双边道德风险下软件供应链信息安全责任协调契约设计

doi:10.16381/j.cnki.issn1003-207x.2021.2656

Abstract

Abstract:

Information security is the foundation for the high-quality development of the software supply chain. In the software supply chain， information security risks are inherited， and the input of upstream and downstream information security jointly determines the degree of software operation security. Information security risks in any link will directly or indirectly affect the security of end software users. Due to the complexity of information security， neither software vendors nor users can observe each other's efforts in information security. When a safety accident occurs， the responsibility for the accident cannot be clearly defined， thus generating bilateral moral hazard. The supply chain studied in this paper consists of software suppliers and users. By constructing an ideal control model under centralized decision-making （without moral hazard） and an information security vulnerability loss sharing model under decentralized decision-making （bilateral moral hazard）， a reasonable software supply chain information security responsibility coordination contract is designed and the numerical simulation of the model is carried out.The research results show that the ratio of vulnerability loss sharing between software suppliers and users is related to the cost coefficient of the other party， not its own cost coefficient. The level of cooperative R&D determined by the synergy coefficient and cost coefficient has not changed， and when both parties in the software supply chain have certain negotiating power， under the condition of bilateral moral hazard， there is an optimal loophole loss sharing contract and the optimal benefit ratio of both parties is equal to the ratio of their respective negotiating factors. When both parties in the software supply chain share information security risks， they can change the linear distribution ratio according to their respective cost structures to seek the optimal sharing of vulnerability loss costs for both parties. At last， based on the perspective of information security management， relevant management implications are given for software suppliers and its users.

Key words: software supply chain, bilateral morality, information security responsibility, coordination contract

CLC Number:

F224

Qiang Xiong,Shuai Lian,Zhiwen Li,Shuai Jin. Design of Information Security Responsibility Coordination Contract in Software Supply Chain under Bilateral Moral Hazard[J]. Chinese Journal of Management Science, 2024, 32(10): 265-274.

Figures/Tables 10

符号	含义
$V$	软件的功能价值
$q s$	软件安全质量水平
$C (q s, V)$	软件供应商所付出的研发成本
$φ s$	软件供应商的成本系数
$C p$	软件供应商的补丁研发成本
$m$	补丁研发成本系数
$p$	软件供应商的产品定价
$A$	软件用户的信息资产价值
$q c$	软件用户的信息安全管理水平
$C (q c)$	软件用户的安全防护成本
$φ c$	软件用户的信息安全成本系数
$c$	软件用户在补丁修复过程中的成本
$γ$	软件用户和软件供应商在信息安全管理方面的协同度
$δ$	外部信息安全环境因素
$L (q c, q s)$	软件安全管理失效，外部黑客成功入侵软件漏洞，则会给企业信息资产、企业声誉等方面带来的损失

组别	$p$	$c$	$m$	$A$	$V$	$δ$	$γ$
组1	0.412	0.017	0.06	0.897	1.463	0.6	0.4
组2	0.532	0.028	0.072	0.917	1.398	0.55	0.45

组别	$p$	$c$	$A$	$V$	$φ s$	$φ c$
组1	0.32	0.017	0.897	1.663	0.976	0.421
组2	0.42	0.028	0.917	1.981	1.226	0.542

