Building supply chain resilience to cyber risks: a dynamic capabilities perspective

Supply chain resilience

SCRES is acknowledged as the key ability of SCs to cope with disruptions or changes (Jüttner and Maklan, 2011; Scholten and Schilder, 2015; Wieland and Durach, 2021). Recent examples of such events include the COVID-19 pandemic and the blockage of the Suez-Canal (Ivanov and Das, 2020; Ivanov and Dolgui, 2021; Roh et al., 2022; Wieland et al., 2023). Although resilience was introduced to the context of SCs almost 20 years ago (Rice and Caniato, 2003; Christopher and Peck, 2004), the interpretation of resilience in the SC context is still an ongoing and long-running debate. Various literature reviews have recently examined the variety of SCRES definitions (Tukamuhabwa et al., 2015; Ali et al., 2017; Kochan and Nowicki, 2018; Han et al., 2020).

The literature emphasizes three main types of resilience: engineering, ecological and social-ecological resilience (Holling, 1996; Wieland and Durach, 2021). However, the discussion of these different interpretations of resilience in the SC context has started only recently (Wieland, 2021; Wieland and Durach, 2021). Most scholars have interpreted SCRES as engineering resilience (Richey et al., 2022; Wieland and Durach, 2021), arguing that SCRES relates to the ability of an SC to return to equilibrium after disruption (Holling, 1973; Christopher and Peck, 2004). In contrast, social-ecological resilience is measured by the magnitude of disturbance a system can sustain before an SC changes its control or structure (Holling, 1996; Wieland and Durach, 2021). Furthermore, the SCRES literature primarily focuses on resilience in general, emphasizing mainly natural disasters and the flow of goods. However, it has rarely focused on specific risks or built strategies for addressing risks individually (Tukamuhabwa et al., 2015), such as cyber risks.

Cyber risks in supply chains

Several scholars emphasize the lack of research on managing cyber risks from an SC perspective (Colicchia et al., 2019; Ghadge et al., 2019; Creazza et al., 2022; Melnyk et al., 2022). Despite increasing research addressing cyber risks to SCs, scholars who define the term are relatively scarce. Although it is acknowledged that information risks and cyber risks are not the same, scholars tend to use these terms interchangeably (von Solms and van Niekerk, 2013). A uniform and broadly accepted definition of cyber risks has not yet emerged (Strupczewski, 2021). In a broad sense, cyber risks are associated with malicious events in cyberspace that result in the loss of a business's reputation and financial resources.

Strupczewski (2021), who studied definitions of cyber risks, concluded that these risks are operational risks to the organization’s information, technological assets and resources, with negative consequences to the confidentiality, availability and integrity of these assets. This definition emphasizes the distinction from other risks typically addressed in the SCRES literature, mainly related to material flows, which predominately affect availability. In comparison, cyber risks can additionally and simultaneously harm the confidentiality and integrity of SC assets, information, services and products. Therefore, in this study, SC cyber risks are defined as operational risks associated with executing activities in cyberspace. They adversely impact the integrity, availability and confidentiality of SC assets, information and communication technology resources and technological assets and can damage tangible and intangible SC assets.

Unlike conventional risks, cyber risks have the potential to remain undetectable until their impact on businesses materializes (Renaud et al., 2018). This is why cyber risks are challenging for nonexperts to understand and address (Bravo-Lillo et al., 2011; Jones et al., 2021). Furthermore, the cyber environment allows an attacker to move laterally in entered SC networks, leading to different cascading effects compared to conventional SC risks. By combining two or more cyber attacks, the attackers can potentially harm multiple firms in an SC simultaneously, as numerous SC cyber attacks have demonstrated (ENISA, 2022). Furthermore, it has been argued that the emergence of artificial intelligence, in particular, could lead to an increased risk of cyber attacks (Hendriksen, 2023) that require some form of control to ensure reliable approaches (Taddeo et al., 2019). Daily business in SCs (e.g. highly connected networks with digital infrastructure) depends on SC assets that are at risk of cyber attacks. Building on this understanding of cyber risks in SCs, this research explores how to build SCRES to cyber risks.

Dynamic capabilities

Teece et al. (1997) introduced the theory of DCs, which is rooted in the resource-based view of a firm (Wernerfelt, 1984; Barney, 1991). This theory describes a firm’s ability to sense and adapt to external environmental changes, which is recognized as crucial to competitiveness. However, the positive impact on firm-level performance is often not directly visible (Drnevich and Kriauciunas, 2011). These external environmental changes are frequently caused by force majeure events, whether foreseeable or not, for better or for worse (Winter, 2003). Teece (2007) identified three microfoundations of DC: sensing, seizing and transforming. Sensing includes scanning, creating, learning and interpreting opportunities and threats. Seizing includes the response to sensed opportunities and threats. Transforming entails reconfiguring assets to enhance, combine or protect companies’ capabilities.

While Teece’s (2007) sensing, seizing and transforming framework discusses opportunities and threats, this study focuses only on threats. Therefore, this study represents an exceptional understanding of the framework, as most studies focus on opportunities and threats or only on opportunities. Threats and opportunities are not considered opposite ends of the same continuum but are theoretically distinct, which is consistent with the findings of Pérez-Nordtvedt et al. (2014) and Endres and van Bruggen (2021). Therefore, this study focuses solely on threats and risks, as threat recognition has a greater impact on revenue growth than sensing opportunities, and firms’ common knowledge focuses on opportunities rather than threats (Endres and van Bruggen, 2021).

In the SCM literature, DCs are a competitive necessity in modern business because they help firms respond to environmental challenges and compete in today’s business landscape (Ponomarov, 2012). Specifically, in the SCRES literature, DC theory has repeatedly been taken as a lens to investigate SCRES (Tukamuhabwa et al., 2015; Kochan and Nowicki, 2018; Ali and Gölgeci, 2019; Bahrami and Shokouhyar, 2022). Also, data will be interpreted from a DC perspective using three categories: DC allows to show how participants sense the SC to generate an understanding of cyber threats and risks, seize the sensed cyber risks and transform their SC to become more resilient to cyber risks.

SC capabilities are defined as “attributes that enable an enterprise to anticipate and overcome disruptions” (Pettit et al., 2010, p. 6). SC capabilities are related to vulnerabilities listed as interventions in frameworks (Kochan and Nowicki, 2018) and may take several forms, including preventing and mitigating impact and/or enabling firms to adapt after disruptions. The SCRES framework developed by Pettit et al. (2010) focuses on balancing SC vulnerabilities and capabilities. It is desirable to establish SCRES by balancing vulnerabilities and capabilities through resilience linkages (Pettit et al., 2013).

