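Authors: 吴勇 (WU Yong), 徐梦瑶 (XU Mengyao), 冯耕中 (FENG Gengzhong) [2] (Glorious Sun School of Business & Management, Donghua University, Shanghai 200051, China; School of Management, Xi'an Jiaotong University, Xi'an 710049, China)
Affiliations: [1] Glorious Sun School of Business & Management, Donghua University, Shanghai 200051; [2] School of Management, Xi'an Jiaotong University, Xi'an, Shaanxi 710049
Source: 《管理工程学报》 (Journal of Industrial Engineering and Engineering Management), 2024, No. 4, pp. 196-208, 13 pages in total
Funding: National Natural Science Foundation of China (71801035); Major Program of the National Social Science Fund of China (20&ZD053); Fundamental Research Funds for the Central Universities (2232018H-07).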
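Abstract: This paper considers the problem of a client firm and a managed security service provider (MSSP) cooperating to protect the client firm's information security. The unverifiability of both parties' security efforts leads to low effort levels, and asymmetric information about the MSSP's cost leads to inefficient service. First, taking the social-welfare optimum as the benchmark, the paper analyzes how unverifiable effort affects the design of bilateral refund contracts. It then analyzes the service inefficiency caused by the MSSP's private cost information and proposes a contract that screens the MSSP's private cost information. Finally, the paper's main conclusions are verified through numerical examples. The study shows that bilateral refund contracts in cooperative information security outsourcing give rise to a double moral hazard problem because of the characteristics of security services. There is an upper bound on the cost of the measures the client firm takes to verify the MSSP's effort level in order to mitigate the double moral hazard problem. When the MSSP holds private cost information, the screening contract exhibits "no distortion at the high end" and "downward distortion at the low end". Under private cost information, whether the MSSP is of the high-cost type or the low-cost type, the client firm suffers a loss because of its lack of information. When the market distribution of MSSP costs is similar, or the more important the service cooperation is, the more the client firm needs to take measures to screen the MSSP's cost. This study provides an important reference for client firms' outsourcing decisions in the field of information security management.

The increasing complexity, regulatory requirements, and cost associated with managing information security have motivated many firms to outsource information security functions to managed security service providers (MSSPs). MSSP services are popular for security infrastructure functions where specialized and experienced MSSPs may provide expertise at a lower cost. In information security outsourcing, it is common for outsourcing firms and MSSPs to coordinate their efforts for better security. For example, firms often outsource prevention and detection functions to an MSSP and operate basic security fundamentals such as updating and employee education in-house. In practice, a bilateral refund contract is widely adopted in the information security outsourcing industry. Nevertheless, efforts are often private, and thus both firms and MSSPs can suffer from double moral hazard in contract enforcement. It is essential to coordinate the efforts of both parties to ensure that the firm and the MSSP invest the necessary efforts to protect the firm's system. In addition, another problem that hinders the effective execution of the contract is cost information asymmetry. The MSSP owns the private cost information, which is difficult for the firm to evaluate in advance. Private cost information may lead to opportunistic behavior by the MSSP to obtain extra profits by misstating the security efforts. These challenges raise some questions. Can a bilateral refund contract induce double moral hazard? How does the firm ensure that the MSSP will invest the necessary efforts and disclose cost information? To answer the above research questions, we construct a game-theoretical model. In this paper, we explore the validity of bilateral refund contracts in information security service outsourcing. We consider the firm offering a service contract to the MSSP. The MSSP will protect the system jointly with the firm if it accepts the contract. Otherwise, the firm must undertake the protection itself. A bilateral refund contract between the MSSP and firm consists of tw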