Abstract
This chapter describes the potential impact of Information Technology (IT) and cyber risks on the continuity and vulnerabilities of the supply chain. We propose a theoretical framework and direction to help organizations manage these risks. Evidence from an empirical investigation illustrates how organizations actually perceive, control, and manage IT and cyber risks within their supply chains. The findings underline that managers tend to invest in few mitigation strategies; hence, they take on risks that are much higher than their declared risk appetites. In addition, managers point to a general lack of awareness regarding the effects that IT and cyber risks may have on supply operations and relationships.
© 2018 Springer Nature Singapore Pte Ltd.
Gaudenzi, B., Siciliano, G. (2018). Managing IT and Cyber Risks in Supply Chains. In: Khojasteh, Y. (eds) Supply Chain Risk Management. Springer, Singapore. https://doi.org/10.1007/978-981-10-4106-8_5
DOI: https://doi.org/10.1007/978-981-10-4106-8_5
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-4105-1
Online ISBN: 978-981-10-4106-8
eBook Packages: Business and Management (R0)