Managing cyber-risk and security in the global supply chain: a systems analysis approach to risk, structure and behaviour

    Research output: Book/Report › Ph.D. thesis › Research

    Abstract

    The threat of cyber-attacks continues to grow and disrupt global supply chains, exposing companies to disruptions that severely affect or completely halt normal operations. This impacts business performance negatively through the company’s bottom line and reputation, and can even result in long-term legal ramifications. As a result, little information about attacks and their consequences is published. Supply chains continue to prepare for cyber-attacks through a mix of traditional risk and resilience frameworks, protecting their networks through patches, firewalls and antivirus software, or financially through insurance. Yet these approaches are not giving the expected results, as reflected by the steady increase in disruptions from cyber-attacks. This thesis investigates and proposes tools for managing cyber-risks in the supply chain, derived from an analysis that follows three main steps. In step one, existing knowledge about supply chain cyber-resilience is analysed through a systematic literature review, and gaps are identified. Two of the identified gaps are addressed in detail: 1) insufficient understanding of the particular characteristics of cyber-risks and of how these compare to other supply chain risks, which effective risk management requires; and 2) insufficient attention by current methods to compartmentalization, static focus and history-dependence in the management of supply chain cyber-risk and cyber-resilience. Step two of this thesis explores the first gap by identifying the particular characteristics of cyber-risks from cyber-attack report data. Finally, in step three, methods based on systems thinking are applied to case studies to evaluate the degree to which these methods address compartmentalization, dynamics and history-dependence when applied to the management of cyber-risk and cyber-resilience. The findings of the research fall into three main domains.

    First, the research reveals relevant gaps in the traditional methods available for the management of cyber-risks, in areas such as their consideration of dynamic behaviour, inadequate or difficult reporting of events, their dependence on historical data to manage unknown or new attacks, and a silo approach to managing a problem that is cross-disciplinary. Second, relevant differences between cyber-risks and other supply chain risks are identified, in areas such as the capacity of disruptions from cyber-risks to go undetected, the high reproduction fidelity of cyber-risks, the capacity of cyber-risks to affect different geographical locations simultaneously, and the complexity of cyber-attacks. Finally, the research reveals that the novel use of methods based on systems thinking for managing cyber-risks at the same time addresses gaps found in traditional methods, and provides a foundation for thinking about cyber-risks not as an outside threat, but rather as the result of incomplete requirements in the supply chain design. This change in focus could allow supply chains to minimize losses by preparing the system to react to whatever cyber-risk leads to an operational disruption. The findings of the research have both industrial and academic implications. The industrial implications suggest that supply chains can benefit from designing the behaviours they require through cross-disciplinary, simulation-based techniques. The academic implications suggest that researchers will benefit from 1) adjusting reporting times to match the quick development cycle of cyber-attacks, 2) consolidating a cross-disciplinary cyber-risk and resilience research community, and 3) expanding existing research methods by integrating dynamic systems thinking into data gathering and analysis.
    Original language: English
    Publisher: DTU Management Engineering
    Number of pages: 620
    Publication status: Published - 2017

    Cite this

    @phdthesis{a9d2c79503c44bb7b36845af469d004a,
    title = "Managing cyber-risk and security in the global supply chain: a systems analysis approach to risk, structure and behaviour",
    author = "{Sep{\'u}lveda Estay}, {Daniel Alberto}",
    year = "2017",
    language = "English",
    publisher = "DTU Management Engineering",
    }

    Managing cyber-risk and security in the global supply chain: a systems analysis approach to risk, structure and behaviour. / Sepúlveda Estay, Daniel Alberto.

    DTU Management Engineering, 2017. 620 p.

    TY - BOOK

    T1 - Managing cyber-risk and security in the global supply chain: a systems analysis approach to risk, structure and behaviour

    AU - Sepúlveda Estay, Daniel Alberto

    PY - 2017

    Y1 - 2017

    M3 - Ph.D. thesis

    BT - Managing cyber-risk and security in the global supply chain: a systems analysis approach to risk, structure and behaviour

    PB - DTU Management Engineering

    ER -