
Cybersecurity Risk in IT Outsourcing—Challenges and Emerging Realities

Chapter
Information Systems Outsourcing

Part of the book series: Progress in IS ((PROIS))

Abstract

IT outsourcing (ITO) is a major contributor to cybersecurity risk exposure. When organizations outsource IT needs and/or cybersecurity functions, they explicitly or implicitly assume that ITO providers bear the responsibility for cybersecurity risk. In reality, ITO clients’ risk profile changes and becomes a combination of their risks and a subset of their ITO provider risks. This paper discusses cybersecurity risk challenges that are exacerbated in the ITO context and a commonly made argument that ITO client-provider trust can improve the management of cybersecurity risk. The paper proceeds to contrast three views on how to build trust with ITO providers: decision-theoretic view, transparency-based view, and market-based view. It shows that the market-based view is most likely to emerge as the dominant model for client-provider trust. Market-based trust involves market mechanisms that reward and penalize ITO service providers for obtaining cybersecurity certifications from independent, trusted third-party agencies. Specifically, the same way firms that obtain cybersecurity certifications benefit from positive market reactions that create firm value, so do firms that experience cybersecurity incidents indicating failures of certified IT security suffer punitive market reactions that destroy firm value. The paper elaborates on the feasibility of market-based trust in the ITO context, and shows that it works in the context of cyber failures and IT insourcing. The paper concludes with a discussion of obstacles to widespread adoption of market-based trust by ITO players.


Notes

  1. Aknirolabu and New (2017) compared 25 CSPs (SaaS providers) on eight transparency features (Architecture, Technology/Partners, Datacenter location, Security features, IT-related compliance certifications, Advertised Service Level Agreement (SLA), Disaster recovery/business continuity, Monitoring/Support). The results show that: (1) the CSPs in vertical markets, such as the finance/ERP sub-group, scored the lowest points; and (2) CSPs in the online workspace sub-group were found to be the most transparent.

  2. The risk reduction strategy involves taking steps that lower the underlying cost if risk events materialize (e.g., business continuity plans) and deploying security measures that reduce the likelihood that risk events occur (e.g., firewalls, encryption, security training, and role-based access rules). The risk avoidance strategy requires redesigning the way business activities are carried out and adapting or changing products and services. The risk transfer strategy involves transferring risk to another party, primarily by buying cyber liability insurance.

  3. Internal controls are “policies, procedures, practices, and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected” (ITGI 2007).

  4. The U.S. follows a sectoral law approach, where federal regulations on data protection are industry- or sector-specific. India is expanding sectoral laws to attain more comprehensive data protection. The EU, by contrast, offers guidelines aimed at becoming a working multi-national standard (e.g., OECD Guidelines, EU Data Directive). The EU Data Directive, for example, prescribes eight principles for: (1) limiting collection and use of personal data, (2) access by individuals to their information, (3) accountability for compliance by data controllers (firms), (4) transparency of process, (5) security safeguards, (6) destruction or anonymizing of data no longer serving the original purpose for which it was collected, (7) and so on.

  5. The objectives are: Security—the system is protected against unauthorized physical and logical access; Availability—the system is available for business use and operations as required; Processing integrity—system processing is complete, accurate, timely, and authorized; Confidentiality—restricted information is protected and access is limited to authorized users; and Privacy—personal information is collected, used, guarded, disclosed, and destroyed in conformity with the firm’s stated privacy policy and generally accepted privacy principles issued by various standard-sponsoring organizations (e.g., AICPA).

Corresponding author

Correspondence to Michel Benaroch.


© 2020 Springer Nature Switzerland AG


Cite this chapter

Benaroch, M. (2020). Cybersecurity Risk in IT Outsourcing—Challenges and Emerging Realities. In: Hirschheim, R., Heinzl, A., Dibbern, J. (eds) Information Systems Outsourcing. Progress in IS. Springer, Cham. https://doi.org/10.1007/978-3-030-45819-5_13
