[HIB]Forcing security pros to disclose breaches

A group of academia contends that typical service level agreements (SLAs) for managed security services — which state the provider has to compensate the client for security lapses — may deter providers from reporting security breaches, a claim that managed security services providers (MSSPs) have rejected.Titled "Outsourcing Information Security: Contracting Issues and Security Implications", the research paper (PDF) was presented at the Workshop on the Economics of Information Security (WEIS) 2010 earlier this month. Using mathematical analysis, the authors concluded that under the traditional model, MSSPs face the challenge of performing both prevention and detection efforts equally well, with no incentive to reveal lapses.The trio proposed two alternative models that they believe would rectify the situation. The first was to penalise the MSSP if the customer is the one that uncovers the breach, but reward the provider if it detects the breach first. Another model is for the client to adopt a 2-MSSP approach, where one is responsible for providing the security services and another dedicated to monitoring and breach detection.

**Hidden Content: To see this hidden content your post count must be 1 or greater.**