1. Introduction
all activities into a single seamless process. According to Lummus and Vokurka
(1999), to improve competitive position, managers must consider:
all the activities involved in delivering a product from raw material through to
the customer including sourcing raw materials and parts, manufacturing and
assembly, warehousing and inventory tracking, order entry and order management,
distribution across all channels, delivery to the customer, and the
information systems necessary to monitor all of these activities. (p. 11)
and practitioners agree collaboration and integration benefit SCM, its effect on IT
incidents and risk in the supply chain is unknown. Understanding these relationships
will be critical in the future as SCM continues to leverage IT for increased
competitiveness.
To address the identified deficiency in the literature, we have undertaken a
research program intended to define the nature of information security risk in the
context of supply chain management. First, we will examine the role of information
in supply chain management. Next, we examine the nature of risk as it relates
to supply chains and information security, respectively. Following the identification
of IT-specific threats, we conclude with a discussion of potential risks to the supply
chain and the management implications of disruption in the information flow.
The central principle in creating flexible supply chains is collaboration (Narus and
Anderson 1996), a mutual decision-making process directed toward achieving
common objectives across departments and/or organizations. Collaborative relationships
allow supply chain partners to jointly gain a clearer understanding of future
demand, develop realistic plans to satisfy that demand, and coordinate activities to
do so in the most efficient manner (Sahay 2003). Cachon and Fisher (2000) estimate
collaboration can reduce supply chain cost by as much as 12 percent; however, non-
financial improvements such as greater customer service, faster speed to market, and
better utilization of resources are also incentives to increase collaboration (Lee et al.
1997, Metters 1997, Mentzer et al. 2000a, Frohlich and Westbrook 2001, Li 2002,
Simatupang and Sridharan 2005). The extent of the financial and competitive
positioning benefits is such that Ashayeri and Kampstra (2005) state that
collaboration may be the single most pressing need in optimizing supply chain
performance.
To guide collaborative undertakings, a number of authors have attempted to
define levels of integration and identify prerequisites for collaboration (Mentzer et al.
2000a, 2000b, Barratt and Oliveira 2001, Simatupang and Sridharan 2005). Typical
of these endeavors is a framework to assess collaboration and information sharing
between supply chain participants developed by Kolluru and Meredith (2001). At the
lowest level of integration, supply chain participants engage in minimal arms-length
relationships typified by asynchronous one-way data push communication mechanisms.
Information sharing at this level of integration is limited to the seven
rudimentary information types identified by Lee et al. (1997) as necessary for
operation of a supply chain: inventory level, sales data, order status for tracking and
tracing, sales forecasts, production and delivery schedules, performance metrics, and
capacity. In contrast, supply chains exhibiting the highest level of integration operate
at a strategic level of collaboration across the extended enterprise facilitated by peer-
to-peer client server communication. The types of information shared in these highly
integrated supply chains exceed rudimentary requirements, expanding to include
product, customer, supplier, process, competitive, and marketing information
(Handfield and Nichols 1999). Based on this model, it is apparent the degree of
integration among supply chain participants dictates the type of information shared
and the means by which it is transmitted.
2598 G. E. Smith et al.
The definition of risk is a non-trivial matter; Christopher and Peck (2004) speak of
the difficulty in defining risk, identifying two schools of thought: variance-based
definitions from classical decision theory and hazard-focused definitions common
to risk management. Defining the nature of and quantifying exposure to risk is often
seen as the first step toward improving decision-making. The Royal Society (1992)
addresses this problem by defining risk in terms of an expected value measurement, a
‘combination of probability, or frequency, of occurrence of a defined hazard and the
magnitude of the consequences of the occurrence’. However, risk measurements may
also be performed qualitatively, instead of numerically, to arrive at a pragmatic
solution. In either case, identification of the sources of risk and measuring the
consequences of that risk are fundamental to decision-making.
organizational risks are process and control risks. Process risk includes disruption to
the execution activities that add value to the organization such as production,
sourcing, warehousing, transportation, planning and scheduling. Control risk
captures the cost of misapplication of assumptions, rules, systems and procedures
that govern how organizations exert control over processes. Cooperation between an
organization’s process and control mechanisms is essential to effect an optimal
supply chain strategy (Christopher et al. 2002).
The need to procure materials from upstream suppliers and sell finished goods
through a network of distributors exposes an organization to network risk.
