Emerging studies advocate that firms shall completely outsource their information security for cost and technical advantages. However, the risk of information leakage in outsourcing to managed security service providers (MSSPs) is overlooked and poses a confidentiality threat. We develop analytical models to describe several strategies for firms to consider when they decide to outsource to MSSPs. Based on our results, we suggest partial outsourcing as an alternative strategy when the firm faces information leakage risk. Besides, we suggest that in-house information security strategy is the optimal solution when the risk of being attacked is low regardless of the risk of information leakage. We then extend scenarios to the competitive environment where firms that are in the same market are highly likely to choose the same strategy.