References 27

1	Sonatype. 2020 state of the software supply chain［EB/OL］.（2020-8-12）.［2020-8-12］.
2	何熙巽，张玉清，刘奇旭. 软件供应链安全综述［J］. 信息安全学报， 2020， 5（1）：57-73.
	He X X， Zhang Y Q， Liu Q X. Overview of software supply chain security［J］. Journal of Information Security，2020， 5（1）：57-73.
3	Younis A， Malaiya Y K， Ray I. Assessing vulnerability exploitability risk using software properties［J］. Software Quality Journal， 2016， 24（1）：159-202.
4	Kunreuther H， Heal G. Interdependent security［J］. The Journal of Risk and Uncertainty， 2003，26（2）：231-249.
5	田波，吴倩，甄浩. 航空公司信息安全管理系统的构建与安全保障体系研究［J］. 情报科学， 2011， 29（9）：1392-1395.
	Tian B， Wu Q， Zhen H. Construction of airline information security management system and research on security guarantee system［J］. Information Science， 2011， 29 （9）：1392-1395.
6	林润辉，谢宗晓，王兴起，等. 制度压力、信息安全合法化与组织绩效——基于中国企业的实证研究［J］. 管理世界， 2016（2）：112-127.
	Lin R H， Xie Z X， Wang X Q， et al. Institutional pressure， legalization of information security and organizational performance： An empirical Study based on Chinese firms［J］. Journal of Management World， 2016（2）：112-127.
7	董坤祥，谢宗晓，甄杰. 网络空间安全视阈下恶意软件攻防策略研究［J］. 科研管理，2019， 40（11）：164-174.
	Dong K X， Xie Z X， Zhen J. Research on attack and defense strategy of malware from the perspective of cyberspace security［J］. Science Research Management， 2019， 40（11）：164-174.
8	Ellison R C， Woody C. Supply-chain risk management： Incorporating security into software development［C］//Proceedings of System Sciences （HICSS）， 43rd Hawaii International Conference on， Honolulu， Hawaii， USA， February 8，2010.
9	Barabanov A V， Markov A S， Tsirlov V L. Information security systematics of software supply chains［J］. Bezopasnost Informacionnyh Tehnology，2019，26（3）：68-79.
10	Sabbagh B A， Kowalski S. A socio-technical framework for threat modeling a software supply chain［J］. IEEE Security and Privacy Magazine， 2015， 13（4）：30-39.
11	Ohm M， Plate H， Sykosch A， et al. Backstabber's knife collection： A review of open source software supply chain attacks［C］//Proceedings of 17th International Conference on Detection of Intrusions and Malware and Vulnerability Assessment， Cornell University， State of New York， May 19，2020.
12	Mitra S， Ransbotham S. Information disclosure and the diffusion of information security attacks［J］. Information Systems Research， 2015， 26（3）：565-584.
13	于振华，谢文军，马志强，等. 信息物理融合系统中恶意软件传播与分岔控制策略［J］. 系统工程理论与实践， 2017， 37（10）：2744-2752.
	Yu Z H， Xie W J， Ma Z Q， et al. Malicious software propagation and bifurcation control strategy in information physical fusion system［J］. Systems Engineering-Theory & Practice， 2017， 37（10）：2744-2752.
14	祝国邦，陈洁. 软件供应链安全现状与对策建议［J］. 中国信息安全， 2018（11）：44-47.
	Zhu G B， Chen J. Current situation and countermeasures of software supply chain security［J］. China Information Security， 2018（11）：44-47.
15	王健，盛积良，庄新田. 基金销售市场双边道德风险，理财经理过度自信与投资者利益保护［J］. 管理工程学报， 2016， 30（2）：133-141.
	Wang J， Sheng J L， Zhuang X T. Financial managers' overconfidence and investor interest protection［J］. Journal of Industrial Engineering and Engineering Management， 2016， 30（2）：133-141.
16	张红霞. 双边道德风险下食品供应链质量安全协调契约研究［J］. 软科学， 2019，33（9）：99-107.
	Zhang H X.Research on coordination contract of food supply chain quality safety under bilateral moral hazard［J］. Soft Science， 2019，33（9）：99-107.
17	Lee C H， Geng X， Raghunathan S. Contracting information security in the presence of double moral hazard［J］. Information Systems Research， 2013， 24（2）：295-311.
18	Eloranta V， Turunen T. Platforms in service-driven manufacturing： Leveraging complexity by connecting， sharing， and integrating［J］. Industrial Marketing Management， 2016， 55：178-186.
19	Corbett C J， DeCroix G A， Ha A Y. Optimal shared-savings contracts in supply chains： Linear contracts and double moral hazard［J］. European Journal of Operational Research， 2005， 163（3）：653-667.
20	Balachandran K R， Radhakrishnan S. Quality implications of warranties in a supply chain［J］. Management Science， 2005， 51（8）：1266-1277.
21	严建援，甄杰，张甄妮. 双边道德风险下SaaS供应链质量担保契约设计［J］.软科学，2015，29（7）：118-124.
	Yan J Y， Zhen J， Zhang Z N. Design of quality assurance contract for SaaS supply chain under bilateral moral hazard ［J］. Soft Science， 2015，29（7）：118-124.
22	申强，侯云先，杨为民. 双边道德风险下供应链质量协调契约研究［J］.中国管理科学， 2014， 22（3）：90-95.
	Shen Q， Hou Y X， Yang W M. Supply chain quality coordination contract under bilateral moral hazard［J］. Chinese Journal of Management Science， 2014， 22（3）：90-95.
23	马金鑫. 防范软件供应链安全风险维护网络空间安全［J］. 中国信息安全， 2018， 107（11）：57-59.
	Ma J X. Prevention of software supply chain security risk and maintenance of cyberspace security［J］. China Information Security， 2018， 107（11）：57-59.
24	范波，孟卫东，代建生.具有协同效应的合作研发利益分配模型［J］.系统工程学报，2015，30（1）：34-43.
	Fan B， Meng W D， Dai J S. A model of collaborative R&D profit distribution with synergistic effect［J］. Journal of Systems Engineering，2015，30（1）：34-43.
25	谭春桥，吴欣，崔春生.促销模式下基于纳什谈判的线上旅行商与线下旅行社定价策略研究［J］.中国管理科学，2021，29（3）：143-152.
	Tan C Q， Wu X， Cui C S. Pricing strategies of tour operator and online travel agency based on nash bargaining in promotion model［J］. Chinese Journal of Management Science， 2021，29（3）：143-152.
26	郑本荣，杨超，刘丛.成本分摊对制造商回收闭环供应链的影响［J］.系统工程理论与实践，2017，37（9）：2344-2354.
	Zheng B R， Yang C， Liu C. The effect of cost sharing on manufacturer collecting closed loop supply chain［J］. Systems Engineering-Theory & Practice， 2017，37（9）：2344-2354.
27	Bhattacharyya S， Lafontaine F. Double-sided hazard and the nature of share contracts［J］. The Rand Journal of Economics， 1995， 26（4）：761-781.

[1]	SU Ju-ning, YANG Ze-jun, WANG Yi-ting, HOU Lin-na. The Multi-stage Joint Optimization and Coordination of R & D and Maintenance in Smart Connected Product Service Supply Chain [J]. Chinese Journal of Management Science, 2022, 30(9): 162-171.
[2]	YE Xin, ZHOU Yan-ju. Dynamic Pricing and Joint Emission Reduction Strategies in a Dual-channel Supply Chain Considering Goodwill [J]. Chinese Journal of Management Science, 2021, 29(2): 117-128.
[3]	HUANG Shou-jun, YANG Jun. Optimization and Coordination Decisions for V2G Reserve Contract Based on CVaR Risk Measurement [J]. Chinese Journal of Management Science, 2018, 26(6): 167-177.

Design of Information Security Responsibility Coordination Contract in Software Supply Chain under Bilateral Moral Hazard

RichHTML

PDF (PC)

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 10

References 27

Related Articles 3

Metrics

Comments

Recommended 0