The derivation of a conceptual model for outsourcing IT security

IT security outsourcing is the establishment of a contractual relationship with an outside vendor to assume responsibility for one or more security functions. Outsourcing in IS has had a variable history of success and the complexity of the decision making process leads to a substantial degree of uncertainty. This is especially so in the realm of IS security since the protection of both hardware and software systems in is placed in the hands of an external provider. This is the second paper discussing the improvement of the effectiveness of the decision making process by means of a conceptual model using Soft System Methodology techniques that integrates security benefits, costs and their respective performance measures. In this paper the methodology used to develop the model and its validation are discussed.

Explaining I.T. outsourcing purchasers' dissatisfaction

Outsourcing of IT is a popular strategy, argued by proponents to deliver a range of benefits including cost savings, increased service quality, and strategic advantages. However, empirical evidence of the success of outsourcing is limited, and several recent studies have suggested widespread dissatisfaction exists amongst purchasers. This paper analyses one such study to determine predictors of outsourcing satisfaction (and
dissatisfaction). The analysis reveals that, for purchasers, IT outsourcing satisfaction and perceived value (which are highly correlated) depend on whether strategic benefits are obtained, and on the technical service quality provided by vendors. Both in turn depend on whether expected cost savings are obtained. The implications of these findings for both vendors and purchasers are discussed.

The derivation of a conceptual model for IT security outsourcing

IT security outsourcing is the establishment of a contractual relationship between an organization with an outside vendor which assumes responsibility for the organisation’s security functions. Outsourcing in IS has had a variable history of success and the complexity of the decision making process leads to a substantial degree of uncertainty. This is especially so in the realm of IS security since the protection of both hardware and software systems is placed in the hands of an external provider. This paper is a fuller and more comprehensive paper of a previous paper outlining the effectiveness of the decision making process by means of a conceptual model using Soft System Methodology techniques that integratessecurity benefits, costs and their respective performance measures. In this paper the methodology used to develop the model is discussed in detail.

The Australian Government`s abandoned infrastructure outsourcing program: what can be learned?

Early in 2001, after a damning public report by the Auditor-General, the Australian Federal Government abandoned its highly promoted “whole of government” IT infrastructure outsourcing initiative. This about-face was greeted in the press with reports that the initiative was a “fiasco”. Yet a four-year case study conducted by the authors suggests a more complex picture. Like many other “selective” outsourcers of IT, the Federal Government had been led to believe that it was adopting a relatively low risk strategy that would, if well managed, lead to significant cost savings and operational benefits. Instead, despite having implemented many widely promoted “best practices”, the Federal Government found a substantial discrepancy between what outsourcing promised to deliver, and what was actually achieved. In this respect their experiences were no different from those of many other large IT organizations engaged in selective IT outsourcing, who responded to a substantial contemporaneous survey. This case study examines why the Government’s expectations were not achieved, and arrives at conclusions that have important implications for decision makers confronted with choices about sourcing IT service delivery.

A conceptual model for security outsourcing

This research analyses the current literature on IT security outsourcing and the organisational attitudes towards this approach to determine the applicability of outsourcing IT security in a commercial environment. A conceptual model is developed as the main goal of research which provides guidance in the process of outsourcing IT security functions to a third-party security service provider. The research conducted has established a complete process for outsourcing IT security.

Understanding informations systems outsourcing success and risks through the lens of cognitive biases

Because outsourcing of information systems (IS) is now widespread, it is generally assumed to be successful. It is also often assumed that outsourcing risks are easily managed. In this paper we adopt an “evidence based management” approach to first test these assumptions through a qualitative metaanalysis of academic studies into IS outsourcing outcomes. Our research reveals a shortage of reliable and valid evidence for outsourcing’s benefits, and for the level of risk involved. We then use data from a series of focus groups to explain the paradox of widespread adoption of a strategy with limited empirical support. These focus groups were interpreted through the lens of research on a
range of cognitive mechanisms and biases that are known to affect decision makers. We conclude that cognitive mechanisms that are likely to affect sourcing decisions include framing biases, cognitive dissonance, attribution error, and the “optimism”, “confirmation”, “disconfirmation” and “overconfidence” biases. Given the shortage of supporting evidence, and the potential for these biases to operate, we argue that researchers need to be more critical in their analysis of reports of the success and risks of IS outsourcing.

The Australian Government`s abandoned infrastructure outsourcing program: "fiasco" or relatively typical?

Early in 2001, after a damning public report by the Auditor-General, the Australian Federal Government was forced to abandon its highly promoted “whole of government” infrastructure outsourcing initiative. This about-face was greeted in the press with reports that the initiative was a “fiasco”. Yet a four-year case study of the initiative suggests a more complex picture. The initiative can be viewed in a quite different light on the basis of comparisons with a contemporary survey of 240 Australian organisations engaged in IT outsourcing. This reveals that many of the negative outcomes associated with this “fiasco” are typical of those experienced by large Australian organisations. This has important implications for decision makers confronted with choices about sourcing IT service delivery.

Minimising risks in IT outsourcing: choosing target services

This paper provides a risk-based framework for deciding on which IT services to outsource and which to keep in-house. This framework considers the probabilities both of negative outcomes, and of failing to achieve positive outcomes. The authors examine the major components of outsourcing risk and their drivers, and from this derive a series of questions decision-makers can ask when deciding what sourcing options to adopt for different services. The framework was developed on the basis of five years of qualitative and quantitative research into the experiences of organizations involved in outsourcing IT.

Outsourcing in the Australian health sector : the interplay of economics and politics

Purpose – The paper discusses the reasons and approaches used at three health organisations in introducing outsourcing. It specifically answers the question: why have managers of health organisations outsourced some functions in preference to others?

Design/methodology/approach – This research employs a case study method making use of qualitative analysis. The health organisations were chosen first as representatives of their type, and secondly due to the nature of the outsourcing decisions made. The first health organisation operates in the rural sector; the second is a metropolitan network; and the third is a large metropolitan hospital, which, in contrast to the other two case study organisations, had made only one decision to outsource, producing the largest outsourcing contract in health in Australia. Furthermore, this situation was distinctive as the contract was terminated and re-issued to another private sector organisation.

Findings – The reasons for outsourcing varied within and between health organisations. Although generally they were made on the bases of the characteristics of the labour market, employee skill levels and the nature of industrial relations, the perception of what was core, the level of internal management skills, the ability of internal teams to implement change and the relationship between management and staff. Even though cost savings and a downsized labour force resulted, generally these occurred even when services were not outsourced, through the use of other change processes, such as introducing new technology, changing structures and promoting workforce flexibility. The interplay of political reasons and economic effects was evident along with the political nature of the decision-making and processes used. The paper concludes that the power of managers was a moderating factor between the desire for outsourcing and whether outsourcing actually occurred.

Research limitations/implications – Although this research was conducted solely within the health sector it has implications for other public sector bodies and the private sector.

Practical implications – Managerial decision making can be enhanced with the exploration of the full complement of reasons for the outsourcing decision.

Originality/value – The paper has value to both academics researching in the public sector and public sector managers.