1,810 research outputs found

    Outsourcing Information Security: The Role of Information Leakage in Outsourcing Decisions

    Emerging research regarding the economics of outsourcing information security recommends that firms utilize full outsourcing due to its cost advantages but ignore the risk of information leakage. In our model, we take the information leakage into account, and show that it is necessary for a firm to assess the risk before outsourcing. Next, we divide a firm’s business operations into core business and non-core business operations and introduce a partial outsourcing strategy. We find that the security quality of partial outsourcing is always lower. Subsequently, we demonstrate the conditions for selecting from among three security strategies, i.e., in-house development, partial outsourcing and full outsourcing. Based on our results, in high-risk information leakage environments, we do not recommend outsourcing. We further demonstrate that outsourcing security of non-core business is an alternative strategy when the risk of information leakage is not high. A firm should shift from outsourcing to developing security protection in-house as the percentage of information assets utilized for core business increases. In addition, our results show that outsourcing information security of only core business is a strictly dominated strategy.

    Bilateral liability-based contracts in information security outsourcing

    Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements

    The interdependency of information security risks often induces firms to invest inefficiently in information technology security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending. However, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative risk management approaches: risk pooling arrangements (RPAs) and managed security services (MSSs). We show that firms can use an RPA as a complement to cyberinsurance to address the overinvestment issue caused by negative externalities of security investments; however, the adoption of an RPA is not incentive-compatible for firms when the security investments generate positive externalities. We then show that the MSS provider serving multiple firms can internalize the externalities of security investments and mitigate the security investment inefficiency. As a result of risk interdependency, collective outsourcing arises as an equilibrium only when the total number of firms is small

    Factors influencing the organizational decision to outsource IT security

    IT security outsourcing is the process of contracting a third-party security service provider to perform the full or partial IT security functions of an organization. Little is known about the factors influencing organizational decisions in outsourcing such a critical function. Our review of the research and practice literature identified several managerial factors (e.g., cost-benefit, inability to cope with the threat environment) and legal factors (e.g., regulatory/legal compliance). We found research in IT security outsourcing to be immature and the focus areas not addressing the critical issues facing industry practice. We, therefore, present a research agenda consisting of fifteen questions to address five key gaps relating to knowledge of IT security outsourcing – i.e., the effectiveness of the outcome, lived experience of the practice, the temporal dimension, multi-stakeholder perspectives, and the impact on IT security practices, particularly agility in incident response.

    A data quarantine model to secure data in edge computing

    Edge computing provides an agile data processing platform for latency-sensitive and communication-intensive applications through a decentralized cloud and geographically distributed edge nodes. Gaining centralized control over the edge nodes can be challenging due to security issues and threats. Among several security issues, data integrity attacks can lead to inconsistent data and intrude edge data analytics. Further intensification of the attack makes it challenging to mitigate and identify the root cause. Therefore, this paper proposes a new concept of data quarantine model to mitigate data integrity attacks by quarantining intruders. The efficient security solutions in cloud, ad-hoc networks, and computer systems using quarantine have motivated adopting it in edge computing. The data acquisition edge nodes identify the intruders and quarantine all the suspected devices through dimensionality reduction. During quarantine, the proposed concept builds the reputation scores to determine the falsely identified legitimate devices and sanitize their affected data to regain data integrity. As a preliminary investigation, this work identifies an appropriate machine learning method, linear discriminant analysis (LDA), for dimensionality reduction. The LDA results in 72.83% quarantine accuracy and 0.9 seconds training time, which is more efficient than other state-of-the-art methods. In future, this would be implemented and validated with ground truth data.

    Seizing new possibilities for expanding the scope of Cybersecurity Research in Information Systems

    As Cybersecurity continues to have a significant impact on modern society, there is a pressing need for a more comprehensive research agenda in Information Systems (IS). In this study, we conducted a thorough literature review of prominent IS journals to identify gaps in Cybersecurity research practices. Our findings indicate that there is a significant gap between research and practice, particularly in terms of focus on Cybersecurity behavioural factors in the past decade. To address this gap, we recommend that future Cybersecurity research in IS should adopt a broader perspective that incorporates relevant sociotechnical knowledge areas and theories. We provide an example of Cybersecurity research topics that go beyond behavioural aspects and suggest mapping of Cybersecurity sociotechnical research knowledge areas in Information Systems to guide future research efforts. This study highlights the importance of broadening the scope of Cybersecurity research in IS to address the complex Cybersecurity challenges in contemporary practice

    APPLICATION OUTSOURCING IN THE BANKING INDUSTRY – ITO MODEL

    Information Technology Outsourcing (ITO) in terms of the replacement of the in-house production of IT activities by the use of third party suppliers had already started in the 1960s and has increased considerably. For 2013, the Gartner Group expected that the global ITO market would reach a volume of 288 bn US dollars. Until 2017, the market should grow on average about 5.4% yearly. Despite the rich set of experiences companies have already had with ITO, the chances of success are seen as at best 50:50. Currently, the dramatic growth of ITO is accompanied by backsourcing of formerly outsourced IT functions or reports about dissatisfaction and problems with ITO. Scientists put ITO failures or problems down to a lack of modelling of all the possible factors affecting ITO success and demand a specific ITO theory as a basis for better explaining and predicting successes and failures in an IT sourcing context. This thesis takes up this research gap. The aim of this thesis is to develop a novel ITO Model which aids organisations in planning and implementing ITO solutions by guiding them through the ITO process steps of preparation, selection, contract, transition, execution, and post-deal comprising a comprehensive picture of the weighted aspects relevant to ITO success and their interdependencies. 
In order to achieve this aim, the following objectives were established for this thesis: raising the topical level of scientific knowledge of the last decades about success-influencing factors in the ITO field based on an extensive literature survey of 48 scientific articles deriving ITO success factors from empirical research work; structuring of this success factor knowledge by the development of two ITO taxonomies (taxonomy of success factors and taxonomy of success factor interdependencies); testing its practical applicability on the basis of 8 real long-running application outsourcing cases in the banking industry; further development of the success factor knowledge by identification of weightings and the temporal relevance of relevant success factors / success factor interdependencies within the ITO process. Design of the novel ITO Model based on the empirical knowledge gained by development of rules for relevant success factors and success factor interdependencies, by arrangement of these rules in temporal order within the ITO process and by assignment of these rules to four levels of environment.

    Developing and verifying a set of principles for the cyber security of the critical infrastructures of Turkey

    Critical infrastructures are vital assets for countries as a harm given to critical infrastructures may affect public order, economic welfare and/or national security. Today, cyber systems are extensively used to control and monitor critical infrastructures. Therefore, cyber threats have the potential to adversely affect the order of societies and countries. In this PhD study, the root causes of the susceptibility of the critical infrastructures of Turkey to the cyber threats are identified by analyzing the qualitative data with the grounded theory method. The extracted root causes are verified by two experts. The set of principles for the cyber security of the critical infrastructures are determined by introducing the root causes to six experts in a five-phased Delphi survey. A state-level cyber security maturity model to measure the readiness level of the critical infrastructure protection efforts is developed by using the set of principles. Because maturity criteria are grounded on the root causes of the susceptibility to cyber threats, the maturity model is named Vulnerability Driven National Cyber Security Maturity Model. The readiness level of the critical infrastructure protection efforts of Turkey is measured by the participation of ten former/current government officials in the maturity survey. The root causes, the set of principles, and the results of the maturity survey are compared with the relevant studies of the academia, non-profit organizations and governments