Supply chain resilience sensing activities

Sensing, derived from DC theory, involves actively scanning and monitoring the business environment to identify new threats and opportunities. This entails constructing systems to learn, filter and interpret information that supports identifying threats, both at the core and periphery of the business, including those within the SC (Teece, 2007). In the context of SCM, sensing capabilities refer to the proficiency developed from information-sharing practices. These practices keep partners updated about current and anticipated physical flows (Müller and Gaudig, 2011). Integrating such activities can enhance SC practices if the information exchanged relates to operations (Kulp et al., 2004) or risk-related data (Manuj and Mentzer, 2008). Ideally, this exchange of information should be frequent, reciprocal, informal and noncoercive (Vanpoucke et al., 2009). When each SC partner effectively uses the shared information, they can optimize SC dynamics and enhance decision-making processes. In addition, having access to such information enables a firm to understand what is occurring within the SC and make necessary adaptations (Harland et al., 2007).

Sensing capabilities in SCRES result from situational awareness, visibility and knowledge-creation activities. Situational awareness is the ability to understand SC vulnerabilities and prepare for disruptive events (Datta et al., 2007), which is best achieved through early warning strategies (Sáenz and Revilla, 2014). These practices help map SC vulnerabilities (Melnyk et al., 2010) to prevent or control risks (Manuj and Mentzer, 2008). SC visibility and knowledge management contribute to sensing activities. SC visibility is a crucial aspect of sensing activities, which contributes to SCRES (Scholten and Schilder, 2015; Mubarik et al., 2021) and leads to awareness and knowledge of the current status of SC assets and the surrounding environment (Fiksel et al., 2015) often measured by key performance indicators (Ambulkar et al., 2015). Increased visibility in the SC may be achieved by investing in IT capabilities that facilitate information exchange and communication (Jüttner and Maklan, 2011). In addition, knowledge management and understanding SCs are critical for improving SCRES (Scholten et al., 2014; Umar et al., 2021).

Supply chain resilience seizing activities

While seizing activities support firms in addressing sensed threats and risks (Teece, 2007), SCRES seizing capabilities that are mainly response related (e.g. SC collaboration, agility, flexibility and redundancy) support SCs in addressing sensed threats and risks. Response capabilities enable SCs to react quickly and effectively to SC events, thereby mitigating the impact of disruptions or changes and ensuring a desirable outcome (Ali et al., 2017). SC collaboration increases SCRES (Scholten and Schilder, 2015; Bak et al., 2020) and refers to an SC’s ability to respond to disruptions by collaborating with SC partners (Christopher and Peck, 2004) for sharing risk-related information (Jüttner and Maklan, 2011) and coordinating immediate response (Scholten et al., 2014).

SC agility and flexibility contribute to seizing activities. SC agility refers to rapidly reacting to changes, shortages and disruptions. Although SC agility may differ from SCRES (Gligor et al., 2019), it also improves SCRES (Aslam et al., 2020). As a result, it reduces the time required to mitigate risks and their impact (Blome et al., 2013). An agile SC possesses characteristics such as velocity, which enables quick reactions to unexpected changes (Christopher and Peck, 2004; Jüttner and Maklan, 2011). These practices facilitate reducing disruptions’ impact on SCs, increasing the SC’s ability to respond. SC flexibility and SCRES are positively related (Chunsheng et al., 2020); they allow quick adaptation to disruptions and changes and improve operational efficiency under normal conditions (Pettit et al., 2013). Maintaining an excess capacity to respond to SC disruptions through capital investments requires redundancy (Rice and Caniato, 2003). Building redundancy improves the ability to adapt to disruptions by using excess capacities in production, transportation, inventory and storage facilities (Ali et al., 2017).

Supply chain resilience transforming activities

The third microfoundation of DC theory, transforming, is related to the alignment and realignment of resources and competencies to ensure a strategic fit with sensed and seized risks (Teece, 2007). Essential in dynamic environments, these transformative capabilities induce alterations in existing processes and might be embedded within the parameters of SC reconfiguration and adaptability in SCM. Transforming allows SCs to change their internal processes when needed and continuously improve SC processes, enabling SC partners to learn and co-specialize. By combining integrated sensing and seizing capabilities, firms can identify and exploit emerging short- and medium-term risks. However, transforming requires strategic actions to deal with long-term changes.

Within SCRES, the capabilities that enable SCs to transform may be associated with SC reconfiguration and adaptability. SC reconfiguration relates to adjusting an asset structure and implementing essential internal and external transformations (Teece et al., 1997). SC reconfiguration (Blackhurst et al., 2005; Al Naimi et al., 2021), resource reconfiguration (Ambulkar et al., 2015; Queiroz et al., 2021) and resource mobilization (Pettit et al., 2013) are the main activities that enable resilience in the SC context. While SC agility is concerned with short-term changes and is, therefore, part of seizing, SC adaptability is related to long-term changes through restructuring the SC (Aslam et al., 2018) and is defined as the ability of the firm to change its SC design. This approach is a more radical and long-term strategy compared to changes made to SC agility in response to risks.

In this study, DC theory provides a framework for understanding how SCs can adapt and build resilience in response to rapidly changing business environments (Teece, 2007). This framework is particularly relevant in the context of cyber risks, which are constantly evolving and require businesses to adapt quickly. In addition, this theory provides a lens to examine how SCs manage complexity and uncertainty in their environments, which is particularly relevant in the context of cyber risks (Teece et al., 2016). Furthermore, this theory emphasizes the ability of firms to reconfigure resources in response to environmental changes (Helfat and Peteraf, 2009), which provides a useful perspective on how firms can adjust their resources and strategies to manage SC cyber risks better. These insights allow us to ask the following research question:

RQ1. How can SCs sense and respond to cyber risks to facilitate SCRES?

Case selection

Initially, four manufacturing firms from various industries were chosen for this research, each operating globally, with headquarters in Central Europe. Using different industries with comparable SC structures enables the identification of differences and similarities. Based on theoretical considerations, the authors then chose 24 industry SC partners from these four initial firms (Eisenhardt and Graebner, 2007). However, the interview and company samples were not predetermined. These firms and their SCs are relevant for developing SCRES to cyber risks, as they are global market leaders in their respective industries. They are actively involved in digitizing their businesses and SCs, and they are suppliers to sensitive industries or critical infrastructure, or they operate in an industry that prioritizes the digitalization of key products. In addition, all four focal firms have recently experienced multiple cyber attacks in their SC. Therefore, the cases representing four firms, including their multilevel SCs as four SCs with at least triadic relations (at least three tiers, in one case four tiers), were carefully selected based on the likelihood of SCCR to occur, allowing theory to be improved based on the similarities and differences of the cases (Eisenhardt, 2021). Furthermore, following the work of Flyvbjerg (2006), we argue that the deliberate selection of cases based on their likelihood of exhibiting SCCR allows for a detailed examination of the conditions under which resilience strategies are most effective. This comparative analysis not only enriches our theoretical framework but also provides a direct link between our empirical findings and the study’s research objectives, enhancing the understanding of how different SC configurations influence resilience and risk management practices.

