Factors Influencing the Organizational Decision to Outsource IT Security: A Review and Research Agenda

TL;DR

This paper reviews existing research on IT security outsourcing, identifies gaps in understanding managerial and legal factors influencing decisions, and proposes a research agenda to address critical industry challenges.

Contribution

It highlights the immaturity of current research and presents fifteen questions to guide future studies on IT security outsourcing.

Findings

Research in IT security outsourcing is immature.

Key factors influencing decisions include managerial and legal aspects.

A research agenda with fifteen questions is proposed.

Abstract

IT security outsourcing is the process of contracting a third-party security service provider to perform, the full or partial IT security functions of an organization. Little is known about the factors influencing organizational decisions in outsourcing such a critical function. Our review of the research and practice literature identified several managerial factors and legal factors. We found research in IT security outsourcing to be immature and the focus areas not addressing the critical issues facing industry practice. We therefore present a research agenda consisting of fifteen questions to address five key gaps relating to knowledge of IT security outsourcing, specifically effectiveness of the outcome, lived experience of the practice, the temporal dimension, multi-stakeholder perspectives, and the impact on IT security practices, particularly agility in incident response.