Search results
1 – 10 of over 6000
Abhijeet Ghadge, Maximilian Weiß, Nigel D. Caldwell and Richard Wilding
Abstract
Purpose
In spite of growing research interest in cyber security, inter-firm based cyber risk studies are rare. Therefore, this study aims to investigate cyber risk management in supply chain contexts.
Design/methodology/approach
Adapting a systematic literature review process, papers from interdisciplinary areas published between 1990 and 2017 were selected. Different typologies, developed for conducting descriptive and thematic analysis, were established using data mining techniques to conduct a comprehensive, replicable and transparent review.
Findings
The review identifies multiple future research directions for cyber security/resilience in supply chains. A conceptual model is developed, which indicates a strong link between information technology, organisational and supply chain security systems. The human/behavioural elements within cyber security risk are found to be critical; however, behavioural risks have attracted less attention because of a perceived bias towards technical (data, application and network) risks. There is a need for raising risk awareness, standardised policies, collaborative strategies and empirical models for creating supply chain cyber-resilience.
Research limitations/implications
Different types of cyber risks and their points of penetration, propagation levels, consequences and mitigation measures are identified. The conceptual model developed in this study drives an agenda for future research on supply chain cyber security/resilience.
Practical implications
A multi-perspective, systematic study provides a holistic guide for practitioners in understanding cyber-physical systems. The cyber risk challenges and the mitigation strategies identified support supply chain managers in making informed decisions.
Originality/value
To the best of the authors’ knowledge, this is the first systematic literature review on managing cyber risks in supply chains. The review defines supply chain cyber risk and develops a conceptual model for supply chain cyber security systems and an agenda for future studies.
Abel Yeboah-Ofori, Cameron Swart, Francisca Afua Opoku-Boateng and Shareeful Islam
Abstract
Purpose
Cyber resilience in cyber supply chain (CSC) systems security has become inevitable as attacks, risks and vulnerabilities increase in real-time critical infrastructure systems with little time for system failures. Cyber resilience approaches ensure the ability of a supply chain system to prepare, absorb, recover and adapt to adverse effects in the complex CPS environment. However, threats within the CSC context can pose a severe disruption to the overall business continuity. The paper aims to use machine learning (ML) techniques to predict threats on cyber supply chain systems, improve cyber resilience that focuses on critical assets and reduce the attack surface.
Design/methodology/approach
The approach follows two main cyber resilience design principles that focus on common critical assets and reduce the attack surface for this purpose. ML techniques are applied to various classification algorithms to learn a dataset for performance accuracies and threats predictions based on the CSC resilience design principles. The critical assets include Cyber Digital, Cyber Physical and physical elements. We consider Logistic Regression, Decision Tree, Naïve Bayes and Random Forest classification algorithms in a Majority Voting to predicate the results. Finally, we mapped the threats with known attacks for inferences to improve resilience on the critical assets.
Findings
The paper contributes to CSC system resilience based on the understanding and prediction of the threats. The result shows a 70% performance accuracy for the threat prediction with cyber resilience design principles that focus on critical assets and controls and reduce the threat.
Research limitations/implications
Therefore, there is a need to understand and predicate the threat so that appropriate control actions can ensure system resilience. However, due to the invincibility and dynamic nature of cyber attacks, there are limited controls and attributions. This poses serious implications for cyber supply chain systems and its cascading impacts.
Practical implications
ML techniques are used on a dataset to analyse and predict the threats based on the CSC resilience design principles.
Social implications
There are no social implications; rather, it has serious implications for organizations and third-party vendors.
Originality/value
The originality of the paper lies in the fact that cyber resilience design principles that focus on common critical assets are used including Cyber Digital, Cyber Physical and physical elements to determine the attack surface. ML techniques are applied to various classification algorithms to learn a dataset for performance accuracies and threats predictions based on the CSC resilience design principles to reduce the attack surface for this purpose.
