查看文章

Nowadays, firms tend to outsource security operations to professional managed security service providers (MSSPs) as a result of the sophistication of strategic hackers. Thus, how an MSSP makes security decisions according to a strategic hacker’s action is worth researching. Constructing a contract theory model, this paper examines the interaction between an MSSP and a strategic hacker based on both parties’ characteristics. We find that the hacker will give up less valuable information assets, and thus not all information assets are worth protecting for the MSSP. For both parties, their optimal efforts do not necessarily increase with their respective efficiency, and the firm’s reputation loss has an opposite effect on its respective efforts. Moreover, we distinguish two types of security externalities including MSSP-side externality and hacker-side externality, and we find that the two types of security externalities have …