Interactions between organizations linked in a supply chain increase exposure to
unexpected events that may occur during acquisition, transportation, and employment
of goods and services resulting in an inability to serve a firm’s customers.
Supply risk and demand risk, which comprise network-related risks, are defined by
their role relative to the organization. Supply risk is associated with unexpected
events occurring upstream in the supply chain resulting in a negative consequence
to the organization obtaining the goods and services. Similarly, Christopher and
Peck (2004) define demand risk as the potential for or actual disruption of product or
information flows that exist between an organization and its customers. Exposure to
both supply and demand risk is dependent on the level of process and control risk
experienced by other supply chain participants.
Environmental risk results from uncertainties that occur because of interactions
between supply chain participants and the environment. Environmental risk results
from socio-political actions, accidents, or acts of God (Christopher and Peck 2004),
affecting process, control, supply, and demand risk at both the organizational and
network level. While the point of origin for environmental risk may be far removed
from an organization, the effects can be passed directly from the environment to an
organization or as a cascading failure from one organization to another within a
supply chain.
An appropriate line of inquiry at this juncture concerns the classification of IT
security within the above supply chain risk categories. Unfortunately, due to the
pervasive nature of IT in the supply chain, the literature provides a muddled
picture of IT risk in the context of supply chain management. IT system failures,
which are often caused by security incidents, are considered to be an
organizational risk (Juttner et al. 2003). Yet disruptions to information flows
are certainly within the domain of IT security which Christopher and Peck (2004)
identify as a type of network risk. Further, many IT security threats originate
outside an organization and its network of partners and should therefore be
classified as an environmental risk. Alternatively, others have classified the
security of a firm’s IT systems as its own dimension of supply chain risk
(Spekman and Davis 2004).
These uncertainties and conflicts exist because little has been done in the way of a
unifying framework between IT security and supply chain risk. Given the growing
importance of IT in SCM and the rise in IT security incidents in recent years,
resolving this dilemma is critical to a resilient modern supply chain. In pursuit
of such a framework, a fundamental understanding of IT security risk is
essential. To that end, we provide a discussion of IT-related risk factors in the
following section.
[Figure: Information exchanged between IT system A and IT system B; panels: Confidentiality (3rd party), Integrity, Availability.]
As the intended audience for this research spans both the IT and supply chain
communities, it is beneficial to define a rational categorization of IT threats to
facilitate understanding and establish the scope of IT risk in the context of supply
chain management. In identifying threat categories for the purpose of this study, we
draw from professional experience and the numerous taxonomies that have been
proposed by academic, industry and government sources to classify and systematize
common IT security threats. As our chief purpose is to discuss IT security risk in the
context of the supply chain, we include threats identified in SCM literature (Warren
and Hutchinson 2000, Kolluru and Meredith 2001, Spekman and Davis 2004) as well
as from traditional IT sources (Smith 1989, Loch and Carr 1992, Cheswick and
Bellovin 1994, Icove et al. 1995, Cohen 1997, NIST 1997, Whitman 2003, Gordon
et al. 2004).
These efforts result in the selection of six general IT security threat
categories. Table 1 displays these categories and provides examples from the
literature as to potential threats contained within each. We do not claim this list
to be exhaustive or descriptive; rather, it is a high-level categorical representation
of a large spectrum of specific threats to IT systems and interconnections;
nonetheless, it does have one advantage over many of the existing taxonomies in
that it separates threats from impacts. Many of the taxonomies we reviewed
failed to make this distinction, treating causes (threats) and effects (impacts)
interchangeably; however, separating threats and impacts is a prerequisite for
measuring risk.
To assess the level of risk each of our threat categories poses to the operation of a
supply chain, not only must we understand the characteristics of the potential
threats, but we must also grasp the frequency with which they affect organizations.
According to the 2005 FBI Computer Crime Survey, 87 percent of 2 066 respondents
reported at least one security incident in the preceding 12 months with nearly 20
percent experiencing more than 20 such incidents. In a separate survey conducted in
conjunction with an industry leader in IT security (see table 2), a significant
percentage of companies reported at least one security incident in each of our six
threat categories (Baker et al. 2005). Despite the large number of companies
reporting IT security incidents, it is generally held that such incidents are under-
reported. In fact, a 1996 study by the Defense Information Systems Agency (DISA)
estimated that only about 0.7 percent of all attack attempts were ever reported (GAO
1996). This phenomenon can be partly attributed to the desire to avoid negative
publicity; however, even more troubling is the realization that most sophisticated
attacks go unrecognized, as they are narrowly focused and are carried out
clandestinely leaving little or no evidence. The DISA study found that in addition
to a low reporting rate, organizations most likely fail to detect about 97.4 percent
of incidents (GAO 1996). Therefore, it is likely that the frequency of attack is much
greater than suggested here.
