Managing IT and Cyber Risks in Supply Chains

Chapter

Abstract

This chapter describes the potential impact of Information Technology (IT) and cyber risks on the continuity and vulnerabilities of the supply chain. We propose a theoretical framework and direction to help organizations manage these risks. Evidence gleaned from an empirical investigation illustrates how organizations actually perceive, control, and manage IT and cyber risks within their supply chains. The findings underline that managers tend to invest in few mitigation strategies; hence, they take on risks that are much higher than their declared risk appetites. In addition, managers report a general lack of awareness regarding the effects that IT and cyber risks may have on supply operations and relationships.


Copyright information

© Springer Nature Singapore Pte Ltd. 2018

Authors and Affiliations

  1. Department of Business Administration, University of Verona, Verona, Italy
