cs0506038/new.tex
1: \documentclass[times, 12pt,epsf]{article}
2: \usepackage{times}
3: \usepackage{psfig}
4: 
5: \setlength{\textheight}{9in} \setlength{\textwidth}{6.5in}
6: \setlength{\topmargin}{-0.4in} \setlength{\headheight}{0.0in}
7: \setlength{\oddsidemargin}{-0.1in}
8: 
9: \begin{document}
10: 
11: \title{\bf A Game Theoretic Economics Framework to understanding the Information Security outsourcing Market}
12: 
13: \author{
14: Wen Ding \hspace{1in} William Yurcik\\
15: National Center for Supercomputing Applications (NCSA)\\
16: University of Illinois at Urbana-Champaign\\
17: \{wending,byurcik\}@ncsa.uiuc.edu}
18: 
19: \maketitle
20: 
21: \thispagestyle{empty}
22: 
23: \begin{abstract}
24: 
25: In the information security outsourcing market, an important reason
26: that firms do not want to let outside firms (usually called
27: MSSPs, Managed Security Service Providers) take care of their
28: security needs is that they worry about the service quality MSSPs
29: provide, because they cannot monitor the effort of the MSSPs. Since
30: MSSPs' actions are unobservable to buyers, MSSPs can lower cost by
31: working less hard than required in the contract and get higher
32: profit. In the asymmetric information literature, this possible
33: secret shirking behavior is termed the moral hazard problem. This
34: paper considers a game theoretic economic framework to show that
35: under information asymmetry, an optimal contract can be designed
36: so that MSSPs will stick to their promised effort level. We also
37: show that the optimal contract should be performance-based, i.e.,
38: payment to the MSSP should be based on the performance of the MSSP's security
39: service period by period. For comparison, we also show that if
40: the moral hazard problem does not exist, the optimal contract does
41: not depend on the MSSP's performance. A contract that specifies
42: constant payment to the MSSP will be optimal. In addition, we show
43: that under both the perfect information scenario and the imperfect
44: information scenario, the higher the transaction cost is, the
45: lower the payment to MSSPs will be.
46: 
47: \end{abstract}
48: 
49: \noindent {\bf Keywords:} outsourcing, information security,
50: managed security service providers, economics of information
51: security
52: 
53: \vspace{0.1in}
54: 
55: \section{Introduction} \label{sec:intro}
56: 
57: The security outsourcing market, where firms contract with outside
58: information security vendors to meet their organizational demands,
59: has been growing at a double-digit rate for the past $3$ years,
60: and experts predict that this growth rate will continue through
61: $2008$\cite{DeSo04}. Compared with the booming business, the
62: theory of security outsourcing is less developed. In view of this,
63: both buyers and MSSPs need to strategically understand the nature
64: of this market.
65: 
66: Information security outsourcing is different from traditional
67: outsourcing because information security is different from durable
68: goods and other services outsourced such as payroll and
69: accounting. As more and more firms automate processes, servers and
70: the networks work like the brains and vessels of a firm. If any
71: core system goes down, the cost may be large due to lost data and
72: lost revenue. What makes it worse is that security breaches are
73: irreversible. While defects in manufacturing can be returned or
74: wrong paychecks can be reissued, monetary loss due to down time is
75: gone forever, and lost customer confidence may be hard to gain
76: back. Therefore, while most industries put cost saving as the
77: primary reason they outsource business processes other than
78: security, firms that outsource information security state that service
79: quality is their primary motivation. This is supported by a survey
80: by Jeffrey Kaplan published in Business Communication Review
81: ($2003$)\cite{Kapl03}. It is reported that 40.6\% of the firms
82: outsource network operations based on concerns for service
83: quality.
84: 
85: Information asymmetry is another reason that firms have concerns
86: about outsourcing their security. Since buyers cannot observe and
87: monitor MSSPs' actions, MSSPs, as profit maximizing companies, have
88: an incentive to lower their effort level to reduce cost.
89: 
90: The model we present is one where buyers and MSSPs engage in a
91: repeated game with infinite horizon and MSSPs' effort level is
92: not observable to buyers. We show that under this information
93: asymmetry, a moral hazard problem will occur. Performance-based
94: contracts are recommended to avoid such a moral hazard problem.
95: 
96: For comparison, we also provide results under perfect information,
97: where buyers can have all information they need and shirking is
98: not an option for MSSPs. Under the scenario of perfect
99: information, the optimal solution (in terms of how the contract is
100: written) is a price-only contract. This solution is called first
101: best because no deadweight loss is incurred under the perfect
102: information assumption.
103: 
104: Besides the optimal contract form, we are particularly interested
105: in the effect of transaction cost on market equilibrium price.
106: Transaction cost includes all costs spent on searching for, arguing
107: and executing contracts with MSSPs\cite{Coas37}. We argue in
108: Section~\ref{sec:theocost} that transaction cost can be very high in
109: outsourcing non-traditional services such as security because
110: standard rules and procedures have not been established yet. We
111: show that when transaction cost increases, the price of security
112: outsourcing will be lowered.
113: 
114: There is a large body of literature on IT outsourcing, including
115: information security outsourcing as a sub-category. Ang and Straub
116: (1998)\cite{AnSt98} did an empirical study on the U.S. banking
117: industry and showed IT outsourcing is strongly influenced by the
118: production cost advantage offered by IT service vendors.
119: Transaction cost also influences outsourcing decisions with a much
120: smaller effect. Though their result is based on data from the U.S. banking
121: system, it is probably true in many areas outside the
122: banking system. Based on their result, we will assume that the decrease in
123: production cost outweighs the increase in transaction cost throughout
124: this paper. Lacity and Willcocks (1998)\cite{LaWi98} use U.S. and UK
125: organizations' survey data and provide empirical evidence that the
126: following practices are recommended to achieve the expected cost
127: saving: selective outsourcing, senior executives and IT managers
128: making decisions together, inviting both internal and external bids,
129: short-term contracts, and detailed fee-for-service contracts. This paper
130: will provide theoretical support for the last practice. Mieghem
131: (1999)\cite{VanM99} builds a game theoretic model of production
132: outsourcing where the investment decision has to be made before market
133: demand is revealed. After market demand is revealed, the firm's
134: production is limited to its investment level, and it will use
135: outside production (outsourcing) to meet excess demand. His paper
136: studies three kinds of contracts: 1) price-only contract,
137: 2) incomplete contract and 3) state-dependent contract. He shows
138: that only the state-dependent contract is optimal in the sense that it
139: eliminates all decentralization cost\footnote{A centralized economy
140: system assumes there is a social planner who makes decisions by
141: pooling all available resources from different firms.
142: A decentralized economy system is one where firms make their own
143: decisions using individual resources. It can be shown that the outcome
144: of a centralized economy {weakly} dominates the outcome of a decentralized
145: economy. The difference between the two is the decentralization cost.}. His
146: paper is related to security outsourcing because in security
147: outsourcing, an implicit assumption of the centralized economy is
148: that all participants will work diligently. Therefore, with the moral
149: hazard problem, decentralization cost is caused by the possibility
150: that MSSPs may shirk. This paper will investigate why a
151: state-contingent contract is preferred to a non-state-contingent
152: contract from an information economics point of view. We argue that
153: the state-contingent contract is the optimal contract form when there
154: is a moral hazard problem.
155: %(Gray, Andy (1992) consider quality of
156: %security services, argue why firms consider outsourcing security,
157: %and measure cost/quality of service assessments under
158: %outsourcing.)
159: 
160: The rest of this paper is organized as follows: In Sections 2 and
161: 3, we contrast information security outsourcing with other types
162: of outsourcing.  Next we set up an outsourcing model with perfect
163: and imperfect information to discuss what the optimal contract looks
164: like and what the effect of transaction cost on prices is in
165: Section 4. In Section 5, related work on this topic is summarized.
166: We end with a summary and conclusions in Section 6.
167: 
168: \thispagestyle{empty}
169: 
170: \section{Outsourcing Theory} \label{sec:theory}
171: 
172: Outsourcing is defined as `all the subcontracting relationships
173: between firms and the hiring of workers in non-traditional jobs'
174: (Heshmati 2003)\cite{Hesh03}. Business Process Outsourcing (BPO),
175: which includes outsourcing of human resources, finance and
176: accounting, procurement, shared services, billing, customer care
177: and so on, is estimated by Gartner to grow at a 9.5\% compound annual rate
178: through 2007, reaching \$173 billion\cite{SDSH03}. IT
179: Outsourcing (ITO) is expected to grow at a compound rate of 7.2\%
180: through 2008 reaching \$253.1 billion in 2008\cite{CYGS04}.
181: Furthermore, information security outsourcing is predicted to grow
182: from \$4.1 billion in 2001 to \$9.0 billion in 2006, a compound
183: growth rate of double digits\cite{DeSo04}.
184: 
185: Behind this outsourcing boom, the basic force is `cost
186: efficiency'. As markets become more competitive, outsourcing is an
187: essential way firms may reduce costs. By using information
188: security outsourcing, firms only need to pay a fraction of their
189: in-house cost for outsourced security. Outsourcing can reduce
190: cost either because suppliers have lower input costs and/or larger
191: scale of production, as in the case of offshore manufacturing
192: outsourcing, or because the suppliers have expertise or more
193: advanced technology, as in payroll and IT outsourcing. However, at
194: the same time as reducing production cost, buyers incur
195: transaction costs\cite{Coas37} searching for, signing, and
196: executing contracts with suppliers. In the case of total
197: outsourcing, when firms keep no in-house production, firms also
198: lose sunk costs\footnote{Firm's investment specific to the
199: outsourced process}, which can be machines and plants that can
200: only be used to produce the outsourced product or can be money
201: spent on training technicians.
202: 
203: If cost reduction is the only concern for firms, firms will
204: outsource when reduction in production cost exceeds increase in
205: transaction cost. In standardized outsourcing procedures such as
206: payroll and manufactured goods, transaction cost has been reduced,
207: as Coase\cite{Coas37} predicted: `This (transaction) cost may be
208: reduced but it will not be eliminated by emergence of
209: specialist$\ldots$'. It is argued that transaction cost is some
210: percentage of the contract value since the larger the project, the
211: greater the effort firms will spend on searching for a proper MSSP and
212: the more coordination is needed between firm and MSSP after
213: signing the contract.
214: 
215: The second outsourcing incentive is that firms will be able to
216: concentrate on their core competence by outsourcing
217: support/routine functions. For example, although a lot of computer
218: companies are based in the U.S., most keyboards are produced in
219: Asia. By outsourcing labor intensive processes to areas that are
220: abundant in labor, firms achieve cost reduction and become more
221: focused on core competence.
222: 
223: Yet another key reason for outsourcing is to obtain higher
224: quality. Outside companies accumulate more experience by
225: specializing in certain processes. They can afford larger
226: investment on R\&D to get updated technology and skills and better
227: trained expertise. A large client base also contributes to the
228: quality of goods and services of outside producers and service
229: providers. They gain experience and knowledge by serving varied
230: clients. In consulting, for example, the service providers have
231: professional knowledge that a non-consulting firm can never afford
232: to build by itself.
233: 
234: Arguments against production outsourcing concern the unemployment
235: issue, as in off-shore outsourcing, while arguments against security
236: outsourcing focus on transaction cost control and service quality
237: monitoring. We will analyze these two concerns about information
238: security outsourcing in detail in the following section.
239: 
240: \thispagestyle{empty}
241: 
242: \section{Security Outsourcing: What is Special?}
243: \label{sec:secout}
244: 
245: In spite of all the advantages outsourcing may bring, some people
246: think security should not be outsourced, or firms should be really
247: careful when doing so.
248: 
249: \subsection{Quality Measurement Difficulty}
250: 
251: Security management is an art rather than a science in which we know
252: how to achieve a best solution; here we do not even know what the
253: best solutions are, nor do MSSPs. A security system can be a very
254: complicated project. People may think that they are safe with
255: firewalls and IDSs. Even so, firms have to decide which firewalls
256: and IDSs to buy, how to allocate a limited budget on a combination of
257: these devices to reach the maximum level of security and how to manage
258: these devices and tune them so that they secure your system enough
259: and do not give too many alerts on harmless behaviors. The bright
260: side is MSSPs are gaining experience on these issues quickly by
261: their devotion and specialization in this area.
262: 
263: However, people argue that it is hard to evaluate products and
264: services of MSSPs both ex ante and ex post. As the security
265: outsourcing market became prominent over the last few years, a
266: large number of MSSPs emerged from diversified backgrounds. The
267: largest ones include firms formed solely to solve internet
268: security problems such as Counterpane, firms from research and
269: computer production such as IBM, anti-virus companies such as
270: Symantec, firms from internet providers such as AT\&T and so on.
271: This diversification in background is reflected in their diversified
272: products and services, making it really hard for the firms to
273: compare and choose from them. (See appendix I for major MSSPs and
274: their products.)
275: 
276: Also, evaluating MSSPs' products by performance of their products
277: is tricky because the outcome is highly random and can even be
278: misleading. A better secured system may be down because of
279: intensive attacks; systems that ignore patching notices from time
280: to time may go well for a long time. On the other hand, it is not
281: true that the more money spent on security, the fewer breaches a
282: system will have. Sophisticated hackers are more attracted to
283: systems that are hard to break into.
284: 
285: However, a `better' secured system should be less vulnerable in
286: a statistical sense in the long run. This paper will use
287: \underline{\emph{expected}} performance to evaluate a security
288: system. We assume buyers have access to historical data of MSSP's
289: service performance, and can generate a distribution of benefit
290: from using security outsourcing.
291: 
292: \subsection{Effective Cost Reduction?}\label{sec:theocost}
293: 
294: Based on a survey of IT managers, directors and other decision
295: makers from both firms that outsourced security and those who did
296: not, cost reduction remains their focus\cite{Kapl03}.
297: 
298: There is evidence that security outsourcing will reduce production
299: cost. Take device management, for example, which tunes and monitors
300: firewalls and IDSs and runs vulnerability testing: security
301: personnel cost \$8,000 to \$16,000 per month. And to get 24*7
302: support, this figure may need to be more than tripled. For the
303: same functions, MSSPs charge between \$600 and \$4,000. For
304: network monitoring, Counterpane, one of the most successful MSSPs,
305: claims that it only charges a fraction of the money for net
306: management a firm needs to spend to do the security in house: `From
307: an annualized basis, it's going to cost you \$1 million to \$1.2
308: million just to look at the same information we monitor, and our
309: average contract ranges from \$40,000 to \$150,000 a year ---
310: between 4\% and 10\% of what it would cost to do yourself
311: $\ldots$'\cite{Mill04}.
312: 
313: However, although security vendors may provide a huge reduction in
314: production cost, transaction cost may be quite high. Since
315: a standard measure for security services has not been established
316: and each MSSP uses its own featured (different) technology, most of
317: the time it is very hard to do comparisons across different MSSPs.
318: This quality measurement difficulty may potentially increase
319: transaction cost\cite{PoZe98}.
320: 
321: Also, writing up the contract and deciding who is responsible for
322: what kind of losses due to security breaches can be painful. Firms
323: would feel more comfortable if security vendors can take
324: responsibility if losses occur. But it is not always the security
325: vendor's fault because no matter how well security devices are
326: designed and tuned, there is always a probability that the system is
327: broken into. More tricky still, if security vendors take
328: responsibility for the losses, firms may not exercise due diligence as
329: they should. Therefore, although this paper is devoted to
330: discussion of MSSPs' moral hazard behavior, the optimal contract
331: needs to guard against firms' moral hazard behavior as well, which
332: may increase transaction cost significantly. Therefore although we
333: will assume that transaction cost is lower than reduction in
334: production cost, effect of transaction cost needs to be further
335: explored.
336: 
337: \thispagestyle{empty}
338: 
339: \section{The Model} \label{sec:model}
340: 
341: Based on the above observations of how security outsourcing is special,
342: we set up the model in the following way.
343: 
344: There are two sides in the security outsourcing market: potential
345: security service buyers (``buyers'' for short), and security
346: vendors (MSSPs). Vendors and buyers all seek to maximize their
347: individual profit.
348: 
349: Basic assumptions are:
350: \begin{itemize}
351:    \item A1: Vendors are more cost efficient than firms; transaction cost
352:    is lower than production cost advantage.
353:    \item A2: Services provided by different security vendors are imperfect
354: substitutes\footnote{Imperfect substitutes are goods that are not
355: identical but have similar functions, e.g. laptops and desktops.
356: }.
357:     \item A3: Buyers do not have moral hazard problem.
358: \end{itemize}
359: 
360: In the following three subsections, we show that:
361: \begin{enumerate}
362: \item With imperfect information, we have a moral hazard problem on
363: the MSSP side. The optimal contract depends non-trivially on the MSSP's
364: performance.
365: 
366: \item With perfect information, the optimal contract is a price-only
367: contract.
368: 
369: \item With either perfect information or imperfect information,
370: price is decreasing in transaction cost.
371: \end{enumerate}
372: 
373: \subsection{Optimal contract with imperfect information\\ --- Performance based contract}\label{sec:imp}
374: 
375: Due to imperfect information, actions of the players are not
376: directly observable. Both MSSPs and security buyers can disobey
377: their promises secretly. In this paper, we focus on how to avoid
378: moral hazard behavior of MSSPs, and assume buyers will always
379: follow the contract as it is. The optimal contract will be such
380: that following the contract is the best choice for both players.
381: We temporarily assume transaction cost is zero in this section.
382: 
383: Our analysis is based on the principal-agent problem with infinite
384: horizon following Spear and Srivastava()\cite{SpSr87}, where the
385: agent's action is not observable to the principal. The principal is
386: assumed to be risk neutral\footnote{A risk neutral player only
387: cares about average payoff.} and the agent risk averse\footnote{A risk
388: averse player gets lower utility if the variance of his payoff
389: increases.}. Here, the MSSP is agent to the principal buyer. We are allowed
390: to assume security buyer is risk neutral because security buyers
391: have access to insurance market and can buy insurance to mitigate
392: risks that MSSPs cannot eliminate. However, the risk neutral
393: assumption is not essential to the result. We can discuss risk
394: averse buyers but it only makes the mathematics more complicated
395: without accomplishing anything. So we just keep the simple
396: assumption that buyers are risk neutral.
397: 
398: Denote buyer's period $t$ benefit (before payment to MSSP) from
399: security outsourcing as $y_t$. Because of the random nature of
400: cyber attacks, $y_t$ is a random variable. Denote MSSP's effort
401: level in period $t$ as $a_t$, $a_t\in[\underline{a},\overline{a}]$.
402: Then the distribution of security service performance $y_t$ is
403: conditional on MSSP's effort $a_t$. Denote the distribution as
404: $f(y,a_t)$. $P_t$ denotes buyer's compensation (price) to MSSP in
405: period $t$. History up to period $t$ is denoted as:
406: $h_t=\{y_t,y_{t-1},\ldots,y_0\}$.
407: 
408: A price contract is composed of MSSP's effort level and the price
409: buyer pays to MSSP: $\{a_t(h_{t-1}), P_t(h_t)\}$. Notice that
410: MSSP's period $t$ effort level $a_t$ depends only on history up to
411: period $t-1$, since MSSP has to choose his effort level at the beginning
412: of period $t$ before period $t$ benefit $y_t$ is realized. Payment to
413: MSSP in period $t$, however, depends on the whole performance history.
414: 
415: Let $u(P_t)-\phi(a_t)$ be net payoff to MSSP under contract
416: $\{a_t(h_{t-1}), P_t(h_t)\}$, where $u(P_t)$ is MSSP's utility
417: from payment $P_t$ and $\phi(a_t)$ measures cost of working at
418: effort level $a_t$. We assume $u'>0$, $u''<0$\footnote{$u''<0$
419: comes from risk averse assumption.} and $\phi'>0$. History $h_t$
420: evolves recursively by the following probability rule:
421: \begin{eqnarray}
422: \pi(h_t|h_{t-1})=f(y_t,a_t(h_{t-1}))\pi(h_{t-1})
423: \end{eqnarray}
424: 
425: Assume buyers and MSSP discount future payoff at the same rate $\rho,
426: \rho\in[0,1]$; then buyer's and MSSP's period $t$ expected payoffs are
427: $\int(y_t-P_t)f(y_t,a_t)dy_t$ and $u(P_t)-\phi(a_t)$.
428: 
429: Discounting all future payoffs to period 0, we have buyer's and MSSP's
430: period 0 discounted payoffs as:
431: \begin{eqnarray}
432: B_t(P_t, a_t)&=&\sum_{j=0}^{\infty}\sum_{h^{t+j}}\rho^j
433: [\int(y_t-P_t)f(y_t,a_t)dy_t]\pi(h_{t+j},a_{t+j}|h_t)\\
434: M_t(P_t,a_t)&=&\sum_{j=0}^{\infty}\sum_{h^{t+j}}\rho^j
435: [u(P_t)-\phi(a_t)]\pi(h_{t+j},a_{t+j}|h_t)
436: \end{eqnarray}
437: 
438: Therefore, the maximization problem for security buyer is to
439: choose a sequence of contracts $\{P_t(y), a_t\}_{t=0}^\infty$ to
440: maximize discounted expected utility subject to the constraint
441: that MSSP cannot benefit from deviating from the contract:
442: \begin{eqnarray}
443: \max_{\{P_t(y)\}_{t=0}^\infty, \{a_t\}_{t=0}^\infty}&\quad& B_t(P_t(y), a_t)\nonumber\\
444: \mbox{st}&\quad& M_t(P_t(y),a_t)\geq M_t(P_t(y),\tilde{a}_t) \quad
445: \forall \tilde{a}_t\in[\underline{a},\overline{a}]\label{equi:IC}
446: \end{eqnarray}
447: 
448: where the constraint in the above maximization problem is called the
449: incentive compatibility (IC) constraint. It shows that the effort
450: level $a_t$ is optimal for MSSP compared to any other possible
451: effort level $\tilde{a}_t$.
452: 
453: Since the above problem has infinitely many unknown variables, it is
454: impossible to solve it directly. Instead, we rewrite it in the
455: recursive form.
456: 
457: In the recursive form, the principal maximizes the current period's payoff
458: assuming he will behave optimally from the next period on. Let $v$
459: denote the payoff buyer promised to MSSP this period and $w(y)$ denote
460: the promised payoff to MSSP next period. Let $K(v)$ be the maximized
461: payoff to buyer when MSSP gets $v$ as promised expected payoff.
462: Hence, $K(w(y))$ is buyer's best possible payoff next period. Then
463: the maximization problem in recursive form is:
464: 
465: \begin{eqnarray}
466: K(v)&=\quad&\max_{P(y),w(y),a}\quad \int[y-P(y)+\rho K(w(y))]f(y,a)dy\nonumber\\
467: \mbox{st} &\quad& \int[u(P(y))+\rho w(y)]f(y,a)dy-\phi(a)\geq
468: v\quad \quad \quad \quad \mbox{(PK)}\nonumber\\
469: & & a\in \arg\max \int[u(P(y))+\rho w(y)]f(y,a)dy-\phi(a) \quad
470: \mbox{(IC)}\label{sys:rec}
471: \end{eqnarray}
472: 
473: The optimal contract should contain $\{P(y),w(y),a\}$. (PK) is
474: short for ``promise keeping''. It requires that if buyer promised
475: MSSP payoff $v$, the contract should guarantee that the expected payoff to
476: MSSP is at least $v$ (equal to $v$ in equilibrium). The (IC) constraint is
477: the same as in (\ref{equi:IC}).
478: 
479: The (IC) constraint implies the solution $a$ should satisfy both
480: the following first order condition and second order condition:
481: 
482: \begin{eqnarray}
483: (FOC)& &\quad \quad\int[u(P(y))+\rho w(y)]f_a(y,a)dy-\phi'(a)=0\\
484: (SOC)& &\quad \quad\int[u(P(y))+\rho
485: w(y)]f_{aa}(y,a)dy-\phi''(a)\leq 0 \quad\quad \forall w(y)
486: \end{eqnarray}
487: 
488: Assumption:
489: \begin{itemize}
490:     \item Convexity of distribution function condition(COFC):
491:     \begin{eqnarray}
492:     F_{aa}\geq 0
493:     \end{eqnarray}
494:     where $F(x,a)=\int_{-\infty}^x f(y,a)dy$
495: \end{itemize}
496: 
497: Rogerson (1985)\cite{Roge85} shows that when COFC is satisfied,
498: (SOC) is guaranteed. We can use (FOC) to substitute for the (IC)
499: constraint and get rid of the (SOC).
500: 
501: Let $\lambda$ be the Lagrangian multiplier on the (PK) constraint and
502: $\mu$ be the multiplier on the (IC)-(FOC) constraint. We have the
503: Lagrangian:
504: \begin{eqnarray}
505: L&=&\int[y-P(y)+\rho K(w(y))]f(y,a)dy\nonumber\\
506: & &+\lambda(\int[u(P(y))+\rho w(y)]f(y,a)dy-\phi(a)-v)\nonumber\\
507: & &+\mu(\int[u(P(y))+\rho w(y)]f_a(y,a)dy-\phi'(a))
508: \end{eqnarray}
509: 
510: Taking first order conditions w.r.t.\ $P(y),w(y)$ and $a$, we get the
511: following first order conditions and the envelope condition:
512: \begin{eqnarray}
513: \{P(y)\}& &\quad\quad -1+\lambda u'(P(y))+\mu u'(P(y))\frac{f_a(y,a)}{f(y,a)}=0\label{equi:foc1}\\
514: \{w(y)\}& &\quad\quad \rho
515: K'(w(y))+\rho\lambda+\mu\rho\frac{f_a(y,a)}{f(y,a)}=0\label{equi:foc2}\\
516: \{a\}& &\quad\quad \int[y-P(y)+\rho K(w(y))]f_a(y,a)dy \nonumber\\
517: & &\quad \quad \quad\quad+\mu[\int[u(P(y))+\rho
518: w(y)]f_{aa}(y,a)dy-\phi''(a)]=0\label{equi:foc3}\\
519: \{ENV\} & & \quad\quad K'(v)=-\lambda\label{equi:ENV}
520: \end{eqnarray}
521: 
522: First order conditions (\ref{equi:foc1}) and (\ref{equi:foc2})
523: imply:
524: 
525: \begin{eqnarray}
526: \frac{1}{u'(P(y))}=-K'(w(y))=\lambda+\mu\frac{f_a(y,a)}{f(y,a)}\label{equi:equ}
527: \end{eqnarray}
528: 
529: Definition: MLRP (monotone likelihood ratio property)
530: \begin{itemize}
531:     \item Likelihood ratio $\frac{f_a(y,a)}{f(y,a)}$ is monotone
532:     in $y$
533:     or $\frac{d}{dy}[\frac{f_a(y,a)}{f(y,a)}]\geq 0$. This also
534:     implies: $\forall a>\tilde{a}, y>\tilde{y},
535:     \frac{f(y,a)}{f(\tilde{y},a)}\geq\frac{f(y,\tilde{a})}{f(\tilde{y},\tilde{a})}$.
536:     \end{itemize}
537: 
538: Intuitively, this means at a higher effort level $a$, it is more
539: probable to get a higher benefit $y$ than at a lower effort level
540: $\tilde{a}$.
541: 
542: Rogerson (1985)\cite{Roge85} shows that when the density function
543: $f(y,a)$ has the monotone likelihood ratio property, $\mu$, the
544: multiplier on the (IC) constraint, is positive.
545: 
546: When MLRP holds, $\mu>0$, equation (\ref{equi:equ}) implies the
547: following results:
548: \begin{description}
549:     \item[Result 1]
550:     $y\uparrow\Rightarrow\frac{1}{u'(P(y))}\uparrow\Rightarrow
551:     P(y)\uparrow$.\\
552:     Reason: $u''(P(y))\leq 0$\\
553:     This result suggests contracts should be performance-based, i.e. payment to MSSP
554:     should be higher when the benefit from security outsourcing increases and
555:     vice versa. This supports the empirical result of Lacity and Willcocks (1998)\cite{LaWi98}.
556:     \item[Result 2]$y\uparrow\Rightarrow K'(w(y))\downarrow\Rightarrow
557:     w(y)\uparrow$\\ Reason: $K(w(y))$ is the best possible payoff of buyer next period
558:     when MSSP's expected payoff is $w(y)$. Since MSSP's payoff comes
559:     from compensation $P(y)$ from buyer, the higher MSSP's payoff
560:     $w(y)$ is, the lower buyer's payoff $K(w(y))$ will be.\\
561:     This result suggests buyer should reward MSSP with higher expected payoff
562:     for next period if buyer gets high benefit this period.
563:     \item[Result 3]$v\uparrow\Rightarrow\lambda\uparrow\Rightarrow
564:     P(y),w(y)\uparrow$\\Reason:
565:     $v\uparrow\Rightarrow\lambda\uparrow$ from the envelope
566:     condition (ENV). $\lambda\uparrow\Rightarrow
567:     P(y),w(y)\uparrow$ follows from equation (\ref{equi:equ}).\\
568:     This result shows that if buyer promises MSSP a higher current
569:     expected payoff, buyer should increase both current period
570:     compensation and next period promised expected payoff.
571: \end{description}
572: 
573: To sum up, from Results 1--3, we suggest that the optimal contract
574: under moral hazard should depend on performance in a non-trivial
575: way, and the effect of performance persists in future
576: compensations. The effect is carried over by promised values $v$
577: and $w(y)$ as shown in Results 2 and 3.
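
{\bf Worked illustration.} The following example is added here to make equation (\ref{equi:equ}) concrete; it is not part of the original derivation. The functional forms are assumptions chosen for tractability: logarithmic utility $u(P)=\ln P$ and an exponential benefit density with mean $a$, $f(y,a)=\frac{1}{a}e^{-y/a}$ for $y\geq 0$. The validity of the first-order approach is assumed here rather than derived from COFC. Differentiating the density with respect to effort gives
\begin{eqnarray*}
f_a(y,a)&=&\frac{y-a}{a^3}\,e^{-y/a},\\
\frac{f_a(y,a)}{f(y,a)}&=&\frac{y-a}{a^2},\\
\frac{d}{dy}\left[\frac{f_a(y,a)}{f(y,a)}\right]&=&\frac{1}{a^2}>0,
\end{eqnarray*}
so MLRP holds. With $u'(P)=1/P$, equation (\ref{equi:equ}) becomes
\begin{eqnarray*}
P(y)&=&\lambda+\mu\,\frac{y-a}{a^2},\\
K'(w(y))&=&-\lambda-\mu\,\frac{y-a}{a^2}.
\end{eqnarray*}
Payment is linear in the realized benefit with slope $\mu/a^2>0$, which is Result 1 in closed form: the MSSP receives exactly $\lambda$ when the benefit equals its mean ($y=a$), more when $y>a$ and less when $y<a$. Because $\int (y-a)f(y,a)dy=0$, the expected payment is $\lambda$, so performance redistributes the payment across outcomes without changing its mean. The formula requires $P(y)>0$ for all $y\geq 0$, i.e. $\lambda>\mu/a$. $K'(w(y))$ falls as $y$ rises, which is the first step of Result 2. Setting $\mu=0$ removes the dependence on $y$ and leaves the constant payment $P(y)=\lambda$.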
578: 
579: 
580: 
581: \subsection{Optimal contract with perfect information \\--- price only contract}\label{subsec:per}
582: 
583: %\subsubsection{}
584: With perfect information, buyer can monitor MSSP's behavior very
585: well. Then MSSP is not able to shirk and the moral hazard problem does
586: not exist. In this scenario, the maximization problem of
587: buyer (\ref{sys:rec}) reduces to:
588: \begin{eqnarray}
589: K(v)&=\quad&\max_{P(y),w(y),a}\quad \int[y-P(y)+\rho K(w(y))]f(y,a)dy\nonumber\\
590: \mbox{st} &\quad& \int[u(P(y))+\rho w(y)]f(y,a)dy-\phi(a)\geq
591: v\quad \quad \quad \quad \mbox{(PK)}
592: \end{eqnarray}
593: 
594: Corresponding first order conditions are:
595: \begin{eqnarray}
596: \{P(y)\}& &\quad\quad -1+\lambda u'(P(y))=0\label{equi:foc4}\\
597: \{w(y)\}& &\quad\quad \rho K'(w(y))+\rho\lambda=0\label{equi:foc5}\\
598: \{a\}& &\quad\quad \int[y-P(y)+\rho K(w(y))]f_a(y,a)dy=0\label{equi:foc6}\\
599: \{ENV\} & & \quad\quad K'(v)=-\lambda\label{equi:ENV}
600: \end{eqnarray}
601: 
602: Equations (\ref{equi:foc4}) and (\ref{equi:foc5}) imply:
603: \begin{eqnarray}
604: \frac{1}{u'(P(y))}=-K'(w(y))=\lambda\label{equi:equ1}
605: \end{eqnarray}
606: 
607: This suggests that without the moral hazard problem, optimal
608: compensation and next period promised value do not depend on
609: this period's outcome $y$. Constant compensation and promised
610: value would be optimal.
611: 
612: \subsection{Effect of transaction cost}
613: 
614: \subsubsection{Effect from game between buyer and MSSP}
615: 
In this section, we study how transaction cost affects the
equilibrium market price. Whether or not the buyer has perfect
information about the MSSP's effort level, the existence of
transaction cost reduces the buyer's compensation to the MSSP.
620: 
As in section (\ref{sec:imp}), we use $P(y)$ to denote the buyer's
compensation to the MSSP. Since buyers also need to pay
transaction cost on top of the service price, the actual out-of-pocket
price that buyers face is $(1+\alpha)P(y)$, where $\alpha P(y)$
is the transaction cost\footnote{Transaction cost is modelled as a
percentage of contract value because, as the project gets larger,
buyer and vendor need to spend more time and money on
negotiation and coordination \cite{Coll04}. A survey by
Barthelemy (2001)\cite{Bart01} shows that transaction cost is up to
6\% for contracts lower than \$10 million in value.}.
631: 
With transaction cost, we modify the buyer's maximization problem
as:
634: \begin{eqnarray}
635: K(v)&=\quad&\max_{P(y),w(y),a}\quad \int[y-(1+\alpha)P(y)+\rho K(w(y))]f(y,a)dy\nonumber\\
636: \mbox{st} &\quad& \int[u(P(y))+\rho w(y)]f(y,a)dy-\phi(a)\geq
637: v\quad \quad \quad \quad \mbox{(PK)}\nonumber\\
638: & & a\in \arg\max \int[u(P(y))+\rho w(y)]f(y,a)dy-\phi(a) \quad
639: \mbox{(IC)}\end{eqnarray}
640: 
641: Corresponding first order conditions are:
642: \begin{eqnarray}
643: \{P(y)\}& &\quad\quad -(1+\alpha)+\lambda u'(P(y))+\mu u'(P(y))\frac{f_a(y,a)}{f(y,a)}=0\label{equi:foc7}\\
644: \{w(y)\}& &\quad\quad \rho
645: K'(w(y))+\rho\lambda+\mu\rho\frac{f_a(y,a)}{f(y,a)}=0\label{equi:foc8}\\
\{a\}& &\quad\quad \int[y-(1+\alpha)P(y)+\rho K(w(y))]f_a(y,a)dy \nonumber\\
& &\quad \quad \quad\quad+\mu[\int[u(P(y))+\rho
w(y)]f_{aa}(y,a)dy-\phi''(a)]=0\label{equi:foc9}\\
649: \{ENV\} & & \quad\quad K'(v)=-\lambda\label{equi:ENV1}
650: \end{eqnarray}
651: 
From first order condition (\ref{equi:foc7}) we have
653: \begin{eqnarray}
654: \frac{1+\alpha}{u'(P(y))}=\lambda+\mu\frac{f_a(y,a)}{f(y,a)}\label{equi:equ2}
655: \end{eqnarray}
656: 
657: Similarly, under perfect information, we have:
658: \begin{eqnarray}
659: \frac{1+\alpha}{u'(P(y))}=\lambda\label{equi:equ3}
660: \end{eqnarray}
661: 
Comparing with equation (\ref{equi:equ}) and equation
(\ref{equi:equ1}), it follows that, all other things being the same,
compensation $P(y)$ is smaller with transaction cost.
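
As an added illustration, not part of the original derivation, take
the assumed utility $u(P)=2\sqrt{P}$ (so that $1/u'(P)=\sqrt{P}$) and an
assumed normal outcome density $f(y,a)$ with mean $a$ and variance
$\sigma^2$ (so that $f_a(y,a)/f(y,a)=(y-a)/\sigma^2$). Wherever
$\lambda+\mu(y-a)/\sigma^2\geq 0$, equations (\ref{equi:equ2}) and
(\ref{equi:equ3}) then give
$$
P(y)=\left(\frac{\lambda+\mu(y-a)/\sigma^2}{1+\alpha}\right)^2
\quad\mbox{(moral hazard)},\qquad
P=\left(\frac{\lambda}{1+\alpha}\right)^2
\quad\mbox{(perfect information)}.
$$
Holding $\lambda$ and $\mu$ fixed, both payments are scaled by
$1/(1+\alpha)^2$, and for $\mu>0$ the payment rises with the outcome $y$
only in the moral hazard case.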
665: 
666: \subsubsection{Effect from game among MSSPs}
Another effect of transaction cost on market price comes from
competition among MSSPs. This effect also suggests that when
transaction cost increases, the nominal market price will decrease.
670: \begin{itemize}
671:    \item A3: Vendors engage in a price competition against each other.
672: \end{itemize}
673: 
We will derive the Nash Equilibrium\footnote{A strategy vector $x$
with payoff vector $\pi$ is called a Nash Equilibrium if
$\pi_i(x_i, x_{-i})\geq \pi_i(\tilde{x_i}, x_{-i}),\forall
\tilde{x_i}\in X_i, \forall i$. $X_i$ is the set of all possible
actions player $i$ can take. This condition means that a Nash
Equilibrium is such that no player can benefit from a unilateral
deviation.}\cite{Nash50} price under assumptions A1--A3. In
this section, to isolate the effect of competition among MSSPs, we ignore
the effect of buyers and assume perfect information (as shown in
section (\ref{subsec:per}), the optimal contract then specifies a
non-performance-dependent price, so $P(y)$ is replaced with $P$). We
will show that MSSPs lower their prices to bear part of the
transaction cost due to competition with other MSSPs. The division of
the transaction cost between buyers and vendors depends on the demand
elasticity for security products.
689: 
In a price competition, every MSSP uses price as a strategic
variable and is free to choose the price that maximizes its
profit given the prices of other vendors. Explicitly, the profit
maximization problem for vendor $i$ is:
694: 
695: $$
\max_{P^i}\{P^i\cdot N^i((1+\alpha)P)- C^i(N^i((1+\alpha)P))\}
697: $$
698: 
$P$ denotes the price vector $\{P^i, i=1,\ldots , V\}=\{P^i,
P^{-i}\}$, where $P^i$ is the market price MSSP $i$ charges and $P^{-i}$
is the vector of prices that all MSSPs other than MSSP $i$
charge. $N^i$ is the demand for MSSP $i$'s service, which depends on
market prices. It also depends implicitly on the service quality MSSPs
provide. $C^i$ is MSSP $i$'s total cost of servicing $N^i$
customers. The above maximization problem thus shows how MSSP $i$
maximizes its net profit (revenue minus cost) by choosing $P^i$ when
other vendors charge prices $P^{-i}$.
708: 
$C^i$ includes both fixed cost ($FC$), which does not change with the
number of customers, and variable cost ($VC$), which does.
Explicitly,
712: \begin{equation}
713: C^i(N^i(\cdot))=FC + VC(N^i(\cdot)),
714: \end{equation}
715: 
$C(\cdot)$ increases with the number of customers.

The optimal price MSSP $i$ should charge solves the following first
order condition of the maximization problem w.r.t. $P^i$:
720: \begin{equation}
721: N^i(\cdot)+P^i\frac{\partial N^i(\cdot)}{\partial
722: P^i}(1+\alpha)=C'(N^i(\cdot))\frac{\partial N^i(\cdot)}{\partial
723: P^i}(1+\alpha) \label{equi:opti1}
724: \end{equation}
725: 
Dividing both sides of equation (\ref{equi:opti1}) by
$\frac{\partial N^i(\cdot)}{\partial P^i}(1+\alpha)$ and rearranging
terms, we get:
729: \begin{equation}
P^i(1-\frac{1}{\eta^i(1+\alpha)})=C'(N^i(\cdot))\quad
i=1,\ldots, V \label{equi:opti2}
732: \end{equation}
where $\eta^i=-(\partial{N^i(\cdot)}/N^i)/(\partial{P^i}/P^i)$
is the percentage change in demand due to a percentage
change in price, i.e. the price elasticity of vendor $i$'s demand. It
measures how sensitive market demand is to price. Because
$\partial d(\cdot)/\partial(P)<0$ (demand and price move in
opposite directions), a negative sign is added so that $\eta>0$.
739: 
Solving for $P^i$ from optimizing condition (\ref{equi:opti2}), $P^i$
is a function of $P^{-i}$, $\alpha$ and $\eta$:
742: 
743: \begin{equation}
744: P^i=r(P^{-i}, \alpha, \eta)\label{equi:opti3}
745: \end{equation}
746: 
Equation (\ref{equi:opti3}) can be viewed as the response function of
MSSP $i$ to the prices of other security MSSPs, $P^{-i}$. Therefore,
for all MSSPs on the market, $i=1,\ldots, V$, we can form an
equation system:
751: 
752: \begin{eqnarray}
753: P^1=r(P^{-1}, \alpha, \eta)\nonumber,
754: \\ P^2=r(P^{-2}, \alpha, \eta)\nonumber,
755: \\ \ldots \nonumber
756: \\ P^V=r(P^{-V}, \alpha, \eta)\label{equi:opti4}
757: \end{eqnarray}
758: 
The Nash Equilibrium of this price competition is a price vector
(\emph{strategies}) that solves the above equation system and a
corresponding vector of profits (\emph{payoffs}). Under regularity
conditions, this equilibrium price vector exists and is
unique\cite{Nash50}.
764: 
To give an idea of what these Nash Equilibrium prices look like, we
present a graphical solution for the simplified case $V=2$.
The optimization conditions (\ref{equi:opti4}) then reduce to the
following:
769: 
770: \begin{eqnarray}
771: P^1=r(P^2, \alpha, \eta)\nonumber
772: \\ P^2=r(P^1, \alpha, \eta)
773: \label{equi:two0}
774: \end{eqnarray}
775: 
776: To make things easier, we make two more assumptions:
777: \begin{itemize}
   \item A4. Marginal cost $C_i'(\cdot)$ is constant, i.e. it
costs MSSP $i$ the same amount of money to serve one additional buyer.
   \item A5. $\frac{\partial \eta^i}{\partial (P^i/P^{-i})}>0$,
meaning that as MSSP $i$'s service becomes more expensive relative to
the services of other MSSPs, demand for MSSP $i$'s service becomes more
elastic. In other words, the same percentage increase in $P^i$ will
induce a greater percentage reduction in $N^i$ when
$P^i/P^{-i}$ is higher than when it is lower.
786: \end{itemize}
787: 
Two response curves $P^i=r(P^{-i},\alpha, \eta), i=1,2$ are
plotted in Figure 1, where the horizontal axis represents MSSP 1's
price and the vertical axis represents MSSP 2's price. Under A4 and
A5, Feenstra\cite{Feen04} showed that both reaction curves have
positive slopes. The slope of MSSP 1's response curve is then larger
than that of MSSP 2's, as shown in Fig.\ref{fig:equil}(a).
794: 
795: \begin {figure} [!h]
796: \begin{center}
797: \begin{minipage}[b] {2.3in}
798: \begin{center}
799: \centerline{\psfig{figure=fig1.eps,width=2.3in}} {\small (a) Nash
800: Equilibrium prices when $\alpha=0$}
801: \end{center}
802: \end{minipage}
803: \begin{minipage}[b] {2.3in}
804: \begin{center}
805: \centerline{\psfig{figure=fig2.eps,width=2.3in}} {\small (b) Nash
806: Equilibrium prices when $\alpha>0$}
807: \end{center}
808: \end{minipage}
809: \end{center}
810: \caption{Effect of transaction cost on equilibrium price}
811: \label{fig:equil}
812: \end {figure}
813: 
Because a response curve is the locus of an MSSP's best responses given
the other MSSP's action, the intersection point E is the
equilibrium point where both MSSPs are choosing optimally and
simultaneously. By definition, the prices at E are the Nash Equilibrium
prices. Observe that this Nash Equilibrium is a stable equilibrium
in the sense that no matter what prices the MSSPs start off with,
they will eventually arrive at point E, as shown by the arrows in
Fig.\ref{fig:equil}(a).
822: 
823: %To investigate effect of transaction cost, we first assume there
824: %is no transaction cost, $\alpha=0$.
Denote by $P^i_0$ the price vendor $i$ would charge when there is no
transaction cost ($\alpha=0$). From equation system
(\ref{equi:two0}),
828: \begin{eqnarray}
829: P^i_0=r(P^{-i}, \alpha=0, \eta)%>r(P^{-i}, \alpha>0, \eta)=P^i_\alpha,
830: \quad, i=1,2
831: \end{eqnarray}
832: 
Totally differentiating optimization condition (\ref{equi:opti2}) gives
834: \begin{eqnarray}
835: dP^i(1- \frac{1}{\eta^i(1+\alpha)})+P^i \frac{d
836: \eta^i}{\eta^{i2}(1+\alpha)} +P^i\frac{d
837: \alpha}{\eta^i(1+\alpha)^2}=C''(N(\cdot)) \label{equi:total}
838: \end{eqnarray}
839: By A4
840: \begin{eqnarray}
841: C''(N(\cdot))=0
842: \end{eqnarray}
843: Equation (\ref{equi:total}) implies:
844: 
845: \begin{eqnarray}
dP^i(1-\frac{1}{\eta^i(1+\alpha)}+\frac{\frac{d\eta^i/\eta^i}
{dP^i/P^i}}{\eta^i(1+\alpha)})=-P^i\frac{d\alpha}{\eta^i(1+\alpha)^2}
\label{equi:total1}
849: \end{eqnarray}
850: 
851: Assume:
852: 
853: \begin{itemize}
854:     \item A6. $\frac{d\eta^i/\eta^i}{dP^i/P^i}>1-\eta^i(1+\alpha)$
855:     \label{assu:ineq}
856: \end{itemize}
857: Under assumption (\ref{assu:ineq}),
858: \begin{eqnarray}
859: 1-\frac{1}{\eta^i(1+\alpha)}+\frac{\frac{d\eta^i/\eta^i}
860: {dP^i/P^i}}{\eta^i(1+\alpha)}>0
861: \end{eqnarray}
862: 
Equation (\ref{equi:total1}) then implies
864: \begin{eqnarray}
865: d\alpha>0\quad\Rightarrow\quad dP^i<0
866: \end{eqnarray}
867: 
868: This shows that when transaction cost increases, MSSPs reduce
869: their prices correspondingly.
870: 
Graphically, the reaction curve $P^1=r(P^2, \alpha, \eta)$ shifts
to the left and $P^2=r(P^1, \alpha, \eta)$ shifts down. Therefore,
compared with the reaction curves when there is no transaction
cost, the reaction curves with transaction cost intersect at a lower
price level for both MSSPs, as shown in Fig.\ref{fig:equil}(b).
Recall that the intersection of the reaction curves is the Nash
Equilibrium of the game.
878: 
As shown above, under assumptions A1--A6, the existence of transaction
cost reduces the prices charged by MSSPs. The extent of the reduction
depends on how sensitive market demand is to prices.
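
The comparative statics above can be checked numerically. The following Python code is an added example, not part of the original paper: it assumes a linear demand $N^i=A-B(1+\alpha)P^i+C(1+\alpha)P^{-i}$ with $0<C<2B$, constant marginal cost $M$ (A4) and constructed parameter values, and iterates the two reaction functions to the intersection point E for several values of $\alpha$.

```python
# Added example: two-MSSP price competition with transaction cost alpha.
# Assumed (not from the paper): linear demand
#   N_i = A - B*(1+alpha)*P_i + C*(1+alpha)*P_j,  with 0 < C < 2*B,
# and constant marginal cost M (assumption A4). All numbers are constructed.
A, B, C, M = 100.0, 2.0, 1.0, 10.0


def best_response(p_other, alpha):
    """Reaction function P_i = r(P_j, alpha): the price that maximises
    (P_i - M) * N_i, obtained from N_i + (P_i - M) * dN_i/dP_i = 0."""
    return A / (2 * B * (1 + alpha)) + C * p_other / (2 * B) + M / 2


def nash_prices(alpha, start=(0.0, 500.0), tol=1e-10, max_iter=10_000):
    """Iterate both reaction functions from `start` until prices settle."""
    p1, p2 = start
    for _ in range(max_iter):
        n1, n2 = best_response(p2, alpha), best_response(p1, alpha)
        if max(abs(n1 - p1), abs(n2 - p2)) < tol:
            return n1, n2
        p1, p2 = n1, n2
    raise RuntimeError("best-response iteration did not converge")


def closed_form(alpha):
    """Symmetric intersection of the two reaction curves (point E)."""
    return (A / (1 + alpha) + B * M) / (2 * B - C)


def opti2_lhs(price, alpha):
    """Left side of the pricing condition P(1 - 1/(eta(1+alpha))) at a
    symmetric price, with eta = B*P/N; at equilibrium it equals M."""
    n = A - (B - C) * (1 + alpha) * price
    eta = B * price / n
    return price * (1 - 1 / (eta * (1 + alpha)))


if __name__ == "__main__":
    for alpha in (0.0, 0.03, 0.06):
        p, _ = nash_prices(alpha)
        print(f"alpha={alpha:.2f}  MSSP price={p:.3f}  "
              f"buyer pays={(1 + alpha) * p:.3f}")
```

With these constructed numbers the MSSP price falls as $\alpha$ rises while the buyer's out-of-pocket price $(1+\alpha)P$ rises, so the transaction cost is shared between the two sides.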
882: 
883: 
884: \section{Related Work} \label{sec:relwk}
885: 
886: \subsection{Empirical Work}
887: 
Empirical work on this issue has mostly been done with surveys. Ang
and Straub (1998) performed a well-designed survey of banks of
different sizes, with items measuring degree of IT outsourcing,
production cost advantage, transaction cost, financial slack
(archive data were also used here), outsourcing degree and firm size.
They found that production cost advantage is the main driving
force of IT outsourcing, and that transaction cost dampens outsourcing
intention but has a much smaller effect. They also reported
evidence that the degree of IT outsourcing decreases with firm size.
They argued that this is because large firms are more likely to
generate economies of scale in their IT departments and are therefore
more likely to produce IT services in-house. Lacity and Willcocks
(1998) measured the success or failure of IT outsourcing based on
seven factors, and found that outsourcing scope, length of
contract term and contract type are among the most important factors
that decide how successful an IT outsourcing arrangement is. Poppo and Zenger
(1998) included technological uncertainty, measurement difficulty
and quality satisfaction in their model, and showed that when it
is harder to measure performance, firms become less satisfied with
costs. Ang and Cummings (1997) found empirical evidence that in
hyper-competitive environments, not only firms but also security
vendors act strategically.
910: 
911: \subsection{Analytical Work}
912: 
Analytical papers, on the other hand, have a strong game theoretic
flavor. Mieghem (1999) built a multivariate, multidimensional
competitive model and investigated the effect of subcontracting
complexity on coordination.
917: 
918: 
Ang and Cummings argued that organizations respond strategically
under hyper-competitive environments. Whang employed a game
theoretical approach to explain asymmetric information and
incentive compatibility issues in software development.
923: 
924: \section{Conclusion}
925: 
The security outsourcing market benefits both vendors and buyers if it
works properly. In the first place, security outsourcing offers
cost reduction for buyers. We showed that for security
outsourcing, the optimal form of contract should be performance-based.
We also showed that with transaction cost, prices paid to MSSPs
are lower than otherwise. MSSPs take on part of the transaction cost
to stimulate demand.
933: 
934: \thispagestyle{empty}
935: 
936: \bibliographystyle{plain}
937: \bibliography{../ref}
938: 
939: 
940: 
941: \thispagestyle{empty}
942: 
943: \end{document}
944: