Emerging research regarding the economics of outsourcing information security recommends that firms utilize full outsourcing due to its cost advantages but ignore the risk of information leakage. In our model, we take the information leakage into account, and show that it is necessary for firm to assess the risk before outsourcing. Next, we divide a firm’s business operations into core business and non-core business operations and introduce a partial outsourcing strategy. We find that the security quality of partial outsourcing is always lower. Subsequently, we demonstrate the conditions for selecting from among three security strategies, i.e., in-house development, partial outsourcing and full outsourcing. Based on our results, in high-risk information leakage environments, we do not recommend outsourcing. We further demonstrate that outsourcing security of non-core business is an alternative strategy when the risk of information leakage is not high. A firm should shift from outsourcing to developing security protection in-house as the percentage of information assets utilized for core business increases. In addition, our results show that outsourcing information security of only core business is a strictly dominated strategy.