Sourcing Information Security Operations: The Role of Risk Interdependency and Competitive Externality in Outsourcing Decisions

Abstract

Firms are increasingly outsourcing information security operations to managed security service providers (MSSPs). Cost reduction and quality (security) improvement are often mentioned as motives for outsourcing information security, and these are also the frequently cited reasons for outsourcing traditional information technology (IT) functions, such as software development and maintenance. In this study, we present a different explanation-one based on interdependent risks and competitive externalities associated with IT security-for firms' decisions to outsource security. We show that in the absence of competitive externalities and interdependent risks, a firm will outsource security if and only if the MSSP offers a quality advantage over in-house operations, which is consistent with the conventional explanation for security outsourcing. However, when security risks are interdependent and breaches impose competitive externalities, although firms still have stronger incentive to outsource security if the MSSP offers a higher quality in terms of preventing breaches than in-house management, a quality advantage of MSSP over in-house management is neither a prerequisite for a firm to outsource security nor a guarantee that a firm will. In addition to MSSP quality, the type of externality (positive or negative), the degree of externality, whether outsourcing increases or decreases risk interdependency, and the breach characteristics determine firms' sourcing decisions. When security breaches impose a positive externality, the incentive to outsource is enhanced if the MSSP decreases the risk interdependency and diminished if the MSSP increases this interdependency. A negative externality has the opposite effect on firms' incentives to outsource. A high demand spill-over to a competitor, together with a high loss in industry demand because of a security breach, enhances these incentives to outsource security operations when the externality is negative. Finally, we extend our base model in several dimensions and show that our main results regarding the impact of interdependent risks and competitive externalities on sourcing decisions are robust and generalizable to different specifications.