Similar literature
20 similar records found (search took 15 ms)
1.
An ever-increasing trend in today's firms is to exploit outsourcing for those information systems (IS) functions deemed to be outside the company's core competence. Given the multi-attribute nature of the IS outsourcing decision, this paper argues that six factors, including economics, resource, strategy, risk, management and quality, should be considered for outsourcing decisions, and proposes the use of the analytic hierarchy process (AHP) and the preference ranking organization method for enrichment evaluations (PROMETHEE) as aids in making IS outsourcing decisions. The AHP is used to analyze the structure of the outsourcing problem and determine the weights of the criteria, and the PROMETHEE method is used for the final ranking, together with changing weights for a sensitivity analysis. An application shows that the hybrid method is very well suited as a decision-making tool for the IS outsourcing decision. Finally, potential issues for future research are presented.

2.
Research has extensively investigated the rationale of firm diversity from the economic perspective, but little is known about how such a strategy may affect information security. The present study is the first to examine how firm diversity is relevant to firms' likelihood to experience data breaches (i.e., data breach risk). Drawing from the strands of literature on information security, diversification, and the resource-based view, we propose hypotheses on the relationship between firm diversity and data breach risk, as well as the boundary conditions of this relationship. On the basis of a twelve-year sample of publicly-listed firms, our analysis provides evidence to support the negative association between firm diversity and data breach risk. Our analysis also delineates conditions under which the effects of firm diversity can intervene to reduce the data breach risk invoked, such as under related diversity and when managers are managerially capable. For academics, our research accentuates an intriguing but unexamined benefit of firm diversity because it relates to information security. For practicing professionals, this research highlights the significant impact of firms' operational structure on information security.

3.
When a customer interacts with a firm, extensive personal information often is gathered without the individual's knowledge. Significant risks are associated with handling this kind of information. Providing protection may reduce the risk of the loss and misuse of private information, but it imposes some costs on both the firm and its customers. Nevertheless, customer information security breaches still may occur. They have several distinguishing characteristics: (1) typically it is hard to quantify monetary damages related to them; (2) customer information security breaches may be caused by intentional attacks, as well as through unintentional organizational and customer behaviors; and (3) the frequency of such incidents typically is low, although they can be very costly when they occur. As a result, predictive models and explanatory statistical analysis using historical data have not been effective. We present a profit optimization model for customer information security investments. Our approach is based on value-at-risk methods and operational risk modeling from financial economics. The main results of this work are that we: (1) provide guidance on the trade-offs between risk and return in customer information security investments; (2) define the range of efficient investments in technology-supported risk indemnification for sellers; (3) model how to handle government-dictated levels of investment versus self-regulation of investments in technology; and (4) characterize customer information security investment levels when the firm is able to pass some of its costs on to consumers. We illustrate our theoretical findings with empirical data from the Open Security Foundation, as a means of grounding our analysis and offering the reader intuition for the managerial interpretation of our theory and main results. 
The results show that we can narrow the decision set for solution providers and policy-makers based on the estimable risks and losses associated with customer information security. We also discuss the application of our approach in practice.

4.
We present a methodology for managing outsourcing projects from the vendor's perspective, designed to maximize the value to both the vendor and its clients. The methodology is applicable across the outsourcing lifecycle, providing the capability to select and target new clients, manage the existing client portfolio and quantify the realized benefits to the client resulting from the outsourcing agreement. Specifically, we develop a statistical analysis framework to model client behavior at each stage of the outsourcing lifecycle, including: (1) a predictive model and tool for white space client targeting and selection (opportunity identification), (2) a model and tool for client risk assessment and project portfolio management (client tracking), and (3) a systematic analysis of outsourcing results (impact analysis), to gain insights into potential benefits of IT outsourcing as a part of a successful management strategy. Our analysis is formulated in a logistic regression framework, modified to allow for non-linear input-output relationships, auxiliary variables, and small sample sizes. We provide examples to illustrate how the methodology has been successfully implemented for targeting, tracking, and assessing outsourcing clients within IBM global services division.
Scope and purpose
The predominant literature on IT outsourcing often examines various aspects of the vendor-client relationship, strategies for successful outsourcing from the client perspective, and key sources of risk to the client, generally ignoring the risk to the vendor. However, in the rapidly changing market, a significant share of risks and responsibilities falls on the vendor, as outsourcing contracts are often renegotiated, providers replaced, or services brought back in house. With the transformation of outsourcing engagements, the risk on the vendor's side has increased substantially, driving the vendor's financial and business performance and eventually impacting the value delivered to the client. As a result, only well-run vendor firms with robust processes and tools that allow identification and active management of risk at all stages of the outsourcing lifecycle are able to deliver value to the client. This paper presents a framework and methodology for managing a portfolio of outsourcing projects from the vendor's perspective, throughout the entire outsourcing lifecycle. We address three key stages of the outsourcing process: (1) opportunity identification and qualification (i.e. selection of the most likely new clients), (2) client portfolio risk management during engagement and delivery, and (3) quantification of benefits to the client throughout the life of the deal.

