Information security concerns in IT outsourcing: Identifying (in)congruence between clients and vendors

https://doi.org/10.1016/j.im.2016.10.002

Highlights

  • We identify the information security concerns in information technology (IT) outsourcing.

  • We analyze (in)congruence between clients and vendors with respect to the concerns.

  • Information security competency of vendors is critical in IT outsourcing.

  • Compliance with policies and regulations is critical for information security.

  • Trust about controls and protection of information is critical in IT outsourcing.

Abstract

Managing information security in Information Technology (IT) outsourcing is important. We conducted a Delphi study to identify the key information security concerns in IT outsourcing. A follow-up qualitative study was then undertaken to understand the (in)congruence between clients and vendors with respect to the top-ranked information security concerns. In a final synthesis, our study found three central constructs for ensuring information security in IT outsourcing: 1) competence of the vendor to ensure information security; 2) compliance of the vendor with client requirements and external regulations; and 3) trust that proprietary information is not abused and that adequate controls are in place.

Introduction

Globalization requires that organizations transcend national boundaries to collaborate among distributed teams. Such global collaborations have transformed organizational structures around virtual teams, offshoring, outsourcing, and open sourcing [1]. However, information security is a significant sticking point in establishing a relationship between Information Technology (IT) outsourcing vendors and clients. While statistics related to outsourcing risks and failures abound, there has been limited emphasis on understanding information security concerns in outsourced projects from both the client and the vendor perspective [36], [75]. We argue that information security incongruence stems from a lack of fit between what IT outsourcing vendors consider to be the key success factors and what outsourcing clients perceive to be critical for the success of the relationship. Such an investigation is important for two primary reasons: (1) There is a problem with the appreciation of the context within which IT vendors and clients operate. A majority of IT outsourcing projects fail because of a lack of appreciation as to what matters to the clients and the vendors [6], [30]. (2) Lack of congruence often leads to broken processes and misaligned priorities, which are a consequence of an organization's inability to manage the IT vendor-client relationship [18]. We study the information security incongruence problem through the following research questions:

  1) What are the key information security concerns that IT outsourcing clients and vendors face?

  2) What is the extent of (in)congruence between IT outsourcing clients and vendors with respect to the top-ranked information security concerns?

There are two classes of definitions that need clarity. First, in our research IT outsourcing refers to the arrangement between a client and a vendor firm where a vendor may provide information technology related services to the client organization [35]. Second, in our research information security refers to the confidentiality, integrity, and availability of information or intellectual property pertaining to client and vendor firms engaged in IT outsourcing projects (see [11] for a detailed review). In the context of this research, we are concerned with the nature and scope of information security concerns in ongoing IT outsourcing arrangements between clients and vendors.

In this paper, we present an analysis of a two-phase study that investigates the extent of (in)congruence between outsourcing clients and vendors. In the first phase, we conduct an extensive Delphi study to identify the major information security concerns in outsourced projects, and we rank these concerns to identify the priorities of clients and vendors. In the second phase, we conduct an intensive analysis of the concerns through in-depth interviews with several client and vendor firms. Based on this analysis, we define a framework for ensuring information security in IT outsourcing.

Section snippets

Informing literature

In this research, we are informed by the mainstream IT outsourcing literature. Within this literature, we are particularly interested in research that has focused on identifying information security concerns. Such research falls into two broad categories: research focusing on relationships between clients and vendors and research focusing on outsourcing risk assessment.

One of the earlier pieces of research by Michael Earl [18] notes, “the objectives of outsourcing are cost cutting; a desire to

Research methodology

In this research, we used the Delphi technique to identify important information security concerns pertinent to an IT outsourcing relationship. We followed up by undertaking in-depth qualitative interviews with subject matter experts to understand the differences in the rankings obtained from IT outsourcing clients and vendors. The schematic illustrating the methodological steps is presented in Fig. 1.

Ranking of information security concerns in IT outsourcing

In this section, we present the results of the Delphi study in two subsections. The first subsection presents the full list of information security concerns in IT outsourcing identified by both clients and vendors. The second subsection presents the rankings of these concerns provided by the client and vendor panels.

Discussion

In this section, we discuss the findings pertaining to the two research questions of this study.

Conclusion

In this paper, we have presented an in-depth study of information security concerns in IT outsourcing arrangements. We argued that while several scholars have studied the relative success and failure of IT outsourcing, the emergent security concerns have not been addressed adequately. Considering this gap in the literature, we conducted a Delphi study to identify the top information security concerns in IT outsourcing from both the client and the vendor perspective. Finally, we engaged in

References (75)

