Process Theory of Supplier Cyber Risk Assessment

DOI:

https://doi.org/10.3127/ajis.v29.5323

Keywords:

third-party cyber risk, supplier cyber risk, cyber supply chain risk management, assurance, risk assessment

Abstract

Managing cyber risk in the supply chain is one of the most significant challenges in cyber risk management. This paper studies how organizations assess supplier cyber risk, using a mixed-method approach. We conducted 33 semi-structured interviews with cybersecurity experts from various organizations who are closely involved in supplier cyber risk assessments, as well as with consultants. We complemented the qualitative findings by surveying 53 security experts about their supplier cyber risk assessment practices. Based on the qualitative findings, we formulate a process theory of supplier cyber risk assessment. The theory explains how organizations assess supplier cyber risk and which contextual factors affect the maturity of cyber risk assessment and monitoring. The quantitative analysis supports the qualitative findings and suggests that the process can effectively identify risky suppliers. The paper sheds light on the challenges and strategies associated with supply chain cyber risk assessment, and the practical implications of our findings offer actionable insights for organizations seeking to enhance their cyber supply chain risk management.

Author Biographies

Sergeja Slapnicar

Sergeja Slapničar is Associate Professor of Accounting at the University of Queensland (Australia). She researches accountability, performance measurement, internal audit, governance, and cyber security risk management. She is a member of the Editorial Boards of the Journal of Management Control and Behavioral Research in Accounting. She has extensive industry experience gained through serving as a non-executive director in various organizations. Sergeja is a member of CPA Australia and ISACA, and serves on the Education Committee of the Institute of Internal Auditors Australia.

Tim Vidmar

Tim Vidmar completed his Master's degree in Business Informatics at the University of Ljubljana, Slovenia. He has worked as an IT Auditor at Deloitte. His research interests are in cyber risk management, in particular cloud computing and cloud migration.

Elinor Tsen, The University of Queensland

Dr Elinor Tsen is a postdoctoral researcher at the University of Queensland Business School. Her interdisciplinary research focuses on the concept of cyber resilience in organisations and its use in supporting decision-making.

Published

2025-07-23

How to Cite

Slapnicar, S., Vidmar, T., & Tsen, E. (2025). Process Theory of Supplier Cyber Risk Assessment. Australasian Journal of Information Systems, 29. https://doi.org/10.3127/ajis.v29.5323

Section

Research Articles