Cybersecurity Risk in IT Outsourcing—Challenges and Emerging Realities
IT outsourcing (ITO) is a major contributor to cybersecurity risk exposure. When organizations outsource IT needs and/or cybersecurity functions, they explicitly or implicitly assume that ITO providers bear the responsibility for cybersecurity risk. In reality, the ITO client’s risk profile changes and becomes a combination of its own risks and a subset of its ITO provider’s risks. This paper discusses cybersecurity risk challenges that are exacerbated in the ITO context, and a commonly made argument that ITO client-provider trust can improve the management of cybersecurity risk. The paper proceeds to contrast three views on how to build trust with ITO providers: a decision-theoretic view, a transparency-based view, and a market-based view. It shows that the market-based view is most likely to emerge as the dominant model for client-provider trust. Market-based trust involves market mechanisms that reward and penalize ITO service providers for obtaining cybersecurity certifications from independent, trusted third-party agencies. Specifically, just as firms that obtain cybersecurity certifications benefit from positive market reactions that create firm value, firms that experience cybersecurity incidents indicating failures of certified IT security suffer punitive market reactions that destroy firm value. The paper elaborates on the feasibility of market-based trust in the ITO context, and shows that it works in the context of cyber failures and IT insourcing. The paper concludes with a discussion of obstacles to widespread adoption of market-based trust by ITO players.
Notes
Akinrolabu and New (2017) compared 25 CSPs (SaaS providers) on eight transparency features (architecture, technology/partners, datacenter location, security features, IT-related compliance certifications, advertised Service Level Agreement (SLA), disaster recovery/business continuity, monitoring/support). The results show that: (1) CSPs in vertical markets, such as the finance/ERP sub-group, scored lowest; and (2) CSPs in the online workspace sub-group were the most transparent.
The risk reduction strategy involves taking steps that lower the cost incurred if risk events materialize (e.g., business continuity plans) and deploying security measures that reduce the likelihood that risk events occur (e.g., firewalls, encryption, security training, and role-based access rules). The risk avoidance strategy requires redesigning the way business activities are carried out and adapting or changing products and services. The risk transfer strategy involves shifting risk to another party, primarily by buying cyber liability insurance.
Internal controls are “policies, procedures, practices, and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected” (ITGI 2007).
The U.S. follows a sectoral law approach, where federal regulations on data protection are industry- or sector-specific. India is expanding sectoral laws to attain more comprehensive data protection. The EU, by contrast, offers guidelines aimed at becoming a working multi-national standard (e.g., OECD Guidelines, EU Data Directive). The EU Data Directive, for example, prescribes eight principles, including: (1) limiting collection and use of personal data, (2) access by individuals to their information, (3) accountability for compliance by data controllers (firms), (4) transparency of process, (5) security safeguards, (6) destruction or anonymizing of data no longer serving the original purpose for which it was collected, (7) and so on.
The objectives are: Security—the system is protected against unauthorized physical and logical access; Availability—the system is available for business use and operations as required; Processing integrity—system processing is complete, accurate, timely, and authorized; Confidentiality—restricted information is protected and access is limited to authorized users; and Privacy—personal information is collected, used, guarded, disclosed, and destroyed in conformity with the firm’s stated privacy policy and generally accepted privacy principles issued by various standard-sponsoring organizations (e.g., AICPA).
References
- Akinrolabu, O., & New, S. (2017). Can improved transparency reduce supply chain risks in cloud computing? Operations and Supply Chain Management, 10(3), 130–140.
- Ali, S., Padmanabhan, V., & Dixon, J. (2014). Why cybersecurity is a strategic issue: Is your business one hack away from disaster? Bain and Company. (https://www.bain.com/insights/why-cybersecurity-is-a-strategic-issue/).
- Bellino, C., & Hunt, S. (2007). Auditing Application Controls. The Institute of Internal Auditors (IIA).
- Benaroch, M. (2018). Properties of IT control deficiencies at the root of cyber incidents: theoretical and empirical examination. In Proceedings of the 12th ILAIS Conference, Israel.
