Abstract
IT outsourcing (ITO) is a major contributor to cybersecurity risk exposure. When organizations outsource IT needs and/or cybersecurity functions, they explicitly or implicitly assume that ITO providers bear the responsibility for cybersecurity risk. In reality, the ITO client's risk profile changes and becomes a combination of its own risks and a subset of its ITO provider's risks. This paper discusses cybersecurity risk challenges that are exacerbated in the ITO context and a commonly made argument that ITO client-provider trust can improve the management of cybersecurity risk. The paper proceeds to contrast three views on how to build trust with ITO providers: the decision-theoretic view, the transparency-based view, and the market-based view. It shows that the market-based view is most likely to emerge as the dominant model for client-provider trust. Market-based trust involves market mechanisms that reward and penalize ITO service providers for obtaining cybersecurity certifications from independent, trusted third-party agencies. Specifically, just as firms that obtain cybersecurity certifications benefit from positive market reactions that create firm value, firms that experience cybersecurity incidents indicating failures of certified IT security suffer punitive market reactions that destroy firm value. The paper elaborates on the feasibility of market-based trust in the ITO context, and shows that it works in the context of cyber failures and IT insourcing. The paper concludes with a discussion of obstacles to widespread adoption of market-based trust by ITO players.
Notes
1. Akinrolabu and New (2017) compared 25 CSPs (SaaS providers) on eight transparency features (Architecture, Technology/Partners, Datacenter location, Security features, IT-related compliance certifications, Advertised Service Level Agreement (SLA), Disaster recovery/business continuity, Monitoring/Support). The results show that: (1) the CSPs in vertical markets, such as the finance/ERP sub-group, scored the lowest points; and (2) CSPs in the online workspace sub-group were found to be the most transparent.
2. The risk reduction strategy involves taking steps that lower the underlying cost in case risk events materialize (e.g., business continuity plans) and deploying security measures that reduce the likelihood of risk events occurring (e.g., firewalls, encryption, security training, and role-based access rules). The risk avoidance strategy requires redesigning the way business activities are carried out and adapting or changing products and services. The risk transfer strategy involves the sale of risk to another party, primarily by buying cyber liability insurance.
3. Internal controls are “policies, procedures, practices, and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected” (ITGI 2007).
4. The U.S. follows a sectoral law approach, where federal regulations on data protection are industry- or sector-specific. India is expanding sectoral laws to attain more comprehensive data protection. The EU, by contrast, offers guidelines aimed at becoming a working multi-national standard (e.g., OECD Guidelines, EU Data Directive). The EU Data Directive, for example, prescribes eight principles for: (1) limiting collection and use of personal data, (2) access by individuals to their information, (3) accountability for compliance by data controllers (firms), (4) transparency of process, (5) security safeguards, (6) destruction or anonymizing of data no longer serving the original purpose for which it was collected, (7) and so on.
5. The objectives are: Security—the system is protected against unauthorized physical and logical access; Availability—the system is available for business use and operations as required; Processing integrity—system processing is complete, accurate, timely, and authorized; Confidentiality—restricted information is protected and access is limited to authorized users; and Privacy—personal information is collected, used, guarded, disclosed, and destroyed in conformity with the firm’s stated privacy policy and generally accepted privacy principles issued by various standard-sponsoring organizations (e.g., AICPA).
References
Akinrolabu, O., & New, S. (2017). Can improved transparency reduce supply chain risks in cloud computing? Operations and Supply Chain Management, 10(3), 130–140.
Ali, S., Padmanabhan, V., & Dixon, J. (2014). Why cybersecurity is a strategic issue: Is your business one hack away from disaster? Bain and Company. (https://www.bain.com/insights/why-cybersecurity-is-a-strategic-issue/).
Bellino, C., & Hunt, S. (2007). Auditing Application Controls. The Institute of Internal Auditors (IIA).
Benaroch, M. (2018). Properties of IT control deficiencies at the root of cyber incidents: Theoretical and empirical examination. In Proceedings of the 12th ILAIS Conference, Israel.
Benaroch, M. (2019). IT general control deficiencies and impact on firm IT capability and firm performance. Working paper, Whitman School of Management, Syracuse University.
