Toward a Decision Support System for Measuring and Managing Cybersecurity Risk in Supply Chains

dc.contributor.author: Baker, Wade Henderson
dc.contributor.committeechair: Rees, Loren P.
dc.contributor.committeemember: Cook, Deborah F.
dc.contributor.committeemember: Matheson, Lance A.
dc.contributor.committeemember: Wallace, Linda G.
dc.contributor.committeemember: Ragsdale, Cliff T.
dc.contributor.department: Business Information Technology
dc.date.accessioned: 2018-09-26T06:00:41Z
dc.date.available: 2018-09-26T06:00:41Z
dc.date.issued: 2017-04-03
dc.description.abstract: Much of the confusion about the effectiveness of information security programs concerns not only how to measure, but also what to measure — an issue of equivocality. Thus, to lower uncertainty for improved decision-making, it is first essential to reduce equivocality by defining, expanding, and clarifying risk factors so that metrics, the "necessary measures," can be unambiguously applied. We formulate a system that (1) allows threats to be accurately measured and tracked, (2) enables the impacts and costs of successful threats to be determined, and (3) aids in evaluating the effectiveness and return on investment of countermeasures. We then examine the quality of controls implemented to mitigate cyber risk and study how effectively they reduce the likelihood of security incidents. Improved control quality was shown to reduce the likelihood of security incidents, yet the results indicate that investing in maximum quality is not necessarily the most efficient use of resources. The next manuscript expands the discussion of cyber risk management beyond single organizations by surveying perceptions and experiences of risk factors related to 3rd parties. To validate these findings, we undertake an in-depth investigation of nearly 1000 real-world data breaches occurring over a ten-year period. It provides the robust data model and rich database required by a decision support system for cyber risk in the extended enterprise. To our knowledge, it is the most comprehensive field study ever conducted on the subject. Finally, we incorporate these insights, data, and factors into a simulation model that enables us to study the transfer of cyber risk across different supply chain configurations and draw important managerial implications.
dc.description.abstractgeneral: This dissertation comprises several manuscripts exploring various topics under the overall theme of cybersecurity risk in supply chains. The first topic presents the difficulties involved in measuring risk in the cybersecurity domain and discusses how this hinders firms in making justified decisions and taking appropriate actions to manage risk. We then examine the quality of controls implemented to mitigate cyber risk and study how effectively they reduce the likelihood of security incidents. Next, we survey firms to explore perspectives and experiences related to security incidents involving their supply chain partners. To validate these perspectives, we then analyze data collected from over 900 forensic investigations of real-world breaches. This provides excellent visibility into how 3rd parties cause and contribute to incidents in supply chains and into the key risk factors involved. Finally, we incorporate these insights, data, and factors into a simulation model that enables us to study the transfer of cyber risk across different supply chain configurations and draw important managerial implications.
dc.description.degree: Ph. D.
dc.format.medium: ETD
dc.identifier.other: vt_gsexam:9779
dc.identifier.uri: http://hdl.handle.net/10919/85128
dc.publisher: Virginia Tech
dc.rights: In Copyright
dc.rights.uri: http://rightsstatements.org/vocab/InC/1.0/
dc.subject: cybersecurity
dc.subject: cyber security
dc.subject: information security
dc.subject: cyber risk
dc.subject: information risk
dc.subject: risk modeling
dc.subject: risk management
dc.subject: security metrics
dc.subject: decision support systems
dc.subject: supply chain management
dc.subject: supply chain risk
dc.subject: supply chain information sharing
dc.title: Toward a Decision Support System for Measuring and Managing Cybersecurity Risk in Supply Chains
dc.type: Dissertation
thesis.degree.discipline: Business, Business Information Technology
thesis.degree.grantor: Virginia Polytechnic Institute and State University
thesis.degree.level: doctoral
thesis.degree.name: Ph. D.

Files

Original bundle
Name:
Baker_WH_D_2017.pdf
Size:
3.74 MB
Format:
Adobe Portable Document Format