Data collection

A semistructured interview protocol (see Appendix 1) was created to guide the interviews during the data collection process. Between April 2020 and July 2021, the first author conducted 79 interviews from the 28 firms in the four SCs with 59 individuals who worked in roles related to SCM, IT, IT security, purchasing, sales, product management and process management. Participants were selected on the basis of their professional roles, as SCCR is closely linked to their respective roles and experiences. All interviews were recorded, professionally transcribed and then coded by a team of researchers. Due to the COVID-19 pandemic, most interviews (about 95%) took place online using Microsoft Teams. The interview process was repeated until a point of theoretical saturation, based on a diverse range of opinions and in light of the emerging concepts and themes from the data (Gioia et al., 2013). The interviews were open-ended and exploratory, lasting 25–165 min. The authors obtained additional data for the data analysis phase, including material given by the organizations, industry journals and reports and secondary sources of information. Table 1 provides an overview of the SCs, companies and interviewees involved in this study. The information in Table 1, combined with the information in Tables 2, 3 and 4 (which provides details of the interviewee for each quote), allows the reader to identify the chain of evidence. We used specific labels to identify which quotes are attributable to which participant, ensuring a clear link to the respective company and SC.

Data analysis

The data analysis was conducted by a team of researchers, including the authors. For theory elaboration purposes, the case study data were analyzed guided by the theoretical framework (Eisenhardt, 1989; Eisenhardt and Graebner, 2007; Eisenhardt, 2021). MAXQDA, a well-established computer-assisted qualitative data analysis tool, was used to evaluate the interview transcripts. The authors used additional data sources to confirm and explain statements made during the interviews and called all participants again for clarification and feedback. In addition, the transcript, results and analysis were sent, presented to and discussed with the participants to guarantee their accuracy (Lincoln and Guba, 1985; Yin, 2014).

The data analysis process comprises three phases. The researchers began by coding the transcripts in vivo (Miles et al., 2020) to gain a better understanding of the data and uncover emergent patterns. The second phase involved the inductive development of open codes. The next stage used further inductive reasoning to condense the open codes into focused codes. Finally, data collection and analysis were carried out until theoretical saturation was attained. Trustworthiness criteria acceptable for qualitative research approaches were used in this study to ensure data collection and processing quality (Hirschman, 1986; Mollenkopf et al., 2011; Russo et al., 2021). Appendix 2 illustrates the trustworthiness criteria underlying this study.

Additional methodological aspects

Before presenting the findings for the three microfoundations of DC, the nature of cyber risks in SCs should be emphasized. It is crucial for this study and the interviews to first create an understanding of cyber risks and their potential impact on SCs. The majority of SC disruptions caused by cyber risks and experienced by participants affect only the availability of products and services. However, there are examples of cyber incidents compromising the integrity and confidentiality of SC assets, which have received little attention in practice and academia.

In this context, it is crucial to establish a common understanding between the interviewer and the interviewees at the beginning of the interview. The conversation should not only focus on the availability of goods and services, as this would equate cyber risks with the conventional risks mentioned in the literature. In addition, the authors want to emphasize that although most case firms have a high level of cyber security maturity, their understanding of SC cyber risks outside the IT or IT security departments is relatively weak. In all participating companies, almost no executive outside these departments considered or managed cyber threats or risks as part of their job responsibilities. This narrow perspective is mainly due to a lack of awareness, understanding, knowledge, experience and training about cyber risks, as the interviewees reflect. InsCo-SCM-2 expresses the difficulties in understanding cyber risks by stating:

If you do not really deal with it intensively, and I personally am probably missing it somewhere in my education or have never dealt with it or do not know, it could have ‘such and such’ an effect. How does the whole thing happen? What happens behind it? I have to say honestly that I cannot grasp it.

The SC understanding and definition underlying this study are broad; they encompass all key SC partners, not simply IT service providers or the digital SC. This comprehensive view enabled the authors to identify disparities in the maturity of cyber risk-relevant SC operations in different departments. While most case organizations had a high maturity level for handling cyber risks in IT-related SC, the study indicates that operational technology (OT)-related or commodity SCs do not. As SteCo-IT-Security-1 explained, “IT could have a problem with the supplier but not the OT. The more digitalized the OT is, the greater the cyber risks there are.” Although the share of smart products in raw material SCs has increased in recent decades, all cases show a low maturity level for cyber risk-related SC activities. The main reason for this distinction is that most cyber security standards, such as the International Organization for Standardization (ISO) 27001 or the Trusted Information Security Assessment Exchange (TISAX) in the automotive sector, are focused on IT-related aspects of the SC rather than taking a holistic SC view. This study examines 28 companies within four European industrial SCs that have experienced multiple cyber attacks impacting their SC during the project. All cyber attacks had a detrimental impact on the availability of assets, cascading effects on consumers and suppliers, affecting the flow of products, services, information or finance. However, neither the confidentiality nor the integrity of the assets was compromised, as the incidents only affected SC asset availability.

Sensing supply chain cyber threats

Sensing refers to SC activities that include scanning and monitoring the operating environment to identify SC cyber threats and risks and make strategic decisions about them. This study identified three specific SCCR capabilities that facilitate the recognition of SC cyber risks: (1) Creating SC cyber risk knowledge; (2) increasing cyber risk-related SC visibility; and (3) creating SC cyber threat intelligence. The following subsections will comprehensively detail the three microfoundations that constitute the sensing capabilities supporting the detection and understanding of cyber risks in SCs. Table 2 summarizes the key constructs derived from empirical evidence that underlie these identified sensing capabilities. Using these capabilities, organizations can strengthen their cyber resilience against cyber threats by developing an understanding of potential risks. In addition, by increasing SC visibility and improving SC threat intelligence, they can make informed strategic decisions to respond to such risks and threats.