Shipra Pandey, Rajesh Kumar Singh, Angappa Gunasekaran and Anjali Kaushik
Abstract
Purpose
The purpose of this study is to examine cyber security risks in globalized supply chains (SCs). It has been seen to have a greater impact on the performance of SCs. The information and communication technology of a firm, which enhances the efficiency and effectiveness in the SC, could simultaneously be the cause of vulnerabilities and exposure to security threats. Researchers have primarily focussed on the cyber-physical system (CPS) vulnerabilities impacting SC. This paper tries to categorize the cyber security risks occurring because of the SCs operating in CPS.
Design/methodology/approach
Based on the flow of information along the upstream and downstream SC, this paper tries to identify cyber security risks in the global SCs. It has further tried to categorize these cyber security risks from a strategic point of view.
Findings
This paper tries to identify the various cyber security risks and cyber-attacks in globalized SC for improving the performance. The 16 cyber security risks have been categorized into three categories, namely, supply risk, operational risk and demand risk. The paper proposes a framework consisting of different cyber-attacks across the information that flows in global SCs along with suitable mitigation strategies.
Research limitations/implications
The paper presents the conceptual model of cyber security risks and cyber-attacks in globalized SCs based on literature review and industry experts. Further validation and scale development of these risks can be done through empirical study.
Practical implications
This paper provides significant managerial insights by developing a framework for understanding the cyber security risks in terms of the drivers of these risks and how to deal with them. From a managerial perspective, this framework can be used as a decision-making process while considering different cyber security risks across the stages of globalized SCs.
Originality/value
The major contribution of this study is the identification and categorization of cyber security risks across the global SCs in the digital age. Thus, this paper introduces a new phenomenon to the field of management that has the potential to investigate new areas of future research. Based on the categorization, the paper provides insights on how cyber security risks impact the continuity of SC operations.
Claudia Colicchia, Alessandro Creazza and David A. Menachof
Abstract
Purpose
The purpose of this paper is to explore how companies approach the management of cyber and information risks in their supply chain, what initiatives they adopt to this aim, and to what extent along the supply chain. In fact, the increasing level of connectivity is transforming supply chains, and it creates new opportunities but also new risks in the cyber space. Hence, cyber supply chain risk management (CSCRM) is emerging as a new management construct. The ultimate aim is to help organizations in understanding and improving the CSCRM process and cyber resilience in their supply chains.
Design/methodology/approach
This research relied on a qualitative approach based on a comparative case study analysis involving five large multinational companies with headquarters, or branches, in the UK.
Findings
Results highlight the importance for CSCRM to shift the viewpoint from the traditional focus on companies’ internal information technology (IT) infrastructure, able to “firewall themselves” only, to the whole supply chain with a cross-functional approach; initiatives for CSCRM are mainly adopted to “respond” and “recover” without a well-rounded approach to supply chain resilience for a long-term capacity to adapt to changes according to an evolutionary approach. Initiatives are adopted at a firm/dyadic level, and a network perspective is missing.
Research limitations/implications
This paper extends the current theory on cyber and information risks in supply chains, as a combination of supply chain risk management and resilience, and information risk management. It provides an analysis and classification of cyber and information risks, sources of risks and initiatives to managing them according to a supply chain perspective, along with an investigation of their adoption across the supply chain. It also studies how the concept of resilience has been deployed in the CSCRM process by companies. By laying the first empirical foundations of the subject, this study stimulates further research on the challenges and drivers of initiatives and coordination mechanisms for CSCRM at a supply chain network level.
Practical implications
Results invite companies to break the “silos” of their activities in CSCRM, embracing the whole supply chain network for better resilience. The adoption of IT security initiatives should be combined with organisational ones and extended beyond the dyad. Where applicable, initiatives should be bi-directional to involve supply chain partners, remove the typical isolation in the CSCRM process and leverage the value of information. Decisions on investments in CSCRM should involve also supply chain managers according to a holistic approach.
