To outsource or not: The impact of information leakage risk on information security strategy

Nan Feng, Yufan Chen, Haiyang Feng, Dahui Li, Minqiang Li

Research output: Contribution to journalArticle

1 Scopus citations


Emerging studies advocate that firms shall completely outsource their information security for cost and technical advantages. However, the risk of information leakage in outsourcing to managed security service providers (MSSPs) is overlooked and poses a confidentiality threat. We develop analytical models to describe several strategies for firms to consider when they decide to outsource to MSSPs. Based on our results, we suggest partial outsourcing as an alternative strategy when the firm faces information leakage risk. Besides, we suggest that in-house information security strategy is the optimal solution when the risk of being attacked is low regardless of the risk of information leakage. We then extend scenarios to the competitive environment where firms that are in the same market are highly likely to choose the same strategy.

Original languageEnglish (US)
Article number103215
JournalInformation and Management
StateAccepted/In press - Jan 1 2019
Externally publishedYes



  • Information leakage
  • Information security strategy
  • Managed security service
  • Partial outsourcing

Cite this