Security breaches often stem from business partner failures within the value chain. There have been several recent efforts to develop a common reference for rating the information risk posed by partners. We develop a simple analytical model to examine the impact of such information security ratings on service providers, customers, and social welfare. While some might believe that ratings would benefit high-security providers and hurt those with lower security, we show that this is not always the case. We find that information security ratings can hurt both types of providers or benefit both, depending on the market conditions. Surprisingly, we also find that security ratings do not always benefit the most demanding customers who desire highly secure business partners. Yet, in all cases, we find that social welfare is improved when information security ratings are adopted. This result suggests that information security ratings should be encouraged through public policy initiatives.
Zhou, Zach Z. and Johnson, Eric M., "The Impact of Information Security Rating on Vendor Competition" (2009). AMCIS 2009 Proceedings. 280.