To outsource or not: The impact of information leakage risk on information security strategy

Nan Feng, Yufan Chen, Haiyang Feng, Dahui Li, Minqiang Li

Research output: Contribution to journal › Article › peer-review

27 Scopus citations


Emerging studies advocate that firms shall completely outsource their information security for cost and technical advantages. However, the risk of information leakage in outsourcing to managed security service providers (MSSPs) is overlooked and poses a confidentiality threat. We develop analytical models to describe several strategies for firms to consider when they decide to outsource to MSSPs. Based on our results, we suggest partial outsourcing as an alternative strategy when the firm faces information leakage risk. Besides, we suggest that in-house information security strategy is the optimal solution when the risk of being attacked is low regardless of the risk of information leakage. We then extend scenarios to the competitive environment where firms that are in the same market are highly likely to choose the same strategy.

Original language: English (US)
Article number: 103215
Journal: Information and Management
Issue number: 5
State: Published - Jul 2020

Bibliographical note

Funding Information:
The research was supported by the National Natural Science Foundation of China (nos. 71871155, 71631003, and 71971153). Special thanks to Gina Chiodi Grensing for her assistance in editing this paper.

Publisher Copyright:
© 2019 Elsevier B.V.


  • Information leakage
  • Information security strategy
  • Managed security service
  • Partial outsourcing

