Supply chain risk management has been a focal point of interests for supply chain researchers as well as practitioners recently. Information security risk has been identified as a significant risk factor. Yet current research to investigate the impacts and management of information security risks in supply chain remains lacking. In this paper, we develop an innovative analytical model of a general multi-tier supply chain with multiple information assets facing multiple information security threats, which may propagate from one node to another if unmitigated. In analyzing our model, we show that our model formulation can guarantee the existence of an optimal strategy of information security investment, and the optimal strategy can be derived by standard optimization approaches. Our analyses also indicate the direct and significant impacts of information security threat propagation on the information security investment strategy. In addition, we also discuss the practical significance and managerial implications of our model and analyses to the supply chain management practitioners.

Ashtiani, M. and Azgomi, M. (2014). “A distributed simulation framework for modeling cyber attacks and the evaluation of security measures”, simulation: Transactions of the Society for Modeling and Simulation International, Vol. 90, No. 9, 2014, pp. 1071–1102.

Autry, C. and Bobbitt, L. (2008). "Supply chain security orientation: conceptual development and a proposed framework", The International Journal of Logistics Management, Vol. 19 No. 1, 2008, pp. 42 - 64.

Baker, W. and Wallace, L. (2007). “Is information security under control? Investigating quality in information security management”, IEEE Security & Privacy, January 2007.

Baker, W., Rees, L., and Tippett, P. (2007). “Necessary measures: Metric-driven information security risk assessment and decision making”, Communications of the ACM, Vol. 50, No. 10, October 2007

Bandyopadhyay, T., Jacob, V., and Raghunathan, S. (2010). “Information security in networked supply chains: impact of network vulnerability and supply chain integration on incentives to invest”, Information Technology Management, Vol. 11, 2010, pp. 7-23.

Bojanc, R. and Blazic, B. (2008). “An economic modelling approach to information security risk management,” International Journal of Information Management, Vol. 28, 2008, pp.413–422.

Boyson, S. (2014). “Cyber supply chain risk management: Revolutionizing the strategic control of critical IT systems”, (2014). Technovation, Vol. 34, No. 7, 2014, pp. 342-353

Carter, K., Idika, N., and Streilein, W. (2011). “Probabilistic threat propagation for malicious activity detection”, IEEE ICASSP 2013, pp. 2940 - 2944.

Chen, X., Bose, I., Leung, A., and Guo, C. (2011). “Assessing the severity of phishing attacks: A hybrid data mining approach”, Decision Support Systems, Vol. 50, 2011, pp. 662–672.

Darcy, J. and Hovav, A. (2009). “Does one size fit all? Examining the differential effects of is security countermeasures”, Journal of Business Ethics, Vol. 89, 2009, pp. 59–71.

Deane, J., Ragsdale, C., and Rakes, T. (2009). “Managing supply chain risk and disruption from IT security incidents”, Operation Management Research, 2009, No. 2, pp. 4–12.

Department of Defence, Australian Government (2017). “Future Cyber Security Landscape - A Perspective on the Future”, http://www.dst.defence.gov.au/sites/

default/files/publications/documents/Future-Cyber-Security-Landscape.pdf, accessed on August, 2017.

Durowoju, O., Chan, H., and Wang, X. (2012). "Entropy assessment of supply chain disruption", Journal of Manufacturing Technology Management, Vol. 23 No. 8, 2012, pp. 998 - 1014.

Feng, N., Wang, H., and Li, M. (2014). “A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis”, Information Sciences, Vol. 256, 2014, pp. 57–73.

Gao, X., Zhong, W., and Mei, S. (2013). “Information Security Investment When Hackers Disseminate Knowledge”, Decision Analysis, Vol. 10, No. 4, 2013, pp. 352-368.

