
International Journal of Production Research,

Vol. 45, No. 11, 1 June 2007, 2595–2613

A critical balance: collaboration and security in the IT-enabled supply chain

G. E. SMITH†, K. J. WATSON*‡, W. H. BAKER§ and J. A. POKORSKI II§

†Xavier University, USA
‡University of New Orleans, USA
§Virginia Polytechnic Institute and State University, USA

(Revision received November 2006)

Integration of information flows facilitated by advances in information
technology (IT) has increased collaboration across supply chains. However,
benefits of interconnectivity are not gained without risk, as IT has removed
protective barriers around assets and processes. Thus, supply chains are better
able to satisfy customer needs yet are potentially more vulnerable to disruption
due to an array of IT-specific threats. Highly interconnected supply chains would
appear to be especially prone to these hazards. Although supply chain risk and
information technology risk have been studied in isolation, little has been done to
define the impact of information security on supply chain management. This
exploratory investigation addresses this deficiency in the literature by defining
information security risk in the context of supply chain management. It identifies,
categorizes, and validates information technology threats as sources of risk in the
supply chain. It then establishes a conceptual framework for further study into
supply chain information security risk. Finally, it discusses the implications of
information security risk in the supply chain. It is suggested that supply chain risk
is affected by IT threats and therefore the benefits of collaboration facilitated by
IT integration must exceed the increase in risk due to IT security threats.

Keywords: Supply chain management; Information security; Risk

1. Introduction

The post-industrial manufacturing environment has undergone a profound shift
away from organizations containing isolated hierarchical functions to highly
collaborative virtual networks spanning a multitude of organizations in a variety
of countries. In this environment, it is critical that organizations adopt agile
structures capable of satisfying changing customer requirements. To maximize
competitive position, firms increasingly choose to specialize, focusing on core
processes while outsourcing non-core functions, forming intricate global supply
chains that maximize efficiency from supplier to customer. To deliver on this promise
of efficiency, supply chain management (SCM) attempts to coordinate and integrate

*Corresponding author. Email: KWatson@UNO.Edu

International Journal of Production Research
ISSN 0020–7543 print/ISSN 1366–588X online © 2007 Taylor & Francis
http://www.tandf.co.uk/journals
DOI: 10.1080/00207540601020544

all activities into a single seamless process. According to Lummus and Vokurka
(1999), to improve competitive position, managers must consider:

all the activities involved in delivering a product from raw material through to
the customer including sourcing raw materials and parts, manufacturing and
assembly, warehousing and inventory tracking, order entry and order management,
distribution across all channels, delivery to the customer, and the
information systems necessary to monitor all of these activities. (p. 11)

With the decline of the vertically integrated organization and an increase in
outsourcing, many of these functions now reside in the extended enterprise. As such,
competition is increasingly seen as between supply chains rather than between firms.
Recognizing that supply chains which share information for coordinated
decision-making achieve maximum efficiency for all members, a systematic approach
to SCM, emphasizing collaboration across functions and between organizations, has
emerged. As the need for collaboration increases, so does the need for integration
and the ability to process massive amounts of information shared among partners.
By way of enabling organizations to capture, process, analyse, store and exchange
enormous quantities of information over vast geographic distances in a timely
manner, information technology (IT) has become an indispensable component of
supply chain collaboration and performance improvement. Firms have made heavy
investments in pursuit of the many advantages promised by the IT-enabled supply
chain. Though often substantial, the benefits of interconnectivity are not gained
without risk.
While IT is clearly essential to support collaboration in supply networks, it has
reduced or removed many of the traditional layers of internal and external
separation that once formed a protective barrier around an organization’s assets and
processes. The result has been increased exposure to an array of new and often
unforeseen IT-specific risks. Malicious threats are able to exploit the speed,
pervasiveness, and openness of IT, often resulting in massive and devastating
consequences. Highly interconnected supply chains designed around the goals
of open collaboration and seamless integration appear especially prone to these
hazards. Because IT serves as the medium of SCM, disruption or compromise to IT
systems can have costly repercussions throughout the supply chain just as would be
the case with disruptions to physical processes. Such incidents have the potential to
temporarily or permanently terminate supply chain functions, thus lessening or
nullifying the benefits normally associated with collaboration. Therefore,
organizations are required to balance inherently opposing goals: increasing IT
interconnectivity to facilitate collaboration while simultaneously mitigating
exposure to IT-specific risk by increasing security.
Even though Lee and Whang (2000) consider achieving the critical balance
between integration and security to be among the most challenging and relevant
contemporary topics, little has been done to address this subject. While various
supply chain and production authors have identified this deficiency in the literature,
some even offering insight on IT security in the context of SCM, we found no
evidence of an attempt to comprehensively examine, validate, quantify, or model
information security risk in supply chains. Moreover, although most academicians

and practitioners agree collaboration and integration benefit SCM, its effect on IT
incidents and risk in the supply chain is unknown. Understanding these relationships
will be critical in the future as SCM continues to leverage IT for increased
competitiveness.
To address the identified deficiency in the literature, we have undertaken a
research program intended to define the nature of information security risk in the
context of supply chain management. First, we will examine the role of information
in supply chain management. Next, we examine the nature of risk as it relates
to supply chains and information security, respectively. Following the identification
of IT-specific threats, we conclude with a discussion of potential risks to the supply
chain and the management implications of disruption in the information flow.

2. Information and supply chain collaboration

The central principle in creating flexible supply chains is collaboration (Narus and
Anderson 1996), a mutual decision-making process directed toward achieving
common objectives across departments and/or organizations. Collaborative
relationships allow supply chain partners to jointly gain a clearer understanding of future
demand, develop realistic plans to satisfy that demand, and coordinate activities to
do so in the most efficient manner (Sahay 2003). Cachon and Fisher (2000) estimate
collaboration can reduce supply chain cost by as much as 12 percent; however,
non-financial improvements such as greater customer service, faster speed to market, and
better utilization of resources are also incentives to increase collaboration (Lee et al.
1997, Metters 1997, Mentzer et al. 2000a, Frohlich and Westbrook 2001, Li 2002,
Simatupang and Sridharan 2005). The extent of the financial and competitive
positioning benefits is such that Ashayeri and Kampstra (2005) state that
collaboration may be the single most pressing need in optimizing supply chain
performance.
To guide collaborative undertakings, a number of authors have attempted to
define levels of integration and identify prerequisites for collaboration (Mentzer et al.
2000a, 2000b, Barratt and Oliveira 2001, Simatupang and Sridharan 2005). Typical
of these endeavors is a framework to assess collaboration and information sharing
between supply chain participants developed by Kolluru and Meredith (2001). At the
lowest level of integration, supply chain participants engage in minimal arms-length
relationships typified by asynchronous one-way data push communication
mechanisms. Information sharing at this level of integration is limited to the seven
rudimentary information types identified by Lee et al. (1997) as necessary for
operation of a supply chain: inventory level, sales data, order status for tracking and
tracing, sales forecasts, production and delivery schedules, performance metrics, and
capacity. In contrast, supply chains exhibiting the highest level of integration operate
at a strategic level of collaboration across the extended enterprise facilitated by
peer-to-peer client server communication. The types of information shared in these highly
integrated supply chains exceed rudimentary requirements, expanding to include
product, customer, supplier, process, competitive, and marketing information
(Handfield and Nichols 1999). Based on this model, it is apparent the degree of
integration among supply chain participants dictates the type of information shared
and the means by which it is transmitted.

Advances in IT have made integrating information flows in the supply chain
feasible, positioning IT as a key driver of supply chain collaboration (Bowersox 1990,
Huang and Gangopadhyay 2004). In fact, the extent to which modern supply chains
rely on IT has led some authors to argue that it is impossible to achieve an efficient,
competitive, and collaborative supply chain without IT (Gunasekaran and Ngai
2004). Even though the supply chain literature frequently proclaims the virtues of
information sharing, it is not void of warnings concerning potential drawbacks.
Greater levels of collaboration expose significantly more sensitive information to
potential risk suggesting that a greater emphasis must be placed on information
security. This call for increased scrutiny in the area of supply chain information
security has been widely echoed in the literature (Lee and Whang 2000, Kolluru and
Meredith 2001, Finch 2004).

3. Supply chain and information security risk

The definition of risk is a non-trivial matter; Christopher and Peck (2004) speak of
the difficulty in defining risk, identifying two schools of thought: variance-based
definitions from classical decision theory and hazard-focused definitions common
to risk management. Defining the nature of and quantifying exposure to risk is often
seen as the first step toward improving decision-making. The Royal Society (1992)
addresses this problem by defining risk in terms of an expected value measurement, a
‘combination of probability, or frequency, of occurrence of a defined hazard and the
magnitude of the consequences of the occurrence’. However, risk measurements may
also be performed qualitatively, instead of numerically, to arrive at a pragmatic
solution. In either case, identification of the sources of risk and measuring the
consequences of that risk are fundamental to decision-making.

3.1 Supply chain risk

Broadly stated, business risk can be defined as ‘‘the level of exposure to uncertainties
that the enterprise must understand and effectively manage as it executes its
strategies to achieve its business objectives and create value’’ (DeLoach 2000). This
definition of risk is clear yet broad, as business risk may refer to various functions
within an enterprise. However, as Spekman and Davis (2004) state, risk is context
specific; therefore, any definition of supply chain risk must be refined to emphasize
supply and demand. To satisfy this requirement, Zsidisin (2003) states that supply
chain risk is ‘‘the potential occurrence of an incident associated with inbound supply
from individual supplier failures or the supply market, in which its outcomes result in
the inability of the purchasing organization to meet customer demand or cause
threats to customer life and safety.’’ Under this definition, it is possible to identify
five sources of supply chain risk: process, control, demand, supply, and
environmental (Christopher and Peck 2004); which can be further classified in
terms of point of origin: organization, network, and environment (Juttner et al.
2003).
Organization risks are those sources of risk found entirely within the boundaries
of an organization. These risks include uncertainties with regard to labour,
production, and IT systems (Juttner et al. 2003). The most common types of

organizational risks are process and control risks. Process risk includes disruption to
the execution activities that add value to the organization such as production,
sourcing, warehousing, transportation, planning and scheduling. Control risk
captures the cost of misapplication of assumptions, rules, systems and procedures
that govern how organizations exert control over processes. Cooperation between an
organization’s process and control mechanisms is essential to effect an optimal
supply chain strategy (Christopher et al. 2002).
The need to procure materials from upstream suppliers and sell finished goods
through a network of distributors exposes an organization to network risk.
Interactions between organizations linked in a supply chain increases exposure to
unexpected events that may occur during acquisition, transportation, and
employment of goods and services resulting in an inability to serve a firm’s customers.
Supply risk and demand risk, which comprise network-related risks, are defined by
their role relative to the organization. Supply risk is associated with unexpected
events occurring upstream in the supply chain resulting in a negative consequence
to the organization obtaining the goods and services. Similarly, Christopher and
Peck (2004) define demand risk as the potential for or actual disruption of product or
information flows that exist between an organization and its customers. Exposure to
both supply and demand risk is dependent on the level of process and control risk
experienced by other supply chain participants.
Environmental risk results from uncertainties that occur because of interactions
between supply chain participants and the environment. Environmental risk results
from socio-political actions, accidents, or acts of God (Christopher and Peck 2004),
affecting process, control, supply, and demand risk at both the organizational and
network level. While the point of origin for environmental risk may be far removed
from an organization, the effects can be passed directly from the environment to an
organization or as a cascading failure from one organization to another within a
supply chain.
An appropriate line of inquiry at this juncture concerns the classification of IT
security within the above supply chain risk categories. Unfortunately, due to the
pervasive nature of IT in the supply chain, the literature provides a muddled
picture of IT risk in the context of supply chain management. IT system failures,
which are often caused by security incidents, are considered to be an
organizational risk (Juttner et al. 2003). Yet disruptions to information flows
are certainly within the domain of IT security which Christopher and Peck (2004)
identify as a type of network risk. Further, many IT security threats originate
outside an organization and its network of partners and should therefore be
classified as an environmental risk. Alternatively, others have classified the
security of a firm’s IT systems as its own dimension of supply chain risk
(Spekman and Davis 2004).
These uncertainties and conflicts exist because little has been done in the way of a
unifying framework between IT security and supply chain risk. Given the growing
importance of IT in SCM and the rise in IT security incidents in recent years,
resolving this dilemma is critical to a resilient modern supply chain. In pursuit
of such a framework, a fundamental understanding of IT security risk is
essential. To that end, we provide a discussion of IT-related risk factors in the
following section.
[Figure 1: IT system A connected to IT system B by a pipe through which information flows]

Figure 1. Components of interconnected IT systems (adapted from NIST 1997).

3.2 Information technology risk

Management of risk related to IT systems within a single organization has been
extensively discussed in academic, professional, and governmental arenas.
Management of IT risk as it relates to the interconnections between organizations
has received somewhat less attention. Regardless of scope, most sources define
IT risk as the product of the frequency of potential threats, the likelihood of their
success, and their impacts to the organization (Baker and Rees in press). This
definition is similar to the quantitative definition of risk previously discussed, with
the key elements being the identification of sources of risk and their associated
consequences.
One of the primary roles of IT in the supply chain is to provide a conduit for
information transfer to facilitate collaboration between various parties, either
within an organization or across the extended enterprise. The National Institute
of Standards and Technology (NIST) defines the three components necessary for
such a transfer as two IT systems and an interconnecting ‘‘pipe’’ through which
information is made available (Grance et al. 2002). These components are
depicted in figure 1.
The manifestation of risk on such a system has traditionally been classified in
terms of loss or degradation of any of the following primary security goals:
confidentiality, integrity, and availability (Stoneburner et al. 2002).
Confidentiality requires that information be secure from unauthorized disclosure
while integrity refers to its reliability and protection from improper modification.
The goal of availability mandates that IT systems, interconnections and information
remain accessible and uninterrupted. Figure 2 illustrates breaches to confidentiality,
integrity, and availability within interconnected IT systems.
Loss or degradation of confidentiality, integrity, and availability is largely
dependent on the vulnerability of an organization’s IT assets, including systems,
software, information, personnel, and equipment. A vulnerability is a condition or
weakness that could be accidentally or intentionally exercised by a threat
(Stoneburner et al. 2002). If no vulnerabilities are present, the likelihood of a
threat’s success is zero and thus IT risk is eliminated. Unfortunately, it is difficult,
if not impossible, and cost-prohibitive to eliminate an organization’s vulnerability to
all IT threats. Therefore, the aim of IT risk management is to minimize vulnerability
by implementing managerial, operational, and technical controls in an efficient and
effective manner and, in the event that IT security control measures are not effective,
to mitigate the negative consequences to the firm.
[Figure 2: three panels, confidentiality, integrity and availability, each showing IT system A linked to IT system B; a third party is present on the link in the confidentiality panel and the integrity panel shows bits in transit between the systems]

Figure 2. Effects of IT incidents on interconnected systems.

4. Threats to information technology systems

As the intended audience for this research spans both the IT and supply chain
communities, it is beneficial to define a rational categorization of IT threats to
facilitate understanding and establish the scope of IT risk in the context of supply
chain management. In identifying threat categories for the purpose of this study, we
draw from professional experience and the numerous taxonomies that have been
proposed by academic, industry and government sources to classify and systematize
common IT security threats. As our chief purpose is to discuss IT security risk in the
context of the supply chain, we include threats identified in SCM literature (Warren
and Hutchinson 2000, Kolluru and Meredith 2001, Spekman and Davis 2004) as well
as from traditional IT sources (Smith 1989, Loch and Carr 1992, Cheswick and
Bellovin 1994, Icove et al. 1995, Cohen 1997, NIST 1997, Whitman 2003, Gordon
et al. 2004).
These efforts result in the selection of six general IT security threat
categories. Table 1 displays these categories and provides examples from the
literature as to potential threats contained within each. We do not claim this list
to be exhaustive or descriptive, rather it is a high-level categorical representation
of a large spectrum of specific threats to IT systems and interconnections;
nonetheless, it does have one advantage over many of the existing taxonomies in
that it separates threats from impacts. Many of the taxonomies we reviewed
failed to make this distinction, treating causes (threats) and effects (impacts)
interchangeably; however, separating threats and impacts is a prerequisite for
measuring risk.

Table 1. Categories of potential threats to IT resources.

Malicious Code and Programs
  Malicious Code/Programs (Amoroso 1994, NIST 1997, CyberProtect 1999, NSW Guideline 2003)
  Viruses and Worms (Loch and Carr 1992, Landwehr et al. 1994, Icove et al. 1995, Cohen 1997, CyberProtect 1999, Whitman 2003, Gordon et al. 2004)
  Trojan Horse (Landwehr et al. 1994, Icove et al. 1995, Cohen 1997, CyberProtect 1999)
  Logic/Time Bombs (Landwehr et al. 1994, Icove et al. 1995, CyberProtect 1999)

Malicious Hacking & Intrusion Attempts
  Hacking (Loch and Carr 1992, NIST 1997, CyberProtect 1999, Spekman and Davis 2004)
  Unauthorized Access/System Penetration (Loch and Carr 1992, Warren and Hutchinson 2000, NSW Guideline 2003, Whitman 2003, Gordon et al. 2004, Spekman and Davis 2004)
  Denial of Service Attacks (Loch and Carr 1992, Cheswick and Bellovin 1994, Icove et al. 1995, NIST 1997, CyberProtect 1999, Warren and Hutchinson 2000, NSW Guideline 2003, Whitman 2003, Spekman and Davis 2004)
  Password Sniffing/Cracking Software (Amoroso 1994, Icove et al. 1995, Cohen 1997, CyberProtect 1999, Warren and Hutchinson 2000)
  Industrial/Government Espionage (NIST 1997, NSW Guideline 2003, Whitman 2003)
  Eavesdropping (Amoroso 1994, Icove et al. 1995, CyberProtect 1999, NSW Guideline 2003)
  Web Site Intrusion/Defacement (NSW Guideline 2003, Gordon et al. 2004, Spekman and Davis 2004)
  Trap Doors (Landwehr et al. 1994, Icove et al. 1995)

Fraud and Deception
  Fraud (NIST 1997, NSW Guideline 2003, Gordon et al. 2004, Spekman and Davis 2004)
  Spoofing (Icove et al. 1995, Cohen 1997, CyberProtect 1999, Warren and Hutchinson 2000)
  Masquerading (Amoroso 1994, Icove et al. 1995, Cohen 1997, NSW Guideline 2003)
  Social Engineering (Cheswick and Bellovin 1994, Cohen 1997, NSW Guideline 2003)
  Salami Attacks (Icove et al. 1995, Cohen 1997)
  Privacy/Identity Threats (NIST 1997)

Misuse and Sabotage
  Deliberate Acts of Sabotage or Vandalism (Loch and Carr 1992, NIST 1997, NSW Guideline 2003, Whitman 2003, Gordon et al. 2004)
  Abuse/Misuse of Resources (Amoroso 1994, Icove et al. 1995, Cohen 1997, Kolluru and Meredith 2001, NSW Guideline 2003, Gordon et al. 2004)
  Abuse/Misuse of Privileges (Amoroso 1994, Icove et al. 1995, Cohen 1997)
  Insiders (Cohen 1997, CyberProtect 1999)
  Unauthorized Software Changes (Cohen 1997, NSW Guideline 2003)

Errors and Omissions
  Human Error (Cohen 1997, NIST 1997, NSW Guideline 2003, Whitman 2003)
  Software/Programming Errors (Loch and Carr 1992, Cheswick and Bellovin 1994, Cohen 1997, NSW Guideline 2003, Whitman 2003)
  Accidental Entry/Destruction of Data by Employees (Loch and Carr 1992)
  Protocol/Routing/Transmission Errors (Cheswick and Bellovin 1994, Cohen 1997, NSW Guideline 2003)

Physical and Environmental Hazards
  Forces of Nature (fire, flood, earthquake, etc.) (Loch and Carr 1992, NSW Guideline 2003, Whitman 2003)
  Service Disruptions from 3rd Party Provider (power, WAN, etc.) (Loch and Carr 1992, Icove et al. 1995, Cohen 1997, NIST 1997, NSW Guideline 2003, Whitman 2003)
  Weak, Ineffective, Inadequate Physical Control (Loch and Carr 1992, Cohen 1997)
  Physical Data/Equipment Theft (Loch and Carr 1992, Amoroso 1994, Cohen 1997, NIST 1997, Kolluru and Meredith 2001, Gordon et al. 2004, Spekman and Davis 2004)
  Dumpster Diving (Icove et al. 1995, Cohen 1997, CyberProtect 1999)

To assess the level of risk each of our threat categories pose to the operation of a
supply chain, not only must we understand the characteristics of the potential
threats, but we must also grasp the frequency with which they affect organizations.
According to the 2005 FBI Computer Crime Survey, 87 percent of 2 066 respondents
reported at least one security incident in the preceding 12 months with nearly 20
percent experiencing more than 20 such incidents. In a separate survey conducted in
conjunction with an industry leader in IT security (see table 2), a significant
percentage of companies reported at least one security incident in each of our six
threat categories (Baker et al. 2005). Despite the large number of companies
reporting IT security incidents, it is generally held that such incidents are
under-reported. In fact, a 1996 study by the Defense Information Systems Agency (DISA)
estimated that only about 0.7 percent of all attack attempts were ever reported (GAO
1996). This phenomenon can be partly attributed to the desire to avoid negative
publicity; however, even more troubling is the realization that most sophisticated
attacks go unrecognized, as they are narrowly focused and are carried out
clandestinely, leaving little or no evidence. The DISA study found that in addition
to a low reporting rate, organizations most likely fail to detect about 97.4 percent
of incidents (GAO 1996). Therefore, it is likely that the frequency of attack is much
greater than suggested here.
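As an added illustration (not code from the paper or its authors), the following Python puts the expected-value definition of IT risk from section 3.2 and the under-reporting argument above into a small model: Table 2 incidence rates are converted to annual incident rates, optionally corrected for the DISA detection gap, multiplied by likelihood of success and impact, and then set against the collaboration benefit that the paper argues must exceed the added risk. The Poisson assumption, the success probabilities and the impact figures are constructed for illustration.

```python
"""
Expected-value view of supply chain IT risk. Added illustration, not the
paper's own method: applies risk = threat frequency x likelihood of success x
impact (section 3.2) to the Table 2 rates and the DISA detection gap from
section 4, then checks the paper's balance condition (collaboration benefit
must exceed the added expected loss). Poisson arrivals, success probabilities
and impact figures are assumptions made for the example.
"""
import math
from dataclasses import dataclass

# Table 2, "percent reporting at least one incident" (all respondents). Where a
# category lists several incident types, the largest share is used.
REPORTED_PCT = {
    "malicious code and programs": 70.9,
    "malicious hacking and intrusion attempts": 44.9,
    "fraud and deception": 24.1,
    "misuse and sabotage": 74.1,
    "errors and omissions": 91.1,
    "physical and environmental hazards": 75.3,
}

# Section 4: the DISA study found about 97.4% of incidents go undetected.
DISA_DETECTION_PROB = 1.0 - 0.974


def poisson_rate(pct_at_least_one: float) -> float:
    """Mean incidents per year implied by the share of organizations that saw
    at least one incident, assuming Poisson arrivals (an assumption):
    P(at least one) = 1 - exp(-rate)."""
    if not 0.0 <= pct_at_least_one < 100.0:
        raise ValueError("share must be in [0, 100); 100% implies an unbounded rate")
    return -math.log(1.0 - pct_at_least_one / 100.0)


def true_rate(observed_rate: float, detection_prob: float) -> float:
    """Correct an observed rate for incidents that were never detected. With
    the DISA figure (2.6% detected) the observed rate understates the true one
    by a factor of roughly 38."""
    if not 0.0 < detection_prob <= 1.0:
        raise ValueError("detection probability must be in (0, 1]")
    return observed_rate / detection_prob


def expected_loss(frequency: float, p_success: float, impact: float) -> float:
    """The paper's IT risk definition as an annual expected loss: frequency of
    threats x likelihood of their success x impact (same units as impact)."""
    if frequency < 0 or impact < 0 or not 0.0 <= p_success <= 1.0:
        raise ValueError("frequency and impact must be >= 0, p_success in [0, 1]")
    return frequency * p_success * impact


@dataclass(frozen=True)
class CategoryRisk:
    category: str
    rate: float        # incidents per year, after any detection correction
    p_success: float   # likelihood a threat of this type succeeds (constructed)
    impact: float      # loss per successful incident, thousands (constructed)

    @property
    def annual_loss(self) -> float:
        return expected_loss(self.rate, self.p_success, self.impact)


def risk_register(p_success: dict, impact: dict, detection_prob: float = 1.0):
    """Per-category expected-loss register built from Table 2, highest loss
    first. A detection_prob below 1 applies the detection correction to every
    category, which is only defensible for the attack-like ones, so callers
    decide the scope."""
    rows = []
    for category, pct in REPORTED_PCT.items():
        rate = true_rate(poisson_rate(pct), detection_prob)
        rows.append(CategoryRisk(category, rate, p_success[category], impact[category]))
    return sorted(rows, key=lambda r: r.annual_loss, reverse=True)


def collaboration_is_worthwhile(chain_cost: float, savings_fraction: float,
                                loss_before: float, loss_after: float):
    """The paper's balance condition: the benefit of IT-enabled collaboration
    (modelled as a share of supply chain cost saved, e.g. the 12% upper
    estimate of Cachon and Fisher cited in section 2) must exceed the increase
    in expected loss that deeper interconnectivity brings. Returns (net, ok)."""
    benefit = chain_cost * savings_fraction
    added_risk = loss_after - loss_before
    return benefit - added_risk, benefit > added_risk


if __name__ == "__main__":
    # Constructed inputs: uniform success probability and impact per category.
    p_success = {c: 0.5 for c in REPORTED_PCT}
    impact = {c: 50.0 for c in REPORTED_PCT}
    for row in risk_register(p_success, impact):
        print(f"{row.category:42s} {row.rate:5.2f}/yr  expected loss {row.annual_loss:7.1f}")
    corrected = true_rate(poisson_rate(44.9), DISA_DETECTION_PROB)
    print(f"intrusion rate corrected for undetected incidents: {corrected:.1f}/yr")
    net, ok = collaboration_is_worthwhile(10_000.0, 0.12, 300.0, 900.0)
    print(f"net benefit of deeper integration: {net:.1f} ({'worthwhile' if ok else 'not worthwhile'})")
```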

5. Supply chain information security risk

Because modern supply chains are founded upon a series of interconnected IT
systems, it is logical that they are subject to all the risks heretofore discussed as being
inherent to both supply chains and information technology. Consequently, we now
focus on the nature of the relationship between these two systems and in so doing,
seek a proper and comprehensive model for IT security risk within the context of the
supply chain. For pedagogical reasons we previously presented the six high-level
categories of IT threats; however, we agree with Howard and Longstaff (1998) that
such a categorical representation alone is insufficient to provide the necessary clarity,
accuracy, and measurability of risk required for IT security incidents. Therefore, we
have adopted a more realistic model of how IT security incidents affect risk in the
supply chain by accounting for (1) point of origin, (2) type of threat, (3) potential
impact to IT assets, and (4) consequences within the supply chain.
In an effort to build an enveloping structure of supply chain information security
risk, information flows between and within organizations, along with essential
supply chain component representations, must be identified. Figure 3 incorporates
these linkages and establishes a full categorical identification of the point of origin
for supply chain information security risk. In keeping with the model proposed by
Juttner et al. (2003), we have identified supply chain information security risk as
originating from organization, network, and environmental sources. Similar to the
model proposed by Christopher and Peck (2004), we have identified five processes
and linkages vulnerable to information distortions within the supply chain: physical
supply, the transformation process, physical distribution, control processes, and the
information linkages between organizations.
As depicted, at a broad level, the points of origin for IT security and supply chain
risk are similar, containing organization, network, and environmental sources.
Table 2. Reported incidence of threat categories.

Threat category                 Type of security incident                                   Percent reporting   Percent,
                                                                                            at least one        production
                                                                                            incident            only
Malicious code & programs       Malicious code or program infection                         70.9                75.68
Malicious hacking &             Loss of availability of IT assets due to malicious hacking  29.1                29.73
intrusion attempts              Successful network intrusion from supply partners or        19.0                21.62
                                environment
                                Successful network intrusion from within the organization   44.9                40.54
Fraud & deception               Reports of fraud and social engineering                     24.1                29.73
Misuse and sabotage             Employee abuse and misuse                                   74.1                75.68
Errors and omissions            Employee error and omissions                                91.1                89.19
Physical & environmental        Loss of availability of IT assets due to physical and       75.3                89.19
hazards                         environmental hazards
                                Loss of confidentiality of IT assets due to successful      10.1                 5.41
                                physical intrusion of premises

[Figure 3: three organizations in a chain, each consisting of physical supply, transformation process and physical distribution under a control process; legend distinguishes environment, network and organization as points of origin, and process, physical flow of product and information linkage as the supply chain components]

Figure 3. Model of supply chain information security risk.

By isolating the point of origin for IT-specific threats, we are able to identify points
of vulnerability within the system and thereby customize risk mitigation strategies.
This is especially important because IT threats may span multiple points of origin.
For example, the most common type of IT threat, malicious code and programs,
often stem from environmental sources in the far reaches of the Internet.
Additionally, malicious code can be written and released by an organization’s own
employees, making this type of threat an organizational risk as well. Less apparent is
that malicious code and programs may also be a substantial source of network risk.
Numerous respondents to surveys conducted to assess the impact of worldwide
malicious code events over the past few years have pointed to supply chain partners
as the source of infection (Baker et al. 2007). This suggests that malicious code is able
to exploit vulnerabilities at one point within the supply chain and then use the high
level of interconnectivity between partners to bypass traditional defenses and infect
other organizations. Thus, by focusing on not only the type of threat but also its
point of origin, we are able to allocate resources to more effectively combat threats
that may span multiple risk sources.
Having identified where threats may originate, the next step toward assessing
IT risk is to understand the characteristics of the threats involved. A further
examination of the previously presented six categories of IT threats is therefore in
order. Malicious code and programs are written to infect IT systems and then
multiply, propagate, modify programs, steal information, and generally act
egregiously. This category of threat is diverse and inescapable for organizations
connected to the Internet. Malicious hacking and intrusion attempts include any
effort to gain unauthorized access to or alter the normal operation of IT systems.
Threats of this type allow a cyber-criminal to take control of a system allowing
a range of options extending from shutting the system down to defacing Web pages
to stealing information. Fraud and deception is any attempt at misrepresentation of
identity to deceive and exploit. Fraud takes many electronic forms like phishing,
hoaxes, or credit card theft; however, it may also be accomplished through non-
technical means. The misuse and sabotage category contains a diverse and particularly
worrisome set of threats because an employee, partner, or contractor has a unique
opportunity to misuse the access and privileges granted to them for malevolent purposes. These
threats manifest themselves in the form of embezzlement, inappropriate use of
system resources, or sabotage. Errors and omissions are unintentional and
unavoidable. Included in this set of threats are minor nuisances like coffee on
keyboards, but also threats that may have significant consequences like program-
ming errors. Finally, physical and environmental hazards include equipment failures,
power outages, natural disasters, and physical theft of property or data. Though
such hazards are typically rare and unavoidable, an organization that fails to take
appropriate action will incur high downtime and equipment replacement losses when
threats in this category materialize.
From this discussion, it should be apparent that IT threats use vastly different
methods, channels, and actors to disrupt information flows in the supply chain. For
instance, intrusion attempts can be separated into virtual and physical. Obviously,
the steps required to gain access to an IT system via a network are not the same as
those used to gain physical access. Even when isolating virtual intrusion attempts,
techniques and possibilities abound. Though seemingly elementary, distinctions such
as this aid in the selection of control and mitigation strategies.
A critical balance 2607

The third requirement of a realistic model of supply chain information security
risk accounts for potential impacts to IT assets. As previously stated, IT risk
management has traditionally classified impacts in terms of loss or degradation of
confidentiality, integrity, and availability (Stoneburner et al. 2002). Once a threat has
materialized, the impact may range from inconvenient to catastrophic and permeate
all levels of a supply chain. With these impacts come numerous secondary and
downstream consequences that ripple not only through the organization in which
they originate but the entire supply chain.
Finally, having identified potential technical impacts, we can determine the
consequences in the supply chain. Perhaps the greatest threat to collaborative supply
chain networks is the loss of confidentiality. Li (2002) speaks of the need to guard the
confidentiality of information flows between supply chain partners from either direct
or inadvertent disclosure. Findings suggest that there is a disincentive to share data
due to "information leakage" and resulting strategic actions by competitors.
A recent example of how such leakage may occur and the consequence was reported
in The New York Times (Greenhouse 2005); a supplier lost their entire account when
a Wal-Mart invoice was inadvertently routed to Costco showing a lower price for
items stocked by both companies. While this disclosure was accidental, the same type
of disclosure could result from the unauthorized access of company data due to any
number of IT threats and could be used not only for competitive purposes, but to
blackmail a company whose vulnerabilities have been exploited. To improve trust
and spur increases in information sharing, three electronics trade associations
proposed guidelines for the treatment of confidential information between supply
chain partners (Jorgensen 1998).
One of the most important factors for implementation of IT systems to facilitate
coordination of the supply chain is data integrity. Data accuracy has been found to
be a critical success factor for implementation of MRP (Petroni 2002, Ismail 2005)
and ERP (Nelson 2002, Xu et al. 2002) systems. Data integrity is not just an issue for
implementation but extends to the operation of the supply chain. Raman et al. (2001)
point to the experience of a retailer that audited inventory on hand at a new store,
finding inaccuracies in 29 percent of SKUs. Many of these inaccuracies can be
attributed to incorrect receiving practices or incorrectly scanning products at the
point of sale. A second retailer found 16 percent of stock outs were falsely reported
to customers, reducing the company’s profitability by an estimated 25 percent.
Beyond these, transmission errors between channel partners or between systems may
result in an incorrect product being ordered or an incorrect quantity of the correct
product being delivered. For example, NIKE blamed i2 Technologies for an
estimated $80–100 million shortfall in quarterly revenues when a glitch in a new
order processing system intended to match forecasts with demand created
inefficiencies in their supply chain (Anonymous 2001).
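The misrouted invoice above (a confidentiality failure) and the transmission errors that change an ordered quantity (an integrity failure) are both failures at the partner-exchange boundary. The following is an added example, not code from the paper or from any company it names: a small outbound document guard that refuses to send a document to any partner other than the customer named in it, and seals each document with an HMAC so the receiver can detect corruption or alteration in transit. Partner identifiers, shared keys and the invoice are constructed.

```python
"""Outbound partner-document guard (added example; partner names, keys and the
invoice below are constructed, not taken from the paper)."""
import copy
import hashlib
import hmac
import json

# Constructed registry of trading partners and the shared secret used to seal
# documents exchanged with each of them. Each partner may only receive documents
# that name it as the customer.
PARTNER_KEYS = {
    "RETAILER-A": b"constructed-secret-for-retailer-a",
    "RETAILER-B": b"constructed-secret-for-retailer-b",
}


def canonical(doc):
    """Deterministic serialisation so sender and receiver seal identical bytes."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def seal(doc, key):
    """HMAC-SHA256 tag over the canonical document under the given partner key."""
    return hmac.new(key, canonical(doc), hashlib.sha256).hexdigest()


def check_outbound(doc, destination):
    """Confidentiality guard. Returns (allowed, reasons): a document may leave only
    toward a registered partner that is also the customer named in the document,
    which is exactly the binding a misrouted invoice violates."""
    reasons = []
    if destination not in PARTNER_KEYS:
        reasons.append(f"unknown partner {destination!r}")
    if doc.get("customer") != destination:
        reasons.append(f"customer {doc.get('customer')!r} does not match {destination!r}")
    return (not reasons, reasons)


def send(doc, destination):
    """Guarded send: returns the sealed envelope, or None when the guard blocks it
    (a real gateway would also log and alert on the block)."""
    allowed, _ = check_outbound(doc, destination)
    if not allowed:
        return None
    return {"to": destination, "doc": doc, "tag": seal(doc, PARTNER_KEYS[destination])}


def receive(envelope, me):
    """Integrity guard on the receiving side: admit the document into order
    processing only if it was addressed to us and its tag verifies, so a quantity
    or price changed by a transmission fault (or tampering) is rejected."""
    if envelope.get("to") != me or me not in PARTNER_KEYS:
        return False
    expected = seal(envelope["doc"], PARTNER_KEYS[me])
    return hmac.compare_digest(expected, envelope["tag"])


# Constructed invoice carrying a price negotiated with RETAILER-A only.
INVOICE = {
    "invoice_id": "INV-1001",
    "customer": "RETAILER-A",
    "lines": [{"sku": "SKU-42", "qty": 100, "unit_price": 9.50}],
}

if __name__ == "__main__":
    print(check_outbound(INVOICE, "RETAILER-B"))  # blocked: misrouted invoice
    env = send(INVOICE, "RETAILER-A")
    print(receive(env, "RETAILER-A"))             # True: intact and addressed to us
    damaged = copy.deepcopy(env)
    damaged["doc"]["lines"][0]["qty"] = 1000      # simulated transmission error
    print(receive(damaged, "RETAILER-A"))         # False: tag no longer verifies
```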
Any number of threats can create disruptions and degrade an IT system’s
availability. Regardless of the vulnerability, disruptions to the information
infrastructure create serious consequences not only within a firm but also, by
contributing to bullwhip and schedule nervousness, to those outside the originating
organization. Chopra and Sodhi (2004) provide the example of the "Love Bug" virus
to illustrate consequences of information disruptions on the supply chain. In 2000,
the Love Bug virus shut down many government and industry email servers,
including those of the Pentagon and Ford Motors, causing an estimated billion dollars
in damages worldwide. Two common threats to system availability, viruses and
denial-of-service attacks, accounted for more than 55 percent of the estimated total losses in
2004 (Gordon et al. 2004). It is clear that as our reliance on IT to help manage
the supply chain increases, so does the seriousness of these types of attacks on the
economy.

6. Discussion

The purpose of this research was to define the nature of information security risk in
the context of supply chain management. To that end, we have introduced a model
of supply chain information security risk. This model depicts risk as originating from
organization, network, and environmental sources. Additionally, it identifies those
processes and linkages that are vulnerable to IT threats in the supply chain.
Therefore, we are now able to define Supply Chain Information Security Risk
(SCISR) as degradation or disruption to a supply chain’s infrastructure or structural
resources resulting from the successful exploitation of IT vulnerabilities by threats
within an organization, within the supply chain network, or in the external
environment.
As depicted in figure 4, it is apparent that supply chain risk is affected by
IT threats and therefore SCISR must be included in the scope of supply chain
management. The IT systems used to support information sharing and thereby
facilitate collaboration across the supply chain mitigate traditional sources of supply
chain risk while simultaneously increasing each of the interconnected organizations'
exposure to the sources of IT risk. This in turn increases exposure to IT-specific
threats, which may then be able to exploit vulnerabilities within the supply chain,
negatively affecting the chain’s ability to satisfy customer demand. While
conventional wisdom would suggest that collaboration and integration benefit
SCM, the benefits of that collaboration facilitated by IT integration must be greater
than the increase in risk due to IT security threats.

Figure 4. Flow of supply chain information security risk. [Diagram: IT assets
support information sharing to facilitate supply chain collaboration, reducing
supply chain risk; collaboration also increases exposure to sources of SC risk
(organizational, network, environmental), which contain IT threats that exploit
IT vulnerabilities to impact IT assets, increasing supply chain risk.]

To examine the effect of supply chain integration, degree of information
exchange, and number of partners on IT incidents, we conducted a survey, in
conjunction with a leading IT security company, in which participants were asked to
indicate their level of each of these variables as either none, low, moderate, or high (Baker
et al. 2005). Next, survey respondents indicated whether their organization had
experienced an IT security incident directly traceable to supply chain partners. The
percentage of respondents that reported IT security incidents of this type is depicted
in figure 5. The pattern is clear and extremely important: as the number of supply
chain partners, level of integration, and amount of information exchanged rises, so
too does the number of security incidents. It is apparent, therefore, that a balance
must exist between collaboration and security in the IT-enabled supply chain. Thus,
the ability to quantify the benefits and consequences of collaboration becomes
critical to supply chain management.
Although not an exact science, quantifying the benefits afforded by collaboration
within supply chains is fairly well understood. For instance, Wise and Fahrenwald
(2001) found that a firm stands to increase its profit margin by as much as 3 percent
depending on the extent of collaboration. On the other hand, quantifying the
consequences of IT security incidents, especially in supply chains, has proven a much
more difficult measure. While we have been able to define SCISR in terms of point
of origin, type of threat, and impact on IT assets, the consequence of successful
exploitation of IT vulnerabilities has only been addressed utilizing anecdotal
evidence. A true accounting, in financial terms, of the consequences resulting from a
successful attack remains beyond the capabilities of both practitioners and
academicians at this time. Simply stated, the component processes and scope to be
considered have been too ill-defined to allow for any meaningful measurement of the
supply chain costs associated with an IT security incident.

Figure 5. Impact of integration on IT incidents. Percentage of respondents reporting
an IT security incident traceable to supply chain partners, by reported level of each
variable:

                                    None    Low    Moderate    High
Number of supply chain partners       0%    24%       23%      57%
Level of IT system integration        7%    22%       37%      45%
Amount of information sharing        17%    23%       31%      37%

Indicative of this problem is the estimate of financial loss provided in the 2005
FBI Computer Crime Survey. As previously stated, 87 percent of respondents
reported at least one IT security incident; however, only 64 percent of respondents
reported a financial loss. It would appear that 23 percent of organizations reporting
incidents were either unable or unwilling to quantify losses. Furthermore, when
estimating total losses due to IT security incidents in the USA, the authors felt
compelled to reduce the percentage of organizations incurring financial loss to 20
percent. This reduced the overall cost of security incidents from in excess of $200
billion to slightly more than $67 billion. We encountered similar deficiencies while
analysing the results of a survey conducted in conjunction with a leading IT security
company. Analysis reveals extreme variance and a great deal of uncertainty among
responses, especially when respondents were asked to estimate costs associated with
each IT security incident. Not only do these results restrict researchers and
practitioners from drawing conclusions based on cost, supply chain function, or size
of company, they also lead us to question the validity of this sort of industry-standard
survey for accurate quantitative risk measurement. Other researchers have echoed
this sentiment (Ryan and Jefferson 2005).
Recently, a stream of research has emerged in the literature which attempts to
shed light on the process of determining the cost of IT security incidents (Gordon
and Loeb 2002, Cavusoglu et al. 2004a, b). While these are useful first steps in
defining the cost of each incident, they are too narrowly focused to capture all of the
costs within a supply chain. As this line of research holds the key to understanding
the relationship between collaboration and SCISR, and thereby a means for
evaluating members of the supply chain, much work in this area remains to be done.

7. Conclusion

As IT increasingly becomes the medium of business functionality, a reliance on its
secure and continued operations has redefined corporate risk (Loch and Carr 1992).
In the supply chain, information sharing and partner relationships are designed to
drive down supply chain risk (Christopher and Peck 2004). However, the high
integration and IT requirements essential to this goal can increase risk as greater
levels of collaboration expose significantly more sensitive information to potential
risk from a wider variety of sources. In support of this assertion, we found
indications that highly integrated supply chains were at greater risk for security
incidents versus those exhibiting less integration.
As the usage of IT becomes ubiquitous within single organizations and supply
networks, its pure strategic value diminishes and the risks it creates threaten to
become more important than the advantages it provides (Carr 2003). Therefore,
protecting these systems without overspending now poses a critical challenge to
business. This paper is an essential first step toward addressing this issue, introducing
a model of IT risk depicting both point of origin for attacks and the processes and
linkages that are vulnerable to IT threats in the supply chain. However, considerable
work remains in terms of measuring the consequences of that risk, a fundamental
element in the decision-making process. Research toward this end is critical for SCM
to ensure that proper consideration is given to IT security risk as organizations seek
to leverage IT to establish collaborative relationships.

References

Amoroso, E.G., Fundamentals of Computer Security Technology, 1994 (Prentice Hall PTR:
Upper Saddle River, NJ).
Anonymous, Just blame the software guys. Business 2.0, 2001, 6, 25.
Ashayeri, J. and Kampstra, R.P., Realities of supply chain collaboration, in EurOMA
International Conference Proceedings, 2005.
Australian Department of Commerce, The Office of Information and Communications
Technology, Information Security Guideline for NSW Government Agencies - Part 2
Examples of Threats and Vulnerabilities, 2003.
Baker, W.H., Pokorski, J., Smith, G.E. and Watson, K.J., Assessing information security risk
in the supply chain, in Informs 2005 Annual Meeting, 2005.
Baker, W.H. and Rees, L.P., Necessary measures: metric-driven information security risk
assessment and decision-making. Commun. ACM, in press.
Baker, W.H., Smith, G.E. and Watson, K.J., Information security risk in the e-supply chain.
In E-Supply Chain Technologies and Management, edited by Q. Zhang, 2007 (Idea
Group Publishing: Hershey, PA).
Barratt, M. and Oliveira, A., Exploring the experiences of collaborative planning initiatives.
Int. J. Phys. Distrib. Log. Mgmt, 2001, 31, 266–289.
Bowersox, D.J., The strategic benefits of logistics alliances. Harvard Bus. Rev., 1990, 68, 36.
Cachon, G.P. and Fisher, M., Supply chain inventory management and the value of shared
information. Manage. Sci., 2000, 46, 1032–1048.
Carr, N.G., IT doesn’t matter. Harvard Bus. Rev., 2003, 81, 41.
Cavusoglu, H., Cavusoglu, H. and Raghunathan, S., Economics of IT security management:
four improvements to current security practices. Commun. AIS, 2004a, 14, 65–75.
Cavusoglu, H., Mishra, B. and Raghunathan, S., A model for evaluating IT security
investments. Commun. ACM, 2004b, 47, 87–92.
Cheswick, W.R. and Bellovin, S.M., Firewalls and Internet Security: Repelling the Wily
Hacker, 1994 (Addison-Wesley: Reading, MA).
Chopra, S. and Sodhi, M.S., Managing risk to avoid supply-chain breakdown. MIT Sloan
Mgmt Rev., 2004, 46, 53.
Christopher, M. and Peck, H., Building the resilient supply chain. Int. J. Log. Mgmt,
2004, 15, 1.
Christopher, M., Peck, H., Wilding, R. and Chapman, P., Supply chain vulnerabilities.
Department of Transport, Local Government and the Regions, Home Office,
Department of Trade and Industry, Cranfield, UK, 2002.
Cohen, F., Information system attacks: a preliminary classification scheme. Comput. Secur.,
1997, 16, 29.
DeLoach, J.W., Enterprise-Wide Risk Management: Strategies for Linking Risk and
Opportunity, 2000 (Financial Times/Prentice Hall: London).
Finch, P., Supply chain risk management. Supply Chain Mgmt: An Int. J., 2004, 9, 183–196.
Frohlich, M.T. and Westbrook, R., Arcs of integration: an international study of supply chain
strategies. J. Oper. Mgmt, 2001, 19, 185.
Gordon, L.A. and Loeb, M., The economics of information security investment. ACM Trans.
Inform. Syst. Secur., 2002, 5, 438–457.
Gordon, L.A., Loeb, M., Lucyshyn, W. and Richardson, R., Ninth Annual CSI/FBI
Computer Crime and Security Survey. Computer Security Institute, 2004.
Grance, T., Hash, J., Peck, S., Smith, J. and Korow-Diks, K., Security guide for
interconnecting information technology systems. Report No. 800-47, National
Institute of Standards and Technology, 2002.
Greenhouse, S., How Costco Became the Anti-Wal-Mart, in The New York Times, 2005
(The New York Times Company: New York).
Gunasekaran, A. and Ngai, E.W.T., Information systems in supply chain integration and
management. Eur. J. Oper. Res., 2004, 159, 269.
Handfield, R.B. and Nichols, E.L., Introduction to Supply Chain Management, 1999 (Prentice
Hall: Upper Saddle River, NJ).
Howard, J.D. and Longstaff, T.A., A common language for computer security incidents.
Report No. SAND98-8667, U.S. Department of Energy, Sandia National Laboratories,
Albuquerque, NM, 1998.
Huang, Z. and Gangopadhyay, A., A simulation study of supply chain management to
measure the impact of information sharing. Inform. Res. Mgmt J., 2004, 17, 20.
Icove, D.J., Seger, K.A., VonStorch, W. and NetLibrary Inc., Computer Crime: A
Crimefighter’s Handbook, 1995 (O’Reilly & Associates: Sebastopol, CA).
Ismail, S., An investigation of MRP benefit-determinant relationships: ACE model. Probl.
Perspect. Mgmt, 2005, 2, 80–98.
Jorgensen, B., Confidentiality guidelines set. Electron. Buyers’ News, 1998, 36, 1134.
Juttner, U., Peck, H. and Christopher, M., Supply chain risk management: outlining an
agenda for future research. Int. J. Log.: Res. Appli., 2003, 6, 197.
Kolluru, R. and Meredith, P.H., Security and trust management in supply chains. Inform.
Mgmt Comp. Secur., 2001, 9, 233–236.
Landwehr, C.E., Bull, A.R., McDermott, J.P. and Choi, W.S., A taxonomy of computer
security flaws. ACM Comput. Surv., 1994, 26, 211–254.
Lee, H.L., Padmanabhan, V. and Whang, S., Information distortion in a supply chain: the
bullwhip effect. Mgmt Sci., 1997, 43, 546.
Lee, H.L. and Whang, S., Information sharing in a supply chain. Int. J. Tech. Mgmt., 2000, 20,
373.
Li, L., Information sharing in a supply chain with horizontal competition. Mgmt Sci., 2002,
48, 1196.
Loch, K.D. and Carr, H.H., Threats to information systems: today’s reality, yesterday’s
understanding. MIS Quart., 1992, 16, 173.
Lummus, R.R. and Vokurka, R.J., Defining supply chain management: a historical
perspective and practical guidelines. Ind. Mgmt Data Syst., 1999, 99, 11.
Mentzer, J.T., Foggin, J.H. and Golicic, S.L., Collaboration: the enablers, impediments, and
benefits. Sup. Chain Mgmt Rev., 2000a, 4, 52–58.
Mentzer, J.T., Min, S. and Zacharia, Z.G., The nature of interfirm partnering in supply chain
management. J. Retailing, 2000b, 76, 549.
Metters, R., Quantifying the bullwhip effect in supply chains. J. Oper. Mgmt, 1997, 15, 89.
Narus, J.A. and Anderson, J.C., Rethinking distribution: adaptive channels. Harvard Bus.
Rev., 1996, 74, 112.
Nelson, K., Bad data plagues ERP. Bank Syst. Tech., 2002, 39, 12.
Petroni, A., Critical factors of MRP implementation in small and medium-sized firms. Int. J.
Oper. Prod. Mgmt, 2002, 22, 329.
Raman, A., DeHoratius, N. and Ton, Z., The Achilles’ heel of supply chain management.
Harvard Bus. Rev., 2001, 79, 25.
Royal Society, Risk: analysis, perception and management, 1992.
Ryan, J. and Jefferson, T., The Use, Misuse, and Abuse of Statistics in Information Security
Research, in Proceedings of the 2003 ASEM National Conference, 2005.
Sahay, B.S., Supply chain collaboration: the key to value creation. Work Study, 2003, 52,
76–83.
Simatupang, T.M. and Sridharan, R., The collaboration index: a measure for supply chain
collaboration. Int. J. Phys. Distrib. Log. Mgmt, 2005, 35, 44.
Smith, M., Computer security - threats, vulnerabilities, and countermeasures. Inform. Age,
1989, 11, 205–210.
Spekman, R.E. and Davis, E.W., Risky business: expanding the discussion on risk and the
extended enterprise. Int. J. Phys. Distrib. Log. Mgmt, 2004, 34, 414.
Stoneburner, G., Goguen, A. and Feringa, A., Risk Management Guide for Information
Technology Systems. Special Publication 800-30, U.S. Department of Commerce,
National Institute of Standards and Technology, Gaithersburg, MD, 2002.
U.S. Defense Information Systems Agency, CyberProtect, 1999.
U.S. Department of Commerce, National Institute of Standards and Technology, An
Introduction to Computer Security: The NIST Handbook. Special Publication 800-12,
Gaithersburg, MD, 1997.
U.S. General Accounting Office, Information Security: Computer Attacks at Department of
Defense Pose Increasing Risks, 1996.
Warren, M. and Hutchinson, W., Cyber attacks against supply chain management systems: a
short note. Int. J. Phys. Distrib. Log. Mgmt, 2000, 30, 710.
Whitman, M.E., Enemy at the gate: threats to information security. Commun. ACM, 2003, 46,
91.
Wise, D. and Fahrenwald, B., Supply chain collaboration: close encounters of the best kind.
Businessweek, 2001.
Xu, H., Nord, J.H., Brown, N. and Nord, G.D., Data quality issues in implementing an ERP.
Ind. Mgmt Data Syst., 2002, 102, 47.
Zsidisin, G.A., A grounded definition of supply risk. J. Purch. Supp. Mgmt, 2003, 9, 217.