Creating supply chain cyber risk knowledge

Improving SCCR first requires broadening the awareness and understanding of cyber risks within the SC to enable a nuanced understanding of SC operations in this specific context. For the companies studied, cyber risks currently represent only a marginal component of SC operations, indicating a lack of deep-rooted cyber risk awareness and knowledge across multiple entities. Consequently, integrating cyber risk considerations into SC operations is key. This integration will make it easier for companies to learn more about their SC partners, focusing on areas such as self-assessing suppliers through surveys, conducting supplier audits or using third-party monitoring services. SteCo, CriCo and InsCo could take advantage of existing strategies already implemented by their IT departments. These case firms combine various approaches, but Customer-CriSC1-IT Security also sees the use of audits as demanding:

So, the self-assessment is the basis. And then, we will go on-site if necessary. Depending on the criticality, we are talking about thousands of service providers. If you take them all together, we will certainly not be able to audit them all every year or at very short intervals. But, of course, that is the basis, and then it will be audited on-site; then there will also be another telephone call perhaps to clarify some questions.

Conversely, ComCo needs to develop strategies to address the lack of IT capacity and cyber risk awareness among its SC partners. Currently, audits and self-assessment surveys are only used for a selected group of suppliers, with little consideration given to cyber risks, again indicating a lack of cyber risk awareness and knowledge. Such an approach could be expanded to ensure a comprehensive and effective cyber risk strategy.

The strategic use of these tactics is crucial for current and future suppliers and the corresponding SC at all stages of the product life cycle. The level of SC visibility determines this alignment. Central to this process is the cybersecurity posture of critical SC partners and the flow of products, information and finances to and from all SC partners. An effective scanning and monitoring program for these flows is critical to identifying potential cyber risks. Understanding the unique nuances and inherent cyber threats associated with different SC partners will increase knowledge of the associated risks. Cyber risk considerations should be integrated into product testing procedures and contribute to the knowledge base of cyber risks associated with goods and commodities circulating within SCs.

This integration into the whole product lifecycle is particularly important for CriSC, InsSC and ComSC as they are large-scale producers of smart products. Therefore, it is imperative for SC personnel to proactively monitor potential cyber threats and risks from both supplier and customer perspectives. This includes focusing on potential cascading effects and cross-movement risks. Consequently, fostering capabilities within the SC that facilitate regular identification and assessment of cyber threats and risks is beneficial. By incorporating cyber risk considerations into all SC processes, a more comprehensive understanding and effective management of SC can be achieved. Improved knowledge of cyber threats and risks in the SC enhances context-specific knowledge and helps to identify potential disruptions, as cyber threats can originate from any point within a given SC.

Increasing cyber risk-related supply chain visibility

Improving knowledge about cyber risks among SC partners requires a nuanced perspective on SC visibility that differs from traditional SC risks. Unlike localized threats such as natural disasters, cyber risks have the potential to affect all partners within an end-to-end SC, regardless of geographic location. This widespread vulnerability is due to the complex interplay of the digital network and its vulnerabilities. In addition, the availability, integrity and confidentiality of SC resources can be compromised by combining multiple attacks simultaneously. Given this ubiquity of cyber risks, no partner within an end-to-end SC is exempt. Therefore, comprehensive visibility across the SC may be required to develop an accurate understanding of the current state of the SC.

Given the limited level of visibility in all four SC studied, it is essential to identify key SC partners and expand visibility in response to the identified risks. The cross-case analysis of the SCs studied revealed patterns that underline the need for iterative and continuous assessment. As the CriCo manager from the product management department explained, “If you now look at the topic of cyber security in detail, you have to define the system and which SC partners are part of it. Who is relevant from the cyber risks point of view?” Therefore, the initial steps of detection activities need to be iterative and continuous. In addition, the potential for cascading effects and lateral movement must be considered while increasing visibility beyond first-tier SC partners. This increased visibility facilitates the identification of relevant SCs and the assessment of their current state, which is the basis for identifying the weakest SC links. These may represent SC vulnerabilities in one area that could lead to systemic weaknesses, especially if key partners are not adequately secured. IT capabilities can further extend this visibility and deepen the SC’s knowledge of cyber risks.

Creating supply chain cyber threat intelligence

While the first two sensing microfoundations focus mainly on the internal aspects of SCs, the third sensing capability focuses on the integration of external information and activities, which is vital for creating a holistic understanding. For instance, the IT security departments in all four SCs studied typically pursue a strategy of consolidating and disseminating information about cyber risks and vulnerabilities from various sources. These sources include commercial services, computer emergency response teams (CERTs), communities and conferences. Rather than limiting the dissemination of this valuable information to a single company, it is critical to proactively disseminate it throughout the SC or share it with specific SC partners. The first two sensing activities can form the basis for identifying the relevant partners who are critical to effectively sharing cyber threat information in the SC.

Although most SC managers interviewed in the study emphasized the importance of knowledge creation and improved visibility, sharing cyber threat information with SC partners is significantly prevalent, especially in CriSCs. Furthermore, a sophisticated approach to cyber risk activities facilitates the smooth sharing of important information. This is likely due to the fact that this SC has the highest level of maturity in managing cyber risk activities. As the IT security manager of the client CriSC2 explained, the goal is to build SC-focused cyber threat intelligence:

What we are, of course, already trying to do … is to focus more on threat intelligence, also attack surface management, so that we can find out what is planned against our SC. And we can then react accordingly before an attack occurs. Quite simply, but only on the roadmap for the future.

SC cyber threat intelligence is an additional sensing activity that complements the previous two sensing activities by using external threat-related information. In addition, this third capability can be used to share data collected from all seizing activities with SC partners to promote a more unified approach toward SCRES against cyber threats.

Seizing: Activate supply chain resources to address sensed supply chain cyber risks

To address sensed cyber threats and risks, SCs should develop capabilities related to seizing activities. In this study, these capabilities are: (1) prioritizing short-term cyber risk-related SC collaboration; (2) building cyber risk-related SC flexibility; and (3) building SC cyber risk culture. Table 3 summarizes the key constructs from the empirical evidence that serve as the foundation of the identified seizing capabilities.

Prioritizing short-term cyber risk-related supply chain collaboration

After sensing cyber threats and risks in the SC, the key response of the case companies was to work with their SC partners to address these perceived threats and risks. The main difference between SC collaboration in seizing and transforming lies in the time horizons. The former is a short-term strategic response, while the latter is a long-term approach that involves discourse and structural change. A collaborative approach to SC risk management becomes the first process of assistance after a threat is detected. As CriCo’s product manager notes:

We do this via all components that are inside our products, such as hardware and software components. We have such a process. Some of the information channels are the Internet, some are mailing lists where we get the information. Some are agreements with suppliers where they inform us, and they write into the system, where they inform us about vulnerabilities. And we have a ready-made process, who takes care of it, who does the risk assessment, and who then decides, we integrate that into the product.

