Information security as a credence good
With increasing use of information systems, many organizations are outsourcing information security protection to a managed security service provider (MSSP). However, diagnosing the risk of an information system requires special expertise, which could be costly and difficult to acquire. The MSSP may...
Saved in:
| Main Authors: | , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2013
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/4761 https://ink.library.smu.edu.sg/context/sis_research/article/5764/viewcontent/usec13_submission_14__1_.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-5764 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-57642020-01-16T10:28:50Z Information security as a credence good KE, Ping Fan HUI, Kai-Lung YUE, Wei Thoo With increasing use of information systems, many organizations are outsourcing information security protection to a managed security service provider (MSSP). However, diagnosing the risk of an information system requires special expertise, which could be costly and difficult to acquire. The MSSP may exploit their professional advantage and provide fraudulent diagnosis of clients’ vulnerabilities. Such an incentive to mis-represent clients’ risks is often called the credence goods problem in the economics literature[3]. Although different mechanisms have been introduced to tackle the credence goods problem, in the information security outsourcing context, such mechanisms may not work well with the presence of system interdependency risks[6], which are introduced by inter-connecting multiple clients’ systems by the MSSP. In particular, we find that allowing clients to seek alternative diagnosis of their vulnerabilities may not remove the MSSP’s fraudulent behaviors. We shall explore alternative ways to solve the credence goods problem in the information security outsourcing context. 2013-04-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/4761 info:doi/10.1007/978-3-642-41320-9_6 https://ink.library.smu.edu.sg/context/sis_research/article/5764/viewcontent/usec13_submission_14__1_.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Information security outsourcing credence good interdependency risks Information Security |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Information security outsourcing credence good interdependency risks Information Security |
| spellingShingle |
Information security outsourcing credence good interdependency risks Information Security KE, Ping Fan HUI, Kai-Lung YUE, Wei Thoo Information security as a credence good |
| description |
With increasing use of information systems, many organizations are outsourcing information security protection to a managed security service provider (MSSP). However, diagnosing the risk of an information system requires special expertise, which could be costly and difficult to acquire. The MSSP may exploit their professional advantage and provide fraudulent diagnosis of clients’ vulnerabilities. Such an incentive to mis-represent clients’ risks is often called the credence goods problem in the economics literature[3]. Although different mechanisms have been introduced to tackle the credence goods problem, in the information security outsourcing context, such mechanisms may not work well with the presence of system interdependency risks[6], which are introduced by inter-connecting multiple clients’ systems by the MSSP. In particular, we find that allowing clients to seek alternative diagnosis of their vulnerabilities may not remove the MSSP’s fraudulent behaviors. We shall explore alternative ways to solve the credence goods problem in the information security outsourcing context. |
| format |
text |
| author |
KE, Ping Fan HUI, Kai-Lung YUE, Wei Thoo |
| author_facet |
KE, Ping Fan HUI, Kai-Lung YUE, Wei Thoo |
| author_sort |
KE, Ping Fan |
| title |
Information security as a credence good |
| title_short |
Information security as a credence good |
| title_full |
Information security as a credence good |
| title_fullStr |
Information security as a credence good |
| title_full_unstemmed |
Information security as a credence good |
| title_sort |
information security as a credence good |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2013 |
| url |
https://ink.library.smu.edu.sg/sis_research/4761 https://ink.library.smu.edu.sg/context/sis_research/article/5764/viewcontent/usec13_submission_14__1_.pdf |
| _version_ |
1770575024069017600 |