Information security outsourcing is a critical strategy for organizations facing challenges such as security skills shortages, constrained budgets and frequent technology updates. While it is well established that general IT outsourcing is due to human resource scarcity, this relationship has not been explicitly theorized or empirically tested for information security. This oversight is notable given the specialized nature of security functions, which require distinct expertise and carry unique risks. These risks are especially salient for information-intensive firms. The purpose of this study is to theorize and perform an empirical analysis of how human resource scarcity and information intensity of firms affect their security outsourcing decision.
Analysis of firm-level data spanning nine years.
Firms facing IT human resource scarcity are more likely to outsource information security, whereas information-intensive firms are significantly less likely to do so. The interaction effect was not significant.
The finding contrasts with general IT outsourcing, where information-intensive firms are more likely to outsource non-security IT functions. The theory and empirical findings highlight the need for firms to carefully negotiate the balancing act between managing risks and benefiting from security outsourcing.
