19 research outputs found

    Establishing the Trust-Control Balance in Client-Vendor Outsourcing Relationships: Empirical Evidence from Two IS Outsourcing Projects

    Nowadays, intense global competition requires companies to reposition themselves in value networks and build more sustainable and long-term relationships with their outsourcing partners. Trust and formal controls are critical issues in contemporary outsourcing arrangements. This paper contributes to the understanding of the trust-control nexus in dynamic outsourcing relationships and argues that the achieved level of balance leads to a different course of the development of an outsourcing arrangement. These issues are explored in two case studies, where the knowledge on trust and controls is constructed in the form of organisational narratives. The analysis of the cases reveals how the client's and vendor's actions oscillate between different balancing levels of trust and controls in the relationship dynamics and how this leads to contrasting outsourcing outcomes.

    Towards a Conceptualisation of Trust in IS Outsourcing

    Despite the implicit recognition of trust in IS outsourcing, comparatively little research could be found in this area. While addressing the nature of trust in IS outsourcing, we found surprisingly many aspects of the concept of trust which have not been captured in the mainstream research on IS outsourcing. This paper presents an interdisciplinary view on trust and attempts to call for a greater understanding of, and focus on, the role and impact of trust in an outsourcing context. It is argued that trust does play a significant role in many aspects of IS outsourcing and could potentially be one of the key elements that contribute to the success of an outsourcing activity. The paper suggests a multidimensional approach to the exploration of trust in outsourcing relationships, with a greater focus on the multi-faceted aspects of trust as well as the mediating factors that influence the success and/or failure of IS outsourcing activities.

    Towards Better Understanding of the Relationship between Formal Controls and Trust in IS Outsourcing

    It is interesting to discover that there is a reasonably small but growing literature on the issue and role of trust in IS outsourcing in the past few years. Built on the premise that over-reliance on an outsourcing contract and/or other forms of formal controls does not necessarily deliver a successful outsourcing partnership and/or outcomes, we have explored another dimension of the outsourcing relationship: 'trust'. This paper is written to further explore the role of trust and its relationship with formal controls within the context of IS outsourcing. The paper advocates that 'trust' is a powerful factor that is intricately linked to the success of outsourcing activities and that those engaged in an outsourcing relationship need to find a balance between trust and formal controls.

    An architectural approach to achieving higher-level security for component (service) based software systems

    Software systems, in particular component (or service) based software systems, are becoming highly distributed and complex, involving independent collaborating components working together towards achieving the systems' goals. In current practice, a system's security features are often added after the functional requirements have been addressed. As such, these security features are not systematically designed into the system, and consequently the system often has inherent design flaws and vulnerabilities that can be exploited by intruders, and companies spend much time and resources to fix them up. Meanwhile, the number of security attacks against these systems is also growing. These attacks are more sophisticated and difficult to identify, analyse, correlate (i.e., find out the root attack that triggers other attacks), anti-correlate (i.e., select and enforce proper countermeasures), and mitigate. Therefore, there is a strong need for a systematic software engineering approach, which we call software security engineering (SSE), for developing secure and robust component (or service) based software systems by considering security and functional requirements at the same time. To address the above issue, we draw on some analogies from human society and biological systems in which the "strong" can protect the "weak", with the resulting relationship and the whole system being stronger than the individual "links". We argue that through collaboration of a system's constituent components (i.e., distributed detection and defenses) there is a better chance to detect and withstand the new generation of security attacks, including multi-phased distributed attacks and various flooding distributed denial of service (DDoS) attacks.
    Besides, in order to achieve collaborative intrusion detection and defenses in distributed environments, the system and its constituent components should have a mechanism to share with each other a general understanding of information about security attacks and countermeasures. Furthermore, this system should be adaptive and reconfigurable as a measure to withstand security attacks, in addition to the traditional approaches such as blocking the IP addresses of the sources of the attack. Following the above considerations, in this thesis we introduce a new architectural approach to achieving higher-level security for component (service) based software systems. It includes a reference architecture with defensive components used as a foundation of our approach, a number of security ontologies utilised by different distributed components as a common vocabulary, and a language for describing and manipulating the system design and configurations. First, the reference architecture for managing security, called SECROBAT, supports defensive components (DCs) including intrusion detection components (IDCs), honey pot components (HCs) and key distribution components (KDCs), and adopts the pure peer-to-peer (P2P) and the super-peer (S-P) structures to allow components to operate as a coalition and be adaptive and reconfigurable in order to resist different types of security attacks. Based on SECROBAT, different software applications can be developed, including collaborative and distributed systems, Web service-based systems, social network systems, and online gaming systems. Second, we develop and apply security ontologies as a common vocabulary for sharing and analysing information among distributed system components such as DCs, which collaboratively identify security attacks and realise defensive measures. We adopt an ontological approach because of its flexibility, scalability, reusability, and possibility to evolve over time and solve interoperability problems.
    Several security ontologies are developed, including the security attack ontology (SAO), the security defence ontology (SDO), the security asset-vulnerability ontology (SAVO), the security algorithm-standard ontology (SASO), and the security function ontology (SFO). Third, we design the GIZKA language, based on SECROBAT and the security ontologies, for specifying dynamic software architectures, their security properties, and security attacks and defenses. It also helps the administrator to manage the system at runtime. GIZKA makes the process of designing, developing, and managing software systems simple and flexible. Finally, our approach is demonstrated through a case study of an example social network system and a prototype implementation.

    An Ontological Approach Applied to Information Security and Trust

    Software applications have become highly distributed and complex, involving independent collaborating components working towards achieving system goals. At the same time, security attacks against these applications have also grown, becoming more sophisticated and quite difficult to detect and withstand, especially distributed attacks. In this paper, we argue that one way to identify and mitigate such attacks is through the trust-based collaboration of application components. However, to achieve collaborative defense in distributed environments, a common vocabulary is needed for the components to collaborate with each other in identifying security incidents. Thus, we employ an ontological approach to define security ontologies as a common vocabulary that is understandable for both humans and software agents. Further, we introduce basic security concepts and trust implications, and explain our security ontologies (specified in OWL), which include the security asset-vulnerability ontology (SAVO), the security algorithm-standard ontology (SASO), the security function ontology (SFO), and the security attack and defence ontologies (SAO and SDO respectively). Trust is also examined, and its dimensions are employed to create trust-based communications used to distribute security ontologies. We use a case study involving Mitnick attacks to demonstrate our approach.

    An ontology-driven approach applied to information security

    Software systems have become highly distributed and complex, involving independent components working together towards achieving systems' goals. Meanwhile, security attacks against such systems have increased and become more sophisticated and difficult to detect and withstand. In this paper, we argue that the collaboration of a system's constituent components is a better way to detect and withstand this new generation of security attacks, including multi-phased distributed attacks and various flooding distributed denial of service attacks. In order to achieve collaborative intrusion detection and defenses in distributed environments, the system and its constituent components should have a common mechanism to share the collected knowledge about security attacks and countermeasures. Thus, we develop and apply security ontologies that will serve as the common vocabulary, understandable for both humans and software agents, to share and analyse the received information. In particular, several security ontologies are introduced, including the security attack ontology, the defence ontology, the asset-vulnerability ontology, the algorithm-standard ontology, and the security function ontology. In conclusion, we demonstrate the applicability of our approach with a case study illustrating the Mitnick attack.
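    The two abstracts above (and the thesis abstract before them) make one concrete technical claim: a multi-phased attack such as the Mitnick attack is hard for any single component to see, but becomes recognisable once distributed defensive components report what they observe in a shared vocabulary and a correlator finds the root event. The block below is an added illustration of that claim, not code from the papers or from Secrobat/GIZKA: a toy concept hierarchy (the subClassOf skeleton an OWL ontology such as the SAO would carry, here a plain dict called TAXONOMY), alerts from two hypothetical intrusion detection components, and a correlator that reconstructs the attack's three phases (SYN-flood the trusted host to silence it, probe the victim's TCP sequence numbers, then complete a spoofed trust-based login from the silenced host). The component names, the Alert fields, the 60-second window and SAMPLE_ALERTS are all constructed for this example.

```python
"""Collaborative correlation of alerts over a shared attack vocabulary.

Added example standing in for the shared-vocabulary idea; not the SAO/SDO
ontologies or the Secrobat/GIZKA code. TAXONOMY, Alert, the component names
and SAMPLE_ALERTS are constructed for this illustration.
"""
from dataclasses import dataclass

# Child -> parent concept pairs: the subClassOf skeleton an OWL ontology would
# carry. Components agree on these terms rather than on raw local signatures.
TAXONOMY = {
    "Event": None,
    "TrustedHostLogin": "Event",        # e.g. rsh/rlogin accepted on host trust alone
    "Attack": "Event",
    "DenialOfService": "Attack",
    "SYNFlood": "DenialOfService",
    "Reconnaissance": "Attack",
    "TCPSequenceProbe": "Reconnaissance",
    "Spoofing": "Attack",
    "BlindTCPHijack": "Spoofing",
}


def is_a(concept, ancestor):
    """subClassOf reasoning: walk from concept up to the root looking for ancestor."""
    while concept is not None:
        if concept == ancestor:
            return True
        concept = TAXONOMY[concept]
    return False


@dataclass(frozen=True)
class Alert:
    t: float        # seconds on a clock the components are assumed to share
    reporter: str   # defensive component that observed the event
    concept: str    # term from TAXONOMY
    src: str
    dst: str


def correlate_mitnick(alerts, window=60.0):
    """Reconstruct Mitnick-style attacks from alerts raised by several components.

    Phase 1: a trusted host T is SYN-flooded (silenced).
    Phase 2: the victim V's TCP sequence generation is probed.
    Phase 3: V accepts a trust-based login claiming to come from T while T is
             still silenced, so the login cannot really be T's.
    Returns one finding per reconstructed attack, with the flood as root event.
    """
    floods = [a for a in alerts if is_a(a.concept, "DenialOfService")]
    probes = [a for a in alerts if is_a(a.concept, "Reconnaissance")]
    logins = [a for a in alerts if is_a(a.concept, "TrustedHostLogin")]
    findings = []
    for flood in floods:
        trusted = flood.dst
        for login in logins:
            # The login must claim to come from T and fall inside T's outage window.
            if login.src != trusted or not flood.t <= login.t <= flood.t + window:
                continue
            victim = login.dst
            seen_probes = [p for p in probes
                           if p.dst == victim and login.t - window <= p.t <= login.t]
            if not seen_probes:
                continue   # trusted login during a flood alone is not enough evidence
            evidence = [flood, *seen_probes, login]
            findings.append({
                "inferred": "BlindTCPHijack",   # the concept no single reporter emitted
                "root": flood,
                "trusted": trusted,
                "victim": victim,
                "reporters": sorted({e.reporter for e in evidence}),
            })
    return findings


# Constructed sample: idc-trusted sees only a flood; idc-victim sees probes and
# what looks locally like a legitimate trusted login. Addresses are documentation ranges.
SAMPLE_ALERTS = [
    Alert(0.0, "idc-trusted", "SYNFlood", "198.51.100.7", "trusted-host"),
    Alert(1.5, "idc-victim", "TCPSequenceProbe", "203.0.113.9", "victim"),
    Alert(2.1, "idc-victim", "TCPSequenceProbe", "203.0.113.9", "victim"),
    Alert(12.0, "idc-victim", "TrustedHostLogin", "trusted-host", "victim"),
    # Benign: the same trusted login much later, with no flood or probing around it.
    Alert(900.0, "idc-victim", "TrustedHostLogin", "trusted-host", "victim"),
]

if __name__ == "__main__":
    for f in correlate_mitnick(SAMPLE_ALERTS):
        print(f["inferred"], "root:", f["root"].concept, "reporters:", f["reporters"])
```

    Two things the toy makes visible that the abstracts only state: the victim-side component on its own classifies phase 3 as an ordinary TrustedHostLogin, so the hijack is inferred only from the union of both reporters' alerts, and the hierarchy lets the correlator match on abstract classes (DenialOfService, Reconnaissance) so a component may report a more specific term than the correlator was written for.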

    Secrobat: secure and robust component-based architectures

    Software systems, component-based systems (CBS) in particular, have a lot of vulnerabilities that may be exploited by intruders. Companies spend much time and money to "patch" them up. This is partly due to the fact that a system's security features are often added to the system after its functional requirements have been addressed. As such, system security features are not systematically designed into the system, and consequently the system has inherent security "holes". Therefore, there is a strong need for a systematic engineering approach to developing secure and robust systems, especially distributed systems, by considering functional and security requirements at the same time. In particular, these systems should be highly adaptive and reconfigurable in order to resist different types of attacks and failures. This paper introduces a reference architecture, called Secrobat, for creating secure and robust CBS. It has several key features, including defensive components and an adaptive and reconfigurable architecture with a hybrid peer/super-peer structure. The reference architecture is illustrated with an example gaming system.