Outsourcing Internet Security: The Effect of Transaction Costs on Managed Service Providers

Size: px

Start display at page:

Download "Outsourcing Internet Security: The Effect of Transaction Costs on Managed Service Providers"

Lawrence Marshall
5 years ago
Views:

1 Outsourcing Internet Security: The Effect of Transaction Costs on Managed Service Providers Abstract Wen Ding William Yurcik National Center for Supercomputing Applications (NCSA) University of Illinois at Urbana-Champaign Transaction costs are a significant factor in outsourcing decisions. In the case of Internet security, outsourcing has higher transaction costs for two major reasons: () the outsourcing process is not yet standardized and (2) there is uncertainty about the frequency and impact of cyber attacks creating large variations in coordination costs. In this paper we study the effects of transaction costs on provider pricing strategies aiming toward guidelines that are beneficial for both buyers and providers. We structure a game-theoretic model that incorporates the two special features of transaction costs for security outsourcing. When transaction costs are high, Managed Security Service Providers (MSSPs) have to charge a lower overall price for their services to balance these costs. The same result holds when the uncertainty associated with transaction cost increases. Our conclusion is that while performance-based contracts have to be employed to create an efficient risk-sharing mechanism, market competition provides incentives for MSSPs to share transaction costs with buyers. Keywords: economics of information security, transaction cost, outsourcing, information security, managed security service providers (MSSPs) Introduction Outsourcing is an important factor in the functional structure of any firm, however, it has only recently become a consideration for IT firms trying to cope with Internet security. The last several years has seen a new market form into has come to be known as Managed Security Service Providers (MSSPs). For a survey of MSSPs see [7]. There is an evolution in thinking abut Internet security. First, there is an increasing realization that Internet security risks will always exist while these risks can be mitigated they cannot be completely eliminated with a product or processes. Secondly, humans-in-the-loop are critical for effective Internet security humans recognize and respond to new risks. Humans attacking need humans to defend. MSSPs are the most efficient way to provide Internet security by leveraging the economies-of-scale in providing a critical mass of human Internet security expertise. In this paper we seek to analytically model the effects of transaction costs on provider pricing strategies (providing human Internet expertise). Transactions costs are key since they largely determine the outsource versus insource decision. Firms shrink by outsourcing if transaction costs fall relative to organization costs. We seek to understand if the effects of transactions costs are different for the case of Internet security as opposed to other domains and what can be learned about specifics within the MSSP market. It is ironic that while the Internet itself has had a large impact in decreasing transaction costs it has also simultaneously introduced new risks which create a critical need for protection. The remainder of this paper is organized as follows: We define terminology and concepts in Section 2. In Section 3 we introduce our analytical analysis model seeking to understand the effect of transaction costs on both firms and MSSPs. Section 4 is a survey of related work. We end with a summary and conclusions in Section 5. 2 Transaction Cost Theory 2. Definition Transaction costs refer to costs incurred when making any economic exchange. In the case of security outsourcing, transaction costs include the following: Searching Cost refers to the money, time, and effort invested in searching for a suitable Managed Security Service Provider (MSSP). To choose the best-fit MSSP is essential for a successful security outsourcing project. Unfortunately, this selection is not easy because there are no consensus met-

