查看文章

To efficiently manage information security, firms typically outsource part of their security functions to a managed security service provider (MSSP) under a variety of contractual arrangements. Based on this practice, we study a business setting in which the management of security outsourcing depends on the security efforts of both the MSSP and its clients, taking into account that their allocation of efforts can change during the contract horizon. Since their efforts are private to each other, a double moral hazard (DMH) problem can arise with the use of bilateral refund contracts, which have been widely adopted in the MSSP industry. Moreover, both the high probability of undirected attacks and system interdependency can exacerbate the DMH problem. We propose two new types of contracts to solve this problem. One is a monitoring contract, in which a cyberinsurance firm monitors the security efforts of the MSSP and …