It is imperative to understand that when a cyber risk is discovered that affects an SC asset such as a product or service, it is of utmost importance to obtain comprehensive information about all elements within the SC that are potentially affected by this vulnerability. Ideally, an SC tracking and tracing process would be quickly initiated to identify these elements throughout the end-to-end SC. However, the focus of this process should not be exclusively on the company’s products. CriCo’s product manager illustrates the importance of this broader view:

But in any case, I need a process that says when parts of purchasing or SCM are determined, the supplier has been hacked and in turn. Specifically in my area, so in the product area there are people who are then responsible, who can evaluate whether there are now risks in the delivered products. They can examine the product, test it, and then evaluate whether there is a significant risk or not.

When such vulnerabilities are discovered, it is important to implement an appropriate SC complaint management process, both upstream and downstream, to enable a quick response to these vulnerabilities. The SC complaint management process, thus, complements the SC tracking and tracing process. This iterative approach ensures constant alignment between emerging risks and established structures, streamlining responses. This process is of great importance for managing the flow of products in the SC, especially for dealing with products that do not meet consumer expectations. Cyber attacks have the potential to undermine the integrity of products, with vulnerability potentially emanating from any point within the SC to take advantage of them. On this topic, the quality manager of the supplier CriSC1 shared the following insights:

The most sensitive thing that can happen is that the customer has a complaint in the process of being resolved, that he says he has some kind of problem, and that we then have to start an analysis with the subcontractor.

To extend this example, a computer chip manufactured in the fourth tier of an SC may result in consumer vulnerability and enable an SC cyber attack that affects thousands of firms and different SC tiers simultaneously.

In the event of an SC disruption due to a cyber attack, it is essential to quickly assemble a task force within the affected company that includes the relevant SC partners. This measure underlines the replication logic in practice, which treats each incident as a unique observation to adjust responses effectively. Speaking about the process of putting together a task force, ComCo’s quality manager revealed:

There is a task force that is always put together depending on the problem. For example, someone from our IT specialists would be asked to come down to the table if it were a cyber issue. That works quite well for us because everything is concentrated at the site. We do have all the departments there. And communication is good. We do not have a lot of siloed work.

Given the potential chaos immediately following a cyber attack, the SC response should be supported by jointly developed and pretested SC recovery plans. While all four SCs agree on these procedures, it is essential to underline the theoretical argument that these SC strategies need to evolve as most of them are currently focused primarily on the focal company only.

Building cyber risk-related supply chain flexibility

SC flexibility in the context of cyber risk has two critical dimensions. The first is SC agility, which is critical to facilitating rapid responses. Swift action is critical once cyber risks or incidents are detected, as it allows for timely mitigation of potential impacts. This requires constant comparison, a rapid iteration between risk detection and response. In addition, rapid information sharing and cyber risk assessment are equally important for assessing the potential impact of disruptions. The sooner an impact assessment is conducted, the sooner decision-makers can take corrective action to mitigate the consequences. Due to the latent nature of cyber risks, which can remain hidden until they impact the SC, SC visibility, supported by cross-case analysis, is paramount to enable a rapid response. In this context, InsCo’s SC manager said:

And then quick decisions are found. Whom do you need, what is the problem, what are the options? And then all the alarm bells start ringing, and within one or two days, it quickly happens that you have a team. One that has a flat hierarchy. One that has also discussed the possibility with the executive committee directly.

The second critical dimension of SC flexibility in relation to cyber risks concerns redundancy and diversity. Redundancy has particular importance in this context. Traditional redundancy in the SC is not necessarily beneficial in the event of cyber incidents. For example, if a supplier operates from multiple locations, this usually increases resilience against disruptions due to natural disasters. However, if a supplier experiences a cyber attack, all of its global locations will probably be impacted simultaneously due to their digital connectivity. Consequently, it is essential to have redundant procedures in place that allow the supplier to maintain production and delivery of products and services even in the event of a cyber attack, as confirmed by the supplier’s sales manager InsSC3:

And then, very quickly, there is another way in which we can continue to work, and that is the most important thing about it. In the first moment, you only notice that something is not working. Then, all the offline work has largely worked. I got no emails and could not send any. Nevertheless, our enterprise resource planning system, which runs differently, continued to work. So, SC-wise, we were okay. It was just that the communication did not work right away. And I think, within half an hour, we had the bypass, completely set up across all the capabilities.

In the event of a cyber attack that disables everyday means of communication, the immediate establishment of an alternative route for SC communication and information exchange becomes paramount. Therefore, it is necessary to re-evaluate the concepts of redundancy and diversity to recognize each SC entity as a unique observation with its own vulnerabilities. For example, if a company relies on two suppliers for redundancy, but both depend on the same critical IT service provider, the security of the company is at risk. Identifying such cases is central to improving flexibility and highlights the critical role of creating SC knowledge. Assessing SC flexibility in the context of cyber risks is, therefore, essential, as cyber risks have unique characteristics that require special considerations and preparation measures. Furthermore, this approach ensures a comprehensive understanding and not just a description of cyber risk scenarios in the SC.

Building supply chain cyber risk culture

Establishing a cyber risk culture in the SC increases collaboration and flexibility and equips it with the necessary tools to address cyber risks effectively. This study demonstrates that focusing on SC disruption and building a cyber risk management culture can enhance a company’s resilience to SC cyber disruptions. The ability to learn lessons from past disruptions is closely linked to the SC’s ability to manage future disruptions. Throughout the study period, several participating companies faced cyber attacks. Participants confirmed that the lessons learned and experiences gained during the COVID-19 pandemic were invaluable resources in managing the impact of cyber incidents in their SCs. Conversely, their experiences with the pandemic informed their handling of cyber incidents, emphasizing the universality of foundational crisis management principles across various types of disruptions. CriCo’s sales manager shared her experience of using her COVID-19 pandemic response expertise to quickly manage the impact of a cyber attack on her client, SteSC4, despite having no previous experience of dealing with such situations:

COVID-19 was such a disturbance that I could refer to. There were similar situations. We were not able to estimate exactly when things would continue or when the customers would need material again. It was similar, I must say. That is why COVID-19 was a good exercise to know what my next steps are.

It is critical that staff in all departments involved in the SC, especially those directly involved in cyber risks, are trained to develop awareness of the cyber risks relevant to their respective departments. This need for awareness and training is underlined by the persistent misconception that cyber security is the exclusive domain of the IT department, while other departments remain largely uninformed about the potential cyber risks within their SC activities. Therefore, an all-encompassing, cross-departmental approach to cyber security is of utmost importance. As a result, investing in education, training, simulation exercises and awareness campaigns is critical to creating a robust cyber risk culture. Such a change needs to be supported by top management, as ComCo’s IT Security Officer pointed out:

But you can see that awareness of the issue of security has risen sharply in recent years, even among top management. And also, the awareness that, as a company, you tend to work in a partner network with many, many partners. Rather than still doing everything on your own and only relying on yourself.