2 rics to compare vendors. At present, there are many MSSPs with diversified backgrounds and services serving this market. Contracting Cost refers to the money, time, and effort required to develop a service contract that specifies the responsibilities of both a buyer and a provider. It has been argued that for information security outsourcing a performance-based contract is more effective than a fixed-price contract [7]. In a performance-based contract, a metric for performance quality must be specified as well as the specific penalty if this metric is not satisfied. The contract timeframe is also important the decision whether to sign a long-term or short-term contract effects transaction costs. A long-term contract saves on the overhead cost of developing multiple contracts while a short-term contract is more flexible. As we will argue in Section 2.2, a short-term contract is appropriate for functions with large uncertainty. An empirical study of information technology outsourcing by U.S. banks shows that a short-term contract is more likely to be successful than a long-term contract [3]. Since information security is also subject to large uncertainty, a short-term contract is expected to be superior. Setup Cost: refers to the cost of procuring and tuning relevant computer network devices in order to support security services. Most MSSP services are based on a specific platforms. For example, some MSSPs manage only devices from a specific manufacturer. Counterpane has a proprietary device (socrates) that accepts input from most computer network devices. So, if a firm s existing devices do not meet MSSP requirements, a firm may need to buy new equipment. Monitoring Cost refers to the money, time, and effort needed to monitor MSSP performance. Monitoring MSSP performance is important to make sure an MSSP does its best to protect a firm. To do this, a buyer needs to collect and analyze MSSP performance data periodically as well determining if this performance data presented by the MSSP is reliable. Coordination Cost refers to the money, time, and effort spent on communications between the buyer and the MSSP including on-going negotiations about terms and payments and routine information dissemination. When not engaged with severe attacks that need immediate attention, MSSPs typically provide periodic reports to the buyer. When engaged with severe attacks, the MSSP should know what to do immediately according to pre-specified terms. In some cases, the MSSP can take actions before reporting to the buyer. In other cases, the MSSP may be required to contact organization executives Uncertainty is any change that cannot reasonably be foreseen such as zero-day attacks, technology improvement, vendor bankruptcy, etc. for approval before taking actions. For performance-based contracts, negotiations to evaluate performance are ultimately necessary to determine payments. Switching Cost: refers to the money, time, and effort a firm incurs to switch from one MSSP to another MSSP or to switch from outsourcing to insourcing. Switching cost includes sunk cost investments on infrastructure that are required by the contracted MSSP but may not be usable by another MSSP or by the firm itself if functions are insourced. As a result of outsourcing organization functionality, a firm may have to restructure by hiring new personnel or terminating some of its current security personnel. If switching costs are high, it becomes more expensive for a firm to switch than to remain contracted with their current MSSP, this is called lock-in. 2.2 The Role of Transaction Costs in General Economic Theory In this section we review the historical relationship between transaction costs and specialization as background to show that information security outsourcing is the expected market response when transaction costs associated with security services decrease. Economists have long noticed that the ease of market transactions directly affects firm specialization. The more efficient the market, the less costly to use the market, the more people will buy products and services from the market as opposed to producing the product or service themselves at home. In The Wealth of Nations, Adam Smith argues that extent of the market (how effectively and smoothly a market functions) effects labor specialization [9]. For example, in a barter market with no currency people trade good for good. If a person has a sheep and wants an axe, he has to find another person that has an axe and wants a sheep to complete the trade. This market is inefficient since finding exact trading matches takes significant search time and may not even be possible. In inefficient barter markets where transaction costs are high, it is less costly to raise the sheep and make the axe at home. Thus, in primitive economies households are typically self-sufficient producing almost everything its members need in-house. With the appearance of currency, transactions became easier due to reduced searching cost. People do not need to find an exact match to make exchanges when money is the medium of a transaction. The overall affect of currency as the medium of exchange on an economy is specialization, people stop producing everything themselves and instead focus only on producing products and services that maximize their