- Benaroch, M. (2019). IT general control deficiencies and impact on firm IT capability and firm performance. Working paper, Whitman School of Management, Syracuse University.
- Benaroch, M., & Chernobai, A. (2015). Linking operational IT failures to IT control weaknesses. In Proceedings of AMCIS 2015, Puerto Rico.
- Benaroch, M., & Chernobai, A. (2017). Operational IT failures, IT value-destruction, and board-level IT governance changes. MIS Quarterly, 41(3), 729–762.
- Benaroch, M., Chernobai, A., & Goldstein, J. (2012). An internal control perspective on the market value consequences of IT operational risk events. International Journal of Accounting Information Systems, 13(4), 357–381.
- Cayirci, E. (2015). Models for cloud risk assessment: A tutorial. In Accountability and Security in the Cloud (Vol. 8937, pp. 154–184). Berlin: Springer International Publishing. (http://link.springer.com/10.1007/978-3-319-17199-9).
- Cayirci, E., Garaga, A., De Oliveira, A. S., & Roudier, Y. (2014). A cloud adoption risk assessment model. In Proceedings of the 2014 IEEE/ACM 7th International Conference on Utility and Cloud Computing (UCC 2014) (pp. 08–913). (http://doi.org/10.1109/UCC.2014.148).
- Chan, W., Leung, E., & Pili, H. (2012). Enterprise risk management for cloud computing. Committee of Sponsoring Organizations of the Treadway Commission (COSO).
- Coleman, D. (2018). Nearly 65% of affected public companies did not report cybersecurity breaches to the SEC. Audit Analytics Report. (https://www.auditanalytics.com/blog/nearly-70-of-affected-public-companies-did-not-report-cybersecurity-breaches-to-the-sec/).
- Croce, B. (2019). Majority of cybersecurity incidents go unreported to SEC, analysis finds. Pensions and Investments. (https://www.pionline.com/article/20190227/ONLINE/190229852/majority-of-cybersecurity-incidents-go-unreported-to-sec-analysis-finds).
- Deane, J. K., Goldberg, D. M., Rakes, T. R., & Rees, L. P. (2019). The effect of information security certification announcements on the market value of the firm. Information Technology and Management, published online.
- Dhillon, G., Syed, R., & Sá-Soares, F. de. (2017). Information security concerns in IT outsourcing: identifying (in)congruence between clients and vendors. Information and Management, 54(4), 452–464.
- Gadia, S. (2011). Cloud computing risk assessment: A case study. ISACA Journal, (4), 11–16. (http://www.isaca.org/Journal/Past-Issues/2011/Volume-4/Pages/Cloud-Computing-Risk-Assessment-A-Case-Study.aspx).
- Gozman, D., & Willcocks, L. (2019). The emerging cloud dilemma: Balancing innovation with cross-border privacy and outsourcing regulations. Journal of Business Research, forthcoming.
- Horvath, A. S., & Agrawal, R. (2015). Trust in cloud computing. In SoutheastCon 2015 (pp. 1–8). Fort Lauderdale, FL.
- IDG. (2016). Data Centers in Flux: The IT Optimization Challenge. IDG Research Services. (https://www.insightcdct.com/getattachment/e900f48c-faa8-4d43-b9cf-07131e5cc713/Data-Centers-in-Flux-The-IT-Optimization-Challeng.aspx).
- IIA. (2007). Scoping Information Technology General Controls (ITGC). The Institute of Internal Auditors.
- ISACA & CSA. (2015). Cloud Computing Market Maturity. An ISACA Cloud Vision Series White Paper (pp. 1–12).
- ITGI. (2007). COBIT 4.1 Framework. IT Governance Institute, Rolling Meadows, IL.
- Kang, H. S. (2014). An analysis of information security management system and certification standard for information security. Journal of Security Engineering, 11(6), 455–468.
- Klahr, R., Shah, J. N., Sheriffs, P., Rossington, T., Pestell, G., Button, M., & Wang, V. (2017). Cyber security breaches survey 2017. Ipsos MORI Social Research Institute and the Institute for Criminal Justice Studies, University of Portsmouth. (https://www.ipsos.com/sites/default/files/2017-04/sri-cybersecurity-breaches-survey-2017.pdf).
