The growth of information technology creates business value to the society as well as introduces security concerns. Firms start to outsource security protection to managed security service providers (MSSPs) to meet business needs. However, the incentive issue between firms and the MSSP leads to social inefficiency. Moreover, the interconnection under the same service provider imposes additional interdependent risk to firms. This paper addresses the above issues by examining different compensation contracts under various information structure. We first show that a simple loss-based compensation could not solve the inefficiency problem with unobservable service level and interdependent risk. We then propose two new viable contract mechanisms, threshold compensation and effort-base...[ Read more ]

The growth of information technology creates business value to the society as well as introduces security concerns. Firms start to outsource security protection to managed security service providers (MSSPs) to meet business needs. However, the incentive issue between firms and the MSSP leads to social inefficiency. Moreover, the interconnection under the same service provider imposes additional interdependent risk to firms. This paper addresses the above issues by examining different compensation contracts under various information structure. We first show that a simple loss-based compensation could not solve the inefficiency problem with unobservable service level and interdependent risk. We then propose two new viable contract mechanisms, threshold compensation and effort-based compensation, which utilize ex-post information on client's protection to achieve socially optimal outcome. Our result also shows that welfare and profit are higher under observable service level, which encourage MSSPs to better communicate their service quality to clients.