A few years ago, a data breach compromised the information of more than 100 million Target customers and cost the company US$148 million. Target had outsourced its security to a managed security service (MSS) provider called FireEye, but then failed to take action after FireEye alerted it to the breach. In a timely study, HKUST professors Kai-Lung Hui and Ping Fan Ke, along with co-researchers, sought ways to ensure that both MSS providers and clients invest the effort necessary to prevent future incidents like the Target data breach.

Although outsourcing security protection does not completely shield firms from cyberattacks and intrusions, the MSS market is growing rapidly. Meanwhile, firms and MSS providers are becoming ever more closely integrated. “This closely knit collaborative relationship raises questions,” say the researchers. For example, should MSS providers be held fully accountable for losses suffered by clients due to security breaches? The researchers think not. “The quality of the service,” they explain, “is highly dependent on both the client’s efforts and the MSS provider’s efforts.”

All information security contracts address the issue of loss. Simple loss-based contracts require the MSS provider “to compensate the client fully in case of a security breach,” the researchers explain. In others, the liability surrounding a loss is shared. The researchers aimed to improve the design of bilateral contracts by better defining the obligations of firms and MSS providers. This, they hoped, would “incentivize both the client and the MSS provider to work hard.”

In a novel extension of the legal concept of negligence, the researchers devised two contracts in which liability is shared between a firm and its MSS provider. In the spirit of “comparative negligence,” the variable-liability contract “assigns liability based on the effort invested by the client.” In contrast, the threshold-based liability contract follows the spirit of contributory negligence. “Under this contract,” the authors tell us, “the client will receive compensation if and only if her effort exceeds a certain threshold.”

The next step was to assess how well the two new contracts performed in encouraging clients and MSS providers to invest effort in preventing and responding to security breaches. Compared with traditional loss-based approaches, sharing liability was much more effective. Indeed, “only the variable-liability contract and threshold-based liability contract can lead to socially optimal outcomes,” the researchers tell us.

When the researchers tested the shared-liability contracts under real-world constraints, they discovered something surprising—that “effort verification need not be complete.” Merely having a threshold was sufficient. In the tested real-world scenarios, therefore, the threshold-based liability contract performed better than the variable-liability contract.

This pioneering study, which expands the concept of liability to encompass legal definitions of negligence while acknowledging real-world constraints, provides a robust framework for future work. For example, the researchers note, it offers a basis for “exploring the optimal design of MSS contracts in other complex settings, such as the presence of strategic hackers or collaborative multiparty security protection.” In an increasingly connected world that is ever more vulnerable to cyberthreats, such research is of utmost importance.