Please use this identifier to cite or link to this item: https://hdl.handle.net/20.500.11851/7482
Title: Sourcing Information Security Operations: the Role of Risk Interdependency and Competitive Externality in Outsourcing Decisions
Authors: Cezar, Asunur
Çavuşoğlu, Hüseyin
Raghunathan, Şrinivaşan
Keywords: managed security services
outsourcing
information security
risk management
interdependent risks
Publisher: Wiley
Abstract: Firms are increasingly outsourcing information security operations to managed security service providers (MSSPs). Cost reduction and quality (security) improvement are often mentioned as motives for outsourcing information security, and these are also the frequently cited reasons for outsourcing traditional information technology (IT) functions, such as software development and maintenance. In this study, we present a different explanation-one based on interdependent risks and competitive externalities associated with IT security-for firms' decisions to outsource security. We show that in the absence of competitive externalities and interdependent risks, a firm will outsource security if and only if the MSSP offers a quality advantage over in-house operations, which is consistent with the conventional explanation for security outsourcing. However, when security risks are interdependent and breaches impose competitive externalities, although firms still have stronger incentive to outsource security if the MSSP offers a higher quality in terms of preventing breaches than in-house management, a quality advantage of MSSP over in-house management is neither a prerequisite for a firm to outsource security nor a guarantee that a firm will. In addition to MSSP quality, the type of externality (positive or negative), the degree of externality, whether outsourcing increases or decreases risk interdependency, and the breach characteristics determine firms' sourcing decisions. When security breaches impose a positive externality, the incentive to outsource is enhanced if the MSSP decreases the risk interdependency and diminished if the MSSP increases this interdependency. A negative externality has the opposite effect on firms' incentives to outsource. A high demand spill-over to a competitor, together with a high loss in industry demand because of a security breach, enhances these incentives to outsource security operations when the externality is negative. Finally, we extend our base model in several dimensions and show that our main results regarding the impact of interdependent risks and competitive externalities on sourcing decisions are robust and generalizable to different specifications.
URI: https://doi.org/10.1111/poms.12681
https://hdl.handle.net/20.500.11851/7482
ISSN: 1059-1478
1937-5956
Appears in Collections:İşletme Bölümü / Department of Management
Scopus İndeksli Yayınlar Koleksiyonu / Scopus Indexed Publications Collection
WoS İndeksli Yayınlar Koleksiyonu / WoS Indexed Publications Collection

Show full item record



CORE Recommender

SCOPUSTM   
Citations

17
checked on Dec 21, 2024

WEB OF SCIENCETM
Citations

38
checked on Dec 21, 2024

Page view(s)

114
checked on Dec 23, 2024

Google ScholarTM

Check




Altmetric


Items in GCRIS Repository are protected by copyright, with all rights reserved, unless otherwise indicated.