In broadening the scope, this study revealed a discrepancy in awareness: While cybersecurity managers generally recognize the importance of considering the SC, many SC managers largely overlook the cyber risks associated with their operations. This lack of awareness is not limited to SC managers but extends to all departments involved in SC operations and includes areas such as sales and product development. This research described three key microfoundations for effectively seizing identified cyber risks in SCs: (1) Prioritizing short-term cyber risk-related SC collaboration; (2) building cyber risk-related SC flexibility; and (3) building SC cyber risk culture. These elements complement each other and form the structural and practical basis for SCs that are equipped to deal with identified cyber risks. Taken together, these aspects, when harmoniously integrated, form a robust framework that enables SCs to navigate the turbulent seas of cyber threats with resilience.

Transforming: Aligning supply chain resources and capabilities

SCs need to proactively and strategically manage their internal and external competencies, routines and resources to renew existing routines and address cyber risks. The essential capabilities required to transform and reconfigure are: (1) Prioritizing long-term cyber risk-related SC collaboration and (2) enhancing cyber risk-related SC reconfiguration. The first capability aims at long-term improvements by leveraging identified and captured cyber risks within existing SC partnerships. In contrast, the second capability aims to change SC design and substitute existing SC partners. Table 4 summarizes the key constructs from the empirical evidence that form the basis for the identified transforming capabilities.

Prioritizing long-term cyber risk-related supply chain collaboration

The dichotomy of SC collaboration between seizing and transforming microfoundations lies in their temporal focuses. While the former is primarily concerned with immediate adjustments, the latter is oriented toward long-term aspects. Although cyber risks are a significant concern for most case companies, the severity of these risks experienced by the case companies did not require SC reconfiguration across all companies due to limited impacts, mainly on the availability of SC assets. The study’s findings suggest that companies need to cultivate a strategic, long-term collaboration with SC partners to initiate transformative change. Such change requires extensive coordination and realignment of various processes, resources and capabilities to address cyber risks and build SCCR comprehensively. An example of this strategy was provided by the sales manager of Supplier-InsSC1, who reported on the changes initiated after a cyber attack:

SC data, such as communication, we have newly established a whole department, we also had one person taking care of it before, but now there is a whole staff attached to it. This means, of course, that professionalism has now been raised to another level. Before that, we had one person who was responsible. A team expanded this person. We have worked a lot with external people who also advised us. But now we have a permanent department, a small group, which has the whole store in view, as far as the topic is concerned. They always need to be notified when something happens around us. They certainly have a concept that addresses the environment and our partners.

Establishing dedicated units or teams indicates a proactive stance to cyber risks. Such forward-looking approaches underscore the recognition that cyber threats are an ongoing, evolving challenge that warrants consistent attention rather than sporadic responses. It also signals the company’s commitment to protecting its SC from potential cyber disruptions, fostering trust among partners and demonstrating a willingness to adapt and evolve in an increasingly digital landscape.

Enhancing cyber risk-related supply chain reconfiguration

While SC collaboration emerges as the preferred capability for transforming, the current study emphasizes the need for SC reconfiguration when existing arrangements prove insufficient to strengthen SCCR. This perspective is evident in the comments of CriCo’s IT security manager, who states:

If the supplier does not adhere to the IT security specifications, for example. So, if we have agreed on certain rules, how he must keep or protect his data, or how he must perform services as we do, he does not adhere to them. And we communicate that with him, and he still does not do that. So, as I said, we were on the verge of kicking someone out anyway.

Such a determined stance underscores the centrality of cyber risk management in today’s digitalized business landscape.

Given the specialized nature of cyber risk-related activities, they often require expertise that SC managers may lack but can easily be provided by other internal departments, such as IT, IT security or CERT. By merging SCM and cybersecurity expertise, companies can develop a holistic approach that effectively combats potential cyber vulnerabilities and threats. Therefore, organizing cyber risk-related SC activities in collaboration with internal and external cyber security experts is crucial for building SCCR.

In this study, we find that procurement strategies may need to be reconfigured when cyber risk considerations take a key position alongside other established criteria such as price and quality. This shift underscores the growing importance of cybersecurity in contemporary SCM. It suggests that price competitiveness and product quality alone can no longer be the only determinants of SC partnerships. Therefore, it is critical to implement a recurring process to reconfigure SC processes identified in sensing and seizing to manage cyber risks effectively. In light of these findings, there is a need to establish a cyclical process whereby the SC processes identified in the detection and capture phase are periodically reviewed and, if necessary, reconfigured. Such recurring assessments will ensure that the SC remains agile, adaptable and adequately equipped to proactively address the ever-changing cyber risk landscape.

Supply chain cyber risk-related sensing capabilities

The present research emphasizes that the foundation of building SCCR lies in fostering awareness and generating extensive knowledge regarding the specific nature and potential implications of cyber risks in the SC. Given the inherent complexity and far-reaching implications of cyber risks, which may potentially impact all partners and assets across the SC, this knowledge creation process presents unique challenges that stand apart from the acquisition of information pertaining to conventional SC risks, as delineated in the existing literature (Ali et al., 2023, Scholten et al., 2019).

This study, therefore, not only substantiates the existing body of SCRES research, that knowledge creation serves as a cornerstone of strengthening SCRES (Scholten and Schilder, 2015; Umar et al., 2021), but further elucidates the necessity of acquiring specialized knowledge about SC cyber risks. This is a novel contribution as this specific facet of knowledge creation is seldom addressed in the existing literature. The research findings emphasize the importance of including specific information about cyber threats and risks and their potential impacts in SC knowledge creation to enhance SCCR. The empirical findings allow the introduction of the following proposition:

The research underscores that, as SC visibility enhances SCRES in general (Scholten and Schilder, 2015; Mubarik et al., 2021), it becomes crucial to increase SC visibility to generate knowledge about SC cyber risks. This is particularly important considering the widespread cascading effects and lateral movement characteristic of cyber risks. Colicchia et al. (2019) highlighted visibility’s role in managing cyber risks, and it is a necessary condition for responding to risks, which is thereby critical for SCRES (Pettit et al., 2010). Moreover, the potential of SC visibility in mitigating cascading effects and lateral movements that characterize cyber risks extends the traditional scope of visibility’s contribution, as identified by Melnyk et al. (2022).

