Contracting Information Security in the Presence of Double Moral Hazard

Cited 45 times in Web of Science; cited 48 times in Scopus
| DC Field | Value | Language |
|---|---|---|
| dc.contributor.author | Lee, Chul Ho | ko |
| dc.contributor.author | Geng, Xianjun | ko |
| dc.contributor.author | Raghunathan, Srinivasan | ko |
| dc.date.accessioned | 2016-06-30T00:37:57Z | - |
| dc.date.available | 2016-06-30T00:37:57Z | - |
| dc.date.created | 2016-04-19 | - |
| dc.date.issued | 2013-06 | - |
| dc.identifier.citation | INFORMATION SYSTEMS RESEARCH, v.24, no.2, pp.295 - 311 | - |
| dc.identifier.issn | 1047-7047 | - |
| dc.identifier.uri | http://hdl.handle.net/10203/208698 | - |
| dc.description.abstract | In information security outsourcing, it is the norm that the outsourcing firms and the outsourcers (commonly called managed security service providers, MSSPs) need to coordinate their efforts for better security. Nevertheless, efforts are often private and thus both firms and MSSPs can suffer from double moral hazard. Furthermore, the double moral hazard problem in security outsourcing is complicated by the existence of strong externality and the multiclient nature of MSSP services. In this prescriptive research, we first show that the prevailing contract structure in security outsourcing, bilateral refund contract, cannot solve double moral hazard. Adding breach-contingent sunk cost or external payment cannot solve double moral hazard either. Furthermore, positive externality can worsen double moral hazard. We then propose a new contract structure termed multilateral contract and show that it can solve double moral hazard and induce first-best efforts from all contractual parties when an MSSP serves two or more client firms, regardless of the externality. Firm-side externality significantly affects how payments flow under a multilateral contract when a security breach happens. When the number of client firms for an MSSP increases, we show that the contingent payments under multilateral contracts for any security breach scenario can be easily calculated using an additive method, and thus are computationally simple to implement. | - |
| dc.language | English | - |
| dc.publisher | INFORMS | - |
| dc.subject | SOFTWARE-DEVELOPMENT | - |
| dc.subject | LINEAR CONTRACTS | - |
| dc.subject | MULTIPLE AGENTS | - |
| dc.subject | INCENTIVES | - |
| dc.subject | WARRANTIES | - |
| dc.title | Contracting Information Security in the Presence of Double Moral Hazard | - |
| dc.type | Article | - |
| dc.identifier.wosid | 000319861400006 | - |
| dc.identifier.scopusid | 2-s2.0-84878838952 | - |
| dc.type.rims | ART | - |
| dc.citation.volume | 24 | - |
| dc.citation.issue | 2 | - |
| dc.citation.beginningpage | 295 | - |
| dc.citation.endingpage | 311 | - |
| dc.citation.publicationname | INFORMATION SYSTEMS RESEARCH | - |
| dc.identifier.doi | 10.1287/isre.1120.0447 | - |
| dc.contributor.localauthor | Lee, Chul Ho | - |
| dc.contributor.nonIdAuthor | Geng, Xianjun | - |
| dc.contributor.nonIdAuthor | Raghunathan, Srinivasan | - |
| dc.type.journalArticle | Article | - |
| dc.subject.keywordAuthor | information security outsourcing | - |
| dc.subject.keywordAuthor | managed security service providers | - |
| dc.subject.keywordAuthor | double moral hazard | - |
| dc.subject.keywordAuthor | externality | - |
| dc.subject.keywordPlus | SOFTWARE-DEVELOPMENT | - |
| dc.subject.keywordPlus | LINEAR CONTRACTS | - |
| dc.subject.keywordPlus | MULTIPLE AGENTS | - |
| dc.subject.keywordPlus | INCENTIVES | - |
| dc.subject.keywordPlus | WARRANTIES | - |
Appears in Collection
MG-Journal Papers(저널논문)
Files in This Item
There are no files associated with this item.