3 ability to trade for money. This idea about the relationship of transaction costs and specialization was extended to study the nature of firms by R.H. Coase in his seminal paper The Nature of The Firm [4]. In this paper, Coase identifies transaction costs as the primary reason a firm exists. Transactions between firms occur under a market price mechanism while within the firm the complicated market structure is substituted by a entrepreneur-coordinator. Some functions are kept within a firm because transactions within a firm are free from transaction cost. Coase argues that transaction costs can be categorized as follows: () the cost of discovering what the relevant prices are ; (2) the cost of negotiating and concluding a separate contract for each transaction which takes place on a market (these costs can be reduced but will not disappear); and (3) the cost of uncertainty involved in contracting relationships. To further describe transaction costs due to uncertainty, first there is the moral hazard problem a contractor may shirk without being discovered making output quality hard to predict. Also, because omniscient knowledge of people has practical limits, no contract can truly reflect the complexity of human performance. Therefore, some parts of an outsourcing contracts must be left open for future negotiation. These transaction costs due to monitoring and coordination costs add to a firm s cost. However, the level of uncertainty can be limited with contracts for shorter time periods. 2 Theoretically, if the uncertainty involved in a transaction is high, even over a very short period of time, that function should be kept inside the firm. Instead of complete specialization to outsource everything except core competancy, most firms typically choose to keep the majority of functions in-house in order to save on transaction costs. To keep a function inside a firm, the firm saves on transaction costs; but to have multiple functions inside a firm, the firm is subject to loss of efficiency of production. From the transaction cost point of view, whether one function is kept within a firm or outsourced depends on whether savings on transaction costs is higher than the benefits from specialization. In other words, whether a function is insourced or outsourced depends on the level of the transaction costs. Many functions such as accounting, payroll, and human resources that used to be considered core activities of a firm to only be supplied inside a firm have now been outsourced as these processes have become standardized and their corresponding transaction costs lowered. Theoretically, every function that is not a firm s core competency can be outsourced if the outsourcing is cost 2 the level of uncertainty may also be reduced with experience from track record efficient (low transaction costs). Security outsourcing is no exception. In summary, transaction costs have a more complicated effect on the firm s profit than just adding to its cost structure. Transaction costs may determine the functional structure of an organization based on which functions are insourced and which functions are outsourced. 2.3 The Effect of Transaction Costs on Outsourcing Firms Transaction costs affect outsourcing strategies of the buyer in various ways. Different outsourcing strategies incur different levels of transaction costs. Single-vendor outsourcing is more likely to invite the lock-in problem because it may become more expensive to switch to another MSSP due to sunk cost investment or there may be no other MSSPs with the required capabilities already established with the incumbent MSSP. On the other hand, if the relationship between buyer and vendor is well managed, a long-term relationship with a single vendor may help reduce cost and improve quality[6]. If the firm contracts with multiple vendors competition between the vendors pressures vendors to market price structures. For a detailed comparison of single-vendor outsourcing versus mutiple-vendor outsourcing and how to select between them, refer to Ngwenyama and Bryson(999). The effective period of the contract also affects transaction costs and thus a firm s profit. A long-term contract saves on contracting cost, while a shortterm contract is less vulnerable to uncertain future market conditions while also saving on monitoring and coordination transaction costs. 2.4 The Effect of Transaction Costs on MSSPs The security outsourcing market system is very complicated because both the buyers and vendors are autonomous and their strategies are interdependent. Transaction costs are not only a burden on the buyers, but also affect MSSP strategies as well. Before signing the contract, high transaction costs diminishes incentives to outsource. In order to make outsourcing appealing to a firm, the vendor has to offer a competitive price. After signing the contract, however, if the firm has invested in some specific devices and cannot switch to other MSSP easily then the outsourcer may be able to raise the price over the market price level.

