Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements

The interdependency of information security risks often induces firms to invest inefficiently in information technology security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending. However, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative risk management approaches: risk pooling arrangements (RPAs) and managed security services (MSSs). We show that firms can use an RPA as a complement to cyberinsurance to address the overinvestment issue caused by negative externalities of security investments; however, the adoption of an RPA is not incentive-compatible for firms when the security investments generate positive externalities. We then show that the MSS provider serving multiple firms can internalize the externalities of security investments and mitigate the security investment inefficiency. As a result of risk interdependency, collective outsourcing arises as an equilibrium only when the total number of firms is small

Medicare Shared Savings Performance: Three-Year Pandemic Analysis

The Centers for Medicare and Medicaid\u27s (CMS) Office of Actuary predicts that U.S. national health expenditures will surpass U.S. gross domestic product per capita by 1.1% annually until 2028, totaling $6.2 trillion in healthcare spending. A significant portion of this spending, 36%, is attributed to Medicare and Medicaid. To address this issue, CMS has implemented the Medicare Shared Savings Program (MSSP) to assist Accountable Care Organizations (ACOs) in reducing healthcare costs and improving the quality of care for beneficiaries. The main objectives of this dissertation are twofold. Firstly, it aims to investigate the relationship between various factors, such as quality score, savings rate, outpatient and inpatient emergency department visits, total primary care visits, total number of beneficiaries, and risk model selected, with the total savings or loss generated by MSSP ACOs during the 2019 and 2021 performance years. Secondly, this dissertation seeks to assess the impact of the 2020 COVID-19 Federal health response on these parameters, both before and after the pandemic, including the generated total savings, quality score, savings rate, outpatient and inpatient emergency department visits, total primary care visits, number of beneficiaries, and risk model selected. The analysis reveals sustained direct relationships over the three-year period between generated total savings or loss, savings rates, and the number of beneficiaries. Additionally, quality scores, outpatient and inpatient emergency department visits show a decline during the same period

Managing Interdependent Information Security Risks: A Study of Cyberinsurance, Managed Security Service and Risk Pooling

The interdependency of information security risks poses a significant challenge for firms to manage security. Firms may over- or under-invest in security because security investments generate network externalities. In this paper, we explore how firms can use three risk management approaches, third-party cyberinsurance, managed security service (MSS) and risk pooling arrangement (RPA), to address the issue of investment inefficiency. We show that compared with cyberinsurance, MSS is more effective in mitigating the security investment inefficiency because the MSS provider (MSSP) serving multiple firms can endogenize the externalities of security investments. However, the investment externalities may discourage a for-profit MSSP from serving all firms even on a monopoly market. We then show that firms can use RPA as a complement to cyberinsurance to address risk interdependency for all firms. However, the adoption of RPA is incentive-compatible for firms only when the security investments generate negative externalities

Outsourcing Information Security: The Role of Information Leakage in Outsourcing Decisions

Emerging research regarding the economics of outsourcing information security recommends that firms utilize full outsourcing due to its cost advantages but ignore the risk of information leakage. In our model, we take the information leakage into account, and show that it is necessary for firm to assess the risk before outsourcing. Next, we divide a firm’s business operations into core business and non-core business operations and introduce a partial outsourcing strategy. We find that the security quality of partial outsourcing is always lower. Subsequently, we demonstrate the conditions for selecting from among three security strategies, i.e., in-house development, partial outsourcing and full outsourcing. Based on our results, in high-risk information leakage environments, we do not recommend outsourcing. We further demonstrate that outsourcing security of non-core business is an alternative strategy when the risk of information leakage is not high. A firm should shift from outsourcing to developing security protection in-house as the percentage of information assets utilized for core business increases. In addition, our results show that outsourcing information security of only core business is a strictly dominated strategy

Medicare Payment Reform: Aligning Incentives for Better Care

The Affordable Care Act (ACA) has provided the Medicare program with an array of tools to improve the quality of care that beneficiaries receive and to increase the efficiency with which that care is provided. Notably, the ACA has created the Center for Medicare and Medicaid Innovation, which is developing and testing promising new models to improve the quality of care provided to Medicare beneficiaries while reducing spending. These new models are part of an effort by the U.S. Department of Health and Human Services to increase the proportion of traditional Medicare payments tied to quality or value to 85 percent by 2016 and 90 percent by 2018. This issue brief, one in a series on Medicare's past, present, and future, explores the evolution of Medicare payment policy, the potential of value-based payment to improve care for beneficiaries and achieve savings, and strategies for accelerating its adoption