Managing Cyber Risks in the ICT infrastructure of Supply Chains

- Aparajita Banerjee

A research project report submitted in partial fulfilment of the requirements for the Masters of
Supply Chain and Logistics Management, 2016

School of Business IT and Logistics


College of Business
RMIT University
October 2016

Acknowledgements

I would like to acknowledge and thank my supervisor, Dr. Booi Kam, whose relentless support and
guidance provided me with the necessary discipline to undertake this research project. I would
also like to thank the five participants who had been patient with my questions and willingly
shared their insights. Finally, I would like to acknowledge the staff of the Supply Chain and Logistics
department of RMIT for providing the necessary tools, facility and their continuous intellectual
nurturing, without which the inception of this idea would not have existed.

Statement of Authorship

Except where reference is made in the text of the Research Project Report, this report contains no
material published elsewhere or extracted in whole or in part from a thesis or report presented by
me for another degree or diploma.
No other person's work has been used without due acknowledgment in the main text of the
report.
This report has not been submitted for the award of any other degree or diploma in any other
tertiary institution.

(Signed) ................................... (Date) ...............



Table of Contents
Abstract
1. Introduction
1.1 Background
1.2 Research Focus and Objectives
1.3 Contribution and Significance
1.4 Report Organisation
2. Literature Review
2.1 Back-door attacks in Hardware supply chains
2.2 Malicious intrusions in software supply chains
2.3 Weak links in third party cybersecurity
2.4 Current management of Cyber Risks
2.5 Adaptive Security Architecture Framework
3. Methodology
3.1 Rationale
3.2 Procedure
3.2.1 Informants
3.2.2 Semi-structured interviews
3.3 Data Analysis
4. Findings: How do experts predict, prevent, detect and respond to cyber-attacks In the ICT infrastructure of Supply chains?
4.1 Stage 2- Interpretation of Findings
4.2 Stage 3-Modification of the existing framework.
5. Discussion and Implications
5.1 Significance of the study
5.2 Contributions and Implications
5.3 Limitations and Future Directions
6. Conclusion
7. References
8. Appendices
8A. Managing Cyber-risks in the ICT infrastructure of Supply chains. (Questionnaire)
8B. Tables for Interview responses for Segment

List of Figures

Figure 1. Adaptive Security Architecture Framework
Figure 2. Illustration of the Proposed Framework
Figure 3. Securing the ICT infrastructure in end to end supply chains

List of Tables

Table 1. Complementing Research Questions with the Purpose of the study (Marshall and Roseman, 2014, p. 33).
Table 2a. Profile of Informants
Table 2b. Profile of Informants
Table 3a. Interpreting Prediction of cyber risks.
Table 4. Proposed nomenclature of existing categories
Table 5 Table for Prediction Segment
Table 6 Table for Prevention Segment
Table 7 Table for Detection Segment
Table 8 Table for Response Segment

Abstract
The primary focus of this study was to investigate how cyber risks in ICT infrastructures of supply
chains are managed. As its theoretical base, the study used the Adaptive Security Architecture
(ASA) framework that has been employed by most IT security specialists. Five experienced IT
experts participated in a semi-structured interview to provide practical insights on the state of
cybersecurity in supply chain operations from various industries. Their responses were analysed
based on the four stages of prediction, prevention, detection and response.

The findings led to the modification of the existing ASA framework and point to a lack of overall
managerial insight into the issue of cyber risks in supply chains. This study offers a new
cybersecurity framework that requires anticipatory vigilance, profiling malevolence, instantaneous
response and uncompromised recovery to deal with cyber threats posing disruptions to supply
chain operations. The limitations of this study were its qualitative exploratory methodology and
the small number of participants. The significance of this study extends from risk mitigation in
supply chains to securing smart grids and online business operations. Additionally, the findings may
provide a basis for re-evaluating the national policy for cybercrime, reassessing port operations
and connectivity issues relating to integrated supply chains.

Managing Cyber Risks in the ICT infrastructure of Supply chains.

1. Introduction

1.1 Background
There has been a rise in cyber-attacks such as information theft, online frauds and IT sabotage of
the ICT infrastructure of organisations due to increased technological access and integration
across internal and external boundaries of firms (Shackleford, 2015; Urciouli, 2015; Khan and
Estay, 2015). The internal boundaries of the organisation include all departments and their
activities that are managed from within the organisation, whereas external boundaries consist of
suppliers and other stakeholders who are not directly managed by the organisation (Jacobides and
Billinger, 2006). The state of cybersecurity has become a global concern for most organisations
(Khan and Estay, 2015).

