DTU Findit

PhD Thesis

Managing cyber-risk and security in the global supply chain: a systems analysis approach to risk, structure and behaviour

From

Department of Management Engineering, Technical University of Denmark

Management Science, Department of Management Engineering, Technical University of Denmark

Transport DTU, Department of Management Engineering, Technical University of Denmark

Operations Management, Management Science, Department of Management Engineering, Technical University of Denmark

The threat of cyber-attacks continues to grow and to disrupt global supply chains, exposing companies to disruptions that severely degrade or completely halt normal operations. This hurts business performance through the company's bottom line and reputation, and can even result in long-term legal ramifications.

As a result, little information about attacks and their consequences is published. Supply chains continue to prepare for cyber-attacks through a mix of traditional risk and resilience frameworks, protecting their networks technically through patches, firewalls and antivirus software, or financially through insurance. Yet these approaches are not giving the expected results, as reflected by the steady increase in disruptions caused by cyber-attacks.

This thesis investigates and proposes tools for managing cyber-risks in the supply chain, derived from an analysis that follows three main steps. In step one, existing knowledge about supply chain cyber-resilience is analysed through a systematic literature review, and gaps are identified. Two of the identified gaps are addressed in detail: 1) insufficient understanding of the particular characteristics of cyber-risks and of how these compare to other supply chain risks, which is needed for effective risk management, and 2) the failure of current methods to address compartmentalization, static focus and history-dependence in the management of supply chain cyber-risk and cyber-resilience.

Step two of this thesis explores the first gap by identifying the particular characteristics of cyber-risks from cyber-attack report data. Finally, in step three, methods based on systems thinking are applied to case studies to evaluate the degree to which these methods address compartmentalization, dynamics and history-dependence when applied to the management of cyber-risk and cyber-resilience.

The findings of the research fall into three main domains. First, the research reveals relevant gaps in the traditional methods available for the management of cyber-risks, in areas such as their consideration of dynamic behaviour, inadequate or difficult reporting of events, their dependence on historical data to manage unknown or new attacks, and a siloed approach to managing a problem that is cross-disciplinary.

Second, relevant differences between cyber-risks and other supply chain risks are identified, in areas such as the capacity of disruptions from cyber-risks to go undetected, the high reproduction fidelity of cyber-risks, the capacity of cyber-risks to affect different geographical locations simultaneously, and the complexity of cyber-attacks.

Finally, the research reveals that the novel use of methods based on systems thinking for managing cyber-risks addresses the gaps found in traditional methods and, at the same time, provides a foundation for thinking about cyber-risks not as an outside threat but as the result of incomplete requirements in the supply chain design.

This change in focus could allow supply chains to minimize losses by preparing the system to react to whatever cyber-risk leads to an operational disruption. The findings of the research have both industrial and academic implications. The industrial implications suggest that supply chains can benefit from designing the behaviours they require through cross-disciplinary, simulation-based techniques.

The academic implications suggest that researchers will benefit from 1) adjusting reporting times to match the quick development cycle of cyber-attacks, 2) consolidating a cross-disciplinary cyber-risk and resilience research community, and 3) expanding existing research methods by integrating dynamic systems thinking into data gathering and analysis.

Language: English
Publisher: DTU Management Engineering
Year: 2017
Types: PhD Thesis
ORCIDs: Sepúlveda Estay, Daniel Alberto
