Information security outsourcing strategies in the supply chain considering security externality

Information assets that complement each other capture the information security characteristics of supply chain firms. Supply chain firms usually outsource security services to Managed Security Service Providers (MSSPs) to protect their information. Considering the security externality and information leakage risk in security outsourcing, this article investigates four security management scenarios faced by two supply chain firms. We try to answer whether both firms should outsource security to the same or different MSSPs. We find that no matter under which scenario, as the complementation degree increases, both firms and MSSPs decrease the security quality, and MSSPs offer a contract with lower compensation. We show that information leakage risk and security externality have different effects on the MSSP's optimal strategy selections. Besides, the MSSP tends to serve both firms when the security externality is positive but prefers serving only one firm when the security externality is negative. Moreover, we find that the strategy that one firm outsources to an MSSP and its partner manages it in-house can be the optimal selection for the social planner but not the MSSP's optimal strategy. We also extend the model and find that the results are robust to the situations of uncertain loss and asymmetric loss.