4 3 Analysis Model In this section we study how transaction costs affect equilibrium market prices. We show that the market equilibrium price decreases when transaction cost increases. If we use P (y) to denote buyer s compensation to MSSP. Since buyers need to pay transaction cost on top of service price, the actual out-of-pocket price buyers of MSSP face is ( + α)p (y), where αp (y) denotes the transaction cost. Transaction cost is modelled as a percentage of contract value because as the project gets larger, buyer and MSSP need to spend more time and money on the negotiation stage before and after signing the contract [5]. A survey done by Barthelemy(200) [3] reports that transaction costs can be as high as 6% for contracts lower than $0 million. 3. Modeling Transaction Costs from the Buyer Perspective First, we will look at effect of transaction costs on the outsourcing buy decision. A standard model studying an optimal contract considering an agent s moral hazard behavior can be written in recursive form as the following: K(v) = max P (y),w(y) {y P (y) + ρk(w(y))}f(y a)dy st {u(p (y)) + ρw(y)}f(y a)dy φ(a) v (P K) () a arg max {u(p (y)) + ρw(y)}f(y a)dy φ(a) (IC) where the variables are defined as: y, output of current period P (y), payment to the agent v, the agent s revenue stream discounted to current period w(y), the agent s revenue from next period on u( ), the agent s utility function a, the agent s effort level φ(a), cost that the agent incurs by working at effort level a f(y a), probability distribution of output given the agent s effort level is a By using the recursive formulation, this model utilizes the idea of dynamic programming: optimize one period at a time assuming optimal behavior in following periods. Thus, the objective function consists of two parts: y P (y) is the principal s payoff in the current period and K(w(y)) represents the principal s best payoff from next period on. With the discounting factor ρ, y P (y) + ρk(w(y)) represents principal s discounted profit. Since output y is random, expected payoff is calculated by taking the integration w.r.t y. The first constraint is usually called the promise keeping (PK) constraint. It restricts a principal s choice set of P (y) and w(y) to those that provide payoff to the agent. The second constraint is called the incentive compatibility (IC) constraint. This constraint incorporates the moral hazard behavior of the agent for any given contract P (y) and w(y), the agent always chooses an effort level a based on rational self-interest. Altogether, this model shows how a principal maximizes profit by choosing a current period payment P (y) and a future payoff w(y) to the agent in presence of the agent s moral hazard behavior. With transaction cost, we modify the maximization problem of buyer as: K(v) = max P (y),w(y),a [y ( + α)p (y) + ρk(( + α)w(y))]f(y, a)dy st [u(p (y)) + ρw(y)]f(y, a)dy φ(a) v (PK) a arg max [u(p (y)) + ρw(y)]f(y, a)dy φ(a) (IC) (2) Corresponding first order conditions are: {P (y)} ( + α) + λu (P (y)) + µu (P (y)) f a(y, a) f(y, a) = 0 (3) {w(y)} ρk (w(y)) + ρλ + µρ f a(y, a) f(y, a) = 0 From first order conditions (3) and (4) we get conditions from which optimal payment P (y) and w(y) can be derived.

5 + α u (P (y)) = λ + µf a(y, a) f(y, a) K (w(y)) = λ + µ f a(y, a) f(y, a) From equation (4), λ is a fixed positive constant, and by conventional assumption, the buyer s utility function u( ) is concave, i.e. u ( ) < 0. Therefore, if α increases, P (y), the optimal price that the buyer is willing to accept, decreases. Which means that all other things being equal, transaction costs diminish buyer willingness to outsource which can then be measured by how much service is purchased. 