Garvey, M., Carnovale, S., and Yeniyurt, S. (2015). “An Analytical Framework for Supply Network Risk Propagation: A Bayesian Network Approach”, European Journal of Operational Research, Vol. 243 No. 2, 2015, pp. 618-627

Gordon, L. and Loeb, M. (2002). “The Economics of Information Security Investment”, (2002). ACM Transactions on Information and System Security, Vol. 5, No. 4, November 2002, pp. 438–457.

Gould, J., Macharis, C., and Haasis, H. (2010). “Emergence of security in supply chain management literature”, Journal of Transportation Security, 2010, No. 3, pp. 287–302

Huang, C. and Behara, R. (2013). “Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints”, International Journal of Production Economics, Vol 141, 2013, pp. 255–268.

Huang, C., Behara, R., and Goo, J. (2014). “Optimal information security investment in a Healthcare Information Exchange: An economic analysis”, Decision Support Systems, Vol. 61, 2014, pp. 1 - 11.

Huang, C., Hu, Q., and Behara, R. (2008). “An economic analysis of the optimal information security investment in the case of a risk-averse firm”, International Journal of Production Economics, Vol 114, 2008, pp. 793– 804.

ISACA, “State of cybersecurity: Implications for 2015”, (2015). http://www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415.pdf, 2015, accessed on September, 2017.

Kong, J., Xu, D., and Zeng, X. (2010). “UML-based modeling and analysis of security threats”, International Journal of Software Engineering and Knowledge Engineering, Vol. 20, No. 6, 2010, pp. 875 - 897.

Kraemer, S. and P. Carayon (2007). “Human errors and violations in computer and information security: The viewpoint of network administrators and security specialists”, Applied Ergonomics, Vol. 38, 2007, pp. 143–154.

Linton, J., Boyson, S., and Aje, J. (2014). “The challenge of cyber supply chain security to research and practice – An introduction”, Technovation, Vol. 34, No. 7, 2014, pp. 339-341.

Metcalf, L, Hatleback, E., and Spring, J. (2016). “Blacklist ecosystem analysis: 2016 update,” http://resources.sei.cmu.edu/asset_files/WhitePaper/2016_019_001

_466029.pdf, 2016, accessed on September, 2017.

Peidro, D., Mula, J., and Poler, R. (2009). “Quantitative models for supply chain planning under uncertainty: a review”, International Journal of Advanced Manufacturing Technology Vol. 43 No.3-4, 2009. pp. 400-420

Simangunsong, E., Hendry, L. and Stevenson, M. (2012). “Supply-chain uncertainty: a review and theoretical foundation for future research”, International Journal of Production Research, Vol. 50, No. 16, 2012, pp. 4493-4523.

Smith, G., Watson, K., Baker, W., and Polorski II, J. (2007). “A critical balance: Collaboration and security in the IT-enabled supply chain”, International Journal of Production Research, Vol. 45, No. 11, 1 June 2007, pp. 2595–2613.

Sumner, M. (2009). “Information security threats: A comparative analysis of impact, probability, and preparedness”, Information Systems Management, Vol. 26, 2009, pp. 2–12.

Tejay, G. and Zadig, S. (2012). “Investigating the effectiveness of is security countermeasures towards cyber attacker deterrence”, 45th Hawaii International Conference on System Sciences, 2012.

Whitman, M. (2003). “Enemy at the gate: Threats to information security”, Communications of the ACM, Vol. 46, No. 8, August 2003.

Williams, Z., Lueg, J. and LeMay, S. (2008). "Supply chain security: an overview and research agenda", The International Journal of Logistics Management, Vol. 19 No. 2 2008, pp. 254 - 281

Xu, D. and Nygard, K. (2006). “Threat-driven modeling and verification of secure software using aspect-oriented Petri nets”, IEEE Transactions on Software Engineering, Vol. 32, No. 4, 2006, pp. 265 - 278.

Yeh, Q. and Chang, A. (2007). “Threats and countermeasures for information system security: A cross-industry study”, Information & Management, Vol. 44, 2007, pp. 480–491.