Search results

1 – 10 of over 3000
Content available
Article
Publication date: 17 May 2021

Alessandro Creazza, Claudia Colicchia, Salvatore Spiezia and Fabrizio Dallari

The purpose of this paper is to explore the perceptions of supply chain managers regarding the elements that make up cyber supply chain risk management (CSCRM) and the…

Abstract

Purpose

The purpose of this paper is to explore the perceptions of supply chain managers regarding the elements that make up cyber supply chain risk management (CSCRM) and the related level of alignment, to understand how organizations can deploy a CSCRM strategy that goes beyond the technical, internal functioning of single companies and moves beyond the dyad, to create a better alignment that can ultimately lead to improved cyber supply chain resilience.

Design/methodology/approach

An exploratory survey in the fast-moving consumer goods (FMCG) industry involving over 100 organizations in Italy was conducted. Results were analysed through one-way analysis of variance, to appraise the differences in the perceptions of the various actors of the FMCG supply chain (Manufacturers, Logistics Service Providers, Retailers).

Findings

While a certain degree of alignment of the perceptions across the FMCG supply chain exists, the study found that Logistics Service Providers can play a crucial role as orchestrators of the CSCRM process towards a more “supply chain-oriented” response to cyber threats and risk events. The research also highlights the necessity to see people as key elements for improving cyber resilience in the supply chain.

Research limitations/implications

Through a vertical analysis of a supply chain, the study extends the existing theory on CSCRM, which contains isolated case studies. It also contributes to extending the current theory with the proposal of the paradigm of Logistics Service Providers as orchestrators of the CSCRM process. The study combines different classifications of CSCRM initiatives and embraces theories external to the supply chain literature.

Practical implications

Through the empirical analysis, this study helps practitioners in streamlining the design of cyber security strategies and actions that span across the supply chain for better alignment. This could mean more coordination of efforts and more targeted/accurate investments in CSCRM initiatives. The study invites practitioners to ponder the perceived relevance of the human factor as a source of risk and the perceived importance of countermeasures aimed at mitigating risk events stemming from that source.

Originality/value

By focusing on an entire supply chain, this is one of the first studies on CSCRM that goes beyond the dyad. Its originality also lies in its use of the investigations of perceptions along the supply chain as pillars for the alignment of CSCRM strategies and mitigation initiatives. This original perspective allows for discovering the role of Logistics Service Providers in driving the alignment of the efforts towards better outcomes of the CSCRM process.

Details

Supply Chain Management: An International Journal, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 1359-8546

Keywords

To view the access options for this content please click here
Article
Publication date: 17 January 2020

Shipra Pandey, Rajesh Kumar Singh, Angappa Gunasekaran and Anjali Kaushik

The purpose of this study is to examine cyber security risks in globalized supply chains (SCs). It has been seen to have a greater impact on the performance of SCs. The…

Abstract

Purpose

The purpose of this study is to examine cyber security risks in globalized supply chains (SCs). It has been seen to have a greater impact on the performance of SCs. The information and communication technology of a firm, which enhances the efficiency and effectiveness in the SC, could simultaneously be the cause of vulnerabilities and exposure to security threats. Researchers have primarily focussed on the cyber-physical system (CPS) vulnerabilities impacting SC. This paper tries to categorize the cyber security risks occurring because of the SCs operating in CPS.

Design/methodology/approach

Based on the flow of information along the upstream and downstream SC, this paper tries to identify cyber security risks in the global SCs. It has further tried to categorize these cyber security risks from a strategic point of view.

Findings

This paper tries to identify the various cyber security risk and cyber-attacks in globalized SC for improving the performance. The 16 cyber security risks have been categorized into three categories, namely, supply risk, operational risk and demand risk. The paper proposes a framework consisting of different cyber-attacks across the information that flows in global SCs along-with suitable mitigation strategies.

