In Time and Material model the client pays only for the time and resources spent on the project. This is more suited for the long-term projects with dynamically changing security requirements, undefined scope of work and varying workloads of development team. In such case, client has a greater control over the project, any task or enhancement implementation on demand.
Fixed price model is preferable for the information security projects with clear and well-documented requirements. It requires precise scope of the project, predefined timelines and fixed budget. Cost and timeframe are specified before the beginning of the work on project. Minimal supervision is required from the client.
Under an outcome based model, the client pays for outcomes delivered. The contract focuses on the desired outcome of the work and the measurable performance standards that are tied to the outcome. This model includes risks and rewards.