Decisions making in information security outsourcing : Impact of complementary and substitutable firms

Research output: Journal Publications and Reviews (RGC: 21, 22, 62) > 21_Publication in refereed journal > peer-review

12 Scopus Citations



Original language: English
Pages (from-to): 1-12
Journal / Publication: Computers and Industrial Engineering
Publication status: Published - 1 Aug 2017


This paper constructs a contract-theory model to investigate how an MSSP's (Managed Security Service Provider) operating characteristics of cost efficiency, multiple clients, security externality and firms’ information nature affect the MSSP's strategic decisions, including the contract structure and the optimum investment level for firms. The analysis shows that firms’ information nature, either complementary or substitutable, plays a crucial role in influencing an MSSP's decisions. First, the MSSP tends to provide a contract with a lower refund and exert a lower security investment level when the degree of complementation is higher, while tending to provide a contract with a higher refund and exert a higher security investment level when the degree of substitution is higher. Second, the way the security externality affects the MSSP's decisions differs considerably between an MSSP that serves complementary firms and one that serves substitutable firms. Third, the MSSP's optimum refund (service fee) to complementary firms is greater than firms’ expected loss (expected cost), while the MSSP's optimum refund (service fee) to substitutable firms is smaller than firms’ expected loss (expected cost). Fourth, serving a smaller number of substitutable firms is more economical for an MSSP, whereas for complementary firms, the more firms served the better. In addition, the optimum contract structures between an MSSP and complementary (and substitutable) firms are discussed in this paper. These findings give some insights that can guide an MSSP in determining an optimum contract structure and investment level for firms. Future research directions are discussed based on the limitations and possible extensions of this study.

Research Area(s)

  • Complementary, Information security investment, Information security outsourcing, Managed security service providers, Substitutable