Research limitations/implications

The paper presents the conceptual model of cyber security risks and cyber-attacks in globalized SCs based on literature review and industry experts. Further validation and scale development of these risks can be done through empirical study.

Practical implications

This paper provides significant managerial insights by developing a framework for understanding the cyber security risks in terms of the drivers of these risks and how to deal with them. From a managerial perspective, this framework can be used as a decision-making process while considering different cyber security risks across the stages of globalized SCs.

Originality/value

The major contribution of this study is the identification and categorization of cyber security risks across the global SCs in the digital age. Thus, this paper introduces a new phenomenon to the field of management that has the potential to investigate new areas of future research. Based on the categorization, the paper provides insights on how cyber security risks impact the continuity of SC operations.

Details

Journal of Global Operations and Strategic Sourcing, vol. 13 no. 1
Type: Research Article
ISSN: 2398-5364

Keywords

To view the access options for this content please click here
Article
Publication date: 11 December 2018

Claudia Colicchia, Alessandro Creazza and David A. Menachof

The purpose of this paper is to explore how companies approach the management of cyber and information risks in their supply chain, what initiatives they adopt to this…

Abstract

Purpose

The purpose of this paper is to explore how companies approach the management of cyber and information risks in their supply chain, what initiatives they adopt to this aim, and to what extent along the supply chain. In fact, the increasing level of connectivity is transforming supply chains, and it creates new opportunities but also new risks in the cyber space. Hence, cyber supply chain risk management (CSCRM) is emerging as a new management construct. The ultimate aim is to help organizations in understanding and improving the CSCRM process and cyber resilience in their supply chains.

Design/methodology/approach

This research relied on a qualitative approach based on a comparative case study analysis involving five large multinational companies with headquarters, or branches, in the UK.

Findings

Results highlight the importance for CSCRM to shift the viewpoint from the traditional focus on companies’ internal information technology (IT) infrastructure, able to “firewall themselves” only, to the whole supply chain with a cross-functional approach; initiatives for CSCRM are mainly adopted to “respond” and “recover” without a well-rounded approach to supply chain resilience for a long-term capacity to adapt to changes according to an evolutionary approach. Initiatives are adopted at a firm/dyadic level, and a network perspective is missing.

Research limitations/implications

This paper extends the current theory on cyber and information risks in supply chains, as a combination of supply chain risk management and resilience, and information risk management. It provides an analysis and classification of cyber and information risks, sources of risks and initiatives to managing them according to a supply chain perspective, along with an investigation of their adoption across the supply chain. It also studies how the concept of resilience has been deployed in the CSCRM process by companies. By laying the first empirical foundations of the subject, this study stimulates further research on the challenges and drivers of initiatives and coordination mechanisms for CSCRM at a supply chain network level.

Practical implications

Results invite companies to break the “silos” of their activities in CSCRM, embracing the whole supply chain network for better resilience. The adoption of IT security initiatives should be combined with organisational ones and extended beyond the dyad. Where applicable, initiatives should be bi-directional to involve supply chain partners, remove the typical isolation in the CSCRM process and leverage the value of information. Decisions on investments in CSCRM should involve also supply chain managers according to a holistic approach.

Originality/value

A supply chain perspective in the existing scientific contributions is missing in the management of cyber and information risk. This is one of the first empirical studies dealing with this interdisciplinary subject, focusing on risks that are now very high in the companies’ agenda, but still overlooked. It contributes to theory on information risk because it addresses cyber and information risks in massively connected supply chains through a holistic approach that includes technology, people and processes at an extended level that goes beyond the dyad.

Details

Supply Chain Management: An International Journal, vol. 24 no. 2
Type: Research Article
ISSN: 1359-8546

Keywords

To view the access options for this content please click here
Article
Publication date: 2 December 2019

Abhijeet Ghadge, Maximilian Weiß, Nigel D. Caldwell and Richard Wilding

In spite of growing research interest in cyber security, inter-firm based cyber risk studies are rare. Therefore, this study aims to investigate cyber risk management in…

Abstract

Purpose

In spite of growing research interest in cyber security, inter-firm based cyber risk studies are rare. Therefore, this study aims to investigate cyber risk management in supply chain contexts.

