Serving client firms in a specific industry has become a trend in the practice of Managed Security Service Providers (MSSPs). Under the impact of firm competition and outsourcing risks, whether this practice benefits the MSSPs and client firms remains an open question. Constructing a contract-theory model, this study investigates four security management cases faced by two competing firms, that is, both firms manage security in-house, they outsource security to different MSSPs, they outsource security to the same MSSP, and one firm outsources security to an MSSP whereas its competitor manages it in-house. Our analysis shows that two types of competition between client firms, i.e., price competition and security competition, have opposite impacts on both the MSSPs’ and the client firm’s equilibrium decisions. We also consider two outsourcing risks, information leakage risk and system interdependency risk. We find that, an MSSP acts as a mechanism to alleviate firm competition when the two competing firms outsource security to the same MSSP. Furthermore, we find that the MSSPs’ practice of focusing on a particular industry is suitable only when one (price or security) competition effect dominates the other effect and the system interdependency risk is not too high. More interestingly, we find that social welfare is never optimal when one firm outsources security to an MSSP and its competitor manages it in-house, because the MSSP and the firms have conflicting incentives under this case. |
