Publication Type
Conference Proceeding Article
Version
acceptedVersion
Publication Date
4-2013
Abstract
With increasing use of information systems, many organizations are outsourcing information security protection to a managed security service provider (MSSP). However, diagnosing the risk of an information system requires special expertise, which could be costly and difficult to acquire. The MSSP may exploit its professional advantage and provide a fraudulent diagnosis of clients’ vulnerabilities. Such an incentive to misrepresent clients’ risks is often called the credence goods problem in the economics literature [3]. Although different mechanisms have been introduced to tackle the credence goods problem, in the information security outsourcing context, such mechanisms may not work well in the presence of system interdependency risks [6], which are introduced when the MSSP inter-connects multiple clients’ systems. In particular, we find that allowing clients to seek alternative diagnosis of their vulnerabilities may not remove the MSSP’s fraudulent behaviors. We shall explore alternative ways to solve the credence goods problem in the information security outsourcing context.
Keywords
Information security outsourcing, credence good, interdependency risks
Discipline
Information Security
Research Areas
Information Systems and Management
Publication
FC 2013 Workshops, USEC and WAHC 2013 Okinawa, Japan
First Page
83
Last Page
93
Identifier
10.1007/978-3-642-41320-9_6
Publisher
Springer Link
City or Country
Okinawa, Japan
Citation
KE, Ping Fan; HUI, Kai-Lung; and YUE, Wei Thoo.
Information security as a credence good. (2013). FC 2013 Workshops, USEC and WAHC 2013 Okinawa, Japan, 83-93.
Available at: https://ink.library.smu.edu.sg/sis_research/4761
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1007/978-3-642-41320-9_6