3.2 Modeling Transaction Costs from the MSSP Perspective Another effect of transaction costs on market price comes from competition among MSSPs. As we will show, as transaction costs increase, nominal market prices will decrease. In this section, we analyze the scenario where MSSPs engage in price competition against each other. We derive the Nash Equilibrium 3 [5] price under this scenario. To see effect of competition among the MSSPs, we ignore effect of the buyers and the moral hazard problem. We show that MSSPs will lower prices to bear part of the transaction cost due to competition with other MSSPs. The division of the transaction cost between buyers and vendors depends on price elasticity of demand for security products. A price competition is where every MSSP uses price as a strategic variable to compete with other MSSP s. That is, in a price competition, each MSSP chooses a price that maximizes his profit given pricing chosen by other MSSPs. Explicitly, profit maximization problem for vendor i is: max {P i N i (( + α)p ) C i (N i (( + α)p ))} (6) P i P i denotes price the ith MSSP charges. P (with no superscript) denotes the price vector {P i, i =,..., V } = {P i, P i }, where P i is market price the 3 A strategy vector x with payoff vector π is called a Nash Equilibrium if π i (x i, x i ) π i ( x i, x i ), x i X i, i. X i is set of all possible actions player i can take. This condition means that Nash Equilibrium is such that no player can benefit from unilateral deviations. (4) (5) ith MSSP charges. N i is demand for MSSP i service, which depends on P, the whole vector of market price. It also depends on service quality of each MSSP. C i ( ) is MSSP i total cost of serving N i customers. The more customers a MSSP has, the higher the cost will be, therefore, C i ( ) is increasing in N i, the number of customers. Also, C i includes both fixed cost(f C) and variable cost(v C), Fixed cost is the cost that does not change with the number of customers such as R&D expenditure, expenses on rental office space, and variable cost includes cost that increases with number of customers such labor hours. Explicitly, C i (N i ( )) = F C + V C(N i ( )) (7) Then the maximization problem (6) shows how the ith MSSP will maximize their net profit (revenue minus cost) by choosing a price P i given that price charged by other vendors is P i. Optimal price P i solves the following first order condition of the maximization problem w.r.t P i : N i ( ) + P i N i ( ) P i ( + α) = C (N i ( )) N i ( ) P i ( + α) (8) Divide both sides of equation (8) with N i ( ) P ( + α) and rearrange terms, i we get: P i ( η i ( + α) ) = C (N i ( )) i =,..., V (9) where η i = ( N i ( )/N i )/( P i /P i ) represents percentage change in demand due to percentage change in price which is the price elasticity of vendor i s demand. Price elasticity of demand measures how sensitive market demand is to changes in price. Because d( )/ (P ) < 0 (demand drops when the price increases and vice versa), a negative sign is added so that η i > 0. Solving P i from optimizing condition (9), under regularity conditions, the optimal solution P i is a continuous function of P i, α and η: P i = r(p i, α, η) (0) Equation(0) shows how the price MSSPi charges depends on P i prices of other MSSPs. Therefore, for all MSSPs on the market, since all MSSPs are choosing prices simultaneously, we solve the following equation system which determines the optimal prices for the MSSP market.

6 P = r(p, α, η), P 2 = r(p 2, α, η),... P V = r(p V, α, η) () Let P denote the solution of this equation system. Then P is the Nash Equilibrium for the game between the MSSPs because for each MSSP, P i is his profit maximizing price given other MSSPs choices on price. In other words, a MSSP cannot increase profit unilaterally by deviating from the Nash Equilibrium price P i. Equilibrium price vector P together with a vector of the MSSPs s profit corresponding to market price P comprises the Nash Equilibrium of this price competition. Under regularity conditions, this equilibrium price vector exists and is unique [5]. To give an idea how this Nash Equilibrium price look like, we present a graphic solution for the simplified case when V = 2. With equilibrium conditions, () reduces to the following: 0 P 2 P 2 P 2 P A(P 0, P 2 0 ) (a) Nash Equilibrium Prices when α = 0 r (P, α>0, η) 2 r (P, α=0, η) 2 P = r(p 2, α, η) P 2 = r(p, α, η) (2) To simplify, we make the following two assumptions: (), Marginal cost C i ( ) is constant. (i.e. it costs MSSP i same amount of η money to serve one additional buyer) and (2) i (P i /P i ) > 0. That is, as the price ratio P i /P i ) increases which means demand for MSSP i s service is more sensitive to price changes. In other word, as MSSP i s service becomes relatively more expensive than service provided by the other MSSP, a same percentage increase in P i will induce greater percentage reduction in demand for MSSP i s service. The two response functions in (2) are plotted in Figure where the horizontal axis represents MSSP s price and the vertical axis represent MSSP 2 s price. With the two simplifying assumptions, Feenstra[8] showed that both reaction curves have positive slopes. Fig.(a) shows the slope of MSSP s response curve is larger than slope of that of MSSP 2 s response curve. Because the response curve is the locus of MSSP best choice of price given competing MSSP prices, the intersection point E is the equilibrium point in P* 2 P** 2 E P** P* E r (P, α=0, η) 2 (b) Nash Equilibrium Prices when α > 0 r 2(P, α>0, η) Figure : Effect of Transaction Cost on Equilibrium Price the sense that neither of the MSSPs wants to deviate from it since any unilateral deviation from E lowers MSSP profit. Therefore, point E in Figure is the Nash Equilibrium. This Nash Equilibrium is also a stable equilibrium P

