Managing cyber and information risks in supply chains: insights from an exploratory analysis

Purpose: The purpose of this paper is to explore how companies approach the management of cyber and information risks in their supply chain, what initiatives they adopt to this aim, and to what extent along the supply chain. The increasing level of connectivity is transforming supply chains, creating new opportunities but also new risks in the cyber space. Hence, cyber supply chain risk management (CSCRM) is emerging as a new management construct. The ultimate aim is to help organizations understand and improve the CSCRM process and cyber resilience in their supply chains.

Design/methodology/approach: This research relied on a qualitative approach based on a comparative case study analysis involving five large multinational companies with headquarters, or branches, in the UK.

Findings: Results highlight the importance for CSCRM of shifting the viewpoint from the traditional focus on companies’ internal information technology (IT) infrastructure, which can only “firewall itself”, to the whole supply chain with a cross-functional approach. Initiatives for CSCRM are mainly adopted to “respond” and “recover”, without a well-rounded approach to supply chain resilience that builds a long-term capacity to adapt to changes according to an evolutionary approach. Initiatives are adopted at a firm/dyadic level, and a network perspective is missing.

Research limitations/implications: This paper extends the current theory on cyber and information risks in supply chains, as a combination of supply chain risk management and resilience, and information risk management. It provides an analysis and classification of cyber and information risks, sources of risks and initiatives for managing them according to a supply chain perspective, along with an investigation of their adoption across the supply chain. It also studies how the concept of resilience has been deployed in the CSCRM process by companies. By laying the first empirical foundations of the subject, this study stimulates further research on the challenges and drivers of initiatives and coordination mechanisms for CSCRM at a supply chain network level.

Practical implications: Results invite companies to break the “silos” of their activities in CSCRM, embracing the whole supply chain network for better resilience. The adoption of IT security initiatives should be combined with organisational ones and extended beyond the dyad. Where applicable, initiatives should be bi-directional to involve supply chain partners, remove the typical isolation in the CSCRM process and leverage the value of information. Decisions on investments in CSCRM should also involve supply chain managers, according to a holistic approach.

Originality/value: A supply chain perspective is missing from the existing scientific contributions on the management of cyber and information risk. This is one of the first empirical studies dealing with this interdisciplinary subject, focusing on risks that are now very high on companies’ agendas but still overlooked. It contributes to theory on information risk because it addresses cyber and information risks in massively connected supply chains through a holistic approach that includes technology, people and processes at an extended level that goes beyond the dyad.