Malicious code & programs | Malicious code or program infection | 70.9 | 75.68
Malicious hacking & intrusion attempts | Loss of availability of IT assets due to malicious hacking | 29.1 | 29.73
Malicious hacking & intrusion attempts | Successful network intrusion from supply partners or environment | 19.0 | 21.62
Malicious hacking & intrusion attempts | Successful network intrusion from within the organization | 44.9 | 40.54
Fraud & deception | Reports of fraud and social engineering | 24.1 | 29.73
By isolating the point of origin for IT-specific threats, we are able to identify points
of vulnerability within the system and thereby customize risk mitigation strategies.
This is especially important because IT threats may span multiple points of origin.
For example, the most common type of IT threat, malicious code and programs,
often stems from environmental sources in the far reaches of the Internet.
Additionally, malicious code can be written and released by an organization’s own
employees, making this type of threat an organizational risk as well. Less apparent is
that malicious code and programs may also be a substantial source of network risk.
Numerous respondents to surveys conducted to assess the impact of worldwide
malicious code events over the past few years have pointed to supply chain partners
as the source of infection (Baker et al. 2007). This suggests that malicious code is able
to exploit vulnerabilities at one point within the supply chain and then use the high
level of interconnectivity between partners to bypass traditional defenses and infect
other organizations. Thus, by focusing on not only the type of threat but also its
point of origin, we are able to allocate resources to more effectively combat threats
that may span multiple risk sources.
Having identified where threats may originate, the next step toward assessing
IT risk is to understand the characteristics of the threats involved. A further
examination of the previously presented six categories of IT threats is therefore in
order. Malicious code and programs are written to infect IT systems and then
multiply, propagate, modify programs, steal information, and generally act
egregiously. This category of threat is diverse and inescapable for organizations
connected to the Internet. Malicious hacking and intrusion attempts include any
effort to gain unauthorized access to or alter the normal operation of IT systems.
Threats of this type allow a cyber-criminal to take control of a system allowing
a range of options extending from shutting the system down to defacing Web pages
to stealing information. Fraud and deception is any attempt at misrepresentation of
identity to deceive and exploit. Fraud takes many electronic forms like phishing,
hoaxes, or credit card theft; however, it may also be accomplished through non-
technical means. Misuse and sabotage contains a diverse and particularly worrisome
set of threats because an employee, partner, or contractor has a unique opportunity
to misuse the access and privileges granted to them for malevolent purposes. These
threats manifest themselves in the form of embezzlement, inappropriate use of
system resources, or sabotage. Errors and omissions are unintentional and
unavoidable. Included in this set of threats are minor nuisances like coffee on
keyboards, but also threats that may have significant consequences like programming
errors. Finally, physical and environmental hazards include equipment failures,
power outages, natural disasters, and physical theft of property or data. Though
typically rare and unavoidable, an organization failing to take appropriate action
will incur high downtime and equipment replacement losses due to threats in this
category.
From this discussion, it should be apparent that IT threats use vastly different
methods, channels, and actors to disrupt information flows in the supply chain. For
instance, intrusion attempts can be separated into virtual and physical. Obviously,
the steps required to gain access to an IT system via a network are not the same as
those used to gain physical access. Even when isolating virtual intrusion attempts,
techniques and possibilities abound. Though seemingly elementary, distinctions such
as this aid in the selection of control and mitigation strategies.
A critical balance 2607
in damages worldwide. Two common threats to system availability, virus and denial
of service attacks, accounted for more than 55 percent of the estimated total losses in
2004 (Gordon et al. 2004). It is clear that as our reliance on IT to help manage
the supply chain increases, so does the seriousness of these types of attacks on the
economy.
6. Discussion
The purpose of this research was to define the nature of information security risk in
the context of supply chain management. To that end, we have introduced a model
of supply chain information security risk. This model depicts risk as originating from
organization, network, and environmental sources. Additionally, it identifies those
processes and linkages that are vulnerable to IT threats in the supply chain.