7 where MSSP prices eventually converge. Suppose we start with a price combination at point A(P 0, P 0 2 ). Given MSSP 2 charges P 0 2, it is optimal for MSSP to charge P according to the response curve of MSSP. Similarly, given MSSP charges P, it is optimal for MSSP 2 to charge P 2, so on and so forth, following the arrows in Fig.(a), the price vector will eventually converge to point E. Differentiate the optimization condition (9), dp i ( η i ( + α) ) + P i dη i η i2 ( + α) + P i dα η i ( + α) 2 = C (N( )) (3) By assumption that the marginal cost C ( ) is constant, C (N( )) = 0. 4 Then equation (3) implies: dp i ( η i ( + α) + dη i /η i dp i /P i η i ( + α) ) = P i dα η i ( + α) (4) We are interested how changes in transaction cost α affects equilibrium market price P. From equation (4), we argue that when the following condition is satisfied, equilibrium price decreases when transaction cost increases. or dη i /η i η i ( + α) + dp i /P i η i ( + α) > 0 η i ( + α) > dηi /η i dp i /P i (5) Since we assumed that when P i increases, demand for MSSP i s service becomes more elastic. The derivative of price elasticity w.r.t price is positive, i.e., > 0. Then the right hand side of condition (5) is smaller than dη i /η i dp i /P i. For α > 0, the left hand side η i ( + α) is always greater than if demand for MSSP i s service is elastic, which means the price elasticity of demand is greater than. Demand is elastic means if price increases a%, demand 4 It can shown that result of this paper holds as long as marginal cost decreases in number of customers of a MSSP. When it costs the MSSP less and less to serve an additional customer, we say the MSSP has economy of scale. decreases more than a%. On the other hand, if price elasticity of demand is smaller than, then demand for this good or service is inelastic. Demand for necessities are usually inelastic. Also, demand for goods or services with easily available substitutes is elastic, because if these goods become relatively more expensive, the buyers can easily shift to substitute goods. Demand for managed security services is elastic because there are many MSSPs on the market providing similar and substitutable services, or the firm can choose to keep its own internet security department. Therefore, we assume η i >, i. Then the left hand side of condition (5) is greater than. Thus condition (5) is satisfied since the right hand side of it is always smaller than. Price elasticity greater than is sufficient but not a necessary condition (5) (as long as demand is not too inelastic close to 0). Then under condition (5), equation (4) implies when transaction cost increases (dα > 0), the price that the ith MSSP wants to charge decreases(dp i < 0). Since this is true for all MSSPs, this shows that when transaction cost increases, MSSPs reduce their prices simultaneously. Graphically, the price MSSP charges decreases when α > 0 means P decreases no matter what value P 2 takes. This means the reaction curve of MSSP shifts to the left. Similarly, price MSSP 2 charges is lower when α > 0. MSSP 2 s reaction curve P 2 = r(p, α, η) shifts down. As shown in Figure-(b), the two dotted lines represent MSSP reaction curves when transaction cost is positive. The intersection gives the Nash Equilibrium when transaction cost is introduced into the model. Compared with the solid reaction curves when there is no transaction cost, the new market equilibrium price is lower for both MSSPs. Intuitively, this means competition among MSSPs creates pressure to lower prices including MSSPs bearing part of the transaction cost themselves. 3.3 Revised Model With Varying Transaction Costs In this section, we investigate how variation in transaction costs affects how MSSPs set their market prices. As argued in section 3.2, besides searching and coordination costs, transaction costs also reflect the uncertainty involved in the contracting relationships. Therefore, instead of being a constant, the transaction cost is actually a random variable. We consider the simplified case where transaction cost may take on two values () high transaction cost ᾱ and (2) low transaction cost α with probability π and π respectively. Then expected transaction cost can be calculated by πᾱ + ( π)α. Also, it can be shown that the variance of transaction cost equals to σ 2 = π( π)(ᾱ α) 2.

