Security problems are interdependent when risk faced by one firm is determined in part by the behavior of others, says Professor Kunreuther. More important, the behavior of the other firms affects the incentives of the first firm to reduce its exposure to the risk. Professor Kunreuther studied this challenge in a paper on airline security he cowrote in October 2002 with Professor Heal and Peter Orszag, a senior fellow at the Brookings Institution in Washington, D.C. “Even an airline with an infallible screening system is at risk,” they write, “since only the bags checked by passengers who initiate the trip with that airline are inspected; those bags transferred from another airline are not.” So it is with interdependent computer networks: They note that “once a hacker or virus reaches one computer on a network, the remaining computers can more easily be contaminated.” The potential uncontrolled exposure in this scenario reduces the incentive for an individual computer operator to protect against outside hackers. “Even stringent cybersecurity may not be particularly helpful if a hacker has already entered the network through a ‘weak link,’” they write.
Outsourcers have begun asking their service providers to incorporate tighter checks and balances to secure data privacy and prevent fraud.
The BITS offerings include everything from a survey of the key considerations in background screening of employees to recommendations on termination clauses in outsourcing contracts. But even the BITS work can’t cover every eventuality. There isn’t always a right answer for an institution weighing a certain type of risk, says Ms. Boettger. Much depends on the nuances and the risks inherent in the service outsourced. “We have provided considerations organizations can use to manage risk, not measure risk,” she cautions.
Extend the Organization
Many risks can be avoided if outsourcing companies successfully transport their best practices to service providers, says Booz Allen’s Paul Fielding. Doing that is far more than a matter of words on paper; rather, clients and providers need to work closely together on an ongoing basis. “Oftentimes, what I see in contracts is people trying to abdicate their responsibility with contractual language, and often the vendors are left in charge of checking themselves,” says Mr. Fielding. The guiding principle, he says, is “trust, but verify.”
But how? Wharton’s Professor Aron advocates an “extended organization form,” a model that brings together two forms of governance — one imposed by the outsourcing “market” and the other by the in-house management, or “hierarchy.” “The chief discipline of the ‘market’ is efficiency of cost, while the ‘hierarchy’ brings managerial control,” he says. “The extended organization form will give a company the great benefit of contracting with a third party provider for cost control, and also the ability for real-time control of that project’s performance.”