Contracting managed security service: Double moral hazard and risk interdependency

Nan Feng, Shiyue Zhang, Minqiang Li, Dahui Li

Research output: Contribution to journalArticlepeer-review


The problem of double moral hazard seriously affects the efficiency of information security outsourcing. The interdependency risk of information security between managed security service providers (MSSPs) and client firms further complicates the double moral hazard problem. In the loss-based contract, both positive and negative risk interdependencies make outsourcing more inefficient in most instances. To solve the problem, a relational contract is proposed. We find that this relational contract leads to a greater social welfare with increase of discount factor, and the double moral hazard problem can be solved within the range that the discount factor is high. Furthermore, both positive and negative risk interdependencies can help relational contract to eliminate double moral hazard within a larger discount range. Finally, as some MSSPs’ efforts are considered to be verifiable, we find that by specifying thresholds in a relational contract, the benefits of an MSSP's default can be limited, thereby ensuring that the relational contract achieves social optimal outcomes in more general cases.

Original languageEnglish (US)
Article number101097
JournalElectronic Commerce Research and Applications
StatePublished - Nov 1 2021
Externally publishedYes

Bibliographical note

Funding Information:
The research was supported by the National Natural Science Foundation of China (nos. 71871155 and 71631003 ).

Publisher Copyright:
© 2021


  • Double moral hazard
  • Interdependency of information security risks
  • Managed security service
  • Relational contract


Dive into the research topics of 'Contracting managed security service: Double moral hazard and risk interdependency'. Together they form a unique fingerprint.

Cite this