Design of Information Security Responsibility Coordination Contract in Software Supply Chain under Bilateral Moral Hazard
Abstract: Information security is the foundation for the high-quality development of the software supply chain. In the software supply chain, information security risks are inherited, and the information security inputs of upstream and downstream parties jointly determine how securely the software operates. An information security risk in any link directly or indirectly affects the security of end software users. Because information security is complex, neither software vendors nor users can observe each other's information security efforts. When a security incident occurs, responsibility for it cannot be clearly defined, which gives rise to bilateral moral hazard. The supply chain studied in this paper consists of software suppliers and software users. By constructing an ideal control model under centralized decision-making (without moral hazard) and an information security vulnerability loss sharing model under decentralized decision-making (bilateral moral hazard), a reasonable software supply chain information security responsibility coordination contract is designed and the model is numerically simulated. The results show that each party's share of the vulnerability loss, for the software supplier and the user alike, is related to the other party's cost coefficient, not its own. When the level of cooperative R&D determined by the synergy coefficient and cost coefficient is unchanged and both parties in the software supply chain have some negotiating power, there is an optimal vulnerability loss sharing contract under bilateral moral hazard, and the ratio of the two parties' optimal benefits equals the ratio of their respective negotiating factors. When both parties in the software supply chain share information security risks, they can change the linear distribution ratio according to their respective cost structures to seek the optimal sharing of vulnerability loss costs. Finally, from the perspective of information security management, management implications are given for software suppliers and their users.
Authors: Xiong Qiang (熊强); Lian Shuai (练帅); Li Zhiwen (李治文); Jin Shuai (金帅) (School of Management, Jiangsu University, Zhenjiang 212013, China; Computational Experiment Center for Social Science, Nanjing University, Nanjing 210093, China)
Source: Chinese Journal of Management Science (《中国管理科学》), indexed in CSSCI, CSCD and the Peking University Core Journals list, 2024, No. 10, pp. 265-274 (10 pages)
Funding: National Social Science Fund of China project (19BGL236).
Keywords: software supply chain; bilateral morality; information security responsibility; coordination contract