journal of Electronic Commerce, 6, 4 (Summer 2002), 19–40.
41. tung, L. Five ways to defend against a DDos attack. It News for Australian Business, October 12, 2010 (available at www.itnews.com.au/News/234834,five-ways-to-defend-against- a-ddos-attack.aspx).
42. Varian, h.r. Managing online security risks. New York Times, June 1 (2000) (available at http://people.ischool.berkeley.edu/~hal/people/hal/Nytimes/2000-06-01.html).
43. Vaughan, E.J., and Vaughan, t.M. Fundamentals of Risk and Insurance, 10th ed. hoboken, NJ: John wiley & Sons, 2008.
44. wang, E.t.g.; Barron, t.; and Seidmann, A. Contracting structures for custom software development: the impacts of informational rents and uncertainty on internal development and outsourcing. Management Science, 43, 12 (1997), 1726–1744.
45. whang, S. Contracting for software development. Management Science, 38, 3 (1992), 307–324.
Copyright of Journal of Management Information Systems is the property of M.E. Sharpe Inc. and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.