A Framework for Managing Security Risks of Outsourced IT Projects: An Empirical Study

Several firms outsource their IT services partially or totally due to different constraints such as business, financial or legal. Although IT outsourcing has tremendous benefits such as cost reduction, it might expose firms to different security risks including confidentiality, integrity, and availability issues. In this paper, we present the evaluation results for a proposed framework that we developed previously for managing the security and compliance risks of outsourced IT projects. The evaluation is designed to assess several features of the proposed framework. Usefulness, flexibility, simplicity and ease of use as well as achieving a systematic and comprehensive methodology for managing the security and compliance risks of outsourced IT projects are evaluated in this paper. Additionally, we evaluate the usefulness of utilizing project phases and the proposed threat classification approach for identifying and managing security threats in the outsourcing context. Finally, we evaluate the ability of the proposed framework to be applied to any project regardless of project size, cost, or any other constraints.