Outsourcing Internet Security: Economic Analysis of Incentives for Managed Security Service Providers

Wen Ding, William Yurcik, Xiaoxin Yin
National Center for Supercomputing Applications (NCSA), University of Illinois at Urbana-Champaign
{wending,byurcik,xiaoxin}@ncsa.uiuc.edu
Abstract. Firms hesitate to outsource their network security to outside security providers (called Managed Security Service Providers, or MSSPs) because an MSSP may shirk secretly to increase profits. In economics this secret shirking behavior is commonly referred to as the moral hazard problem. There is a counter argument that the moral hazard problem is not as significant for the Internet security outsourcing market because MSSPs work hard to build and maintain their reputations, which are crucial to surviving competition. Both arguments make sense and should be considered in writing a successful contract. This paper studies the characteristics of optimal contracts (payments to MSSPs) for the security outsourcing market by setting up an economic framework that combines both effects. It is shown that an optimal contract should be performance-based, and that the degree of performance dependence decreases as the reputation effect becomes more significant. We also show that if serving a large group of customers helps the provider improve service quality significantly (which is observed in the Internet security outsourcing market), an optimal contract should always be performance-based even if a strong reputation effect exists.
1 Introduction
It is predicted that the security outsourcing market, in which firms contract with outside information security vendors to meet their organizational demands, will grow at a double-digit compound rate from $4.1 billion in 2001 to $9.0 billion in 2006, and experts predict that this growth rate will continue through 2008 [10]. Two major reasons explain the quick expansion of security outsourcing. First, it offers production cost advantages. For example, for security device (firewall, IDS) management, a security engineer may cost $8,000 to $16,000 per month, and providing 24*7 support requires at least tripling this figure. For the same functions, MSSPs charge between $600 and $4,000 per month. Counterpane, one of the most successful MSSPs, charges only 4% to 10% of the cost a firm incurs to monitor its own network security [19]. Second, security service providers have richer experience, more up-to-date technology and better trained experts because they specialize in this area and serve diverse clients. A large client base also improves service quality, because a provider that monitors more networks is more likely to correlate attacks, identify new attack patterns, and warn customers of events beyond their perimeters. In this sense, a security service provider with a large customer base also serves as an efficient information-sharing mechanism on security issues, and its customers benefit from information spilled over from other customers.

Despite these benefits, serious doubt about the quality of security services remains because of the well known 'moral hazard' problem: the service provider can shirk secretly to increase its profits. A survey by Jeffrey Kaplan published in Business Communications Review (2003) [15] reports that 40.6% of the firms surveyed have such concerns. A counter argument is that the moral hazard problem is not as significant for the security outsourcing market because MSSPs have to work hard to build and keep a good reputation, which is crucial to surviving the competition: buyers will not contract network security to outside providers that cannot offer high quality service consistently. Both arguments are reasonable and should be considered when writing a successful contract.

The moral hazard problem has been studied extensively in economics. Holmstrom (1979) [14] studies the problem in a one-period formulation and shows that the optimal contract under moral hazard is performance-based. Lambert (1983) [18] studies moral hazard in a finitely repeated model and shows that the optimal payment depends on performance history. Spear and Srivastava (1987) [22] present similar results for an infinitely repeated model. One main result of research on reputation is that the reputation effect can mitigate the moral hazard problem; more complicated effects have been observed in different businesses. Banerjee and Duflo (2000) [7] study Indian software development and propose that reputation may explain why a larger proportion of longer-established software firms get paid back for cost overruns, where the overrun may have been caused by the software firm's own moral hazard behavior. Gomes (2000) [11] shows that in the stock market the reputation effect is significant whenever the moral hazard problem is significant, and that if a firm can finance itself through channels other than the stock market, its ability to build reputation is unrelated to its growth opportunities. Dejong et al. (1985) [9] find that in a laboratory market reputation helps alleviate the moral hazard problem, but at the same time there is evidence that reputable agents use the opportunity to advertise falsely in an attempt to deceive principals. In the IT outsourcing literature, moral hazard has long been recognized as a major risk of an outsourcing project, and incentive-compatible contracts have been proposed to address it [8], [6]. Aubert et al. [1] identify contractual difficulties [16] and diminished quality of service [2] as major undesirable consequences of IT outsourcing; Aubert also suggests that diminished quality of service may be correlated with the size of the provider.

This paper studies the characteristics of optimal contracts (in the form of payments to MSSPs) for the security outsourcing market by setting up an economic framework that combines moral hazard and reputation effects, where the reputation of a provider is reflected by how many customers it has. It is shown that an optimal contract should be performance-based, and that the degree of performance dependence decreases as the reputation effect becomes more significant. We also show that if serving a large group of customers helps the provider improve service quality significantly (which is observed in the Internet security outsourcing market), an optimal contract should be performance-based even if a strong reputation effect exists. The rest of this paper is organized as follows: in Section 2 we survey and define managed security services; Section 3 contains a baseline moral hazard model; in Section 4 we present our model, which adds the reputation effect to the moral hazard model for security outsourcing; we end with conclusions in Section 5. The Appendix contains summary tables of managed security services and service providers.
2 A Survey of Managed Security Services
With the increasing frequency and impact of cyber attacks, as well as new government regulations (HIPAA [13], Sarbanes-Oxley [21], Gramm-Leach-Bliley [12], California disclosure laws [3]), more firms are seeking to outsource the function of Internet security protection to expert providers. Thus MSSPs have emerged, characterized by the technical capabilities and responsiveness needed to meet buyers' diverse needs. Managed security services can be categorized into 5 groups: (1) assessment, (2) monitoring, (3) threat and incident control, (4) identity management and (5) consulting. The assessment sub-category includes services that evaluate a firm's security processes by penetration tests on a regular basis. Security monitoring contains services such as managed firewall services, managed intrusion detection systems (IDS), managed intrusion prevention systems (IPS) and data analysis. Threat intelligence addresses how to measure and manage threats before they cause harm: threats are detected by finding correlations in network behavior across the Internet that the provider monitors, so early warning can be given even before attacks reach a firm's security perimeter. Once an incident is discovered, the incident control service goes into action following pre-specified procedures to minimize the impact on the firm. Figure 2 in the Appendix provides a list of security services. The list of managed security services keeps expanding as demand for new security technology emerges. MSSPs may concentrate on just one or any combination of these services, based on their technology strengths and background. Different packages of services have been developed to meet diverse needs, from global enterprises to small businesses. Based on our survey, managed security services possess the following attributes: tailored security solution design, expert security consulting support, 24 × 7 security monitoring, real-time security analysis, and real-time security incident response. Figure 3 in the Appendix summarizes the major managed security service providers with the corresponding services they offer.
3 Baseline Model
It is well documented that in the principal-agent problem, where a principal hires an agent but cannot observe the agent's effort level, the principal's payment to the agent should depend on realized performance; in other words, a performance-based contract is recommended. This contingent plan is expected to give the agent an incentive to work hard by shifting some of the risk onto him. Following Spear and Srivastava (1987) [22], the standard model of the agent's moral hazard problem over an infinite horizon can be written in the following recursive form:

$$
K(v) = \max_{p(y),\,w(y),\,a} \int \{\,y - p(y) + \rho K(w(y))\,\} f(y|a)\,dy \tag{1}
$$

subject to

$$
\int \{\,u(p(y)) + \rho w(y)\,\} f(y|a)\,dy - \varphi(a) \ge v \tag{PK}
$$

$$
a \in \arg\max_{a} \int \{\,u(p(y)) + \rho w(y)\,\} f(y|a)\,dy - \varphi(a) \tag{IC}
$$

where the variables are defined as:

– y, output of the current period
– p(y), payment to the agent
– v, the agent's revenue stream discounted to the current period
– w(y), the agent's revenue from the next period on
– u(·), the agent's utility function
– a, the agent's effort level
– φ(a), cost that the agent incurs by working at effort level a
– f(y|a), probability distribution of output given that the agent's effort level is a
By using the recursive formulation, this model applies the idea of dynamic programming: optimize one period at a time, assuming optimal behavior in the following periods. Thus the objective function consists of two parts: y − p(y) is the principal's payoff in the current period and K(w(y)) represents the principal's best payoff from the next period on. With the discount factor ρ, y − p(y) + ρK(w(y)) represents the principal's discounted profit. Since output y is random, the expected payoff is calculated by integrating w.r.t. y. The first constraint is usually called the promise keeping (PK) constraint. It restricts the principal's choice of p(y) and w(y) to those that provide a decent payoff to the agent. The second constraint is called the incentive compatibility (IC) constraint. This constraint incorporates the moral hazard behavior of the agent into the model: for any given contract p(y) and w(y), the agent always chooses the effort level a that serves its own interest best. Altogether, this model shows how a principal maximizes his profit by choosing a current period payment p(y) and a future payoff w(y) to the agent in the presence of the agent's moral hazard behavior. An optimal contract derived from this model is expected to give suppliers an incentive to work hard.

The following assumption (MLRP: Monotone Likelihood Ratio Property) is made in [22]. Assume that the distribution function of output y satisfies: for all $y_2 > y_1$, the likelihood ratio $f(y_2|a)/f(y_1|a)$ is monotone increasing in the effort level a. This assumption is equivalent to

$$
\frac{d}{dy}\left[\frac{f_a(y,a)}{f(y,a)}\right] \ge 0 .
$$

The MLRP assumption means that for all $a_2 > a_1$ and $y_2 > y_1$ we have

$$
\frac{f(y_2|a_2)}{f(y_1|a_2)} \ge \frac{f(y_2|a_1)}{f(y_1|a_1)} .
$$

In other words, at a higher effort level $a_2$, a higher output $y_2$ is more likely to be realized than a lower output $y_1$. Spear and Srivastava (1987) [22] show that when the MLRP condition holds, the optimal solutions p(y) and w(y) are performance-based: good performance is rewarded both by a higher payment this period and by a higher payoff in the following periods.
4 Moral Hazard Model for Internet Security Outsourcing
In the context of security outsourcing, the security buyer is the principal and the security service provider is the agent. The baseline model can be applied to study the moral hazard problem in the security outsourcing scenario with one modification: a larger customer base helps improve service quality. From the survey of managed security services in Section 2, we see that most managed services have this feature. In our model, this effect is introduced through $f(y|a,N)$: besides depending on the effort level a, the distribution of service performance y also depends on the number of customers of the service provider, N. The effect of reputation is added to the baseline model through $N' = G(y)$, which means that the provider's number of customers next period depends on the current performance y. The model for Internet security outsourcing is then written as:

$$
K(v,N) = \max_{p(y),\,w(y),\,a} \int \{\,y - p(y) + \rho K(w(y), N')\,\} f(y|a,N)\,dy \tag{2}
$$

subject to

$$
N \int \{\,u(p(y)) + \rho w(y)\,\} f(y|a,N)\,dy - \varphi(a,N) + (N' - N) \int \rho w(y) f(y|a,N)\,dy \ge v \tag{PK}
$$

$$
a \in \arg\max_{a} \left\{ N \int \{\,u(p(y)) + \rho w(y)\,\} f(y|a,N)\,dy - \varphi(a,N) + (N' - N) \int \rho w(y) f(y|a,N)\,dy \right\} \tag{IC}
$$

$$
N' = G(y)
$$
In the baseline model it is assumed that the number of customers does not change from period to period, so it suffices to calculate the provider's benefit from just one buyer. When the number of customers differs from period to period, we have to calculate the total benefit the provider gets from all its customers. Therefore, the first terms in (PK) and (IC) are multiplied by the customer size N. The second terms in (PK) and (IC) represent the service provider's change in revenue due to the change in the number of customers: if $N' > N$, the provider gets an additional benefit from the increase in demand. The effect of N on service quality is added through $f(y|a,N)$. We assume that a larger customer base helps the provider increase expected service quality, i.e.,

Assumption 1. At the same effort level a, expected output is monotone in N, i.e., for $N_1 < N_2$, $\int y f(y|a,N_1)\,dy < \int y f(y|a,N_2)\,dy$.

$\varphi(a,N)$ denotes the cost of serving one out of N customers by working at effort a. It captures the provider's economy of scale, i.e., $\varphi(a,N_2) < \varphi(a,N_1)$ for $N_1 < N_2$. The change in the number of customers due to performance is introduced through the function G(·), which is assumed to be continuous and differentiable w.r.t. y. We can simplify the optimization problem (2) by cancelling terms and dividing all terms in the (PK) and (IC) constraints by N:

$$
K(v,N) = \max_{p(y),\,w(y),\,a} \int \{\,y - p(y) + \rho K(w(y), N')\,\} f(y|a,N)\,dy \tag{3}
$$

subject to

$$
\int \left\{\,u(p(y)) + \frac{N'}{N}\rho w(y)\,\right\} f(y|a,N)\,dy - \varphi(a,N) \ge v \tag{PK}
$$

$$
a \in \arg\max_{a} \int \left\{\,u(p(y)) + \frac{N'}{N}\rho w(y)\,\right\} f(y|a,N)\,dy - \varphi(a,N) \tag{IC}
$$

$$
N' = G(y)
$$
Rogerson (1985) [20] proved that under regularity conditions it suffices to use the first order condition of (IC) instead of (IC) itself. Therefore we substitute (IC) by its first order condition, and we substitute G(y) for $N'$ in the objective function. The maximization problem is then written as:

$$
K(v,N) = \max_{p(y),\,w(y),\,a} \int \{\,y - p(y) + \rho K(w(y), G(y))\,\} f(y|a,N)\,dy \tag{4}
$$

subject to

$$
\int \left\{\,u(p(y)) + \frac{G(y)}{N}\rho w(y)\,\right\} f(y|a,N)\,dy - \varphi(a,N) \ge v \tag{PK}
$$

$$
\int \left[\,u(p(y)) + \frac{G(y)}{N}\rho w(y)\,\right] f_a(y|a,N)\,dy - \varphi_a(a,N) = 0 \tag{FOC}
$$
We put λ as the Lagrange multiplier on the (PK) constraint and µ as the Lagrange multiplier on the first order condition of the (IC) constraint. The conditions for the optimal solution are derived by taking the first order derivative w.r.t. the choice variables p(y) and w(y):

$$
\{p(y)\}:\quad -1 + \lambda u'(p(y)) + \mu u'(p(y))\,\frac{f_a(y|a,N)}{f(y|a,N)} = 0 \tag{5}
$$

$$
\{w(y)\}:\quad \rho K'(w(y),G(y)) + \rho\lambda\frac{G(y)}{N} + \rho\mu\frac{G(y)}{N}\,\frac{f_a(y|a,N)}{f(y|a,N)} = 0 \tag{6}
$$

First order conditions (5) and (6) imply:

$$
\frac{1}{u'(p(y))} = \lambda + \mu\,\frac{f_a(y|a,N)}{f(y|a,N)} \tag{7}
$$

$$
-K_w(w(y),G(y)) = \frac{G(y)}{N}\left(\lambda + \mu\,\frac{f_a(y|a,N)}{f(y|a,N)}\right) \tag{8}
$$

Assumption 2 (MLRP-N). For $y_2 > y_1$ the likelihood ratio $f(y_2|a,N)/f(y_1|a,N)$ is monotone increasing in the effort level a for all firm sizes N, i.e.,

$$
\frac{d}{dy}\left[\frac{f_a(y|a,N)}{f(y|a,N)}\right] \ge 0 .
$$
This assumption is a natural extension of Spear and Srivastava (1987) [22] to the scenario where customer size is included in the model explicitly.

Lemma 1. Under MLRP-N, p(y) is monotonically increasing in performance, i.e., $p'(y) > 0$.

Proof. Because the provider's utility function u(·) is concave in p(y), Lemma 1 follows directly from the first order derivative of equation (7) w.r.t. y.

This result shows that the form of the optimal current payment p(y) under the security outsourcing scenario conforms with the standard results in the moral hazard literature, Holmstrom (1979) [14], Lambert (1983) [18] and Spear and Srivastava (1987) [22]. In the next step we show that the form of the optimal continuation payment w(y) is considerably more complicated. We need to define two opposite conditions. First of all, we assume that the functional form of the provider's benefit function K(·) does not change over time. In particular, the partial derivatives of K(·) w.r.t. its arguments do not change, i.e., $K_{vN}(v,N) = K_{wG}(w(y),G(y))$. Subscripts denote partial derivatives.

Definition 1. Non-decreasing Marginal Impact Condition (NDMIC). The reduction in the buyer's benefit due to an increase in w(y) is smaller if the provider has more customers. That is, $K_{vN}(v,N) = K_{wG}(w(y),G(y)) \ge 0$.

Since v is the total payment to the provider, it can be decomposed into the current payment p(y) and the future payment w(y). In the maximization problem (4), if v increases, p(y) and w(y) must also increase so that the (PK) condition is not violated. Therefore the buyer's benefit $K(v,N) = \max \int \{\,y - p(y) + \rho K(w(y),N)\,\} f(y|a,N)\,dy$ will decrease; otherwise the buyer could increase p(y) and w(y) and both the buyer and the provider would be better off. NDMIC says that the impact on the buyer's benefit K(w(y),G(y)) of increasing w(y) is smaller if the provider's number of customers increases. Similarly, we have a definition for the Decreasing Marginal Impact Condition, which is exactly the opposite of NDMIC.

Definition 2. Decreasing Marginal Impact Condition (DMIC). The reduction in the buyer's benefit due to an increase in w(y) is bigger if the provider has more customers. That is, $K_{vN}(v,N) = K_{wG}(w(y),G(y)) \le 0$.

In this paragraph we give some intuition for how the distribution function $f(y|a,N)$ determines which of these two conditions holds. It suffices to analyze how $K_v(v,N)$ changes with N. How much K(·) decreases w.r.t. v depends on two factors. Factor (1) is the $1/N$ coefficient in the (PK) condition of the maximization problem. Factor (2) is the distribution function $f(y|a,N)$ in the maximization problem. For the effect of (1), if $1/N_1 < 1/N_2$, then to satisfy the (PK) condition a larger increase in p(y), in w(y) or in both is required if the provider has $N_1$ customers. Then the decrement in the buyer's payoff K(·) due to an increment in v is bigger, i.e., $K_v(v,N_1) < K_v(v,N_2) < 0$. In other words, as a small fraction of a big service provider's business, it is harder (more costly) for the buyer to exert influence on the provider. For the effect of (2), by Assumption 1 a provider with more customers $N_1$ will produce a larger expected output, and so a larger expected payoff $\int (u(p(y)) + \rho w(y)) f(y|a,N_1)\,dy$. Therefore, for the same increase in the total payment v, a smaller increase in p(y) and w(y) is required to keep the (PK) condition because of the effect of $f(y|a,N)$, so K(·) decreases less if the provider has more customers. In other words, the buyer benefits from the technology of scale of a provider with many customers. Combining the effects of factor (1) and factor (2), how $K_v(\cdot)$ changes with N is ambiguous, i.e., the second derivative $K_{vN}(\cdot)$ can be either positive or negative. If factor (1) is dominant, DMIC holds; if factor (2) is dominant, NDMIC holds. Graphically, NDMIC and DMIC are shown in Figure 1.
Fig. 1. NDMIC and DMIC for $N_2 > N_1$ (two panels plotting the buyer's benefit K(v,N) against v for $N_1$ and $N_2$; the figure itself is not reproduced in this text)
Lemma 2. When NDMIC is satisfied, w(y) is strictly monotone increasing in y, i.e., $w'(y) > 0$.

Proof. Take the derivative of equation (8) w.r.t. y:

$$
\text{LHS}:\quad -K_{ww}(w(y),G(y))\,w'(y) - K_{wG}(w(y),G(y))\,G'(y)
$$

$$
\text{RHS}:\quad \frac{d}{dy}\left\{\frac{G(y)}{N}\left(\lambda + \mu\,\frac{f_a(y|a,N)}{f(y|a,N)}\right)\right\} > 0 \tag{9}
$$

Assumption 2 together with $G'(y) > 0$ implies RHS > 0. The K(·) function is strictly concave in w(y), which means $K_{ww} < 0$ [22]. Rearranging terms and applying NDMIC yields the result.

Lemma 2 shows that when NDMIC is satisfied, even if there is a significant reputation effect, the continuation payment w(y) to the provider should be performance-based. This is because if NDMIC is satisfied, the K(·) function is less concave in v, so the cost of adding more variation to v (and thus to p(y) and w(y)) is lower. This more performance-based payment urges the service provider to work harder, which in turn increases next period's number of customers G(y). This result shows that the reputation effect does not eliminate the necessity of performance-based contracts.

Lemma 3. When DMIC is satisfied, the larger the reputation effect, the smaller the variance of w(y).

Proof. Since K(w(y),G(y)) is strictly concave in w(y), by Jensen's inequality a payment schedule with the same mean as w(y) but smaller variance would increase K(·) strictly. In addition, DMIC means that K(w(y),G(y)) is more concave in w(y) when G(·) increases. Therefore the buyer has an additional incentive to smooth w(y) when G(·) increases. On the other hand, a bigger variation in w(y) gives the provider a larger incentive to work hard. So the buyer's problem is to find a payment schedule w(y) with the smallest variance that still has enough variation to make the service provider work hard. This job is easier in markets with a reputation effect, where additional variation in the provider's payoff is added through the G(y) function. Let $\hat y$ denote the borderline performance such that $G(\hat y) = N$. Then if $y_1 > \hat y$ and $y_2 < \hat y$, we have $G(y_1) > N$ and $G(y_2) < N$. From the maximization problem (4), since the provider's next period payoff equals $\frac{G(y)}{N} w(y)$, we have

$$
\frac{G(y_2)}{N} w(y_2) < w(y_2) < w(y_1) < \frac{G(y_1)}{N} w(y_1),
$$

which means more variation is added to the payment to the provider. Also, the bigger the reputation effect, the more variation is added. Let $w_o(y)$ denote the payment to the provider if there is no reputation effect. Then the buyer can propose $w(y) = \frac{N}{G(y)} w_o(y)$, which has smaller variance than $w_o(y)$. Under the payment w(y), the buyer gets a higher K(·) since w(y) has smaller variance than $w_o(y)$. Also, the provider's benefit $\frac{G(y)}{N} w(y)$ does not change, so the provider will work as hard and get the same expected payment as if there were no reputation effect. Therefore, when the provider faces a reputation effect, the optimal solution w(y) should have smaller variance than $w_o(y)$. Intuitively, this Lemma means that reputation helps to make the contract incentive compatible, so that less variation in the payment is needed.
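A two-outcome numerical instance of the model above, added here as an illustration and not part of the paper: it reproduces the baseline result behind Lemma 1 (with no continuation payoff, the one-period payment p(y) rises with y) and the rescaling $w(y) = \frac{N}{G(y)} w_o(y)$ from the proof of Lemma 3, checking that the variance of w(y) falls while the provider's incentive constraint still holds. The effort probabilities, effort costs, reservation payoff v, discount factor ρ and customer-base ratios G(y)/N are all assumed values.

```python
"""Two-outcome, two-effort instance of the paper's contract model.

Constructed illustration, not the authors' code.  Performance y takes two
values y_L < y_H; effort a is 0 (shirk) or 1 (work); f1 = P(y_H | a=1)
exceeds f0 = P(y_H | a=0), the two-point form of MLRP.  The provider has
u(p) = sqrt(p) and, as in the per-customer problem (3), earns
u(p(y)) + rho * (G(y)/N) * w(y) from outcome y.  All numbers are assumed.
"""
import math

RHO = 0.9  # discount factor (assumed)


def utility_promises(f1, f0, phi1, phi0, v):
    """Total utility promise (U_L, U_H) with (PK) and (IC) both binding.

    (IC) binding:  U_H - U_L = (phi1 - phi0) / (f1 - f0)
    (PK) binding:  f1*U_H + (1 - f1)*U_L - phi1 = v
    """
    if not f1 > f0:
        raise ValueError("MLRP requires f1 > f0")
    spread = (phi1 - phi0) / (f1 - f0)
    u_low = v + phi1 - f1 * spread
    return u_low, u_low + spread


def one_period_payments(promises):
    """Baseline with no continuation payoff (w = 0): p(y) = u^{-1}(U(y)).

    With u(p) = sqrt(p) this is p = U**2, so p(y_H) > p(y_L): the
    one-period contract is performance-based (Lemma 1 / Holmstrom).
    """
    u_low, u_high = promises
    if u_low < 0:
        raise ValueError("sqrt utility cannot deliver a negative promise")
    return u_low ** 2, u_high ** 2


def continuation_payments(promises, p_flat, g_ratio, rho=RHO):
    """Keep the current payment flat at p_flat; w(y) carries the incentive.

    g_ratio = (G(y_L)/N, G(y_H)/N); (1, 1) means no reputation effect.
    Solving sqrt(p_flat) + rho*(G(y)/N)*w(y) = U(y) gives
    w(y) = (N/G(y)) * w_o(y), the rescaling in the proof of Lemma 3.
    """
    base = math.sqrt(p_flat)
    return tuple((u - base) / (rho * g) for u, g in zip(promises, g_ratio))


def provider_expected_payoff(effort, f1, f0, phi1, phi0, p, w, g_ratio, rho=RHO):
    """Provider's expected payoff at a given effort under contract (p, w)."""
    prob_high = f1 if effort == 1 else f0
    cost = phi1 if effort == 1 else phi0
    payoff = [math.sqrt(p[i]) + rho * g_ratio[i] * w[i] for i in (0, 1)]
    return (1 - prob_high) * payoff[0] + prob_high * payoff[1] - cost


def variance(schedule, prob_high):
    """Variance of a two-point schedule (low, high) with P(high) = prob_high."""
    low, high = schedule
    mean = (1 - prob_high) * low + prob_high * high
    return (1 - prob_high) * (low - mean) ** 2 + prob_high * (high - mean) ** 2


def reputation_demo(f1=0.8, f0=0.4, phi1=1.0, phi0=0.0, v=2.0, p_flat=0.25,
                    g_ratio=(0.8, 1.25), tol=1e-9):
    """Continuation schedule with and without a reputation effect.

    Assumed numbers: working raises P(y_H) from 0.4 to 0.8 at cost 1; good
    performance grows the customer base 25 %, bad performance shrinks it
    20 %.  The provider's incentive to work is re-checked explicitly.
    """
    promises = utility_promises(f1, f0, phi1, phi0, v)
    w_o = continuation_payments(promises, p_flat, (1.0, 1.0))
    w = continuation_payments(promises, p_flat, g_ratio)
    p = (p_flat, p_flat)
    work = provider_expected_payoff(1, f1, f0, phi1, phi0, p, w, g_ratio)
    shirk = provider_expected_payoff(0, f1, f0, phi1, phi0, p, w, g_ratio)
    return {
        "w_no_reputation": w_o,
        "w_with_reputation": w,
        "var_no_reputation": variance(w_o, f1),
        "var_with_reputation": variance(w, f1),
        "incentive_compatible": work >= shirk - tol,
    }


if __name__ == "__main__":
    print(one_period_payments(utility_promises(0.8, 0.4, 1.0, 0.0, 2.0)))
    print(reputation_demo())
```

With the assumed numbers the no-reputation schedule pays (0.556, 3.333) and the reputation-adjusted one (0.694, 2.667): the spread the buyer must promise halves in variance while the provider's expected payoff under both effort levels is unchanged.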
5 Conclusions

By modelling the reputation effect in a moral hazard context, we show that the optimal contract should be performance-based. When the effect of the provider's customer base is not significant, the optimal contract changes less with performance as the reputation effect becomes more important for the provider. This conclusion conforms with previous research showing that the reputation effect mitigates the moral hazard problem. We also show that if serving a large group of customers improves service quality significantly, the optimal contract should be performance-based even when a strong reputation effect exists.
References

1. Aubert, B., Patry, M. and Rivard, S. Assessing the Risk of IT Outsourcing. Proc. 31st Annual Hawaii International Conference on System Sciences, 1998.
2. Aubert, B., Patry, M. and Rivard, S. A Tale of Two Outsourcing Contracts: An agency-theoretical perspective. Wirtschaftsinformatik, Vol. 45, No. 2, pp. 181-190, 2003.
3. California Database Breach Act (SB 1386). California Senate, http://info.sen.ca.gov/pub/01-02/bill/sen/sb 1351-1400/sb 1386 bill 20020926 chaptered.html, 2002.
4. Counterpane Internet Security Wins Prestigious Red Herring 100 Award. Counterpane Media Releases, 2004.
5. Counterpane Internet Security Announces Suite of Managed Security Services Designed for Small and Mid-Sized Enterprises. Counterpane Media Releases, 2004.
6. Bakos, Y. and Brynjolfsson, E. Information Technology, Incentives and the Optimal Number of Suppliers. Journal of Management Information Systems, Vol. 10, No. 2, 1993.
7. Banerjee, A. and Duflo, E. Reputation Effects and the Limits of Contracting: A Study of the Indian Software Industry. World Congress of the Econometric Society, 2000.
8. Bryson, K.M. and Sullivan, W.E. Designing Effective Incentive-Oriented Outsourcing Contracts for ERP Systems. Proc. of 35th Hawaii International Conference on System Sciences, 2002.
9. Dejong, D., Forsythe, R. and Lundholm, R. Ripoffs, Lemons, and Reputation Formation in Agency Relationships: A Laboratory Market Study. The Journal of Finance, Jul. 1985.
10. DeSouza, R. IT Outsourcing Market Forecast. Gartner, Mar. 2004.
11. Gomes, A. Going Public without Governance: Managerial Reputation Effects. The Journal of Finance, Apr. 2000.
12. Gramm-Leach-Bliley Act of 1999. Federal Trade Commission, Http://www.ftc.gov/privatcy/glbact/.
13. The Health Insurance Portability and Accountability Act. Centers for Medicare & Medicaid Services, http://www.cms.hhs.gov/hipaa/, 1996.
14. Holmstrom, B. Moral Hazard and Observability. The Bell Journal of Economics, Vol. 10, No. 1, pp. 74-91, 1979.
15. Kaplan, J. Outsourcing Trends: A Matter of Perspective? Business Communications Review, pp. 46-50, Aug. 2003.
16. Lacity, M.C. and Hirschheim, R. Information Systems Outsourcing. John Wiley & Sons, 1993.
17. Lacity, M.C. and Willcocks, L.P. An Empirical Investigation of Information Technology Sourcing Practices: Lessons from Experience. MIS Quarterly, Sep. 1998.
18. Lambert, R.A. Long-term Contracts and Moral Hazard. Bell Journal of Economics, Vol. 14, No. 2, pp. 441-452, 1983.
19. Miller, S. Leaders of the MSSP Pack: Counterpane & Ubizen keep. Processor, Vol. 26, No. 20, May 2004.
20. Rogerson, W. The First-Order Approach to Principal-Agent Problems. Econometrica, Vol. 53, No. 6, pp. 853-877, Nov. 1985.
21. Sarbanes-Oxley Act of 2002. U.S. Securities and Exchange Commission, http://www.sarbanes-oxley-forum.com/, 2002.
22. Spear, S. and Srivastava, S. On Repeated Moral Hazard with Discounting. The Review of Economic Studies, Vol. 54, No. 4, pp. 599-617, Oct. 1987.
6 Appendix
Services and descriptions:

– Application security/code review: scan web application code for vulnerabilities and insecure coding techniques
– Security policy compliance: perform regularly scheduled audits to ensure continued compliance and identify nonconformance with a company's established information security policy and government or industry-specific regulations (e.g. Sarbanes-Oxley and HIPAA)
– Vulnerability assessment and management: perform penetration tests on systems for known vulnerabilities
– Certificates: assess firms' compliance with government, industry, partner and customer requirements, and issue proof of compliance
– Risk management: help customers decide whether to accept exposure or to reduce vulnerabilities, either by mitigating the risks or by applying cost effective controls
– Managed firewall services: 24*7 monitoring of all traffic through the firewall, and of service outages
– Managed VPN services: similar to managed firewall services, usually a firewall add-on
– Email anti-spam/antivirus: scan content (email messages and attachments, SMTP, HTTP, FTP, file transfers) for potential malicious code or junk mail
– Managed IDS: 24*7 monitoring of all network traffic, detecting and analyzing anomalies for true attacks
– Managed IPS: 24*7 monitoring that proactively blocks threats rather than detecting them after the fact
– Security monitoring: similar to IDS, but can draw data from a wider variety of sources and provide more in-depth analysis
– Threat intelligence: based on the provider's research on real world events, offers a series of features including early warning of emerging threats, threat severity measurement, immediate notification and consultation
– Incident response and forensics: provide responses to security breaches based on the five cornerstones of effective incident management and response: detection, assessment, forensics, containment, and recovery
– Authentication: verify and confirm the identity of individuals who are accessing sensitive information or conducting high value B2B transactions on an extranet
– Identity management: administer user authentication, access rights, access restrictions, account profiles, passwords and other similar attributes
– Consulting: the practice of helping firms to improve their security level through professional analysis

Fig. 2. List of security services
Fig. 3 in the original is a matrix with one row per provider (Company name/URL (Country)) and one column per service category from Fig. 2: application security/code review, vulnerability assessment and management, certificates, security policy compliance, risk management, managed firewall, managed VPN, email antivirus/antispam, IDS, IPS, security monitoring, incident response and forensics, threat intelligence, authentication, identity management, consulting. The check-mark cells did not survive extraction and are not reproduced here; the providers listed are:

AT&T/www.att.com (USA)
Aspect/www.aspectsecurity.com/home.html (USA)
Avaya/www.avaya.com (USA)
Aventail/www.aventail.com (USA)
Cisco Systems/www.cisco.com (USA)
Computer Associates/www.ca.com (USA)
Computer Science Corporation/www.csc.com (USA)
Cybertrust/www.cybertrust.com (USA)
Dreaming Tree Tech. Inc/www.firewalls.com (USA)
FiberLink/www.fiberlink.com (USA)
FrontBridge/www.frontbridge.com (USA)
GeoTrust/www.geotrust.com (USA)
Guardian Digital/www.guardiandigital.com (USA)
IBM/www.ibm.com (USA)
Internet Security Services/www.iss.net (USA)
LURHQ/www.lurhq.com (USA)
McAfee/http://www.mcafee.com/us (USA)
MCI/www.mci.com (USA)
MessageLabs/www.massagelabs.com (USA)
Netsec/www.netsec.net (USA)
Netifice/www.netifice.com/default.html (USA)
NUVO/www.nuvo.com (Canada)
Positive Networks/www.positivenetworks.com (USA)
Postini/www.postini.com (USA)
Qualys/www.qualys.com (USA)
RedSiren/www.redsiren.com (USA)
RSA Security/www.rsasecurity.com (USA)
Solutionary/www.solutionary.com (USA)
SurfControl/www.surfcontrol.com (USA)
Tata Group/www.tata.com (India)
Sonicwall/www.sonicwall.com (USA)
Symantec/www.symantec.com (USA)
NT Objectives/www.ntobjectives.com (USA)
Farm9/farm9.com (USA)
Entrust/www.entrust.com (USA)
Counterpane/www.counterpane.com (USA)
EDS/www.eds.com (USA)
TriGeo/www.trigeo.com (USA)
TruSecure/www.trusecure.com (USA)
Tenable Network Security/www.tenablesecurity.com (USA)
Ubizen/www.ubizen.com (USA)
Vericept/www.vericept.com (USA)
Verisign/www.verisign.com (USA)
VigilantMinds/www.vigilantminds.com (USA)

Notes:
1. MCI offers management-only services, good for firms with existing devices
2. Internet Security Services offers a money back satisfaction guarantee
3. Dreaming Tree Technology Inc offers a 30 day satisfaction or money back guarantee
4. Symantec bought Riptech in 2002 and Brightmail in 2004
5. Verisign acquired Guardent
6. Aventail sold its managed SSL to Netifice
7. Cybertrust is the result of a merger of Betrusted and TruSecure, and is the majority owner of Ubizen

Fig. 3. Managed security services providers summary