These findings extend the existing understanding of SC visibility in SCRES building by elucidating its amplified importance in the context of SC cyber risks. While previous literature underscored visibility’s role in enhancing general SCRES, this study reveals its more pronounced role in managing cyber risks. Moreover, visibility’s potential in mitigating the characteristic cascading effects and lateral movements of cyber risks extends the traditional scope of visibility’s contribution. Thus, the study deepens the discourse on SC visibility, highlighting its significant role in sensing capabilities for building SCCR, a novel contribution to the existing body of knowledge, which leads to the following proposition:

The study underlines that while mutual understanding and knowledge generation along the SC is essential, the unique challenges posed by cyber risks demand more proactive measures. Namely, it is crucial to integrate and distribute external cyber risk-related information and to share it proactively with SC partners. The necessity for this level of information sharing is underscored by the fact that a wealth of publicly accessible information regarding cyber risks exists, and any of these risks could pose a potential threat anywhere along the SC.

This finding not only reinforces but further expands the discussion of Colicchia et al. (2019) regarding sharing knowledge through threat intelligence. It moves the conversation from a broad consideration of knowledge sharing to a more focused exploration of sharing cyber risk-related information specifically. Furthermore, the study aligns with previous work, recognizing that resilience to cyber risks in the SC improves through knowledge sharing across the SC (Radanliev et al., 2020). This is especially true for cooperation with small- and medium-sized enterprises (Bak et al., 2020). However, what sets this study apart is its emphasis on integrating external cyber threat information and its proactive dissemination amongst SC partners. This notion is relatively unexplored in the current literature. Therefore, this research offers a unique insight into the nuances of information sharing in building SCCR. This leads to the introduction of the following proposition:

Supply chain cyber risk-related seizing capabilities

Our research uncovers that proactive SC collaboration is fundamental in building seizing capabilities, indicating that firms should collaboratively manage detected cyber risks within the SC. Our findings, built on previous resilience research that identified SC collaboration as a key strategy for addressing SC risks (Scholten and Schilder, 2015; Scholten et al., 2019; Tran et al., 2016), bring new emphasis to its role, specifically in addressing cyber risks. We further propose integrating track-and-trace processes and complaint procedures concerning upstream and downstream SC partners throughout the product lifecycle. Our work aligns with recent insights from Colicchia et al. (2019) and Ghadge et al. (2019) on the effectiveness of SC risk management in bolstering SCRES to cyber risks. In addition, we emphasize the efficiency of task forces and recovery plans, particularly during the postdisruption phase (Creazza et al., 2022). These unique additions to the existing body of knowledge create a compelling new perspective in understanding the complexities of building seizing capabilities for SCCR. Therefore, we propose that proactive SC collaboration to address sensed cyber threats and risks improves seizing capabilities for building SCCR. This discussion leads to the following proposition:

Building on the existing body of work (Gligor et al., 2019; Aslam et al., 2020; Chunsheng et al., 2020), our research further accentuates the criticality of SC flexibility, agility and redundancy, specifically in the realm of cyber risks. We posit that, in the face of cyber threats, these capabilities need to be fine-tuned and implemented to enhance SCCR effectively. Our findings elucidate how response diversity and functional diversity emerge as key strategies for addressing sensed cyber risks, mainly due to the pervasive disruptions they can inflict. While the previous work by Ghadge et al. (2019) and Melnyk et al. (2022) underscored the role of SC flexibility in managing cyber risks, the specific context of cyber risks was not elaborately discussed. By placing these capabilities within the unique context of cyber risk, we contribute a novel perspective to the discourse. Based on this, the following proposition is suggested:

This study accentuates the importance of fostering a culture that perceives cyber risks as a holistic SC issue rather than a standalone departmental responsibility. Our findings converge with previous research emphasizing the role of SC orientation and SC risk management culture (Chowdhury and Quaddus, 2016) and the significance of shared norms and common culture in mitigating cyber risks (Colicchia et al., 2019). In addition, acknowledging cyber security as an overarching SC issue (Melnyk et al., 2022) resonates with our findings. Despite SC awareness being widely recognized in SCRES literature as a sensing activity (Datta et al., 2007; Sáenz and Revilla, 2014), our study underscores that cyber risk awareness is more pivotal as a seizing activity. We argue that this stems from the observation that while managers are generally aware of cyber risks, these threats are not always integrated into their work environment. Consequently, cultivating an SC cyber risk culture can support practitioners. This leads to the following proposition:

Supply chain cyber risk-related transforming capabilities

The empirical evidence from this study underscores the pivotal role of sustained SC collaboration in tackling immediate and long-term cyber risks. This observation is consistent with the previous literature that emphasized the necessity of resource transformation for improving SCRES against various threats (Blackhurst et al., 2005; Ambulkar et al., 2015; Al Naimi et al., 2021). The proactive alignment and transformation of SC resources and capabilities through sustained collaboration heralds a strategic shift from merely responding to risks toward anticipating, and, thus, more effectively mitigating, potential cyber threats in the SC. While Ghadge et al. (2019), Creazza et al. (2022) and Melnyk et al. (2022) have focused on managing cyber risks in SCs, our work delves into the details of resource transformation within the specific context of cyber risks. Therefore, the insights yielded from this study add new dimensions to our understanding of SCCR, emphasizing the importance of long-term collaboration and strategic resource transformation in enhancing it. Based on this discussion, the following proposition is suggested:

The empirical findings of this study underscore the inherent role of trust and collaboration in today’s SC dynamics, emphasizing the need for strategic SC reconfiguration rather than just reactionary changes to enhance SCCR. This perspective complements existing literature on SCRES, which traditionally focuses on adjusting existing resources and capabilities to respond to risks (Ambulkar et al., 2015; Pettit et al., 2010). The reality of contemporary SCs, with complex and evolving cyber risks, necessitates a more proactive, transformative approach to managing such threats. SC managers often lack specific knowledge about cyber risks. Therefore, it is essential to incorporate external expertise into the SC and forge novel resource combinations. This entails the necessity of a long-term vision for SC cyber risk culture that supports innovative resource reconfigurations and integrates the criterion of cyber risk into the decision-making process. Moreover, to fulfill the requirements of sensed and seized SC cyber risks, there is a need to rethink the SC design itself. This includes integrating new SC partners that align with the imperative of cyber risk management and, where necessary, replacing existing partners who may not fit this new paradigm. Consequently, the findings of this study expand upon previous literature by highlighting the importance of a holistic reconfiguration of the SC in the face of cyber threats and risks. This leads to the following proposition:

Based on this discussion, we developed a conceptual model (see Figure 2) demonstrating the relationship between DC and SCCR. There are several conceptual models on SCRES in general (Christopher and Peck, 2004; Pettit et al., 2010; Chowdhury and Quaddus, 2016), but to the extent of our knowledge, our conceptualization of the relationship between DC and SCCR provides a new direction for research and scholarship on a better understanding of improving SCCR.