Therefore, we are now able to define Supply Chain Information Security Risk
(SCISR) as degradation or disruption to a supply chain’s infrastructure or structural
resources resulting from the successful exploitation of IT vulnerabilities by threats
within an organization, within the supply chain network, or in the external
environment.
As depicted in figure 4, it is apparent that supply chain risk is affected by
IT threats and therefore SCISR must be included in the scope of supply chain
management. The IT systems used to support information sharing and thereby
facilitate collaboration across the supply chain mitigate traditional sources of supply
chain risk while simultaneously increasing each of the interconnected organizations’
exposure to the sources of IT risk. This in turn increases exposure to IT-specific
threats, which may then be able to exploit vulnerabilities within the supply chain,
negatively affecting the chain’s ability to satisfy customer demand. While
conventional wisdom would suggest that collaboration and integration benefit
[Figure: diagram with nodes Information sharing, Supply chain collaboration, IT assets, Sources (organizational, network, environmental), IT vulnerabilities, IT threats, SC risk, and Supply chain risk; link labels: To facilitate, That support, Increases exposure, Reducing, Increasing, To impact, Contain, That exploit.]
[Figure: bar chart, percentage (0% to 60%) by level]
Factor | None | Low | Moderate | High
Number of supply chain partners | 0% | 24% | 23% | 57%
Level of IT system integration | 7% | 22% | 37% | 45%
Amount of information sharing | 17% | 23% | 31% | 37%
academicians at this time. Simply stated, the component processes and scope to be
considered have been too ill-defined to allow for any meaningful measurement of the
supply chain costs associated with an IT security incident.
Indicative of this problem is the estimate of financial loss provided in the 2005
FBI Computer Crime Survey. As previously stated, 87 percent of respondents
reported at least one IT security incident; however, only 64 percent of respondents
reported a financial loss. It would appear that 23 percent of organizations reporting
incidents were either unable or unwilling to quantify losses. Furthermore, when
estimating total losses due to IT security incidents in the USA, the authors felt
compelled to reduce the percentage of organizations incurring financial loss to 20
percent. This reduced the overall cost of security incidents from in excess of $200
billion to slightly more than $67 billion. We encountered similar deficiencies while
analysing the results of a survey conducted in conjunction with a leading IT security
company. Analysis reveals extreme variance and a great deal of uncertainty among
responses, especially when respondents were asked to estimate costs associated with
each IT security incident. Not only do these results restrict researchers and
practitioners from drawing conclusions based on cost, supply chain function, or size
of company, they lead us to question the validity of this sort of industry-standard
survey for accurate quantitative risk measurement. Other researchers have echoed
this sentiment (Ryan and Jefferson 2005).
Recently, a stream of research has emerged in the literature which attempts to
shed light on the process of determining the cost of IT security incidents (Gordon
and Loeb 2002, Cavusoglu et al. 2004a, b). While these are useful first steps in
defining the cost of each incident, they are too narrowly focused to capture all of the
costs within a supply chain. As this line of research holds the key to understanding
the relationship between collaboration and SCISR, and thereby a means for
evaluating members of the supply chain, much work in this area remains to be done.
7. Conclusion
element in the decision-making process. Research toward this end is critical for SCM
to ensure that proper consideration is given to IT security risk as organizations seek
to leverage IT to establish collaborative relationships.
References
Amoroso, E.G., Fundamentals of Computer Security Technology, 1994 (Prentice Hall PTR:
Upper Saddle River, NJ).
Anonymous, JUST blame the software Guys. Business 2.0, 2001, 6, 25.
Ashayeri, J. and Kampstra, R.P., Realities of supply chain collaboration, in EurOMA
International Conference Proceedings, 2005.
Australian Department of Commerce, The Office of Information and Communications
Technology, Information Security Guideline for NSW Government Agencies - Part 2
Examples of Threats and Vulnerabilities, 2003.
Baker, W.H., Pokorski, J., Smith, G.E. and Watson, K.J., Assessing information security risk
in the supply chain, in Informs 2005 Annual Meeting, 2005.
Baker, W.H. and Rees, L.P., Necessary measures: metric-driven information security risk
assessment and decision-making. Commun. ACM, in press.