8 Therefore, variance of the transaction cost depends on the probability π and difference between high cost and low cost ᾱ α. For given ᾱ and α, variance of transaction cost is maximized at π = 0.5. Let P i denote a vector of buyer expected expenditures on security services. Therefore, P i includes both price P i and expected transaction costs. At P i, demand for MSSP i s security service will be N i ( P i ) based on the market demand function. Then, the MSSP s profit maximization problem can be written as the following: First order condition implies that max P i N i ( P ) C i (N i ( P )) (6) P i N i ( )+P i N i ( ) P i (+πᾱ+( π)α) C i (N i ( )) N i ( ) P i (+πᾱ+( π)α) = 0 For given π, ᾱ and α, the price that maximizes the MSSP i s profit is the one that solves the above first order condition. Therefore, price P i is a function of π, ᾱ and α. To see effect of the variance of transaction cost on P i through π, we totally differentiate the above first order condition and perform similar manipulation as in previous section. dp i ( η P i η( + πᾱ + ( π)α) + P i η η( + πᾱ + ( π)α) ) P i (ᾱ α) = η( + πᾱ + ( π)α) σ 2 π dσ 2 (7) where σ2 π = ( 2π)(ˆα α). Therefore, this term is positive if π < 0.5 and negative if π > 0.5. We assume that demand for security services is sufficiently elastic: η( + πᾱ + ( π)α) > η P i P i η Under this assumption, if high transaction costs are less probable to happen than low transaction cost, i.e., π < 0.5, increase in uncertainty of transaction cost leads to decrease in P i. On the other hand, if transaction cost is more likely to be high, π > 0.5, increase in the uncertainty in transaction cost leads to increase in P i. 3.4 Model Insights In previous sections, we discussed how magnitude and uncertainty of transaction cost affect both supply and demand of the security services. We show that with transaction costs, buyers want to outsource security under a lower price, and suppliers offer security services under a lower price as well. The overall effect is that the market price of security outsourcing becomes lower. This model can be used to analyze the ex post effect of transaction costs on the price of security services as well. Here, ex post means after the contract is signed. It is argued that once a buyer signs a contract with an MSSP, he is in a locked-in position with this security service provider. Transaction costs are the main reason to explain this lock-in. Switching to another MSSP takes additional time and effort to evaluate the potential outsourcing project. Also, since MSSPs provide security services on different platforms, switching to another MSSP may mean purchasing a new set of security devices. Thus, since the buyers cannot opt out easily, demand for MSSP service becomes inelastic, which means the price elasticity of demand η is close to 0. If this is true, the condition (5) is satisfied with reverse inequality. In this case, increase in transaction cost will lead to increase in price P i. The MSSP can increase price because he knows that it is more costly for the buyer to terminate the contract in order to find another security service provider. 4 Literature of Transaction Cost Theory Transaction Cost Economics (TCE) is the body of literature that has evolved from studying firm s outsourcing decisions. Many studies have been done on how firms make outsourcing decisions by comparing benefit from the outsourcing project and transaction costs incurred. Williamson(985)[20] argues that firms object is to maximize profit and equivalently, minimizing total cost which includes both production cost and transaction cost. He specifies variables that help measure the transaction cost. The variables include frequency of transactions, uncertainty (including environmental and behavioral uncertainty), and asset specificity. Towards this end, Rindfleisch and Heide(997)[7] argue that transaction costs also includes opportunity cost (potential benefit from another option). Opportunity cost may be very high if a firm chooses a bad option over a better one. Empirical work in this area primarily focuses on testing whether TCE is a significant factor in explaining outsourcing decision. There are both positive and negative results. Joseph (2003)[0] summarized empirical studies in tra-

