电子商务英文文献

Outsourcing Internet Security: The Effect of Transaction Costs on Managed Service ProvidersWen Ding William Yurcik

National Center for Supercomputing Applications (NCSA) University of Illinois at Urbana-Champaign{wending1,byurcik}@ncsa.uiuc.edu

AbstractTransaction costs are a signi cant factor in outsourcing decisions. In the case of Internet security, outsourcing has higher transaction costs for two major reasons: (1) the outsourcing process is not yet standardized and (2) there is uncertainty about the frequency and impact of cyber attacks creating large variations in coordination costs. In this paper we study the effects of transaction costs on provider pricing strategies aiming toward guidelines that are bene cial for both buyers and providers. We structure a game-theoretic model that incorporates the two special features of transaction costs for security outsourcing. When transaction costs are high, Managed Security Service Providers (MSSPs) have to charge a lower overall price for their services to balance these costs. The same result holds when the uncertainty associated with transaction cost increases. Our conclusion is that while performance-based contracts have to be employed to create an ef cient risk-sharing mechanism, market competition provides incentives for MSSPs to share transaction costs with buyers. Keywords: economics of information security, transaction cost, outsourcing, information security, managed security service providers (MSSPs)

cope with Internet security. The last several years has seen a new market form into has come to be known as Managed Security Service Providers (MSSPs). For a survey of MSSPs see[7]. There is an evolution in thinking abut Internet security. First, there is an increasing realization that Internet security risks will always exist– while these risks can be mitigated they cannot be completely eliminated with a product or processes. Secondly, humans-in-the-loop are critical for effective Internet security– humans recognize and respond to new risks. Humans attacking need humans to defend. MSSPs are the most ef cient way to provide Internet security by leveraging the economies-of-scale in providing a critical mass of human Internet security expertise. In this paper we seek to analytically model the effects of transaction costs on provider pricing strategies (providing human Internet expertise). Transactions costs are key since they largely determine the outsource versus insource decision. Firms shrink by outsourcing if transaction costs fall relative to organization costs. We seek to understand if the effects of transactions costs are different for the case of Internet security as opposed to other domains and what can be learned about speci cs within the MSSP market. It is ironic that while the Internet itself has had a large impact in decreasing transaction costs it has also simultaneously introduced new risks which create a critical need for protection. The remainder of this pa

per is organized as follows: We de ne terminology and concepts in Section 2. In Section 3 we introduce our analytical analysis model seeking to understand the effect of transaction costs on both rms and MSSPs. Section 4 is a survey of related work. We end with a summary and conclusions in Section 5.

2 Transaction Cost Theory2.1 De nitionTransaction costs refer to costs incurred when making any economic exchange. In the case of security outsourcing, transaction costs include the following: Searching Cost refers to the money, time, and effort invested in searching for a suitable Managed Security Service Provider (MSSP). To choose the best- t MSSP is essential for a successful security outsourcing project. Unfortunately, this selection is not easy because there are no consensus met-

1 IntroductionOutsourcing is an important factor in the functional structure of any rm, however, it has only recently become a consideration for IT rms trying to

rics to compare vendors. At present, there are many MSSPs with diversi ed backgrounds and services serving this market. Contracting Cost refers to the money, time, and effort required to develop a service contract that speci es the responsibilities of both a buyer and a provider. It has been argued that for information security outsourcing a performance-based contract is more effective than a xed-price contract[7]. In a performance-based contract, a metric for performance quality must be speci ed as well as the speci c penalty if this metric is not satis ed. The contract timeframe is also important– the decision whether to sign a long-term or short-term contract effects transaction costs. A long-term contract saves on the overhead cost of developing multiple contracts while a short-term contract is more exible. As we will argue in Section 2.2, a short-term contract is appropriate for functions with large uncertainty. 1 An empirical study of information technology outsourcing by U.S. banks shows that a short-term contract is more likely to be successful than a long-term contract[13]. Since information security is also subject to large uncertainty, a short-term contract is expected to be superior. Setup Cost: refers to the cost of procuring and tuning relevant computer network devices in order to support security services. Most MSSP services are based on a speci c platforms. For example, some MSSPs manage only devices from a speci c manufacturer. Counterpane has a proprietary device (socrates) that accepts input from most computer network devices. So, if a rm’s existing devices do not meet MSSP requirements, a rm may need to buy new equipment. Monitoring Cost refers to the money, time, and effort needed to monitor MSSP performance. Monitoring MSSP performance is important to make sure an MSSP does its best to protect a rm. To do this, a buyer needs to collect and analyze MSSP performance data periodically as well determining if this performance data present

ed by the MSSP is rel …… 此处隐藏：35540字，全部文档内容请下载后查看。喜欢就下载吧 ……