A probabilistic model for optimal insurance contracts against security risks and privacy violation in IT outsourcing environments

The provision of information technology goods and services is becoming noticeably more expensive day by day. This is mainly due to the high labor cost for service providers, resulting from the need to cover a vast variety of application domains and, at the same time, to improve and/or enhance the services offered in accordance with the requirements set by the competition. A business model that could ease the problem is the development and/or provision of the service by an external contractor on behalf of the service provider, known as Information Technology Outsourcing. However, outsourcing a service may have the side effect of transferring personal and/or sensitive data from the outsourcing company to the external contractor. The outsourcing company therefore faces the risk of a contractor who does not adequately protect the data, resulting in their non-deliberate disclosure or modification, or of a contractor who acts maliciously, in the sense that she causes a security incident in order to profit from it. Whatever the case, the outsourcing company is legally responsible for the misuse of personal data and/or the violation of an individual’s privacy. In this paper we demonstrate how companies adopting the outsourcing model can protect the personal data and privacy of their customers through an insurance contract. Moreover, a probabilistic model for optimising the insurance contract, in terms of the premium and compensation amounts, is presented.