Originality/value
A supply chain perspective in the existing scientific contributions is missing in the management of cyber and information risk. This is one of the first empirical studies dealing with this interdisciplinary subject, focusing on risks that are now very high in the companies’ agenda, but still overlooked. It contributes to theory on information risk because it addresses cyber and information risks in massively connected supply chains through a holistic approach that includes technology, people and processes at an extended level that goes beyond the dyad.
Alessandro Creazza, Claudia Colicchia, Salvatore Spiezia and Fabrizio Dallari
Abstract
Purpose
The purpose of this paper is to explore the perceptions of supply chain managers regarding the elements that make up cyber supply chain risk management (CSCRM) and the related level of alignment, to understand how organizations can deploy a CSCRM strategy that goes beyond the technical, internal functioning of single companies and moves beyond the dyad, to create a better alignment that can ultimately lead to improved cyber supply chain resilience.
Design/methodology/approach
An exploratory survey in the fast-moving consumer goods (FMCG) industry involving over 100 organizations in Italy was conducted. Results were analysed through one-way analysis of variance, to appraise the differences in the perceptions of the various actors of the FMCG supply chain (Manufacturers, Logistics Service Providers, Retailers).
Findings
While a certain degree of alignment of the perceptions across the FMCG supply chain exists, the study found that Logistics Service Providers can play a crucial role as orchestrators of the CSCRM process towards a more “supply chain-oriented” response to cyber threats and risk events. The research also highlights the necessity to see people as key elements for improving cyber resilience in the supply chain.
Research limitations/implications
Through a vertical analysis of a supply chain, the study extends the existing theory on CSCRM, which contains isolated case studies. It also contributes to extending the current theory with the proposal of the paradigm of Logistics Service Providers as orchestrators of the CSCRM process. The study combines different classifications of CSCRM initiatives and embraces theories external to the supply chain literature.
Practical implications
Through the empirical analysis, this study helps practitioners in streamlining the design of cyber security strategies and actions that span across the supply chain for better alignment. This could mean more coordination of efforts and more targeted/accurate investments in CSCRM initiatives. The study invites practitioners to ponder the perceived relevance of the human factor as a source of risk and the perceived importance of countermeasures aimed at mitigating risk events stemming from that source.
Originality/value
By focusing on an entire supply chain, this is one of the first studies on CSCRM that goes beyond the dyad. Its originality also lies in its use of the investigations of perceptions along the supply chain as pillars for the alignment of CSCRM strategies and mitigation initiatives. This original perspective allows for discovering the role of Logistics Service Providers in driving the alignment of the efforts towards better outcomes of the CSCRM process.
Luca Urciuoli, Sangeeta Mohanty, Juha Hintsa and Else Gerine Boekesteijn
Abstract
Purpose
The purpose of this paper is to enhance the understanding about how energy supply chains work to build resilience against exogenous security threats and thereafter what support mechanisms should be introduced or improved by the European Union.
Design/methodology/approach
Five case studies and data collection from multiple sources are used to understand what exogenous security threats could lead to the disruption of oil and gas flows to Europe, how energy companies, from a supply chain perspective, are working to manage these threats and finally, how the EU may coordinate the security of the energy sector in collaboration with supply chain companies.
Findings
Results show that today, oil and gas supply chains have in place a good combination of disruption strategies, including portfolio diversification, flexible contracts, transport capacity planning and safety stocks. The most relevant security threats the companies fear include hijacking of vessels (sea piracy), but also terrorism and wars. Finally, the study highlights that the European Union has built a comprehensive portfolio of strategies to deal with scarcity of oil and gas resources. However, these approaches are not often synchronized with supply chain strategies.
Practical implications
The paper provides guidance for supply chain managers dealing with critical suppliers located in conflict environments. The paper recommends that supply chain managers fine tune their strategies in coordination with governmental actions in foreign politics, dependence reduction and crisis management. This may be achieved by closer communication with governments and potentially through the creation of a pan-European sector alliance.
