The research, which will be presented at the Workshop on the Economics of Information Security (WEIS) 2010 next month, analyzed a common type of contract used today in which a provider assesses a fee for its managed security service, but refunds part of the fee -- as a penalty -- if there is a breach.
Using game-theory analysis, the researchers established that this commonly used contract model provides no incentive for the provider to notify its client of a breach.
Two other contract models, however, are more likely to provide incentives for better security, the researchers say. One variant assesses a penalty if there is a breach, but rewards the provider if they are the ones that reveal it. A second variant uses one provider for the managed security service and another to detect breaches.
Without a reward, "You are not providing any incentive for the managed security service provider to detect breaches," says Asunur Cezar, the paper's lead author and an instructor at the Middle East Technical University in Ankara, Turkey. "It may be penalized after some investigation, but that does not necessarily act as an incentive."
The research also found that, when penalties are limited in some way, the second variant -- using one MSSP for monitoring and another for detection -- provides better security. The researchers pointed to court cases that limit penalties against service providers, concluding that such real-world limits mean having one provider essentially audit the other leads to the best performance.
However, using two providers sacrifices any benefits or efficiencies from having a single provider do both functions, Cezar says.
"This trade-off is crucial when choosing to outsource information security," she wrote in the paper.
The results of the study could be interesting academically, but they might not translate well to real-world MSSP contracts, says John Pescatore, vice president of analyst firm Gartner. In the real world, service firms are providing a specific function, not blanket protection, so it is usually difficult to penalize the companies for a breach.
"The contract is to manage your firewalls or manage your firewalls, intrusion detection system, and antiviral -- they are not saying, 'Sign up with us, and we will protect you against all breaches,'" Pescatore says.
If a company's intrusion detection service misses an attack, for example, but after a signature update is able to detect compromised systems, the vendor's service has performed as advertised, Pescatore says. Typically providers offer a service-level agreement (SLA) that requires them to notify the client of any detected events within a certain time period -- say, one hour or 15 minutes.
What might not work for an external service provider, however, could work with an internal IT department, Pescatore argues.
"I think if you turn the calculus around, the argument almost makes more sense when companies are running their own firewalls," he says. "There is a reluctance when there is a serious problem to tell people in the company."
The research does highlight some of the forces that are driving the managed security services market. For example, analysis of the trade-off between monitoring and detection suggests that companies will settle for detecting hard-to-prevent security breaches after the fact if prevention is too costly. Conversely, if detecting security breaches after the fact is too costly -- because of the damage done -- then more money will flow into monitoring and prevention services, the paper argues.
These forces -- in addition to the limits on penalties -- suggest that using two services might be a better choice, METU's Cezar says.
"Our results suggest that we will see more two-MSSP contracts," she says.
Already, there are some signs that such two-party security services are becoming more common, Pescatore says. He points to the use of vulnerability-scanning firms, such as Qualys, to check that a managed firewall service is working appropriately.
"It is not unusual, even today, for people to outsource checks on their security," he says. "There are even SLAs that require software-as-a-service vendors to run vulnerability scans against their services."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.