Over 10,040 executives from 127 countries were interviewed by PwC for the Global State of
Information Security Survey in 2016. The PwC report (2016) also claimed that 91% of the
organisations surveyed used a risk-based security strategic framework to analyse the root cause of
the security breach; however, 22% of the most cited source of compromise happened to be
‘people’ such as employees or managers of the organisations (PwC, 2016). This implies that the
protection of information against security breaches is not only a technological matter (Lane,
2011).

ICT infrastructure includes all three tenets: the technology used for gathering, storing,
transmitting, retrieving and processing information, the people who interact with the technology
and the processes employed that enable the interaction (Juneja and Tuli, 2016; Booz Allen
Hamilton, 2012; Lane, 2011). In line with this context, Chacko (2015) and Lane (2011) define
cybersecurity as a holistic risk management approach which integrates people, process and
technology in ensuring that information within the organization is secured. The prevention of
cyber risks begins with mitigating the risks associated with the people who interact with the
technology first, as they are noted to be most vulnerable (Humphreys, 2008). This is mainly
because if the people layer is vulnerable to cyber-attacks, the subsequent process and technology
layers of cybersecurity would be easily compromised (Humphreys, 2008; ISO/IEC 13335-1,
2004). The main objective of cyber-security is to ensure that the risk of system-attacks is managed
from the initial layer and further penetration into the subsequent layers is prevented (Yan, Qian,
Sharif and Tipper, 2012; Humphreys, 2008; ISO/IEC 13335-1, 2004). Therefore, if the people layer
is managed, the process and technology layers would be safeguarded (Chacko, 2015).

Risk management of the People layer included training in recognising threats such as phishing,
viruses and all forms of social engineering, at the outset of an attack (Ponemon Institute, 2015).
Additionally, Janes (2012) noted that background checks by Human Resources (HR) and extensive
verification of the resume along with adequate training given in implementing the prevention,
identification or recovery stage would significantly reduce the risk of the insider threat
(ProtectWise, 2016; Janes, 2012; Chacko, 2015). In the Process layer, Janes (2012) and Lane
(2011) noted policies and processes about the ‘Incident Response Process’, management of
passwords and instructions about the way in which a data loss incident should be communicated
in the appropriate chain of command (Shackleford, 2015; Janes, 2012; Lane, 2011). The
Technology layer was concerned with the monitoring of confidential information such as product
and other financial data and preventing data leaving a business using data loss prevention
controls, network security, protection of external data transference and encryption (Janes, 2012;
Luthra, 2016; Tuli and Juneja, 2016). Furthermore, information is considered to be secured via
the three pillars of information security, i.e. Confidentiality, Integrity and Availability (Iyenger,
2016). Bolhari (2009) defined Confidentiality of information as encrypted documents that were
electronically transferred and protected against unwanted exposure. Integrity was maintained
when the encryption could not be broken into and its coding changed. Availability of information
ensured that the data is visible throughout the relevant systems in supply chains, in e-commerce
organisations. Additional definitions of information security have included non-repudiation,
accountability, authenticity, and reliability of information and protection of the actual data in the
information system (Bolhari, 2009; ISO/IEC 13335-1, 2004; Dhillon, 2007).

Previously, studies have focussed on detection and response of information security breaches at
the technological layer of organisations (Boyes, 2015; Jensen, 2015; Khan and Estay, 2015;
Urciouli, 2015), neglecting the first two layers of cybersecurity (i.e. people and processes).
Furthermore, Petit, Fiskel and Croxton (2010), Wilding and Wheatley (2015) along with
Masvosvere and Venter (2015) have highlighted a lack of managerial insights regarding risk
prevention and mitigation strategies to avoid cyber-attacks on ICT infrastructures.

1.2 Research Focus and Objectives


This research aims to investigate how businesses manage risks involving the Information and
Communications Technology (ICT) infrastructure against cyber-attacks in their supply chains.

Based on the Adaptive Security Architecture framework, first proposed by Gartner in 2014, four
additional sub-questions were included that would lead to answering the main research question.

RQ 1. How do businesses predict that their systems or operations may be vulnerable to
cyber-attacks?

RQ 2. What kind of prevention strategies are in place to safeguard against cyber-attacks?

RQ 3. What kind of detection strategies are in place to isolate and contain threats?

RQ 4. What kind of response strategies are in place to react to the breach and mitigate the
damage?

1.3 Contribution and Significance


The theoretical contribution of this study provides a new framework for managing risks in the ICT
infrastructure of supply chains based on the in-depth analysis of interviews with the IT and cyber
security experts. Essentially, the adaptive security architecture framework has been reassessed
and refined as per the interview responses. Therefore, the practical contribution of this study
asserts a new cyber-risk management model that can be applied throughout the nodes and
operations in any supply chain with the purpose of monitoring any malicious intrusions in real
time. The significance of this study pivots on transforming the overall discourse in the ways
cyber-attacks are perceived and therefore managed in the supply chain and logistics industry.

