
A number of studies have approached disruption risk in different ways ranging from conceptual, empirical, simulation, survey, case study and review or a combination of these (Rao and Goldsby, 2009, Olson and Wu, 2010, Rainer et al., 1991). Rao and Goldsby (2009) conducted an extensive review of supply chain disruption literature and created a typology of disruption types and sources. However, they did not mention IT itself as a source of disruption. Most risk studies have been primarily based on threats other than those from IT and information communication technologies (ICTs) while a few studies have suggested IT security as a potential risk to the supply chain (Schmitt and Singh, 2009, Kim et al., 2011, Rees et al., 2011). Table 2.2 shows a summary of work that has been done on disruption risk assessment at the organizational level as well as the supply chain level and delineates between those that have provided real and objective estimation of impact, I, of certain threats on business operation and those that have looked at specific IT security risks. The third column reveals the approach taken to undertake the study. From the last three columns of the table we see that no single study has covered all three aspects.


| Authors | Subject | Approach | Impact study? Y/N | IT security incident? Y/N | Supply chain study? Y/N |
|---|---|---|---|---|---|
| Altay and Ramirez, 2010 | Impact of disasters on firms in different sectors: implications for supply chains | Fixed effect regression | Y | N | Y |
| Schmitt and Singh, 2009 | Quantifying supply chain disruption risk | Monte Carlo and Discrete-Event Simulation | Y | N | Y |
| Deane et al., 2009 | Managing supply chain risk and disruption from IT security incidents | Mixed Integer Linear Programming | N | Y | Y |
| Munoz and Clements, 2008 | Disruptions in information flow: a revenue costing supply chain dilemma | Discrete event simulation of beer distribution game | Y | N | Y |
| Rees et al., 2010 | Decision support for Cybersecurity risk planning | Genetic algorithm | N | Y | N |
| Whitman, 2003 | Profiling threats to information security | Interviews and Survey | N | Y | N |
| Wilson, 2007 | The impact of transportation disruptions on supply chain performance | Dynamic simulation modelling | Y | N | Y |
| Bellefeuille, 2005 | Quantifying and Managing the Risk of Information Security Breaches to the Supply Chain | Descriptive research | N | Y | Y |
| Yeh and Chang, 2007 | Threats and countermeasures for information system security: A cross-industry study | Questionnaires and Analysis of covariances (ANCOVAs) | N | Y | N |
| Goel and Shawky, 2009 | Estimating the market impact of security breach announcements on firm values | Event-study methodology | Y | N | N |
| Craighead et al., 2007 | The Severity of Supply Chain Disruptions | Multiple-method, multiple-source empirical research design | N | N | Y |
| Kim et al., 2011 | The dark side of the Internet: Attacks, costs and responses | Explorative research | N | Y | N |
| Loch et al., 1992 | Threats to information systems: Today's reality, yesterday's understanding | Questionnaires | N | Y | N |


A few studies have examined the impact of disruption on supply chain operations. While some of these studies have examined the effect of physical disruption such as natural disasters (Samir, 2008), interestingly, a few others have examined the effect of IT security incidents (Deane et al., 2009, Kim et al., 2011, Loch et al., 1992, Pisello, 2004). Some approaches have focused primarily on disruption effects (in terms of delay in information flow) on the supply chain without any regard to cause (Munoz and Clements, 2008, Schmitt and Singh, 2009), while others have looked more specifically at how specific disruption types (threats) affect the supply chain (Altay and Ramirez, 2010, Craighead et al., 2007). While the former approach gives a more general assessment of the impact of disruption, the latter gives a clearer understanding of the dynamics of threats and how they impact the chain. From Altay and Ramirez (2010) it is understood that disasters lead to disruption which affects all sectors of the chain, but certain threats have more impact than others. This type of specific-threat impact study is not as common as one would expect in the literature, specifically in the area of information security management. It is still not well understood how the impact of various threats to information security on supply chain performance varies (especially inventory management performance). Although a few qualitative and quantitative studies (Whitman, 2003, Yeh and Chang, 2007, Bellefeuille, 2005, Goel and Shawky, 2009) have looked at this in a rather subjective way, requiring managers to rank or score threats according to their perception, there is still a lack of an objective measure of these variances. Deane et al. (2009) used mixed integer linear programming (MILP) to examine how risks originate in one business, due to poor countermeasures put in place to prevent them, and are transferred to adjoining firms in the supply chain. While they termed the risks they studied IT security incidents, there was no evidence of specific threats to security being addressed and it is not clear how these risks affect the dynamics of the supply chain. In a similar work by Rees et al. (2011), specific threats were addressed and the financial impact for a given countermeasure was estimated. However, it was still unclear how these threats affect the operations of an organization, not to mention the supply chain. This threat-type impact study seems to be lacking in the information disruption literature. Knowing how these threats affect the performance of the network is crucial to appropriate disruption risk planning and management.


Having reviewed the literature, it was clear that there is a paucity of quantitative research on information security as a potential source of disruption. Of the studies that have considered information security, very few have tried to investigate how threats to information security impact the supply chain: some purely qualitative, others a mix of qualitative and quantitative. Of these few, none has investigated how these threats affect the operations of the supply chain at an operational and strategic level, or how a breach in one organization affects others that are linked to it even though they have not experienced any breach themselves. For instance, it is not yet understood, in real terms, from these studies what the cost implications of a security breach in an organization’s procurement process are for supply partners. It is obvious that these breaches can cause delays in transactions between supply chain partners, but it is not well understood to what extent these delays will impact the operating cost of members further upstream or further downstream of the supply network. There are other key performance indicators that are affected, such as ordering pattern, which may ultimately affect the shipping strategy of agents in the supply chain, but to what scale are they affected? Understanding how these impact not just an organization but other members of the network is crucial to successful network management or coordination activities. It has not been evidenced how the complexity or conditions of the supply chain affect the impact of an information security breach on its operations.

Most security risk studies have been based on cost to an organization, and have provided ways in which an organization can make an economic assessment of the countermeasures available to it. While these studies have focused on direct costs, there is yet to be a study that presents real evidence on indirect costs to the organization. This indirect cost is discussed later in section 2.6.
