Publication Type
Journal Article
Version
acceptedVersion
Publication Date
5-2019
Abstract
We study the efficiency of bilateral liability-based contracts in managed security services (MSSs). We model MSS as a collaborative service with the protection quality shaped by the contribution of both the service provider and the client. We adopt the negligence concept from the legal profession to design two novel contracts: threshold-based liability contract and variable liability contract. We find that they can achieve the first best outcome when postbreach effort verification is feasible. More importantly, they are more efficient than a multilateral contract when the MSS provider assumes limited liability. Our results show that bilateral liability-based contracts can work in the real world. Hence, more research is needed to explore their properties. We discuss the related implications.
Keywords
managed security service, liability-based contracts, negligence, auditing error, limited liability
Discipline
Information Security
Research Areas
Cybersecurity; Information Systems and Management
Publication
Information Systems Research
Volume
30
Issue
2
First Page
411
Last Page
429
ISSN
1047-7047
Identifier
10.1287/isre.2018.0806
Publisher
INFORMS (Institute for Operations Research and Management Sciences)
Citation
HUI, Kai-Lung; KE, Ping Fan; YAO, Yuxi; and YUE, Wei Thoo. Bilateral liability-based contracts in information security outsourcing. (2019). Information Systems Research. 30, (2), 411-429.
Available at: https://ink.library.smu.edu.sg/sis_research/4885
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1287/isre.2018.0806