Exploitation of auctions for outsourcing security-critical projects

ICT outsourcing may introduce several risks. This paper attempts to mitigate this problem by applying an auctioning scheme. By adopting the scheme, the involved organization selects one or more potential outsourced service providers via an auction similar to the FCC spectrum auctions. The project is divided into sub-projects, bidders are pre-evaluated in terms of security, and each bid is assessed in terms of cost and appropriate security metrics. The bidding process continues according to the auction rules, allocating all the sub-projects to the best bidders. The ultimate goal is to achieve upgraded security while keeping the cost at a reasonable level and meeting adequate security requirements. In this way our model fosters competition and motivates providers to place superior bids in terms of security, while providing flexibility to the organization. The auction process is demonstrated through a case study in which the outsourcer is a critical infrastructure organization.
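As an added illustration (not the paper's own code; the paper's actual auction rules, weights and security metrics are not on this page), the following Python sketch shows one way the described mechanism can be made concrete: a security pre-qualification gate that admits only bidders whose baseline assessment meets a threshold, a per-bid score that combines cost against a sub-project budget with an assessed security metric, and a multi-round allocation in the spirit of the FCC simultaneous multi-round format, where a provisional winner per sub-project is displaced only by a strictly better admissible bid. All bidder names, sub-projects, thresholds, weights and bid figures are constructed assumptions for the demonstration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Bid:
    bidder: str
    subproject: str
    cost: float      # offered price for the sub-project (assumed currency units)
    security: float  # assessed security metric in [0.0, 1.0], higher is better


@dataclass(frozen=True)
class SubProject:
    name: str
    budget: float        # ceiling price the outsourcer will accept
    min_security: float  # minimum acceptable security metric for this sub-project


def prequalify(baseline: dict[str, float], threshold: float) -> set[str]:
    """Pre-evaluation step: only bidders whose baseline security assessment
    meets the threshold are admitted to the auction at all."""
    return {bidder for bidder, score in baseline.items() if score >= threshold}


def bid_score(bid: Bid, sp: SubProject, w_sec: float) -> float:
    """Weighted score (higher is better) combining normalized cost savings
    with the security metric; w_sec in [0, 1] is the weight on security."""
    cost_term = 1.0 - bid.cost / sp.budget  # 0 at the budget ceiling, 1 at zero cost
    return (1.0 - w_sec) * cost_term + w_sec * bid.security


def admissible(bid: Bid, sp: SubProject, qualified: set[str]) -> bool:
    """A bid counts only if the bidder passed pre-qualification, the price is
    within budget and the offered security meets the sub-project minimum."""
    return (bid.bidder in qualified and bid.subproject == sp.name
            and bid.cost <= sp.budget and bid.security >= sp.min_security)


def run_auction(subprojects: list[SubProject], rounds: list[list[Bid]],
                qualified: set[str], w_sec: float) -> dict[str, tuple[str, float]]:
    """Multi-round allocation: every round's admissible bids are scored, and a
    bid displaces the standing provisional winner of its sub-project only if it
    scores strictly higher. Returns {subproject: (bidder, score)} after the
    final round; sub-projects with no admissible bid are absent."""
    by_name = {sp.name: sp for sp in subprojects}
    standing: dict[str, tuple[str, float]] = {}
    for round_bids in rounds:
        for bid in round_bids:
            sp = by_name.get(bid.subproject)
            if sp is None or not admissible(bid, sp, qualified):
                continue  # inadmissible bids never affect the standing winner
            score = bid_score(bid, sp, w_sec)
            current = standing.get(sp.name)
            if current is None or score > current[1]:
                standing[sp.name] = (bid.bidder, score)
    return standing


# Constructed sample data (hypothetical providers and sub-projects).
BASELINE = {"ProviderA": 0.8, "ProviderB": 0.7, "ProviderC": 0.4}
SUBPROJECTS = [
    SubProject("soc-monitoring", budget=100.0, min_security=0.7),
    SubProject("backup", budget=50.0, min_security=0.5),
]
ROUNDS = [
    [   # round 1
        Bid("ProviderA", "soc-monitoring", cost=90.0, security=0.8),
        Bid("ProviderB", "soc-monitoring", cost=70.0, security=0.6),  # below min_security
        Bid("ProviderC", "soc-monitoring", cost=50.0, security=0.9),  # not pre-qualified
        Bid("ProviderA", "backup", cost=45.0, security=0.7),
        Bid("ProviderB", "backup", cost=40.0, security=0.6),
    ],
    [   # round 2: ProviderB improves its security offer for soc-monitoring
        Bid("ProviderB", "soc-monitoring", cost=80.0, security=0.75),
        Bid("ProviderB", "backup", cost=40.0, security=0.6),
    ],
]


def demo(w_sec: float = 0.6) -> dict[str, tuple[str, float]]:
    """Run the sample auction with the given security weight."""
    return run_auction(SUBPROJECTS, ROUNDS, prequalify(BASELINE, 0.6), w_sec)


if __name__ == "__main__":
    for name, (winner, score) in sorted(demo().items()):
        print(f"{name}: {winner} (score {score:.2f})")
```

With the constructed figures, ProviderC is excluded at pre-qualification regardless of its cheap, high-security bid, ProviderB's first soc-monitoring bid is rejected for falling below the sub-project's security floor, ProviderA holds both sub-projects after round 1, and ProviderB's improved round-2 offer takes soc-monitoring because its score (0.53) exceeds ProviderA's standing 0.52. Raising or lowering `w_sec` changes which trade-off between price and security wins, which is the lever the outsourcer uses to express its security requirements.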
