Defending digital supply chains: Evidence from a decade-long research program

Abstract

Digital Supply Chains (DSCs) are highly integrated global internet communities of customers, distributors, producers, and suppliers. DSCs have increasingly incorporated Internet of Things (IoT) innovations such as field sensors and real time condition monitoring; and have served as effective platforms for IoT technology diffusion. However, as IoT has become more pervasive, pushing the edges of networks further out, new cyber threat windows have opened everywhere. More recently, Cyber-Supply Chain Risk Management (C-SCRM) has emerged as a critical discipline combining expertise from cybersecurity, supply chain management and enterprise risk management; and designed to stem the proliferation of digital supply chain attacks seeking illicit access to corporate networks for competitive espionage, financial and intellectual property theft, and disruption of operations. Yet to date, there has been little evidence that C-SCRM practices are actually effective in containing all or even some types of breaches. Our decade-long research provides the first statistical analysis of the effects on an organization’s breach profile based on the extent of its adoption of policies and practices defined within the U.S. National Institute of Standards and Technology (NIST) ‘s Cybersecurity Framework, increasingly the de-facto global C-SCRM standard. Our analysis determined that there were specific Framework activity areas and sets of policies/practices within those activity areas that strongly correlated with more effective control of specific breach types. Our findings lay the foundation for an evidence-based approach to mastering IT network vulnerabilities and defending global digital supply chains.