The majority of research works on the the economics of data privacy are not suitable for firms that outsource their business operations. In particular, the computation of security investment does not consider the bilateral security risk, and the used threat models do not consider the particular aspects of privacy threats and attacks, which show the use of multiple steps to thief and misuse the information, and depend on the type of the stolen information and its lifetime. We provide in this work an economic security investment model, allowing firms, which outsource their IT business functions, to determine their optimal security investment and the related residual risk. In this work, threats on data privacy are modeled considering the particular aspects of privacy attacks. A numerical analysis is conducted to analyze the impact of the quality of detection and reaction to privacy breaches, on optimal investment and residual risk. The analysis shows that the amount of optimal investment depends on the minimal time period to detect a security breach, the ability of the customer firm to react to such an attack as quickly as possible, and also on the type of threat on private data. In particular it has been shown that for threats related to private information theft, the customer firm can take advantage from the delay in detecting attacks at the outsourcing provider side. Moreover, it should not also put a lot of security investment effort in reducing the reaction time to these privacy attacks. In the contrary, for threats related to privacy exploitation by self-propagating malware, the customer firm has not to contact with an outsourcing company which is not committed to report an attack occurrence within a short delay, and should not to put a lot of security investment effort in reducing the reaction time to these attacks.
展开▼
