Please use this identifier to cite or link to this item:
Title: Sourcing Information Security Operations: The Role of Risk Interdependency and Competitive Externality in Outsourcing Decisions
Authors: Cezar, Asunur
Çavuşoğlu, Hüseyin
Raghunathan, Şrinivaşan
Keywords: managed security services
information security
risk management
interdependent risks
Issue Date: 2017
Publisher: Wiley
Abstract: Firms are increasingly outsourcing information security operations to managed security service providers (MSSPs). Cost reduction and quality (security) improvement are often mentioned as motives for outsourcing information security, and these are also the frequently cited reasons for outsourcing traditional information technology (IT) functions, such as software development and maintenance. In this study, we present a different explanation-one based on interdependent risks and competitive externalities associated with IT security-for firms' decisions to outsource security. We show that in the absence of competitive externalities and interdependent risks, a firm will outsource security if and only if the MSSP offers a quality advantage over in-house operations, which is consistent with the conventional explanation for security outsourcing. However, when security risks are interdependent and breaches impose competitive externalities, although firms still have stronger incentive to outsource security if the MSSP offers a higher quality in terms of preventing breaches than in-house management, a quality advantage of MSSP over in-house management is neither a prerequisite for a firm to outsource security nor a guarantee that a firm will. In addition to MSSP quality, the type of externality (positive or negative), the degree of externality, whether outsourcing increases or decreases risk interdependency, and the breach characteristics determine firms' sourcing decisions. When security breaches impose a positive externality, the incentive to outsource is enhanced if the MSSP decreases the risk interdependency and diminished if the MSSP increases this interdependency. A negative externality has the opposite effect on firms' incentives to outsource. A high demand spill-over to a competitor, together with a high loss in industry demand because of a security breach, enhances these incentives to outsource security operations when the externality is negative. Finally, we extend our base model in several dimensions and show that our main results regarding the impact of interdependent risks and competitive externalities on sourcing decisions are robust and generalizable to different specifications.
ISSN: 1059-1478
Appears in Collections:İşletme Bölümü / Department of Management
Scopus İndeksli Yayınlar Koleksiyonu / Scopus Indexed Publications Collection
WoS İndeksli Yayınlar Koleksiyonu / WoS Indexed Publications Collection

Show full item record

CORE Recommender


checked on Sep 23, 2022


checked on Sep 24, 2022

Page view(s)

checked on Dec 26, 2022

Google ScholarTM



Items in GCRIS Repository are protected by copyright, with all rights reserved, unless otherwise indicated.