Design/methodology/approach

Adapting a systematic literature review process, papers from interdisciplinary areas published between 1990 and 2017 were selected. Different typologies, developed for conducting descriptive and thematic analysis, were established using data mining techniques to conduct a comprehensive, replicable and transparent review.

Findings

The review identifies multiple future research directions for cyber security/resilience in supply chains. A conceptual model is developed, which indicates a strong link between information technology, organisational and supply chain security systems. The human/behavioural elements within cyber security risk are found to be critical; however, behavioural risks have attracted less attention because of a perceived bias towards technical (data, application and network) risks. There is a need for raising risk awareness, standardised policies, collaborative strategies and empirical models for creating supply chain cyber-resilience.

Research limitations/implications

Different types of cyber risks and their points of penetration, propagation levels, consequences and mitigation measures are identified. The conceptual model developed in this study drives an agenda for future research on supply chain cyber security/resilience.

Practical implications

A multi-perspective, systematic study provides a holistic guide for practitioners in understanding cyber-physical systems. The cyber risk challenges and the mitigation strategies identified support supply chain managers in making informed decisions.

Originality/value

To the best of the authors’ knowledge, this is the first systematic literature review on managing cyber risks in supply chains. The review defines supply chain cyber risk and develops a conceptual model for supply chain cyber security systems and an agenda for future studies.

To view the access options for this content please click here
Article
Publication date: 21 November 2016

Martin Eling and Werner Schnell

This paper aims to provide an overview of the main research topics in the emerging fields of cyber risk and cyber risk insurance. The paper also illustrates future…

Abstract

Purpose

This paper aims to provide an overview of the main research topics in the emerging fields of cyber risk and cyber risk insurance. The paper also illustrates future research directions, from both academic and practical points of view.

Design/methodology/approach

The authors conduct a literature review on cyber risk and cyber risk insurance using a standardized search and identification process that has been used in various academic articles. Based upon this selection process, a database of 209 papers is created. The main research results findings are extracted and organized in seven clusters.

Findings

The results illustrate the immense difficulties to insure cyber risk, especially due to a lack of data and modelling approaches, the risk of change and incalculable accumulation risks. The authors discuss various ways to overcome these insurability limitations, such as mandatory reporting requirements, pooling of data or public–private partnerships in which the government covers parts of the risk.

Originality/value

Despite its increasing relevance for businesses at present, research on cyber risk is limited. Many papers can be found in the IT domain, but relatively little research has been done in the business and economics literature. The authors illustrate where research stands currently and outline directions for future research.

Details

The Journal of Risk Finance, vol. 17 no. 5
Type: Research Article
ISSN: 1526-5943

Keywords

To view the access options for this content please click here
Article
Publication date: 23 May 2018

Sezer Bozkus Kahyaoglu and Kiymet Caliyurt

The purpose of this study is to analyze the cybersecurity assurance approaches to determine the key issues and weaknesses within the internal audit and risk management

Abstract

Purpose

The purpose of this study is to analyze the cybersecurity assurance approaches to determine the key issues and weaknesses within the internal audit and risk management perspective. Organizations increasingly rely on digital data to drive their growth and they are interconnected in a complex web to a multitude of stakeholders.

Design/methodology/approach

In this paper, cybersecurity is defined, and cybersecurity assurance model is explained based on the relevant literature. In addition, the role of internal auditing is introduced within this new business landscape. Finally, recommendations are made to provide best practices for stakeholders.

Findings

There are four major cyber-focused standards and frameworks in the current literature, namely, Control Objectives for Information and Related Technology, International Organization for Standardization, The American Institute of Certified Public Accountants and National Institute of Standards and Technology. In addition, there are many mechanisms in existence and operation currently which support cybersecurity assurance to prevent major threats. These include risk assessment, risk treatment, risk management, security assurance and auditing.

