Toward a Decision Support System for Measuring and Managing Cybersecurity Risk in Supply Chains

Much of the confusion about the effectiveness of information security programs concerns not only how to measure, but also what to measure, an issue of equivocality. Thus, to lower uncertainty for improved decision-making, it is first essential to reduce equivocality by defining, expanding, and clarifying risk factors so that metrics, the "necessary measures," can be unambiguously applied. We formulate a system that (1) allows threats to be accurately measured and tracked, (2) enables the impacts and costs of successful threats to be determined, and (3) aids in evaluating the effectiveness and return on investment of countermeasures. We then examine the quality of controls implemented to mitigate cyber risk and study how effectively they reduce the likelihood of security incidents. Improved control quality was shown to reduce the likelihood of security incidents, yet the results indicate that investing in maximum quality is not necessarily the most efficient use of resources. The next manuscript expands the discussion of cyber risk management beyond single organizations by surveying perceptions and experiences of risk factors related to 3rd parties. To validate these findings, we undertake an in-depth investigation of nearly 1000 real-world data breaches occurring over a ten-year period. It provides the robust data model and rich database required by a decision support system for cyber risk in the extended enterprise. To our knowledge, it is the most comprehensive field study ever conducted on the subject. Finally, we incorporate these insights, data, and factors into a simulation model that enables us to study the transfer of cyber risk across different supply chain configurations and draw important managerial implications.

Ph. D.

This dissertation comprises several manuscripts exploring various topics under the overall theme of cybersecurity risk in supply chains. The first topic presents the difficulties involved in measuring risk in the cybersecurity domain and discusses how this hinders firms in making justified decisions and taking appropriate actions to manage risk. We then examine the quality of controls implemented to mitigate cyber risk and study how effectively they reduce the likelihood of security incidents. Next, we survey firms to explore perspectives and experiences related to security incidents involving their supply chain partners. To validate these perspectives, we then analyze data collected from over 900 forensic investigations of real-world breaches. This provides excellent visibility into how 3rd parties cause and contribute to incidents in supply chains, and into the key risk factors involved. Finally, we incorporate these insights, data, and factors into a simulation model that enables us to study the transfer of cyber risk across different supply chain configurations and draw important managerial implications.

Identifier: oai:union.ndltd.org:VTETD/oai:vtechworks.lib.vt.edu:10919/85128
Date: 03 April 2017
Creators: Baker, Wade Henderson
Contributors: Business Information Technology, Rees, Loren P., Cook, Deborah F., Matheson, Lance A., Wallace, Linda G., Ragsdale, Cliff T.
Publisher: Virginia Tech
Source Sets: Virginia Tech Theses and Dissertation
Detected Language: English
Type: Dissertation
Format: ETD, application/pdf
Rights: In Copyright, http://rightsstatements.org/vocab/InC/1.0/