1.4 Report Organisation


This report is organised in five subsequent chapters following the Introduction. The literature
review elaborates on the salient factors of supply chains that have been subjected to
cyber-attacks in the past decades. The literature review also includes an explanation of the adaptive
security architecture framework in section 2.5. The Methodology section elaborates on the
rationale for using an explorative study, a semi-structured interview, the profile of informants, and
the process through which data is analysed. The primary focus of the findings revolves around
interpreting the interview responses and modifying the existing framework. In light of the
modified framework, the discussion explains the functionality of the framework, followed by an
elaboration on the significance and limitations of the study.

2. Literature Review
The importance of the cyberinfrastructure cannot be trivialised in the wake of current
socio-technological developments (Forte, Perez and Kim, 2016). Critical systems such as power
grids, transportation networks, potable water distribution and emergency responses rely on the
cyber infrastructure for the functionality of their information systems (Forte, Perez and Kim,
2016). The slightest disruption to the cyber infrastructure can have debilitating economic and
life-threatening consequences (Williams, 2014). In line with this thought, Williams (2014) reinforces the
idea of “Cyber” encapsulating not only computers and computer networks, the internet or
internet of things but the interconnectedness of things including information communication
systems (ICS) and Supervisory control and data acquisition systems (SCADA), that characterise the
critical infrastructure.

Considering the recent cyber risks in integrated circuits (ICs), Karri, Koushanfar, Sinanoglu, Makris
and Mai (2015) factored in the dangers associated with creating backdoors in ICs. This is primarily
because injecting malware in ICs (through backdoors) would damage the security of information
stored and processed in ICs, therefore granting easy access to the integrated circuits within
hardware and software supply chains (Karri et al., 2015). According to Hahn, Thomas, Lozano and
Cardenas (2015), an emerging concern that renders integrated supply chains susceptible to
malware attacks is the cyber-physical systems that constitute both the hardware and software
components. Another crucial factor that has been recently addressed in a study by He, Maple,
Watson, Tiwari, Mehnen and Jin (2016) focusses on third party risks associated with engaging an
external software provider. The potential to “trojanise” legitimate industrial control systems is
increased when external software providers have access to company websites and can freely
add malware in their systems. Considering the emerging concerns, it would be important to
investigate current cyber-risk management strategies and frameworks such as the Adaptive
Security Architecture framework.

Therefore, the following section will explore literature pertaining to basic aspects of cyber security
in supply chains including i. Back-door attacks in Hardware supply chains, ii. Malicious intrusions
in software supply chains, iii. Weak links in third party cybersecurity, iv. Current management of
cyber risks and v. Adaptive Security Architecture framework.

2.1 Back-door attacks in Hardware supply chains


Studies done by Sethumadhavan, Waksman, Suozzo and Yipeng (2015) and Forte et al. (2016)
address the cyber risks involved in global supply chains, where design-related flaws are the
consequence of malicious intrusions in the hardware and software within the supply chains.
According to Forte et al. (2016), the life cycle of electronic components includes design, fabrication,
distribution, system integration, reuse and resignation. This end to end cycle involves many third
parties at different stages in the global technology supply chain (Forte et al., 2016). In the context
of hardware supply chains, a rule-of-10 in integrated circuits asserts that the cost of detecting a
fault increases by a factor of 10 in the lifecycle of the hardware component, therefore security
flaws detected at a later stage could impact the hardware’s intellectual property (IP) and therefore
the owner’s revenue and reputation (Forte et al., 2016). Typically, the IP of hardware components
refers to the circuit design or subsystem that is abstracted on chips for reusability, which makes
them vulnerable to malicious attacks through different sources (Williams, 2014; Forte et al., 2016).