Research limitations/implications

Cyber risk is not something that can be avoided; instead, it must be managed. Hence, it is very important to maintain formal documentation on related cyber controls. Internal audit should be an integral part of cybersecurity assurance process, as internal audit have a unique position to look across organizations. The contribution of internal audit also provides comfort to the Board and Audit Committee.

Practical implications

A model is introduced how the internal audit and information security functions could work together to support organizations accomplish a cost-effective level of information security. The key issues and approaches are explained for how to become a trusted cybersecurity advisor and a sample cybersecurity awareness program checklist is provided at Appendix 1.

Social implications

Considering cybersecurity threats grow with speed, complexity, and impact, organizations are no longer satisfied with an answer to a question like “are we secure?” instead, they need the answer for such a question like “how to give a reasonable assurance that our business will be secure enough?”. In that respect, the role of internal audit is discussed based on the relevant literature and the current condition of the business environment.

Originality/value

A model is introduced how the internal audit and information security functions could work together to support organizations accomplish a cost-effective level of information security. The key issues and approaches are explained for how to become a trusted cybersecurity advisor and a sample cybersecurity awareness program checklist is provided at Appendix 1.

Details

Managerial Auditing Journal, vol. 33 no. 4
Type: Research Article
ISSN: 0268-6902

Keywords

To view the access options for this content please click here
Article
Publication date: 17 June 2020

Rajni Goel, Anupam Kumar and James Haddow

This study aims to develop a framework for cybersecurity risk assessment in an organization. Existing cybersecurity frameworks are complex and implementation oriented. The…

Abstract

Purpose

This study aims to develop a framework for cybersecurity risk assessment in an organization. Existing cybersecurity frameworks are complex and implementation oriented. The framework can be systematically used to assess the strategic orientation of a firm with respect to its cybersecurity posture. The goal is to assist top-management-team with tailoring their decision-making about security investments while managing cyber risk at their organization.

Design/methodology/approach

A thematic analysis of existing publications using content analysis techniques generates the initial set of keywords of significance. Additional factor analysis using the keywords provides us with a framework comprising of five pillars comprising prioritize, resource, implement, standardize and monitor (PRISM) for assessing a firm’s strategic cybersecurity orientation.

Findings

The primary contribution is the development of a novel PRISM framework, which enables cyber decision-makers to identify and operationalize a tailored approach to address risk management and cybersecurity problems. PRISM framework evaluation will help organizations identify and implement the most tailored risk management and cybersecurity approach applicable to their problem(s).

Originality/value

The new norm is for companies to realize that data stratification in cyberspace extends throughout their organizations, intertwining their need for cybersecurity within business operations. This paper fulfills an identified need improve the ability of company leaders, as CIOs and others, to address the growing problem of how organizations can better handle cyber threats by using an approach that is a methodology for cross-organization cybersecurity risk management.

Details

Information & Computer Security, vol. 28 no. 4
Type: Research Article
ISSN: 2056-4961

Keywords

To view the access options for this content please click here
Article
Publication date: 13 July 2015

Randy Borum, John Felker, Sean Kern, Kristen Dennesen and Tonya Feyes

This paper aims to highlight the importance and role of strategic cyber intelligence to support risk-informed decision-making, ultimately leading to improved objectives…

Abstract

Purpose

This paper aims to highlight the importance and role of strategic cyber intelligence to support risk-informed decision-making, ultimately leading to improved objectives, policies, architectures and investments to advance a nation or organization’s interests in the cyber domain.

Design/methodology/approach

Integration of professional research literature from the fields of intelligence studies, strategy and information/computer security.

Findings

Investing in technology, firewalls and intrusion detection systems is appropriate but, by itself, insufficient. Intelligence is a key component. Cyber intelligence emphasizes prevention and anticipation, to focus cybersecurity efforts before an attack occurs (“left of the hack”). Strategic cyber intelligence can substantially reduce risk to the organization’s mission and valued assets and support its due diligence.