5.
6.
Financial and cost benefits are often put forward as the reasons why organisations decide to outsource. Emerging patterns and trends indicate that today's outsourcing decisions are often motivated by factors other than cost. Thus, the decision-making process is more complex than it may at first appear. This paper presents findings from a case study of an organisation in the UK banking sector that was motivated to outsource aspects of its information technology/information systems (IT/IS). The underlying motives and decision-making process that influenced the bank to outsource its IT/IS are presented and discussed. Findings from the case study suggest that political perspectives, as well as human and organisational issues, influenced the bank's strategic decision to outsource certain aspects of its business. An examination of the case study findings suggests that cost alone is not always responsible for decisions to outsource, as the bank's outsourcing decision was found to be driven by a series of complex, interrelated motives in a bid to reduce the risks and uncertainties of managing its own technology. Considering the complex nature of the outsourcing process, a frame of reference that can be used to assist managers with their decision to outsource IT/IS is put forward. The case study is used to present an organisation's experience of how and why it decided to outsource its IS and thus offers a learning opportunity for other organisations facing similar difficulties. In addition, the case study findings highlight the need to focus greater attention on discriminating between the short- and long-term consequences of IT/IS decision-making.

7.
A business's information is one of its most important assets, making the protection of information a strategic issue. In this paper, we investigate the tension between information security policies and information security practice through longitudinal case studies at two health care facilities. The management of information security is traditionally informed by a control-based compliance model, which assumes that human behavior needs to be controlled and regulated. We propose a different theoretical model: the value-based compliance model, assuming that multiple forms of rationality are employed in organizational actions at one time, causing potential value conflicts. This has strong strategic implications for the management of information security. We believe health care situations can be better managed using the assumptions of a value-based compliance model.

8.
Purpose
The purpose of this paper is to investigate the impact of Supply Chain Information Integration (SCII) on the operational performance of manufacturing firms in Malaysia, considering the role of information leakage.
Design/methodology/approach
To test the model developed, we conducted an online questionnaire survey with Malaysian manufacturing companies drawn from the Federation of Malaysian Manufacturers directory of 2018. Out of the 400 questionnaires sent out to the manufacturing companies, 144 useable responses were received, giving a response rate of 36 %. The data were analyzed using SmartPLS, a second-generation statistical tool.
Findings
The findings of this study showed that information quality, information security, and information technology (IT) had a positive effect on SCII with an explanatory power of 47.2 %, while SCII, in turn, had a positive effect on operational performance, explaining 17% of the variance. Intentional information leakage (IIL) moderated the relationship between SCII and operational performance, whereas accidental information leakage did not moderate the same relationship.
Practical implications
This study provides insights into difficulties faced when implementing SCII, particularly by medium and large manufacturing companies in Malaysia. It helps identify appropriate strategies that can guide management in its effort to improve performance through SCII.
Originality/value
This research is arguably the first study that simultaneously investigates the effect of information quality, IT, and information security on SCII and the moderating effect of information leakage on the relationship between SCII and operational performance. The results of this study indicate that information security has the largest impact on SCII, followed by IT and information quality. Furthermore, IIL, as a negative aspect of information integration, may weaken the relationship between SCII and operational performance.

9.
Service clouds built on cloud infrastructures and service-oriented architecture provide users with a novel pattern of composing basic services to achieve complicated tasks. However, in a multi-cloud environment, outsourcing data and applications poses a great challenge to information flow security for the composite services, since sensitive data may be leaked to unauthorized attackers during service composition. Although model checking has been considered a promising approach to enforce information flow security precisely, its high complexity of modeling and the heavy cost of verification place great burdens on the process of service composition. In this paper, we propose a distributed approach to composing services securely with information flow control. In our approach, each service component is first verified through model checking, and then a compositional verification procedure is executed to ensure information flow security along with the composition of these services. The experimental results indicate that our approach can reduce the cost of verification compared with the global verification approach.

