Information Technology and Management, Volume 11, Issue 1, pp 7–23

Information security in networked supply chains: impact of network vulnerability and supply chain integration on incentives to invest

  • Tridib Bandyopadhyay
  • Varghese Jacob
  • Srinivasan Raghunathan


Recent supply chain reengineering efforts have focused on integrating firms’ production, inventory and replenishment activities with the help of communication networks. While communication networks and supply chain integration facilitate optimization of traditional supply chain functions, they also exacerbate the information security risk: communication networks propagate security breaches from one firm to another, and supply chain integration causes a breach at one firm to affect other firms in the supply chain. We study the impact of network security vulnerability and supply chain integration on firms’ incentives to invest in information security. We find that even though an increase in either the degree of network vulnerability or the degree of supply chain integration increases the security risk, they have different impacts on firms’ incentives to invest in security. If the degree of supply chain integration is low, then an increase in network vulnerability induces firms to reduce, rather than increase, their security investments. A sufficiently high degree of supply chain integration alters the impact of network vulnerability into one in which firms have an incentive to increase their investments when the network vulnerability is higher. Though an increase in the degree of supply chain integration enhances firms’ incentives to invest in security, private provisioning for security always results in a less than socially optimal security level. A liability mechanism that makes the responsible party partially compensate for the other party’s loss induces each firm to invest at the socially optimal level. If firms choose the degree of integration, in addition to security investment, then firms may choose a higher degree of integration when they decide individually than when they decide jointly, suggesting an even greater security risk to the supply chain.


Keywords: Information security; Supply chain management; Investment incentives



We thank the participants of WITS 2004 and UT-Dallas Risk Management Conference 2007 for their helpful comments on earlier versions of this paper.



Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  • Tridib Bandyopadhyay (1)
  • Varghese Jacob (2)
  • Srinivasan Raghunathan (2)

  1. Kennesaw State University, Kennesaw, USA
  2. School of Management, The University of Texas at Dallas, Richardson, USA