Originality/value
Previous research discusses the topic of supply chain resilience and supply chain risk management. However, none of these studies report on exogenous security threats and disruption strategies of oil and gas supply chains. At the same time, previous research lacks detailed studies describing the interaction between governments and energy supply chains.
Abel Yeboah-Ofori and Francisca Afua Opoku-Boateng
Abstract
Purpose
Various organizational landscapes have evolved to improve their business processes, increase production speed and reduce the cost of distribution and have integrated their Internet with small and medium scale enterprises (SMEs) and third-party vendors to improve business growth and increase global market share, including changing organizational requirements and business process collaborations. Benefits include a reduction in the cost of production, online services, online payments, product distribution channels and delivery in a supply chain environment. However, the integration has led to an exponential increase in cybercrimes, with adversaries using various attack methods to penetrate and exploit the organizational network. Thus, identifying the attack vectors in the event of cyberattacks is very important in mitigating cybercrimes effectively and has become inevitable. However, the invincibility nature of cybercrimes makes it challenging to detect and predict the threat probabilities and the cascading impact in an evolving organization landscape leading to malware, ransomware, data theft and denial of service attacks, among others. The paper explores the cybercrime threat landscape, considers the impact of the attacks and identifies mitigating circumstances to improve security controls in an evolving organizational landscape.
Design/methodology/approach
The approach follows two main cybercrime framework design principles that focus on existing attack detection phases and proposes a cybercrime mitigation framework (CCMF) that uses detect, assess, analyze, evaluate and respond phases and subphases to reduce the attack surface. The methods and implementation processes were derived by identifying an organizational goal, attack vectors, threat landscape, identification of attacks and models and validation of framework standards to improve security. The novelty contribution of this paper is threefold: first, the authors explore the existing threat landscapes, various cybercrimes, models and the methods that adversaries are deploying on organizations. Second, the authors propose a threat model required for mitigating the risk factors. Finally, the authors recommend control mechanisms in line with security standards to improve security.
Findings
The results show that cybercrimes can be mitigated using a CCMF to detect, assess, analyze, evaluate and respond to cybercrimes to improve security in an evolving organizational threat landscape.
Research limitations/implications
The paper does not consider the organizational size between large organizations and SMEs. The challenges facing the evolving organizational threat landscape include vulnerabilities brought about by the integrations of various network nodes. Factors influencing these vulnerabilities include inadequate threat intelligence gathering, a lack of third-party auditing and inadequate control mechanisms leading to various manipulations, exploitations, exfiltration and obfuscations.
Practical implications
Attack methods are applied to a case study for the implementation to evaluate the model based on the design principles. Inadequate cyber threat intelligence (CTI) gathering, inadequate attack modeling and security misconfigurations are some of the key factors leading to practical implications in mitigating cybercrimes.
Social implications
There are no social implications; however, cybercrimes have severe consequences for organizations and third-party vendors that integrate their network systems, leading to legal and reputational damage.
Originality/value
The paper’s originality considers mitigating cybercrimes in an evolving organization landscape that requires strategic, tactical and operational management imperative using the proposed framework phases, including detect, assess, analyze, evaluate and respond phases and subphases to reduce the attack surface, which is currently inadequate.
Andreas Wieland, Mark Stevenson, Steven A. Melnyk, Simin Davoudi and Lisen Schultz
Abstract
Purpose
This article seeks to broaden how researchers in supply chain management view supply chain resilience by drawing on and integrating insights from other disciplines – in particular, the literature on the resilience of social-ecological systems.
Design/methodology/approach
Before the authors import new notions of resilience from outside the discipline, the current state of the art in supply chain resilience research is first briefly reviewed and summarized. Drawing on five practical examples of disruptive events and challenges to supply chain practice, the authors assess how these examples expose gaps in the current theoretical lenses. These examples are used to motivate and justify the need to expand our theoretical frameworks by drawing on insights from the literature on social-ecological systems.
