  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Cyber Risk Management in Supply Chains: Three Essays on Cyber Resilience, Business Continuity, and Information Security

Sadeghi, J. Kiarash 08 1900
This dissertation provides empirical and theoretical support for the antecedents and consequences of cyber resilience via three essays on cyber resilience. Essay 1 comprises 2 studies using a multi-method empirical research effort to determine whether emphasizing suppliers' implementation and use of business continuity management (S-BCM) is actually beneficial to buyers. In Study 1, data from 150 managers was collected via a survey-based questionnaire to determine whether buyers' adoption of monitoring supplier operational performance (MS-OP) and monitoring S-BCM (MS-BCM) enhances S-BCM implementation and use. Evidence from Study 1 suggests that MS-BCM is more effective than MS-OP. Moreover, the results suggest that while buyer power positively augments the effectiveness of MS-BCM, it actually has a diminishing effect on the effectiveness of MS-OP. Study 2 uses the data of 114 managers from a vignette-based experiment to determine whether S-BCM leads to improved buyer operational and financial performance. Study 2 offers evidence that confirms the positive link between S-BCM and buyer operational and financial performance. The results also suggest that the use of reward power further enhances the association between S-BCM and buyer performance. Using two studies, Essay 2 examines how supply chain power and learning can be related to cyber resilience capability. Study 1 indicated that powerful buyers and supply chain learning from new knowledge contribute to visibility to build cyber resilience while dominant suppliers are reluctant to share information. The results of Study 2 show that supply chain and operations managers believe that companies and their suppliers would have better operational performance if they invest in the accuracy of visibility. Moreover, supply chains can properly avoid, maintain, and recover from cyber disruption when real-time information is available.
Essay 3 focuses on the role of downstream complexity along with enterprise resource planning (ERP) in building cyber resilience in supply chains. The results reveal that ERP systems help supply chains to mitigate the negative effect of downstream complexity on the impact of information sharing in a secure system needed to build cyber resilience in times of data breaches and cyber-attacks. Although the use of information technology increases cyber risk, supply chain managers should take advantage of ERP systems to mitigate the negative effect of complexity in supply chain cyber resilience.
2

Cyber resilience for critical infrastructure : A systematic review

Naserinia, Vahid January 2021
Critical infrastructure is a term to define the network of crucial assets for the functioning of a society and modern economies. The complexity of critical infrastructures and the ability to connect smart devices to these networks make them more vulnerable to cyberattacks. One of the cutting events pointing out gaps and importance of cyber resilience in the nation's infrastructure systems, including Industrial Control Systems (ICS), was the discovery of Stuxnet in 2010, a malicious computer worm attacking Iranian nuclear facilities. The vulnerability of cyber systems was further revealed by a cyberattack on the SCADA system in Ukraine in 2015. This paper uses both a systematic literature strategy based on the Preferred Reporting Items for Systematic reviews and Meta-Analyses (PRISMA) statement and co-occurrence analysis by VOSviewer, a tool for visualization of similarities, to explore the specific research domains of cyber resilience for critical infrastructures and to understand the current trend of development and future research orientation. Despite the literature's emphasis on essential industries, the results show that, of all exposure parameters, the organization's sector is most consistently connected with the emergence of cyber resilience traits. The sector is also important in terms of the kind of attack and its effect on data. The attacked entities in the sample have a low level of cyber resilience, as evidenced by the surprisingly low intensity of devoted Cyber Security (CS) operational setting, use of CS structures, the resilience of Prevention, Detection, and Recovery controls (PDR), and organizations' reactions to their stakeholders following cyber attacks. The studied countries do not consistently adopt cyber resilience features. The prevalence of resilience traits, on the other hand, seems to have a beneficial influence on the frequency of litigation and sanctions.
Furthermore, improved protection, detection, and recovery measures increase the frequency of responsibilities and expectations to stakeholders following cyber assaults.
3

Who hacked my toaster? : A study about security management of the Internet of Things. / Vem har hackat min brödrost? : En studie om säkerhetshantering av Internet of Things

Hakkestad, Mårten, Rynningsjö, Simon January 2019
The Internet of Things is a growing area with growing security concerns; new threats emerge almost every day. Keeping up to date, monitoring the network and devices, and responding to compromised devices and networks are hard and complex matters. This bachelor’s thesis aims to discover how an IT company can work with security management within the Internet of Things. This is done by looking into how an IT company can work with updating, monitoring and responding within the Internet of Things, as well as what challenges there are with working with this. A qualitative research approach was used for this case study along with an interpretative perspective, as well as abductive reasoning. Interviews were performed with employees of a large IT company based in Sweden, along with extensive document analysis. Our bachelor’s thesis results in challenges with Security Management within the areas updating, monitoring and responding along with how our Case Company works with these security challenges. Largely these challenges can be summarized that everything is harder with the number of devices there are within the Internet of Things.
4

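Cyber Resilience Act and the development of products with digital elements: Are Swedish software companies ready for the legal requirements? / Cyber Resilience Act och utveckling av produkter med digitala delar : Är svenska mjukvaruföretag redo för lagkraven?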

Carlsson, Anton January 2023
The number of products with digital elements in the world is increasing rapidly every year, followed by a rising number of cyberattacks against them. To address the substantial number of products with digital elements that have inadequate cybersecurity measures, the European Commission has proposed the Cyber Resilience Act. The act imposes requirements on the cybersecurity measures of all products with digital elements; this includes all products that have a direct or indirect logical or physical data connection to another device or to a network. This study investigates the awareness of Swedish software companies regarding the Cyber Resilience Act, as well as their current development processes. The research methodology employed in this study includes a literature review and semi-structured interviews with selected software companies. The study concludes that only a small number of companies are aware of the bill, and many will need to modify or entirely revamp their development processes to comply with the legal requirements. Furthermore, there is also some discussion about the Cyber Resilience Act's position in European legislation and the development principles that can assist companies in fulfilling the legal requirements proposed.
5

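Better to prevent and to cure: public reaction to companies' cyber-resilience posture after a data theft / Mieux vaut prévenir et guérir : la réaction du public envers la posture de cyber-résilience des entreprises après un vol de données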

Toma, Traian 08 1900
Research shows that customers take few measures to protect themselves from crimes that may follow data theft at a business. They rather consider that the firm—the host of their personal information—holds exclusive responsibility over the continued confidentiality of their data. Companies that fail to properly secure customer information may, in return, risk experiencing ruinous reputational harm. That said, little explanatory research is done on the resilience of businesses to negative public reaction after data theft. Consequently, a vignette-based experimental study was conducted using the “ideal” victim model. The scenarios feature: (1) a breached business described as having a strong cyber-resilience posture; (2) a breached business described as having a weak cyber-resilience posture. A final sample of 664 participants was randomly assigned to one of the two main experimental conditions. Results reveal that compared to a weak cyber-resilience posture, a good cyber-resilience posture minimizes negative customer attitudes and promotes positive customer behavioural intentions towards the company. Considering these results, cyber-resilience, which has mainly received conceptual attention, gains empirical support. Furthermore, this research project contributes more broadly to the evolution of the victimology of businesses.