Benaroch, M., & Chernobai, A. (2015). Linking operational IT failures to IT control weaknesses. In Proceedings of AMCIS 2015, Puerto Rico.
Benaroch, M., & Chernobai, A. (2017). Operational IT failures, IT value-destruction, and board-level IT governance changes. MIS Quarterly, 41(3), 729–762.
Benaroch, M., Chernobai, A., & Goldstein, J. (2012). An internal control perspective on the market value consequences of IT operational risk events. International Journal of Accounting Information Systems, 13(4), 357–381.
Cayirci, E. (2015). Models for cloud risk assessment: A tutorial. In Accountability and Security in the Cloud (vol. 8937, pp. 154–184). Berlin: Springer International Publishing. (http://link.springer.com/10.1007/978-3-319-17199-9).
Cayirci, E., Garaga, A., De Oliveira, A. S., & Roudier, Y. (2014). A cloud adoption risk assessment model. In Proceedings—2014 IEEE/ACM 7th International Conference on Utility and Cloud Computing, UCC 2014 (pp. 08–913). (http://doi.org/10.1109/UCC.2014.148).
Chan, W., Leung, E., & Pili, H. (2012). Enterprise risk management for cloud computing. Committee of Sponsoring Organizations of the Treadway Commission, 4.
Coleman, D. (2018). Nearly 65% of affected public companies did not report cybersecurity breaches to the SEC. Audit Analytics Report. (https://www.auditanalytics.com/blog/nearly-70-of-affected-public-companies-did-not-report-cybersecurity-breaches-to-the-sec/).
Croce, B. (2019). Majority of cybersecurity incidents go unreported to SEC, analysis finds. Pensions and Investments. (https://www.pionline.com/article/20190227/ONLINE/190229852/majority-of-cybersecurity-incidents-go-unreported-to-sec-analysis-finds).
Deane, J. K., Goldberg, D. M., Rakes, T. R., & Rees, L. P. (2019). The effect of information security certification announcements on the market value of the firm. Information Technology and Management, published online.
Dhillon, G., Syed, R., & Sá-Soares, F. de. (2017). Information security concerns in IT outsourcing: Identifying (in)congruence between clients and vendors. Information and Management, 54(4), 452–464.
Gadia, S. (2011). Cloud computing risk assessment: A case study. ISACA Journal, (4), 11–16. (http://www.isaca.org/Journal/Past-Issues/2011/Volume-4/Pages/Cloud-Computing-Risk-Assessment-A-Case-Study.aspx).
Gozman, D., & Willcocks, L. (2019). The emerging cloud dilemma: Balancing innovation with cross-border privacy and outsourcing regulations. Journal of Business Research, forthcoming.
Horvath, A. S., & Agrawal, R. (2015). Trust in cloud computing. In SoutheastCon 2015 (pp. 1–8). Fort Lauderdale, FL.
IDG. (2016). Data Centers in Flux: The IT Optimization Challenge. IDG Research Services. (https://www.insightcdct.com/getattachment/e900f48c-faa8-4d43-b9cf-07131e5cc713/Data-Centers-in-Flux-The-IT-Optimization-Challeng.aspx).
IIA. (2007). Scoping Information Technology General Controls (ITGC). The Institute of Internal Auditors.
ISACA & CSA. (2015). Cloud Computing Market Maturity. An ISACA Cloud Vision Series White Paper (pp. 1–12).
ITGI. (2007). COBIT 4.1 Framework. Rolling Meadows, IL: IT Governance Institute.
Kang, H. S. (2014). An analysis of information security management system and certification standard for information security. Journal of Security Engineering, 11(6), 455–468.
Klahr, R., Shah, J. N., Sheriffs, P., Rossington, T., Pestell, G., Button, M., & Wang, V. (2017). Cyber security breaches survey 2017. Ipsos MORI Social Research Institute and the Institute for Criminal Justice Studies, University of Portsmouth. (https://www.ipsos.com/sites/default/files/2017-04/sri-cybersecurity-breaches-survey-2017.pdf).
Kolstad, C., Ulen, T., & Johnson, G. (1990). Ex post liability for harm versus ex ante safety regulation: Substitutes or complements. American Economic Review, 80(4).