9 ditional production areas such as automobile components, (Klein, Crawford and Alchian, 978[]); coal (Joskow, 990[9]); and chemicals (Lieberman, 99[4]), in which they argue that TCE is useful in understanding the outsourcing versus insourcing decision. In other newly emerged areas, it is a more complicated case. Thomas and Hubert(998)[8] show that in technology outsourcing (seeking outside technology alliances), assets specificity and uncertainty (both external and behavioral uncertainty) are significant in explaining how likely a firm will use technology outsourcing. Bartel, Lach and Sicherman(2005)[2] show that as technology uncertainty increases, firms are more likely to outsource and they also show that using more IT-intensive technology helps reduce cost in outsourcing IT-based services (e.g. Internet security). Other studies show that TCE can be at odds with reality. Lacity and Willcocks(996)[2] found that in a sample of 40 firms, TCE correctly predicted only 5 IT outsourcing decisions. Challenges on this result include Aubert and Weber(200)[], who argue that Lacity and Willcocks(996) may not have made correct measurements of a critical dimension of TCE, asset specificity. 5 Conclusions Transaction costs are a significant factor in any outsourcing decision. For Internet security outsourcing there are higher transaction costs for two major reasons: () the outsourcing process is still more of an art than a precise science and (2) increasing uncertainty about risks raises coordination costs cyberattacks may be rare and non-eventful during most periods but intensive and eventful during some periods. In this paper we use an analytical model to incorporate these two special features of transaction costs for Internet security. While most previous work has focused on how transaction costs affect a buyer s outsourcing decision, this paper focuses on how changes in transaction costs affects prices that suppliers charge in face of competition from other MSSPs. Using an analytical model, we show that when transaction costs are high, MSSPs have to charge a lower overall price for their services to balance these costs. The same result holds when the uncertainty associated increases. Our conclusion is that while performance-based contracts have to be employed to create an efficient risk-sharing mechanism, market competition provides incentives for MSSPs to share transaction costs with buyers. References [] Aubert, B. and Weber, R., Transaction Cost Theory, The Resourcebased View, And Information Technology Sourcing Decisions: A Reexamination Of Lacity et al. s Findings Institute of Applied Economics, May, 200. [2] Bartel, A.P., Lach, S. and Sicherman, N., Outsourcing and Technological Change, NBER Working Paper No. W58. Feb., [3] Barthelemy, J. The Hidden Cost of IT Outsourcing Sloan Management Rev, Vol.42, No.3, pp , 200. [4] Coase, R.H. The Nature of the Firm Economica New series, Vol.4, No. 6, pp , Nov., 937. [5] Collett, S. Pulling the Strings. Computerworld, Jun., [6] Deming, W. E. Out of the Crisis Cambridge University Press, 986. [7] Ding, W., Yurcik, W., and Yin, X. Outsourcing Internet Security: Economic Analysis of Incentives for Information Security Service Providers Workshop on Internet and Network Economics, [8] Feenstra, R Advanced International Trade-Theory and Evidence Princeton University Press, [9] Joskow, P. L Price Adjustment in Long Term Contracts: Further Evidence from Coal Markets, Rand Journal of Economics, Vol.2, pp , 990. [0] Joskow, P. Vertical Integration Handbook of New Institutional Economics, Kluwer, Dec., 2nd, [] Klein, B., Crawford, R and Alchian, A. Vertical Integration, Appropriable Rents, and the Competitive Contracting Process, Journal of Law and Economics, Vol.2, pp , 978. [2] Lacity, M., and Willcocks, L., Interpreting Information Technology Sourcing Decisions from a Transaction Cost Perspective: Findings and Critique, Accounting, Management, and Information Technologies, Vol.5, No. 3/4, pp , 996.

10 [3] Lacity, M. C., and Willcocks, L. P. An Empirical Investigation of Information Technology Sourcing Practices: Lessons from Experience MIS Quarterly Vol.22, No.3, pp , 998. [4] Lieberman, Marvin. Determinants of Vertical Integration: An Empirical Test, Journal of Industrial Economics. Vol.39, pp , 99. [5] Nash, J. Equilibrium Points in N-Person Games, Proc. of the National Academy of Sciences, Vol.36, 950. [6] Ngwenyama, O. K., and Bryson, N. Making the Information Systems Outsourcing Decision: A Transaction Cost Approach to Analyzing Outsourcing Decision Problems, European Journal of Operational Research, Vol.5 No.2, pp , 999. [7] Rindfleisch, A. and Heide, J. B. Transaction Cost Analysis: Past, present, and future applications, Journal of Marketing, Vol.6, No.4, pp , 997. [8] Robertson, T.S. and Gatignon, H. Technology Development Mode: A Transaction Cost Conceptualization, Strategic Management Journal, Vol. 9, No.6, pp , June 998. [9] Smith, A. The Wealth of Nations, 776. [20] Williamson, O. The Economic Institutions of Capitalism New York: Free Press, 985.