  • J. Goo et al., An investigation of factors that influence the duration of IT outsourcing relationships, Decis. Support Syst. (2007)
  • S.M. Handley, The perilous effects of capability loss on outsourcing management and performance, J. Oper. Manage. (2012)
  • T. Herath et al., Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness, Decis. Support Syst. (2009)
  • R.C. Judd, Use of Delphi methods in higher education, Technol. Forecasting Social Change (1972)
  • A.M. Khalfan, Information security considerations in IS/IT outsourcing projects: a descriptive case study of two sectors, Int. J. Inf. Manage. (2004)
  • J.N. Lee, The impact of knowledge sharing, organizational capability and partnership quality on IS outsourcing success, Inf. Manage. (2001)
  • R.T. Nakatsu et al., A comparative study of important risk factors involved in offshore and domestic outsourcing of software development projects: a two-panel Delphi study, Inf. Manage. (2009)
  • P.M. Norman, Protecting knowledge in strategic alliances: resource and relational characteristics, J. High Technol. Manage. Res. (2002)
  • C. Okoli et al., The Delphi method as a research tool: an example, design considerations and applications, Inf. Manage. (2004)
  • K.-M. Osei-Bryson et al., Managing risks in information systems outsourcing: an approach to analyzing outsourcing risks and structuring incentive contracts, Eur. J. Oper. Res. (2006)
  • S. Posthumus et al., A framework for the governance of information security, Comput. Secur. (2004)
  • B. Quélin et al., Bringing together strategic outsourcing and corporate strategy: outsourcing motives and risks, Eur. Manage. J. (2003)
  • M. Siponen et al., Information security management standards: problems and solutions, Inf. Manage. (2009)
  • K.L. Thomson et al., Towards an information security competence maturity model, Comput. Fraud Secur. (2006)
  • I. Tickle, Data integrity assurance in a layered security strategy, Comput. Fraud Secur. (2002)
  • A. Vining, A conceptual framework for understanding the outsourcing decision, Eur. Manage. J. (1999)
  • D.H. Yang et al., Developing a decision model for business process outsourcing, Comput. Oper. Res. (2007)
  • R. Gonzalez et al., Information systems outsourcing: a literature analysis?, Inf. Manage. (2006)
  • P. Agerfalk et al., Outsourcing to an unknown workforce: exploring opensourcing as a global sourcing strategy, MIS Q. (2008)
  • B.A. Aubert et al., A framework for information technology outsourcing risk management, ACM SIGMIS Database (2005)
  • B. Aubert et al., Assessing the risk of IT outsourcing, Proceedings of the Thirty-First Hawaii International Conference on System Sciences, IEEE (1998)
  • J. Barthelemy, The hidden costs of IT outsourcing, MIT Sloan Manage. Rev. (2001)
  • B. Bulgurcu et al., Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness, MIS Q. (2010)
  • A.J.T. Chang et al., On security preparations against possible IS threats across industries, Inf. Manage. Comput. Secur. (2006)
  • R. Chowdhuri et al., Understanding information security, J. Inf. Syst. Secur. (2012)
  • M.R. Doomun, Multi-level information system security in outsourcing domain, Bus. Process Manage. J. (2008)
  • M.J. Earl, The risks of outsourcing IT, Sloan Manage. Rev. (1996)
Cited by (48)

  • Firm diversity and data breach risk: A longitudinal study (2022, Journal of Strategic Information Systems). Citation excerpt: A common practice of firms is to disregard in-house hiring and turn to outsourcing their IT needs. However, IT outsourcing frequently has to turn over customer firms' IT-related functions and long-term privileged information access to third-party vendors and also allows the latter to operate the outsourced IT functions off-site (Dhillon et al. 2017; Khalfan 2004). This situation will lead to the fragmentation of firm protection barriers and poses considerable security challenges for customer firms.

  • Developing a modified total interpretive structural model (M-TISM) for organizational strategic cybersecurity management (2021, Technological Forecasting and Social Change). Citation excerpt: A strategic alliance with other technological organizations can help in the development of resources and technological skills (Safa et al., 2018). Collaboration with other organizations can serve as a catalyst for the technological infrastructure development of the organization, which will directly help in cybersecurity management (Dhillon et al., 2017; Happa, Glencross, and Steed, 2019). This study also enriches organizational learning theory.

  • To outsource or not: The impact of information leakage risk on information security strategy (2020, Information and Management). Citation excerpt: Nevertheless, whether MSSPs can meet client firms' security requirements remains unclear. Introducing an MSSP in a firm's business relationship may increase the uncertainty in the firm's business operations and lead to failures in information protection [5]. Firms realize they have to absorb the monetary losses stemming from MSSPs.

Dr. Gurpreet Dhillon is a professor of Information Systems in the School of Business, Virginia Commonwealth University, Richmond, VA, USA. He holds a PhD from the London School of Economics and Political Science, London, UK. His research interests include management of information security and the ethical and legal implications of information technology. His articles have been published in several journals including Information Systems Research, Journal of Management Information Systems, Decision Support Systems, Journal of Strategic Information Systems, Information Systems Journal, European Journal of Information Systems, Information & Management, Communications of the ACM, and Computers & Security. Gurpreet has authored seven books including Principles of Information Systems Security: text and cases (John Wiley, 2007). He is also the editor-in-chief of the Journal of Information System Security. His research has been featured in various academic and commercial publications and his expert comments have appeared in Knowledge@Wharton, the New York Times, USA Today, Business Week, and NBC News.

Dr. Romilla Syed is an assistant professor of Management Science and Information Systems at the University of Massachusetts, Boston, MA. She received her PhD in Information Systems from Virginia Commonwealth University. Her research interests include social media, information security, decision analytics, and data science. Her work has been published in various journals and presented at international conferences.

Dr. Filipe de Sá-Soares is a professor at Universidade do Minho, Braga, Portugal. His research interests are in management of information security and risk management. His research has been published in several academic journals and presented at mainstream conferences. Dr. Sá-Soares also serves as the managing editor of the Journal of Information System Security.