10.
For outsourced information systems, this paper proposes an information security evaluation model based on the fuzzy analytic hierarchy process (FAHP). It first analyses the characteristics of information security evaluation for outsourced systems and establishes the logical basis for choosing a reasonable evaluation method. It then studies in depth the theory of applying FAHP to the information security evaluation of outsourced systems. Finally, a worked example verifies the practicality and feasibility of FAHP for evaluating the information security of outsourced systems.

11.
Expected benefits of information security investments
Ideally, decisions concerning investments of scarce resources in new or additional procedures and technologies that are expected to enhance information security will be informed by quantitative analyses. But security is notoriously hard to quantify, since absence of activity challenges us to establish whether lack of successful attacks is the result of good security or merely due to good luck. However, viewing security as the inverse of risk enables us to use computations of expected loss to develop a quantitative approach to measuring gains in security by measuring decreases in risk. In using such an approach, making decisions concerning investments in information security requires calculation of the net benefits expected to result from the investment. Unfortunately, little data are available upon which to base an estimate of the probabilities required for developing the expected losses. This paper develops a mathematical approach to risk management based on Kaplan-Meier and Nelson-Aalen non-parametric estimators of the probability distributions needed for using the resulting quantitative risk management tools. Differences between the integrals of these estimators evaluated for enhanced and control groups of systems in an information infrastructure provide a metric for measuring increased security. When combined with an appropriate value function, the expected losses can be calculated and investments evaluated quantitatively in terms of actual enhancements to security.

12.
With the rise of 5G/6G networks, low-storage devices usually outsource data for higher rate and lower latency. Uncontrolled outsourcing and complex communications incur security issues for IoT applications. In particular, user privacy and access reliability pose technical challenges for sensitive data outsourcing and sharing. In this paper, we harmonize functional encryption and blockchain to propose a reliable and privacy-aware access control system named R-PAC. It allows result-form access without learning the raw information, and fair interaction against malicious users. By combining it with all-or-nothing encapsulation, R-PAC supports users' dynamic joining and key leakage resistance. We design R-PAC from Boneh-Franklin identity-based encryption, with forward-coverable encryption and reverse-discoverable decryption, and formally prove its indistinguishability security. We implement an R-PAC prototype and deploy it to a simulated Ethereum network to evaluate its performance. Experiments on both data access and transaction overhead show that R-PAC has reasonable cost and offers a trade-off between efficiency and strong security/functionality.

13.
To address the problem that, as information systems and network environments become increasingly complex, sensitive information can leak through many diverse and highly covert channels, a document sensitive information control model, DSI-CON, is proposed. First, a threat model for sensitive information leakage is established on the basis of security attributes, the main leakage channels are analysed, and the security requirements are derived. Then DSI-CON is proposed on the basis of the usage control model and described formally; a series of security policies is formulated for the security requirements, and the security of the model is analysed. Finally, taking a teaching and research office as an example, the model is applied and a deployment scheme is designed. The analysis shows that DSI-CON can greatly reduce the risk of sensitive information leakage and protects sensitive information.

14.
We proposed and empirically tested a mediating model for examining the effects of multilevel sanctions on preventing information security violations in the workplace. The results of the experiment suggested that personal self-sanctions and workgroup sanctions have significant deterrent effects on employee security violations, but that the effect of organizational sanctions becomes insignificant when the other two types of sanctions are taken into account. Theoretically, the study pointed out the importance of personal self-sanctions and informal workgroup sanctions. Practically, our results suggested that an "influencing" strategy may be more effective than an "enforcing" one in information security management.

15.
Information security management standards: Problems and solutions
International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements are different. Second, we noted that these guidelines were validated by appeal to common practice and authority and that this was not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.

16.
Eirik, Jan. Computers & Security, 2009, 28(6): 476-490
Empirical findings from surveys and in-depth interviews with information security managers and users indicate that a digital divide exists between these groups in terms of their views on and experience of information security practices. Information security professionals mainly regard users as an information security threat, whereas users believe themselves to be an untapped resource for security work. The limited interaction between users and information security managers results in a lack of understanding of the other's point of view. These divergent views on and interpretations of information security mean that managers tend to base their practical methods on unrealistic assumptions, resulting in management approaches that are poorly aligned with the dynamics of the users' working day.