- Kolstad, C., Ulen, T., & Johnson, G. (1990). Ex post liability for harm versus ex ante safety regulation: substitutes or complements? American Economic Review, 80(4).
- Kopp, E., Kaffenberger, L., & Wilson, C. (2017). Cyber risk, market failures, and financial stability. IMF Working Paper WP/17/185, International Monetary Fund.
- Liu, C.-W., Huang, P., & Lucas, H. (2017). IT centralization, security outsourcing, and cybersecurity breaches: evidence from U.S. higher education. In ICIS 2017 Proceedings.
- Malliouris, D. D., & Simpson, A. C. (2019). The stock market impact of information security investments: The case of security standards. Workshop on the Economics of Information Security, Boston, MA.
- NetDiligence. (2016). 2016 Cyber Claims Study. (https://netdiligence.com/wpcontent/uploads/2016/10/P02_NetDiligence-2016-Cyber-Claims-Study-ONLINE.pdf).
- New, S. (2009). Supply chain traceability and product provenance: challenges for theory and practice. In E. Sweeney (Ed.), Supply Chain Management and Logistics in a Volatile Global Environment. Dublin: Blackhall Publishing Ltd. ISBN 9781842181775.
- New, S., & Brown, D. (2012). The four challenges of supply chain transparency. European Business Review, 1–7. (http://www.europeanbusinessreview.com/?p=4082).
- O’Driscoll, G. P., Jr., & Hoskins, L. (2006). The case for market-based regulation. Cato Journal, 26(3), 469–487.
- Park, C.-S., Jang, S.-S., & Park, Y.-T. (2010). A study of the effect of Information Security Management System (ISMS) certification on organization performance. International Journal of Computer Science and Network Security, 10(3).
- PwC (PricewaterhouseCoopers). (2015). Insurance 2020 and Beyond: Reaping the Dividends of Cyber Resilience. PwC Insurance.
- Raj, S. (2011). Common Assurance Maturity Model, 1–2. (http://www.fstech.co.uk/fst/FSTech_Conference_2011/Common_Assurance_Maturity_Model_Raj_Samani.pdf).
- Szubartowicz, E., & Schryen, G. (2018). Timing in information security: An event study on the impact of information security investment announcements. Working paper, University of Regensburg, Germany. (https://epub.uni-regensburg.de/37576/).
- Vasishta, N. V., Gupta, M., Misra, S. K., Mulgund, P., & Sharman, R. (2018). Optimizing cybersecurity program—evidence from data breaches in healthcare. In 13th Annual Symposium on Information Assurance (ASIA’18), Albany, NY.
- Verizon. (2017). Data Breach Investigations Report 2017. Verizon Enterprise. (http://www.verizonenterprise.com/resources/reports/rp_DBIR_2017_Report_en_xg.pdf).
- Vijayan, J. (2015). Cloud security: Transparency is crucial for service providers. CIO. (http://www.cio.com/article/2925773/cloud-security/cloudsecurity-transparency-is-crucial-for-service-providers.html).
- Weber, R. H., & Staiger, D. N. (2014). Cloud computing: A cluster of complex liability issues. Web Journal of Current Legal Issues, 20(1), 1–13. (http://webjcli.org/article/view/303/418).
- Weiss, M., & Solomon, M. G. (2016). Auditing IT Infrastructures for Compliance. Jones and Bartlett Learning, LLC, an Ascend Learning Company.
- Wisner, J. D., Tan, K. C., & Leong, G. K. (2008). Principles of Supply Chain Management—A Balanced Approach. Cengage Learning.
- Yuen, S. (2008). Exporting trust with data: Audited self-regulation as a solution to cross-border data transfer protection concerns in the offshore outsourcing industry. The Columbia Science and Technology Law Review, IX, 41–86.
Author information
Authors and Affiliations
- Michel Benaroch, Whitman School of Management, Syracuse University, Syracuse, USA