Theoretical implications

This research enriches the academic discourse on SCRES by incorporating DC theory, thereby producing notable theoretical advancements. First, by contextualizing DC theory within the framework of SCRES, we provide nuanced interpretations of conventional DCs – sensing, seizing and transforming. Specifically, we adapt these interpretations to the challenges posed by cyber risk in the SC and shed light on their nuanced role in this particular context. Second, the study goes beyond the traditional understanding of DC by unveiling innovative capabilities specifically designed for cyber risk management. These capabilities address the subtleties and complexities unique to cyber threats and represent a significant theoretical extension of the general DC framework. Third, the temporal dimension of our study is emphasized by examining SC collaboration. We emphasize its role as a long-term mechanism that plays a central role across the SC. Rather than viewing SC collaboration merely as a static capability, we present it as an evolving and dynamic process within SCRES. This highlights the importance of time and progress in DC theory and also shows how SC collaboration evolves and adapts over time in response to the ever-changing landscape of cyber threats. Fourth, this research introduces a temporal view of SCRES by detailing the consecutive processes associated with sensing, seizing and transforming capabilities, suggesting resilience as a dynamic property of SCs that evolves, matures and strengthens over time in response to cyber threats. Finally, the study underscores the importance of integrating cyber security expertise in building SCCR, marking a pivotal advancement in both SCRES and DC theory by recognizing the necessity of cross-disciplinary expertise. Collectively, these theoretical implications provide a refined understanding of SCRES through the lens of DC theory while opening avenues for future research.

In addition, this study contributes to discussions about SCRES in general and specifically emphasizing the rising prevalence of cyber risks. First, we revealed that cyber risks, differing from traditional SC threats, demand agile and different responses by leveraging and sharpening sensing and seizing capabilities. Sensing involves activities to identify and assess the relevant SC cyber risks and complement externally available cyber risk-related information. This aligns and contextualizes the sensing approach in Teece’s (2007) conceptual model. Second, the seizing capabilities to address cyber risks in SCs involves short-term SC collaboration and flexibility supported by a cyber risk culture. This definition complements Teece’s (2007) concept of seizing and positions it in the context of SCCR. Third, transforming capabilities support long-term changes for addressing sensed and seized SC cyber risks. After addressing cyber risks in the short-term, favorable circumstances that stimulate long-term changes typically vanish once the SC risk is addressed. To stimulate transformation in the DC framework, it is proposed that SCs develop the capacity to maintain long-term changes using SC collaboration and reconfiguration.

DC theory is often criticized for its ambiguity (Ambrosini and Bowman, 2009) and lack of empirical practices (Wang and Ahmed, 2007), which is countered by Sunder et al. (2019). However, this empirical research demonstrates overcoming these limitations and increasing DC’s explanatory capacity for SCCR. This approach also encourages further theoretical elaboration in SCRES. Furthermore, this study demonstrates that the DC framework suits deploying SCRES and addressing specific SC risks. Finally, combined with SCRES to particular SC risks, the DC framework can also be applied to other SC contexts.

Managerial implications

The results of this research have practical insights for managers both within the case studies and across other SCs. The DCs detailed in this study serve as pivotal elements for establishing SCCR, providing managers with targeted focal points to confront cyber risks. By using the DC framework, practitioners can effectively identify, prioritize and sequence practices, leveraging the interdependencies of the microfoundations. Importantly, this study underscores the need for the co-evolution of resources and capabilities amongst SC partners to foster SCCR, thus, emphasizing the role of inter-organizational collaboration.

Practically, the study underscores the unique characteristics of managing cyber risks, distinguishing it from conventional SC risks. In the face of cyber threats, reliance on IT security expertise becomes crucial, necessitating internal resources or external collaboration. To reduce the reliance on IT security, managers could consider establishing dedicated cyber threat teams to monitor emerging risks and work closely with all SC partners. Simultaneously, it highlights the significance of ongoing education and training for all managerial personnel to enhance comprehension and responsiveness to SC cyber risks. This could translate into quarterly cyber training that is updated based on the latest threats and vulnerabilities, ensuring that executives stay ahead of the curve in their defense strategies. Ultimately, these findings confirm that SC cyber risks require a mix of general SCRES capabilities and specialized competencies to address cyber threats. Consequently, SCM should be willing to explore innovative paths and restructure processes for building SCCR (see Oke and Nair, 2023).

In addition, the unique nature of cybersecurity implies that traditional collaboration and integration strategies may need to be adapted or expanded. For instance, information sharing between SC partners becomes even more critical due to the potential for cyber threats to impact multiple areas simultaneously. Enhanced trust and transparency, along with specific agreements on cyber security standards, could also become important factors in successful collaborations. For example, Woelfl et al. (2023) report on a supplier who, during negotiations, promised machinery delivery but concealed a cyber attack affecting their construction plans. Such behavior can permanently damage the collaboration between suppliers and buyers. Similarly, technological integration might require additional attention to secure connectivity, using solutions such as advanced encryption and secure access controls. Thus, in the cybersecurity context, collaboration and integration, which are central to SCRES, take on new dimensions and requirements for building SCCR. Based on this, managers can use proven cybersecurity solutions for encryption and access control features to ensure that their SC is protected from cyber threats.

Limitations and future research

In addition to its implications, this study has limitations that provide opportunities for future research. First, SC cyber risks offer an exciting research avenue due to their characteristics and the potential for a massive and distinct effect on SCs compared to the conventional risks discussed in the literature. Second, it would be interesting to study further SCs that experienced a cyber incident impacting SC assets’ availability, confidentiality and integrity, such as the SolarWinds cyber attack in 2021.

The rising reliance on digital SC assets and the dynamic environment certainly creates new opportunities for cybercriminals. Therefore, it is unclear what the future might hold, especially regarding the long-term impacts. In addition, the temporal characteristics of the dynamic environment surrounding cyber risks allow for longitudinal analysis of cyber risks in SCs. Therefore, scholars are invited to study trends related to cyber risks in SCs. This will help examine novel DCs so that SCRES practices to address cyber risks can inspire SC transformation. Finally, this study discusses the SCRES of European industrial SCs in the face of cyber risks. Although the proposed taxonomy has value for the SCRES discourse, future research is needed to elaborate on the performance of an SC with resilience to cyber risks.