Findings
The supply chain resilience literature has predominantly focused on minimizing the consequences of a disruption and on returning to some form of steady state (often assumed to be identical to the state that existed prior to the disruption) implicitly assuming the supply chain behaves like an engineered system. This article broadens the debate around supply chain resilience using literature on social-ecological systems that puts forward three manifestations of resilience: (1) persistence, which is akin to an engineering-based view, (2) adaptation and (3) transformation. Furthermore, it introduces seven principles of resilience thinking that can be readily applied to supply chains.
Research limitations/implications
A social-ecological interpretation of supply chains presents many new avenues of research, which may rely on the use of innovative research methods to further our understanding of supply chain resilience.
Practical implications
The article encourages managers to think differently about supply chains and to consider what this means for their resilience. The three manifestations of resilience are not mutually exclusive. For example, while persistence may be needed in the initial aftermath of a disruption, adaptation and transformation may be required in the longer term.
Originality/value
The article challenges traditional assumptions about supply chains behaving like engineered systems and puts forward an alternative perspective of supply chains as being dynamic and complex social-ecological systems that are impossible to entirely control.
Muhammad Naveed Khan, Pervaiz Akhtar and Yasmin Merali
Abstract
Purpose
The purpose of this paper is to investigate the knowledge gaps in the published research on terrorism-related risk in supply chains, and to develop a framework of strategies and effective decision-making to enable practitioners to address terrorism-related risks in supply chain risk management (SCRM) and security.
Design/methodology/approach
The study adopts a novel combination of triangulated methods comprising a systematic literature review (SLR), text mining and network analysis. These methods have not been jointly utilized in past studies, and the approach constitutes a rigorous methodology that cross-validates results and ensures the reliability and validity of qualitative data.
Findings
The study reveals a number of key themes in the field of SCRM and security linked with terrorism. The authors identify relevant mitigation strategies and practices for effective strategic decision making. This subsequently leads us to develop a strategic framework of strategies and effective decision-making practices to address terrorism-related risk, affecting SCRM and security. The authors also identify key knowledge gaps in the literature and explore the main contributions by disciplines (e.g. business schools, engineering and maritime institutions) and countries.
Practical implications
The authors provide a strategic framework of strategies and effective decision-making practices that managers can use to minimize terrorism-related risk in the context of SCRM and security.
Originality/value
This paper introduces a novel methodological combination for improving the quality of SLRs. It uses the approach to systematically review the strategies and effective decision-making practices interlinked with terrorism risk, affecting SCRM and security. It identifies significant knowledge gaps and defines directions for future research.
Hui Shan Loh, Vinh Van Thai, Yiik Diew Wong, Kum Fai Yuen and Qingji Zhou
Abstract
Purpose
The purpose of this paper is to provide a risk assessment of port-centric threats that may have adverse effects on supply chain continuity from the perspectives of port operators and port users, thereby determining the significance of these threats to supply chain disruptions.
Design/methodology/approach
Drawing on literature review and reported cases, 19 port-centric disruptive events were identified. Subsequently, surveys were conducted to collect data from 102 port operators and 123 port users worldwide on the frequencies and consequences of the identified port-centric disruptive events. Risk matrices were then generated to compare the perspectives of port operators and port users.
Findings
The results show that threats related to the planning of port resources require the highest level of attention. This highlights important areas for port managers seeking to improve port resilience and supply chain continuity through a more prudent management of risks.
Research limitations/implications
The results help port managers understand where they should establish strategic capability to increase port resilience and enhance sustainability to benefit port users. However, the study could be further enhanced by evaluating the threats based on different regions of ports and port users and making recommendations for port operators to undertake.
Originality/value
The findings of this paper are significant as they provide an analysis of data gathered from international port operators and port users. Risk matrices have been widely applied in many industries, yet no studies have been conducted to develop a portfolio of port-centric risks at a scale as large as this paper.