This dissertation studies three incentive issues in information security management. The first essay studies contract issues between a firm that outsources security functions and a managed security service provider (MSSP) that provides security functions to the firm. Since MSSP and firms cannot observe each other's actions, both can suffer from the double moral hazard. The first essay reflects the unique characteristics of security outsourcing: the externality and multi-client nature. A refund serves the dual roles of punishment and reward between MSSP and client firms. We first show that the prevailing contract structure in security outsourcing cannot solve the double moral hazard, and furthermore positive externality can worsen the double moral hazard. We then propose a new contract structure that induces first-best efforts. The second essay studies when and how standards can harm firm security. We consider a setting where a firm has two security controls-one regulated and the other one not-that are either serially or parallelly linked. We also consider strategic attacker and liability issues. Our findings are as follows. First, under a serial configuration, firm security can decrease in the standard when this standard is low. Second, this decrease is more likely to happen when the firm is more concerned with security. Third, under a parallel configuration, firm security can decrease in the standard only when both standard is high and the liability is sufficiently low. Fourth, when the standard is low then strategic attacking behavior can augment the effectiveness of the standard. The third essay deals with security strategy in the cloud. While a standardized cloud service with uniform security is the current practice, security experts argue that differentiated security offerings are required to serve consumers' diverse needs. We uncover the conditions under which the differentiation strategy is optimal. Furthermore, we show that as the service model becomes closer to software-as-a-service then differentiated services become optimal. If joint efforts of the cloud provider and users become less complementary then a differentiation strategy becomes attractive. Finally, an increase in externality encourages cloud providers to adopt a differentiation strategy. [The dissertation citations contained here are published with the permission of ProQuest LLC. Further reproduction is prohibited without permission. Copies of dissertations may be obtained by Telephone (800) 1-800-521-0600. Web page: http://www.proquest.com/en-US/products/dissertations/individuals.shtml.]