Who cares Supply chain managers' perceptions regarding cyber supply chain risk management in the digital transformation era

1. WHO CARES?
SUPPLY CHAIN MANAGERS’ PERCEPTIONS REGARDING
CYBER SUPPLY CHAIN RISK MANAGEMENT
IN THE DIGITAL TRANSFORMATION ERA
109578401 HOANG TO NHU
109578403 DO THI TRANG
109678402 NGUYEN THI HONG NHUNG

2. Perceptions of supply chain managers for cyber supply chain risk management (CSCRM)
How can organizations deploy a CSCRM strategy?
ABSTRACT

3. Digital transformation
Cyber supply chain
Cyber security
1. INTRODUCTION

4. 1. INTRODUCTION

5. CYBER SECURITY
CYBER RISKS COMPANIES CSCRM
in a supply chain are
seen as the top threats
tend to adopt security
measures to protect
themselves
is necessary for a better
level of resilience
through the cyber supply
chain
ORGANIZATIONS LITERATURE
involved in a supply chain
do not make the same
decisions
gives technical aspects
rather than organization
aspects across the
supply chain
as top threats

6. THIS RESEARCH
helps organizations to understand how they can deploy a
cyber security strategy
RQ1.
How relevant are the elements of CSCRM perceived by
companies in a supply chain?
RQ2.
How aligned are the perceptions about CSCRM of companies
in a supply chain?

7. Manufacturers Logistics Providers Retailers
Survey of the perceptions of supply chain managers regarding 3 main stages:
Section 2: Overview of the literature of CSCRM
Section 3: Research methodology
Section 4: Investigation results
Section 5: Findings of the analysis
Section 6: Conclusion

8. 2. THEORETICAL BACKGROUND
Cyber supply chain
risk management
(CSCRM)

9. CSCRM
PURPOSE
is to extend control on cyber risks which enables a
continuously adaptive capacity.
Supply chain resilience
relates to a fit between riskiness and related level of
preparedness to manage the risks.
Humans
are limited to make objective estimations.

10. INDIVIDUALS
seem to rely on their perception of risks on their own
confidence and belief.
Decisions
are subjective for what might happen and how they think
it might affect.
Different approaches
by different people make different effects.

11. Cyber risks
Sources of risks
Responsibility and ownership of the CSCRM
Information exchanged
Countermeasures to manage cyber risks.
CSCRM process includes

12. Initiatives and
countermeasures to
manage cyber risks
Sources of cyber risks
Cyber risks
in supply chain
Responsibility
of CSCRM process
34%
25%
34%
2%
ELEMENTS OF CSCRM PROCESS
Information exchanged
in the supply chain 5%

13. 2.1 CYBER RISKS in supply chain
• Type 1 includes incidents of phishing and theft or data manipulation.
• Type 2 covers cyberstalking and harassment, stock market manipulation, blackmailing and corporate espionage.

14. BACKBONE RISKS
• ERP system malfunction
• Crash of company’s website
• Lack of network connectivity
• Malware
• Data breach
• Damage of records
• Theft of credentials

15. 2.2 SOURCES of cyber risks
INTERNAL EXTERNAL
MALICIOUS
NON-INTENTIONAL
Suppliers/contractors
Current
employees
Former
employees
Suppliers/
contractors
Customers
Competitors
Hackers/
Hacktivists
Current employees
Former employees
Technical problems
Customers
Natural disasters
Technical problems
Colicchia (2019)

16. 2.2 SOURCES of cyber risks
• Employees
• Physical objects
• Technical assets
Ghade (2020)

17. 2.3 RESPONSIBILITY AND OWNERSHIP
of CSCRM process
• Entire company should
engage in the CSCRM
process with strong
commitment.
• Cyber security should be a
department in the company.

18. 2.4 INFORMATION EXCHANGED
in the supply chain
Inventory Sales data Invoices Discounts
Order status Production plan Performance Master data

19. 2.5 INITIATIVES AND COUNTERMEASURES
to manage cyber risks
Pre-attack
Actions at the technical
level and those directed
at or carried out by
human factors
Trans-attack
Data consistency checks
and task forces
Post-attack
Forensics, incident
documentation,
insurance and recovery
and backup procedures
Companies seem to respond with pre-attacker phase rather than the others.
However, all phases should have a varied set of actions to cover different attacks and
different risk environments.

20. 3. METHOD

21. 3.1 SAMPLE
Focus on a specific sector, specifically the FMCG
industry in Italy
The Italian FMCG industry is placed among the top four
markets in Europe for logistics flows and generated
turnover, and it is one of the fastest-growing sectors
across Europe, after Spain in 2016
The Italian FMCG supply chain has gone through a deep
transformation, leading to the adoption of the principles
of efficient consumer response (ECR) and IT
technologies

22. 3.1 SAMPLE AND DATABASE
The questionnaire was distributed to 524 companies,
with the following representation: 321 manufacturers,
134 logistics service providers and 69 retailers.
Managers in charge of supply chain management or logistics
are chosen as potential respondents for this survey (with
minimum 5 years experience)
112 full questionnaires returned.