17.
While information sharing can benefit supply chains significantly, it may also have an adverse effect, namely information leakage. A limitation common to many existing solutions for preventing information leakage in supply chains is that they rely, either implicitly or explicitly, upon two unrealistic assumptions. First, that what information is confidential is well known. Second, that confidential information will not be revealed as long as it is not shared, regardless of how much other information is being shared. As we show in this paper, those assumptions are not always true because of potential information leakage caused by inferences. Specifically, we propose a conceptual model of such information leakage. The model will enable companies in a supply chain to better understand how their confidential information may be leaked through inferences. On the basis of the proposed conceptual model, we then devise a quantitative approach to evaluating the risk of information leakage caused by inferences when a given amount of information is shared. The quantitative approach will allow companies in a supply chain to measure and consequently mitigate the risk of information leakage. Finally, we discuss a case study to illustrate how the proposed approaches work in practice.

18.
Information & Management, 2005, 42(4): 533-542
An increasingly large number of firms outsource their information technology (IT). Firms that contemplate such outsourcing have two alternatives: (1) a contract with a vendor (i.e., outsourcing) or (2) setting up their own IT subsidiary (i.e., quasi-outsourcing). This study examines some of the determinants of the outsourcing versus quasi-outsourcing decision. Using primary data collected in France and Germany, we show that the decision is strongly influenced by both internal (i.e., asset-specificity, size, and internal organization of IT) and external (i.e., institutional environment) determinants.

19.
As IT expenditures have been growing over the last few years, organizations have started to scrutinize them more closely and some are deciding to outsource parts of their Information Systems (IS) operations. Unfortunately, there is a lack of research on the impact that the object of an outsourcing decision may have on the factors considered when making such a decision. The impact of organizational size and the firm's strategy has also not been conclusively established in the literature. This paper examines and compares the different supplier, internal, technology and cost factors considered when outsourcing Online Transaction Processing (OLTP) or Decision Support Systems (DSSs) (the object of a decision). It also examines the divergent decision factors for large, medium and small organizations, and the competitive strategy's impact on the factors that are considered. The paper is based on a study with samples from four large SAP Conferences and includes 1889 individuals working in organizations that use enterprise resource planning software. This research found that the object being outsourced, the firm's competitive strategies, and the organizational size are factors that significantly influence the outsourcing decision process. We found that the relative importance of decision factors for the outsourcing of OLTP is significantly different from those for a DSS and that, where the outsourcing object is of strategic importance, there is a closer attention to internal factors. Our findings confirm that outsourcing strategies are aligned with organizational strategies. For example, cost factors dominate in the outsourcing decision among organizations that employ a low-costs strategy as compared to those following a differentiation or niche strategy. Also, compared to firms pursuing other competitive strategies, for the outsourcing of DSS, differentiators place a significantly higher emphasis on supplier factors. 
Regarding the role of company size, we found significant differences in the importance given to supplier, internal, technology, and cost factors by organizations of different sizes. For example, compared to smaller organizations, larger organizations gave less importance to supplier and technology factors and more importance to cost factors.

20.
Knowledge sharing and investment decisions in information security
We study the relationship between decisions made by two similar firms pertaining to knowledge sharing and investment in information security. The analysis shows that the nature of the information assets possessed by the two firms, either complementary or substitutable, plays a crucial role in influencing these decisions. In the complementary case, we show that the firms have a natural incentive to share security knowledge and no external influence to induce sharing is needed. However, the investment levels chosen in equilibrium are lower than optimal, an aberration that can be corrected using coordination mechanisms that reward the firms for increasing their investment levels. In the substitutable case, the firms fall into a Prisoners' Dilemma trap where they do not share security knowledge in equilibrium, despite the fact that it is beneficial for both of them to do so. Here, the beneficial role of a social planner in encouraging the firms to share is indicated. However, even when the firms share in accordance with the recommendations of a social planner, the level of investment chosen by the firms is sub-optimal. The firms either enter into an "arms race" where they over-invest or reenact the under-investment behavior found in the complementary case. Once again, this sub-optimal behavior can be corrected using incentive mechanisms that penalize over-investment and reward increases in the investment level in regions of under-investment. The proposed coordination schemes, with some modifications, achieve the socially optimal outcome even when the firms are risk-averse. Implications for information security vendors, firms, and the social planner are discussed.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号