Baker, W.H., Smith, G.E. and Watson, K.J., Information security risk in the e-supply chain.
In E-Supply Chain Technologies and Management, edited by Q. Zhang, 2007 (Idea
Group Publishing: Hershey, PA).
Barratt, M. and Oliveira, A., Exploring the experiences of collaborative planning initiatives.
Int. J. Phys. Distrib. Log. Mgmt, 2001, 31, 266–289.
Bowersox, D.J., The strategic benefits of logistics alliances. Harvard Bus. Rev., 1990, 68, 36.
Cachon, G.P. and Fisher, M., Supply chain inventory management and the value of shared
information. Manage. Sci., 2000, 46, 1032–1048.
Carr, N.G., IT doesn’t matter. Harvard Bus. Rev., 2003, 81, 41.
Cavusoglu, H., Cavusoglu, H. and Raghunathan, S., Economics of IT security management:
four improvements to current security practices. Commun. AIS, 2004a, 14, 65–75.
Cavusoglu, H., Mishra, B. and Raghunathan, S., A model for evaluating IT security
investments. Commun. ACM, 2004b, 47, 87–92.
Cheswick, W.R. and Bellovin, S.M., Firewalls and Internet Security: Repelling the Wily
Hacker, 1994 (Addison-Wesley: Reading, Mass).
Chopra, S. and Sodhi, M.S., Managing risk to avoid supply-chain breakdown. MIT Sloan
Mgmt Rev., 2004, 46, 53.
Christopher, M. and Peck, H., Building the resilient supply chain. Int. J. Log. Mgmt,
2004, 15, 1.
Christopher, M., Peck, H., Wilding, R. and Chapman, P., Supply chain vulnerabilities.
Department of Transport, Local Government and the Regions, Home Office,
Department of Trade and Industry, Cranfield, UK, 2002.
Cohen, F., Information system attacks: a preliminary classification scheme. Comput. Secur.,
1997, 16, 29.
DeLoach, J.W., Enterprise-Wide Risk Management: Strategies for Linking Risk and
Opportunity, 2000 (Financial Times/Prentice Hall: London).
Finch, P., Supply chain risk management. Supply Chain Mgmt: An Int. J., 2004, 9, 183–196.
Frohlich, M.T. and Westbrook, R., Arcs of integration: an international study of supply chain
strategies. J. Oper. Mgmt, 2001, 19, 185.
Gordon, L.A. and Loeb, M., The economics of information security investment. ACM Trans.
Inform. Syst. Secur., 2002, 5, 438–457.
Gordon, L.A., Loeb, M., Lucyshyn, W. and Richardson, R., Ninth Annual CSI/FBI
Computer Crime and Security Survey. Computer Security Institute, 2004.
Grance, T., Hash, J., Peck, S., Smith, J. and Korow-Diks, K., Security guide for
interconnecting information technology systems. Report No. 800-47, National
Institute of Standards and Technology, 2002.
Greenhouse, S., How Costco Became the Anti-Wal-Mart, in The New York Times, 2005
(The New York Times Company: New York).
Gunasekaran, A. and Ngai, E.W.T., Information systems in supply chain integration and
management. Eur. J. Oper. Res., 2004, 159, 269.
Handfield, R.B. and Nichols, E.L., Introduction to Supply Chain Management, 1999 (Prentice
Hall: Upper Saddle River, N.J.).
Howard, J.D. and Longstaff, T.A., A common language for computer security incidents.
Report No. SAND98-8667, U.S. Department of Energy, Sandia National Laboratories,
Albuquerque, NM, 1998.
Huang, Z. and Gangopadhyay, A., A simulation study of supply chain management to
measure the impact of information sharing. Inform. Res. Mgmt J., 2004, 17, 20.
Icove, D.J., Seger, K.A., VonStorch, W. and NetLibrary Inc., Computer Crime: A
Crimefighter’s Handbook, 1995 (O’Reilly & Associates: Sebastopol, CA).
Ismail, S., An investigation of MRP benefit-determinant relationships: ACE model. Probl.
Perspect. Mgmt, 2005, 2, 80–98.
Jorgensen, B., Confidentiality guidelines set. Electron. Buyers’ News, 1998, 36, 1134.
Juttner, U., Peck, H. and Christopher, M., Supply chain risk management: outlining an
agenda for future research. Int. J. Log.: Res. Appli., 2003, 6, 197.