23. 3.1 DESIGN
The resulting questionnaire consisted of six different sections
The questions were measured by five-point Likert scales, ranging from “very relevant” to “not relevant”,
from “low impact” to “very high impact” (according to the assessment scale presented by Hallikas et al.,
2004) or from “very low probability” to “very high probability” (according to the assessment scale
presented by Hallikas et al., 2004)
Use ANOVA with F statistics value with a significance level of 5% to analyse the results.

24. 4. RESULTS
4.3. Perception of the sources
of risk
4.2. Perception of the risk
events
4.1. Profile of the
respondents’ sample
4.4. Involvement of the
organization’s departments in
cyber and information risk
management
4.5. Perception of the criticality
of the information shared
across the supply chain
4.6. Perception of the
countermeasures and actions for
mitigating cyber risks

25. 4.1 PROFILE of the respondents’ sample
64 manufacturers
31 logistics service
providers 17 retailers

26. 4.2 PERCEPTION of the risk events
the whole FMCG supply chain has experienced
the same risk events
an almost unanimous consensus around the
two events considered to be the most
dangerous ones
Malware has been judged to be a high risk,
especially by retailers

27. 4.3 PERCEPTION of the risk events
The Bubble diagram reports the mean values of the three variables for each assessed risk event: impact
(vertical axis), probability (horizontal axis) and occurrence (bubble diameter, i.e. the larger the bubble
diameter, the more recently the risk event has occurred)
Show the occurrence affects the perception of the level of riskness of the evaluated events, especially in
terms of impact

28. 4.4.PERCEPTION of the sources of risk
Retailers have a generally weaker perception of the sources of cyber and information risks in their supply chain
Hackers are seen as the most dangerous source of risk, ranking first in all groups of respondents
The “human factor” and the “enemy within” are common threats to all categories of organizations in the FMCG
supply chain
Logistics Service Providers seem to perceive technical reasons as one of the main causes of risks for their business
continuity

29. 4.4 INVOLVEMENT of the organization’s department in
cyber and information risk management
Most involved

30. 4.5 PERCEPTION of the criticality of the information shared
across the supply chain
Manufacturer on the master data and invoicing side along with data about their sales
Retailers on the discounts and promotional data along with inventory
Logistics Service Providers on transport data

31. 4.6 PERCEPTION of the countermeasures andactions for
mitigating cyber risks
Level of perception regarding the
initiatives and countermeasures for
managing cyber risks
IT technical side is still dominant in
every stage of the FMCG supply chain
No unanimous consensus regarding
some technical measures

32. The perceptions
of risk events
5.1
The sources of
risk
5.2
The ownership
of the CSCRM
process
5.3 5.4
The
countermeasures
to mitigating
cyber risks
5. DISCUSSION

33. 5.1. THE PERCEPTION of risk events
Logistics Service Providers have a broader perception of the risk events compared to
Manufacturers and Retailers

34. • Those risks with higher occurrence are perceived more vividly compared
to other risk with lower values of occurrence
• Little awareness leads to underestimating the importance of risk events
(and the other way around)
5.1. THE PERCEPTION of risk events

35. 5.2. THE SOURCE of risk
• The so-called “human factor” is seen as one of the predominant threats to
cyber security in supply chains and this is in line with previous literature
(Ghadge et al., 2020).
• Logistics Service Providers are more concerned about technical problems
that could undermine the continuity of their business operations

36. 5.3. THE OWNERSHIP of the CRM process
• The medium-high scores assigned to the majority of the business
departments
• The human resources department is at the bottom of the list and this
shows a contradiction in terms of approach to the “human factor” in the
CSCRM process

37. 5.4.THE COUNTERMEASURE to mitigating cyber risks
Table 9 reports an
overall high level of
relevance assigned to
the set of initiatives
but a medium level of
alignment of the
respondents’
perceptions related to
them.

38. Overall, a certain level of alignment of the perception about the elements composing the CSCRM
process among the various actors of the FMCG supply chain exists. In this case, it appears that
Manufacturers and Retailers are more focused on their domain rather than on the supply chain. On
the contrary, it seems that Logistics Service Providers can overcome this limitation and have a
broader perception of the risks, sources of risks and criticality of information and data exchanged
that span across the different stages of the supply chain.
DISCUSSION

39. 6 .1. Theoretical implications
This study provides the scientific community with a vertical analysis of a
supply chain, something that extends the existing theory on CSCRM
It also contributes to extending the current theory with the proposal of
a paradigm that highlights the role of Logistics Service Providers as
“orchestrators” of the CSCRM process.
6. CONCLUSIONS

40. 6 .2. Practical implications
This study provides the industrial community with thought-provoking
insights on the misalignment between the perceived relevance of the human
factor as a source of risk (high) and the perceived importance of
countermeasures to mitigate the risk events stemming from that source
(low)
This study could help organizations devise procedures and policies to report
incidents and create common and shared knowledge about risks that could
help them assess the level of risk in their supply chains more closely

41. 01. 解決甚麼問題 ?
02. 為什麼這個問題很重要 ?
03. 提出的論點或假說是甚麼 ?
6 .2. Practical implications

42. 04. 如何證明他們論點與假說為真 ?
05. 實證研究與結果
06. 學術貢獻與實務貢獻

43. THANKS FOR LISTENING!