Information security as a credence good

Ping Fan Ke; Kai Lung Hui; Wei T. Yue

doi:10.1007/978-3-642-41320-9_6

Information security as a credence good

Ping Fan Ke, Kai Lung Hui, Wei T. Yue

Department of Information Systems, Business Statistics & Operations Management

Research output: Chapter in Book/Conference Proceeding/Report › Conference Paper published in a book › peer-review

Abstract

With increasing use of information systems, many organizations are outsourcing information security protection to a managed security service provider (MSSP). However, diagnosing the risk of an information system requires special expertise, which could be costly and difficult to acquire. The MSSP may exploit their professional advantage and provide fraudulent diagnosis of clients' vulnerabilities. Such an incentive to mis-represent clients' risks is often called the credence goods problem in the economics literature[3]. Although different mechanisms have been introduced to tackle the credence goods problem, in the information security outsourcing context, such mechanisms may not work well with the presence of system interdependency risks [6], which are introduced by inter-connecting multiple clients' systems by the MSSP. In particular, we find that allowing clients to seek alternative diagnosis of their vulnerabilities may not remove the MSSP's fraudulent behaviors. We shall explore alternative ways to solve the credence goods problem in the information security outsourcing context.

Original language	English
Title of host publication	Financial Cryptography and Data Security - FC 2013 Workshops, USEC and WAHC 2013, Revised Selected Papers
Pages	83-93
Number of pages	11
DOIs	https://doi.org/10.1007/978-3-642-41320-9_6
Publication status	Published - 2013
Event	16th International Conference on Financial Cryptography and Data Security, FC 2013 - Okinawa, Japan Duration: 1 Apr 2013 → 1 Apr 2013

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	7862 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	16th International Conference on Financial Cryptography and Data Security, FC 2013
Country/Territory	Japan
City	Okinawa
Period	1/04/13 → 1/04/13

Keywords

Credence good
Information security outsourcing
Interdependency risks

Access to Document

10.1007/978-3-642-41320-9_6

Cite this

Ke, P. F., Hui, K. L., & Yue, W. T. (2013). Information security as a credence good. In Financial Cryptography and Data Security - FC 2013 Workshops, USEC and WAHC 2013, Revised Selected Papers (pp. 83-93). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7862 LNCS). https://doi.org/10.1007/978-3-642-41320-9_6

@inproceedings{34cd82cd27054bf9aa029cff41297de2,

title = "Information security as a credence good",

abstract = "With increasing use of information systems, many organizations are outsourcing information security protection to a managed security service provider (MSSP). However, diagnosing the risk of an information system requires special expertise, which could be costly and difficult to acquire. The MSSP may exploit their professional advantage and provide fraudulent diagnosis of clients' vulnerabilities. Such an incentive to mis-represent clients' risks is often called the credence goods problem in the economics literature[3]. Although different mechanisms have been introduced to tackle the credence goods problem, in the information security outsourcing context, such mechanisms may not work well with the presence of system interdependency risks [6], which are introduced by inter-connecting multiple clients' systems by the MSSP. In particular, we find that allowing clients to seek alternative diagnosis of their vulnerabilities may not remove the MSSP's fraudulent behaviors. We shall explore alternative ways to solve the credence goods problem in the information security outsourcing context.",

keywords = "Credence good, Information security outsourcing, Interdependency risks",

author = "Ke, \{Ping Fan\} and Hui, \{Kai Lung\} and Yue, \{Wei T.\}",

year = "2013",

doi = "10.1007/978-3-642-41320-9\_6",

language = "English",

isbn = "9783642413193",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "83--93",

booktitle = "Financial Cryptography and Data Security - FC 2013 Workshops, USEC and WAHC 2013, Revised Selected Papers",

note = "16th International Conference on Financial Cryptography and Data Security, FC 2013 ; Conference date: 01-04-2013 Through 01-04-2013",

}

Ke, PF, Hui, KL & Yue, WT 2013, Information security as a credence good. in Financial Cryptography and Data Security - FC 2013 Workshops, USEC and WAHC 2013, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 7862 LNCS, pp. 83-93, 16th International Conference on Financial Cryptography and Data Security, FC 2013, Okinawa, Japan, 1/04/13. https://doi.org/10.1007/978-3-642-41320-9_6

Information security as a credence good. / Ke, Ping Fan; Hui, Kai Lung; Yue, Wei T.
Financial Cryptography and Data Security - FC 2013 Workshops, USEC and WAHC 2013, Revised Selected Papers. 2013. p. 83-93 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7862 LNCS).

Research output: Chapter in Book/Conference Proceeding/Report › Conference Paper published in a book › peer-review

TY - GEN

T1 - Information security as a credence good

AU - Ke, Ping Fan

AU - Hui, Kai Lung

AU - Yue, Wei T.

PY - 2013

Y1 - 2013

N2 - With increasing use of information systems, many organizations are outsourcing information security protection to a managed security service provider (MSSP). However, diagnosing the risk of an information system requires special expertise, which could be costly and difficult to acquire. The MSSP may exploit their professional advantage and provide fraudulent diagnosis of clients' vulnerabilities. Such an incentive to mis-represent clients' risks is often called the credence goods problem in the economics literature[3]. Although different mechanisms have been introduced to tackle the credence goods problem, in the information security outsourcing context, such mechanisms may not work well with the presence of system interdependency risks [6], which are introduced by inter-connecting multiple clients' systems by the MSSP. In particular, we find that allowing clients to seek alternative diagnosis of their vulnerabilities may not remove the MSSP's fraudulent behaviors. We shall explore alternative ways to solve the credence goods problem in the information security outsourcing context.

AB - With increasing use of information systems, many organizations are outsourcing information security protection to a managed security service provider (MSSP). However, diagnosing the risk of an information system requires special expertise, which could be costly and difficult to acquire. The MSSP may exploit their professional advantage and provide fraudulent diagnosis of clients' vulnerabilities. Such an incentive to mis-represent clients' risks is often called the credence goods problem in the economics literature[3]. Although different mechanisms have been introduced to tackle the credence goods problem, in the information security outsourcing context, such mechanisms may not work well with the presence of system interdependency risks [6], which are introduced by inter-connecting multiple clients' systems by the MSSP. In particular, we find that allowing clients to seek alternative diagnosis of their vulnerabilities may not remove the MSSP's fraudulent behaviors. We shall explore alternative ways to solve the credence goods problem in the information security outsourcing context.

KW - Credence good

KW - Information security outsourcing

KW - Interdependency risks

UR - https://openalex.org/W2175404060

UR - https://www.scopus.com/pages/publications/84892884240

U2 - 10.1007/978-3-642-41320-9_6

DO - 10.1007/978-3-642-41320-9_6

M3 - Conference Paper published in a book

SN - 9783642413193

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 83

EP - 93

BT - Financial Cryptography and Data Security - FC 2013 Workshops, USEC and WAHC 2013, Revised Selected Papers

T2 - 16th International Conference on Financial Cryptography and Data Security, FC 2013

Y2 - 1 April 2013 through 1 April 2013

ER -

Information security as a credence good

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this