Managing supply chain risk and disruption from IT security incidents

Supply chain practices often put companies and their supply chains at risk. One of the most serious risks is disruptions. While many types of disruptions have been considered, little attention has been given to disruptions caused by information technology (IT) security incidents. Partner cooperation can assist in preventing or mitigating damage from IT security breaches in supply chains, where breaches can disrupt production, cause loss of essential data, and compromise confidential information. We develop a generalizable mathematical model that quantifies IT security risk in the supply chain. We then show how to find solutions for optimal risk reduction under several definitions of optimality: minimizing upstream risk, minimizing downstream risk, and minimizing global (supply chain) risk. We show how to develop curves for each of the above scenarios that indicate when extra funds should be spent on security, which security controls should be implemented, and when subsidies among partners are beneficial.