A probabilistic model for optimal insurance contracts against security risks and privacy violation in IT outsourcing environments

Regular Contribution, International Journal of Information Security

Abstract

Day by day, the provision of information technology goods and services becomes noticeably more expensive. This is mainly due to the high labor cost for the service providers, which results from the need to cover a vast variety of application domains and, at the same time, to improve and/or enhance the services offered in accordance with the requirements set by the competition. A business model that could ease the problem is the development and/or provision of the service by an external contractor on behalf of the service provider, known as Information Technology Outsourcing. However, outsourcing a service may have the side effect of transferring personal and/or sensitive data from the outsourcing company to the external contractor. Therefore, the outsourcing company faces the risk of a contractor who does not adequately protect the data, resulting in their non-deliberate disclosure or modification, or of a contractor who acts maliciously in the sense that she causes a security incident in order to profit from it. Whatever the case, the outsourcing company is legally responsible for the misuse of personal data and/or the violation of an individual's privacy. In this paper we demonstrate how companies adopting the outsourcing model can protect the personal data and privacy of their customers through an insurance contract. Moreover, a probabilistic model for optimising the insurance contract, in terms of the premium and compensation amounts, is presented.



Author information

Correspondence to S. Gritzalis.


Cite this article

Gritzalis, S., Yannacopoulos, A.N., Lambrinoudakis, C. et al. A probabilistic model for optimal insurance contracts against security risks and privacy violation in IT outsourcing environments. Int. J. Inf. Secur. 6, 197–211 (2007). https://doi.org/10.1007/s10207-006-0010-x
