Process Theory of Supplier Cyber Risk Assessment

43 Pages Posted: 16 Jan 2024

Sergeja Slapničar

University of Queensland

Tim Vidmar

University of Ljubljana

Elinor Tsen

University of Queensland - Business School

Abstract

Managing cyber risk in the supply chain represents one of the most significant challenges in cyber risk management. On the one hand, organizations struggle to evaluate the security risk posture of hundreds of suppliers competently; on the other hand, suppliers often find it challenging to communicate their security risk posture to prospective customers. The paper aims to analyze what process organizations employ to assess a supplier's cyber risk, how contextual factors impact this process, and how effective it is in identifying a risky supplier. We use a mixed-method approach. We conducted 25 semi-structured interviews with cybersecurity experts and consultants from various organizations and industries. We complemented our qualitative findings by surveying 53 security experts about their supplier cyber risk assessment. Based on the qualitative findings, we formulate the process theory of supplier cyber risk assessment describing the elements of a sequential process, how organizations use it given their resource constraints, and the contextual factors that affect its maturity. The survey findings provide empirical support that the assessment process can effectively identify riskier suppliers. Both interview and survey respondents suggest that secure technology is the most important differentiating characteristic of supplier cyber security posture. This study is an original contribution to the process theory of supplier cyber risk assessment. It sheds light on challenges and strategies associated with supply chain cyber risk management. The practical implications of our findings offer actionable insights for organizations seeking to enhance their supply chain cyber risk management.

Keywords: third-party cyber risk, supplier cyber risk, cyber supply chain risk management, assessment, monitoring

Suggested Citation

Slapničar, Sergeja and Vidmar, Tim and Tsen, Elinor, Process Theory of Supplier Cyber Risk Assessment. Available at SSRN: https://ssrn.com/abstract=4695815 or http://dx.doi.org/10.2139/ssrn.4695815

Sergeja Slapničar (Contact Author)

University of Queensland

St Lucia
Brisbane, Queensland 4072
Australia

Tim Vidmar

University of Ljubljana

Dunajska 104
Ljubljana, 1000
Slovenia

Elinor Tsen

University of Queensland - Business School

Brisbane, Queensland 4072
Australia