Kolluru, R. and Meredith, P.H., Security and trust management in supply chains. Inform.
Mgmt Comp. Secur., 2001, 9, 233–236.
Landwehr, C.E., Bull, A.R., McDermott, J.P. and Choi, W.S., A taxonomy of computer
security flaws. ACM Comput. Surv., 1994, 26, 211–254.
Lee, H.L., Padmanabhan, V. and Whang, S., Information distortion in a supply chain: the
bullwhip effect. Mgmt Sci., 1997, 43, 546.
Lee, H.L. and Whang, S., Information sharing in a supply chain. Int. J. Tech. Mgmt., 2000, 20,
373.
Li, L., Information sharing in a supply chain with horizontal competition. Mgmt Sci., 2002,
48, 1196.
Loch, K.D. and Carr, H.H., Threats to information systems: today’s reality, yesterday’s
understanding. MIS Quart., 1992, 16, 173.
Lummus, R.R. and Vokurka, R.J., Defining supply chain management: a historical
perspective and practical guidelines. Ind. Mgmt Data Syst., 1999, 99, 11.
Mentzer, J.T., Foggin, J.H. and Golicic, S.L., Collaboration: the enablers, impediments, and
benefits. Sup. Chain Mgmt Rev., 2000a, 4, 52–58.
Mentzer, J.T., Min, S. and Zacharia, Z.G., The nature of interfirm partnering in supply chain
management. J. Retailing, 2000b, 76, 549.
Metters, R., Quantifying the bullwhip effect in supply chains. J. Oper. Mgmt, 1997, 15, 89.
Narus, J.A. and Anderson, J.C., Rethinking distribution: adaptive channels. Harvard Bus.
Rev., 1996, 74, 112.
Nelson, K., Bad data plagues ERP. Bank Syst. Tech., 2002, 39, 12.
Petroni, A., Critical factors of MRP implementation in small and medium-sized firms. Int. J.
Oper. Prod. Mgmt, 2002, 22, 329.
Raman, A., DeHoratius, N. and Ton, Z., The Achilles’ heel of supply chain management.
Harvard Bus. Rev., 2001, 79, 25.
Royal Society, Risk: analysis, perception and management, 1992.
Ryan, J. and Jefferson, T., The Use, Misuse, and Abuse of Statistics in Information Security
Research, in Proceedings of the 2003 ASEM National Conference, 2005.
Sahay, B.S., Supply chain collaboration: the key to value creation. Work Study, 2003, 52,
76–83.
Simatupang, T.M. and Sridharan, R., The collaboration index: a measure for supply chain
collaboration. Int. J. Phys. Distrib. Log. Mgmt, 2005, 35, 44.
Smith, M., Computer security - threats, vulnerabilities, and countermeasures. Inform. Age,
1989, 11, 205–210.
Spekman, R.E. and Davis, E.W., Risky business: expanding the discussion on risk and the
extended enterprise. Int. J. Phys. Distrib. Log. Mgmt, 2004, 34, 414.
Stoneburner, G., Goguen, A. and Feringa, A., Risk Management Guide for Information
Technology Systems. Special Publication 800-30, U.S. Department of Commerce,
National Institute of Standards and Technology, Gaithersburg, MD, 2002.
U.S. Defense Information Systems Agency, CyberProtect, 1999.
U.S. Department of Commerce, National Institute of Standards and Technology, An
Introduction to Computer Security: The NIST Handbook. Special Publication 800-12,
Gaithersburg, MD, 1997.
U.S. General Accounting Office, Information Security: Computer Attacks at Department of
Defense Pose Increasing Risks, 1996.
Warren, M. and Hutchinson, W., Cyber attacks against supply chain management systems: a
short note. Int. J. Phys. Distrib. Log. Mgmt, 2000, 30, 710.
Whitman, M.E., Enemy at the gate: threats to information security. Commun. ACM, 2003, 46,
91.
Wise, D. and Fahrenwald, B., Supply chain collaboration: close encounters of the best kind.
Businessweek, 2001.
Xu, H., Nord, J.H., Brown, N. and Nord, G.D., Data quality issues in implementing an ERP.
Ind. Mgmt Data Syst., 2002, 102, 47.
Zsidisin, G.A., A grounded definition of supply risk. J. Purch. Supp. Mgmt, 2003, 9, 217.