Originality/value

This paper describes how strategic cyber intelligence can be implemented and used within an enterprise to enhance its cyber defense, and create a more proactive and adaptive security posture. It not only describes strategic cyber intelligence as a distinct discipline, but also demonstrates how the key intelligence functions articulate with existing cybersecurity risk management standards.

Details

Information & Computer Security, vol. 23 no. 3
Type: Research Article
ISSN: 2056-4961

Keywords

To view the access options for this content please click here
Article
Publication date: 3 May 2016

V. Gerard Comizio, Behnam Dayanim and Laura Bain

To provide financial institutions an overview of the developments in cybersecurity regulation of financial institutions during 2015 by the United States, the United…

Abstract

Purpose

To provide financial institutions an overview of the developments in cybersecurity regulation of financial institutions during 2015 by the United States, the United Kingdom, and the European Union, as well as guidance for developing effective cyber-risk management programs in light of evolving cyber-threats and cyber-regulatory expectations.

Design/methodology/approach

Reviews US, UK and EU regulatory developments in the cybersecurity area and provides several best practice tips financial institutions should consider and implement to improve their cybersecurity compliance programs.

Findings

While cyber-threats and financial regulators’ expectations for cyber-security are constantly evolving, recent guidance and enforcement efforts by the US, UK and EU illustrate the need for financial institutions to develop effective cybersecurity programs that address current regulatory compliance requirements and prepare for emergency cyber responses.

Practical implications

Financial institutions should utilize the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool to assess their cyber-risk profile and cyber-preparedness.

Originality/value

Practical guidance from experienced financial regulatory and privacy lawyers that provides a survey of the current regulatory environment and recommendations for cyber-security compliance.

Details

Journal of Investment Compliance, vol. 17 no. 1
Type: Research Article
ISSN: 1528-5812

Keywords

To view the access options for this content please click here
Article
Publication date: 29 April 2020

Abhilash Panda and Andrew Bower

The purpose of this paper is to concentrate on the place of cyber security risk in the framework of global commitments adopted in 2015 to reduce disaster risks in an…

Abstract

Purpose

The purpose of this paper is to concentrate on the place of cyber security risk in the framework of global commitments adopted in 2015 to reduce disaster risks in an all-hazards approach. It explores the correlations between traditional risks associated with critical infrastructures – as understood by the Sendai framework – cyber security risks and the cascading effects characteristic of today’s complex and interrelated shocks and stresses. It takes a step further, expanding the focus of traditionally understood technological risks to explore cyber security risks, at the heart of our societies’ digital transformations,and showcase opportunities from the European context.

Design/methodology/approach

By reviewing existing literature on cyber security, disaster resilience and cascading disasters, this paper highlights current challenges and good practices undertaken by various governments.

Findings

Understanding disaster risks is a precondition to improving the mitigation of impacts of existing risks and preventing new risks. Effective risk reduction relies on a solid understanding of losses resulting from events to inform future actions, and on the assessment of risks relying on a robust evidence base and state-of-the-art scientific capacity to model and simulate potential hazards. In this context, embedding cyber security risks, and the complexity of cascading impacts in improving the understanding of disaster risks, calls for appropriate methods and tools allowing for a multi-risk and holistic focus to the assessment of risks and the planning of risk management capacities that follow.

Research limitations/implications

Globally and in Europe, focus on interconnected risk and their impacts is steadily increasing. Risk assessments are still conservative; incorporation of cyber resilience into national and local level DRR plans is yet not visible.

Originality/value

Existing research is restricted to cyber security and disaster resilience, as separated subjects. This paper, for the first time, brings together the interconnection between the two topic options to address them.

Details

International Journal of Disaster Resilience in the Built Environment, vol. 11 no. 4
Type: Research Article
ISSN: 1759-5908

Keywords

1 – 10 of over 3000