Competition, Speculative Risks, and IT Security Outsourcing

Cezar, Asunur
Cavusoglu, Huseyin
Raghunathan, Srinivasan
Information security management is becoming a more critical and, simultaneously, a challenging function for many firms. Even though many security managers are skeptical about outsourcing of IT security, others have cited reasons that are used for outsourcing of traditional IT functions for why security outsourcing is likely to increase. Our research offers a novel explanation, based on competitive externalities associated with IT security, for firms' decisions to outsource IT security. We show that if competitive externalities are ignored, then a firm will outsource security if and only if the MSSP offers a quality (or a cost) advantage over in-house operations, which is consistent with the traditional explanation for security outsourcing. However, a higher quality is neither a prerequisite nor a guarantee for a firm to outsource security. The competitive risk environment and the nature of the security function outsourced, in addition to quality, determine firms' outsourcing decisions. If the reward from the competitor's breach is higher than the loss from own breach, then even if the likelihood of a breach is higher under the MSSP the expected benefit from the competitive demand externality may offset the loss from the higher likelihood of breaches, resulting in one or both firms outsourcing security. The incentive to outsource security monitoring is higher than that of infrastructure management because the MSSP can reduce the likelihood of breach on both firms and thus enhance the demand externality effect. The incentive to outsource security monitoring (infrastructure management) is higher (lower) if either the likelihood of breach on both firms is lower (higher) when security is outsourced or the benefit (relative to loss) from the externality is higher (lower). The benefit from the demand


Evaluation and selection of case tools: a methodology and a case study
Okşar, Koray; Okşar, Koray; Department of Information Systems (2010)
Today’s Computer Aided Software Engineering (CASE) technology covers nearly all activities in software development ranging from requirement analysis to deployment.Organizations are evaluating CASE tool solutions to automate or ease their processes. While reducing human errors, these tools also increase control, visibility and auditability of the processes. However, to achieve these benefits, the right tool or tools should be selected for usage in the intended processes. This is not an easy task when the vas...
Organizational factors required for IT and business strategies alignment
Altınışık, Said; Çetin, Yasemin; Department of Information Systems (2015)
Previous literature strongly supports that the alignment of a firm’s information systems with business strategies leads to superior business performance and provides the firm a competitive advantage in the market. This study examines the antecedent factors of IT and business strategies alignment particularly for the Turkish context. Our research method in this study is embedded correlational model under the umbrella of mixed method research design. We derived the factors that were shown to contribute to bus...
A Decision Support System for Optimal Selection of Enterprise Information Security Preventative Actions
Sonmez, Ferda Ozdemir; Günel Kılıç, Banu (2021-09-01)
Types and complexity of information security related vulnerabilities are growing rapidly and present numerous challenges to the enterprises. One of the key challenges is to identify the optimal set of precautions with limited budget. Despite the fact that majority of enterprises have a budget constraint for installing and maintaining the protection systems, the majority of the previous work only focus on prioritization of security targets and do not consider the preventative actions and budget constraints. ...
Plural: A decentralized business process modeling method
Turetken, Oktay; Demirörs, Onur (Elsevier BV, 2011-08-01)
Top-down and centralized approaches prevail in the design and improvement of business processes. However, centralized structures pose difficulties for organizations in adapting to a rapidly changing business environment. Here we present the Plural method which can be used to guide organizations in performing process modeling in a decentralized way. Instead of a centralized group of people understanding, modeling and improving processes, our method allows individuals to model and improve their own processes ...
Aerospace-Academia: ERP-Communication Framework Strategy
Rashid, M. Asif; Qureshi, Hammad; Shami, Muiz-ud-Din; Khan, Nawar; Sayin, Erol; SEYREK, İBRAHİM HALİL (2010-07-02)
The advancement in management information systems and business intelligence has changed the dynamics of knowledge management. The integration of ERP module for strategic-collaboration among industry-R&D departments with university-wide "Smart-campus" has further reiterated the target focused team environment coupled with value-based corporate-culture. The integration of academia R&D units with industrial-production-units for knowledge-management as well as resource-management is becoming extremely multiface...
Citation Formats
A. Cezar, H. Cavusoglu, and S. Raghunathan, “Competition, Speculative Risks, and IT Security Outsourcing,” 2009, p. 301, Accessed: 00, 2020. [Online]. Available: