Crime rates go up in a recession and we know that. Peter Allen of TPI blogs about a perceived increase in information security risk in the light of Satyam and the Mumbai attacks. He makes the case that captives might have an advantage here. More perception than reality IMO. The risk itself can be broken up into:

Individual risk: Basically a 'terrorist' getting into your company. The only way you can lessen this risk is background checks. Captives cannot do better background checks that larger local players. You recruit from the same pool and your chance of weeding out the bad boys is actually lesser. At the end of the day, the agencies that actually do the checks are the same and a traditional offshore player would be able to command lower prices on these checks because of scale. To make matters worse, decades of experience of dealing with these agencies would have taught the traditional players the loopholes that they need to watch out for. Higher cost, higher risk. Traditional player wins.

Firm specific risk: With today's technology (virtualization+warp speed access+security) almost any work can happen from offshore without a single byte of sensitive data actually landing on a foreign hard drive or RAM. Add to this the ability to completely control the hardware and software environment from onshore and you have virtually the same level of firm specific risk. Actually terrorists might be more inclined to target an 'Western captive' than a more traditional player for the same reason that the Mumbai attacks were directed at places frequented by westerners. More firm specific risk at a higher price. Traditional player wins.

Country specific risk: Obviously the same for a captive and a traditional player. It's a draw.

Verdict : Don't go the captive way for the sake of risk!