Abstract
This paper studies how firms in a supply chain whose information assets are complementary can cooperate with a managed security service provider (MSSP) to solve the double moral hazard (DMH) problem in security outsourcing, the situation in which neither the firms' nor the MSSP's security effort is observable to the other side, so each has an incentive to under-invest. The results show that the degree of information complementarity between the firms reduces their expected loss to some extent; this suppresses the investment incentives of both the firms and the MSSP and reduces the compensation the MSSP pays the firms, but it increases the probability that the firms are breached. The study further shows that the bilateral refund contract commonly used in the information security outsourcing industry suffers from the DMH problem, and that the problem is made more complicated by the information complementarity between the supply chain firms. A liability contract is therefore proposed to solve it. Unlike the bilateral refund contract, the liability contract pays out according to the security states of the firms: when both complementary firms are breached, the MSSP compensates both firms; when only one firm is breached, the MSSP penalizes the breached firm and rewards the un-breached firm. The results show that the liability contract effectively solves the DMH problem faced by complementary supply chain firms under the bilateral refund contract, and that the MSSP prefers the liability contract when its implementation cost is below a threshold. These findings offer guidance for the information security outsourcing strategy of complementary firms in a supply chain.
Authors
WU Yong (吴勇), WANG Linping (王林萍), FENG Gengzhong (冯耕中)
Glorious Sun School of Business & Management, Donghua University, Shanghai 200051, China; School of Management, Xi'an Jiaotong University, Xi'an 710049, China
Source
Systems Engineering-Theory & Practice (《系统工程理论与实践》), 2022, No. 11, pp. 2916-2926 (11 pages)
Indexed in: EI, CSSCI, CSCD, Peking University Core Journals (北大核心)
Funding
National Natural Science Foundation of China (71801035, 71832001)
Major Project of the National Social Science Fund of China (20&ZD053)
Fundamental Research Funds for the Central Universities (2232018H-07)
Keywords
supply chain security
complementary information
information security outsourcing
double moral hazard
liability contract