Kopp, E., Kaffenberger, L., & Wilson, C. (2017). Cyber risk, market failures, and financial stability. IMF Working Paper (WP/17/185), International Monetary Fund.
Liu, C.-W., Huang, P., & Lucas, H. (2017). IT centralization, security outsourcing, and cybersecurity breaches: Evidence from the U.S. higher education. In ICIS 2017 Proceedings.
Malliouris, D. D., & Simpson, A. C. (2019). The stock market impact of information security investments: The case of security standards. Workshop on Economics of Information Security, Boston, MA.
NetDiligence. (2016). 2016 Cyber Claims Study. (https://netdiligence.com/wpcontent/uploads/2016/10/P02_NetDiligence-2016-Cyber-Claims-Study-ONLINE.pdf).
New, S. (2009). Supply chain traceability and product provenance: Challenges for theory and practice. In E. Sweeney (Ed.), Supply Chain Management and Logistics in a Volatile Global Environment. Dublin: Blackhall Publishing Ltd. ISBN 9781842181775.
New, S., & Brown, D. (2012). The four challenges of supply chain transparency. European Business Review, 1–7. (http://www.europeanbusinessreview.com/?p=4082).
O’Driscoll, G. P., Jr., & Hoskins, L. (2006). The case for market-based regulation. Cato Journal, 26(3), 469–487.
Park, C.-S., Jang, S.-S., & Park, Y.-T. (2010). A study of effect of Information Security Management System (ISMS) certification on organization performance. International Journal of Computer Science and Network Security, 10(3).
PwC (Price Waterhouse Coopers). (2015). Insurance 2020 and Beyond: Reaping the Dividends of Cyber Resilience. Price Waterhouse Cooper Insurance.
Raj, S. (2011). Common Assurance Maturity Model, 1–2. (http://www.fstech.co.uk/fst/FSTech_Conference_2011/Common_Assurance_Maturity_Model_Raj_Samani.pdf).
Szubartowicz, E., & Schryen, G. (2018). Timing in information security: An event study on the impact of information security investment announcements. Working paper, University of Regensburg, Germany. (https://epub.uni-regensburg.de/37576/).
Vasishta, N. V., Gupta, M., Misra, S. K., Mulgund, P., & Sharman, R. (2018). Optimizing cybersecurity program—evidence from data breaches in healthcare. In 13th Annual Symposium on Information Assurance (ASIA’18), Albany, NY.
Verizon. (2017). Data Breach Investigations Report 2017. Verizon Enterprise. (http://www.verizonenterprise.com/resources/reports/rp_DBIR_2017_Report_en_xg.pdf).
Vijayan, J. (2015). Cloud security: Transparency is crucial for service providers. CIO. (http://www.cio.com/article/2925773/cloud-security/cloudsecurity-transparency-is-crucial-for-service-providers.html).
Weber, R. H., & Staiger, D. N. (2014). Cloud computing: A cluster of complex liability issues. Web Journal of Current Legal Issues, 20(1), 1–13. (http://webjcli.org/article/view/303/418).
Weiss, M., & Solomon, M. G. (2016). Auditing IT Infrastructures for Compliance. Jones and Bartlett Learning, LLC, an Ascend Learning Company.
Wisner, J. D., Tan, K. C., & Leong, G. K. (2008). Principles of Supply Chain Management—A Balanced Approach. Cengage Learning.
Yuen, S. (2008). Exporting trust with data: Audited self-regulation as a solution to cross-border data transfer protection concerns in the offshore outsourcing industry. The Columbia Science and Technology Law Review, IX, 41–86.
© 2020 Springer Nature Switzerland AG
Benaroch, M. (2020). Cybersecurity Risk in IT Outsourcing—Challenges and Emerging Realities. In: Hirschheim, R., Heinzl, A., Dibbern, J. (eds) Information Systems Outsourcing. Progress in IS. Springer, Cham. https://doi.org/10.1007/978-3-030-45819-5_13
DOI: https://doi.org/10.1007/978-3-030-45819-5_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-45818-8
Online ISBN: 978-3-030-45819-5