Abstract
As global cooperation deepens, the information held by firms is no longer independent of one another but forms a complementary structure of information assets. To cope with increasingly frequent information security incidents, many firms choose to outsource security to professional managed security service providers (MSSPs). In addition, governments have gradually begun to attach importance to firms' information security management and attempt to raise firms' security levels through measures such as security standards and security subsidies. Based on firms' complementary information characteristics, this paper studies the optimal information security decisions of complementary firms under different security conditions when security standards are taken into account, and offers managerial insights for practical security decision-making. This paper finds that, whether security is managed in-house or outsourced, both firms and MSSPs raise security quality as the security subsidy increases. However, an overly strict mandatory security standard leads firms to outsource security to an MSSP in order to shift liability, even when firms know that the MSSP will not actually deliver security quality matching the mandatory standard. Furthermore, this paper finds that when firms choose to manage security themselves, a strict mandatory security standard distorts firms' equilibrium behavior and causes unnecessary social welfare loss.
With the deepening of global cooperation, information among firms is no longer independent but complementary. To cope with increasingly frequent information security incidents, many firms choose to outsource security to managed security service providers (MSSPs). In addition, governments have gradually begun to pay attention to firms' information security management and try to improve firms' security levels through security standards and security subsidies. Based on the complementary information characteristics of firms, this paper studies firms' optimal information security decisions under different security conditions when security standards are considered, and also provides management implications for practical security decisions. This study finds that both firms and MSSPs improve security quality as the security subsidy increases, whether security is managed in-house or outsourced. But an overly strict mandatory security standard may induce firms to outsource security to an MSSP to avoid security liability, even when firms know that MSSPs do not actually provide the same security quality as the mandatory standard. In addition, we find that when firms choose to manage security in-house, a strict mandatory security standard can distort firms' equilibrium behavior and cause unnecessary social welfare damage.
Source
Management Science and Engineering (《管理科学与工程》)
2024, Issue 1, pp. 292-306 (15 pages)