Litcius/Paper detail

Cybersecurity investments in supply chains with two-stage risk propagation

Aishwarya Dash, S.P. Sarmah, Manoj Kumar Tiwari, Sarat Kumar Jena, C. H. Glock

2024Computers & Industrial Engineering12 citationsDOIOpen Access PDF

Abstract

• Supply chains are vulnerable to direct or indirect cyber-attacks. • Interdependence among supply chain members causes third-party cyber risk propagation. • Cyber threats propagate to all nodes through single or multiple stages. • Different types of attacks affect firms differently. • We determine optimal cybersecurity investments for interconnected supply chain. Cyber-attacks present a significant threat to supply chains as their nodes are directly or indirectly vulnerable to risk propagation at various stages. The risk level varies depending on the type of attack. A cybersecurity insurance offers a practical method to mitigate this risk, and it is crucial to determine optimal cybersecurity investments for all supply chain nodes. Previous studies have overlooked the joint impact of the attack type, two-stage risk propagation, and cybersecurity insurance in optimizing cybersecurity investments. This paper addresses this research gap by examining optimal investments under targeted and opportunistic attacks in a two-stage supply chain using game theory. The findings indicate that optimal investments differ based on the type of attack. For instance, retailers should invest more in cybersecurity under opportunistic attacks, while suppliers need to spend more under targeted attacks. Additionally, the results show that under opportunistic attacks, members should reduce their investments. Conversely, under targeted attacks, investments should initially increase and then stabilize. In the case of opportunistic attacks, suppliers and retailers should prioritize reconfiguring their systems over investing heavily in cybersecurity. The model presented in this paper demonstrates that not all cyber risks are worth defending against and that cybersecurity insurance for the entire supply chain can be more cost-effective than addressing cybersecurity risks individually. The paper also explores the impact of joint decisions on cybersecurity insurance when firms are unwilling to invest individually. The insights obtained enable supply chains to identify their optimal cybersecurity investment strategies effectively.

Topics & Concepts

Supply chainStage (stratigraphy)BusinessRisk analysis (engineering)Supply chain risk managementComputer securityOperations managementComputer scienceIndustrial organizationEngineeringSupply chain managementMarketingGeologyService managementPaleontologyInformation and Cyber SecurityBlockchain Technology Applications and SecuritySupply Chain Resilience and Risk Management