Sethumadhavan et al. (2015) claim that the knowledge gap between integrated circuit (IC)
designers and their understanding of security is a major concern in the protection of critical assets.
For example, they may not be conversant with the latest attacks and unintentionally leave
important components unprotected. Forte et al. (2016) also claim that adding new circuitry
involves a trade-off: it may improve the overall manufacturing yield and testability, but at a cost
to overall security. For example, in order to aid the debugging and maintenance capability, a secret
access key was extracted from Actel’s ProASIC3 Field Programmable Gate Array (FPGA) chip, which
compromised cyber security by activating the ‘back door’ control (Skorobogatov and Woods,
2012). According to Wired (2014), a backdoor in a computer system or software “is an
undocumented portal that allows an administrator to enter the system to troubleshoot or do
upkeep.” However, the portal can also grant illicit access to hackers and intelligence agencies
(Wired, 2014). As a result, both Skorobogatov and Woods (2012) and Forte et al. (2016) assert that
attackers who have access to the backdoor are able to extract the configuration data from the
chip, alter the silicon features, access unencrypted configuration information and damage the
device. The widespread implications of this include intellectual property theft, fraud and other
malicious modifications such as introducing a new backdoor during hardware design (Forte et al.,
2016; Sethumadhavan et al., 2015; Skorobogatov and Woods, 2012). One of the most concerning
aspects of the hardware supply chain is that backdoors that have been compromised cannot be
patched and will continue to circulate in the end to end cycle until one of its iterations is detected
and destroyed (Skorobogatov and Woods, 2012).

2.2 Malicious intrusions in software supply chains


Studies have also explored parallel issues within the supply chains of software. According to Dark
Reading (2015), outsourced development and failure to test and patch code along with open
source libraries and compromised third party software may render systems susceptible to data
leakage and loss. According to Forte et al. (2016), rogue employees engaged in software
development may insert malware or a Trojan to initiate “time bombs” which trigger private data
leakage upon usage. A direct consequence of such malicious intrusion is the ‘zero-day
vulnerability’ in the software that gets transferred to vendors without their awareness. According
to Symantec (2016), a zero-day vulnerability refers to ‘a hole in software that is unknown to the
vendor. This security hole is then exploited by hackers before the vendor becomes aware and
hurries to fix it—this exploit is called a zero-day attack. Uses of zero day attacks can include
infiltrating malware, spyware or allowing unwanted access to user information.’ (Symantec, 2016).

However, Lysne, Hole, Otterstad, Ytrehus, Aarseth and Tellnes (2016) claim that the software
supply chains have an unprecedented set of cyber security challenges as the distribution model
shifted from a physical model to an internet-based digital model that has given hackers ample
opportunities to manipulate code. According to Dark Reading (2015), hackers target a software
package’s development and distribution site, infect the software and spread it via unsuspecting
users who install it. Both Lysne et al. (2016) and Dark Reading (2015) assert that the widespread
access and use of the internet and social networking sites have provided a medium through which
malicious software is spread. Therefore, both studies emphasise that the digital distribution model
that facilitates supply chain integration is itself a source of vulnerability and risk to the operation
of the critical computer systems (Lysne et al., 2016; Dark Reading, 2015). According to Forte et al.
(2016), an increased number of independent developers use open source code and tools which
increase the risk of hacking. Both Lysne et al. (2016) and Forte et al. (2016) state that unaware
users at the users’ end compromise their systems through installing updates and patches for
software maintenance which are essentially entry points for attackers to install malware, masked
as patches to correct vulnerabilities.

An example of this was the computer worm known as Stuxnet, which targeted Siemens’ SCADA
systems in Iran and shut down one fifth of Iran’s centrifuges, while feeding the systems’
monitoring false data that recorded usual operations (Curly, 2011). The malware was hosted on the
runtime patching of software in a multi-phased attack which was connected to frequency
converter drives and other devices that regulated the speed of industrial motors (Curly, 2011).
Essentially, Williams (2014) and Sethumadhavan et al. (2015) claim that the security of software is
compromised due to the short time frame given to commercialise the software and release it to
the market. Bugs are fixed with relative ease, providing both the software developers and users a
false sense of security (Forte et al., 2016; Sethumadhavan et al., 2015; Williams, 2014).

Another source of concern for supply chains hosted on the cyber-infrastructure is the increased
likelihood of hostile actors such as drug traffickers and underground criminals executing their
intentions through the integrated information technology platforms (Sethumadhavan et al., 2015).

An example of this is the theft from the Port of Antwerp by drug traffickers who breached IT systems
that control the movement of shipping containers and recovered the cocaine and heroin among
legitimate cargoes shipped from South America. According to Brasington and Park (2016), hackers
were able to access secure location data and security details of containers, and therefore aimed to
steal the cargo prior to the arrival of the legitimate owner. However, BBC News (2013) claimed that
this was a multi-phased attack on the port that was initiated through malicious software being
emailed to the staff and granting organised crime remote access to data. However, the case
has also highlighted concerns about security negligence in ports that allowed hackers to fit key
logging devices (a small USB) onto staff computers that allowed them wireless access to screen
shots from monitors (Brasington and Park, 2016; BBC News, 2013).

2.3 Weak links in third party cybersecurity


According to TrustWave (2012), 76% of all data breaches were a result of third-party security
deficiencies that were exploited and therefore compromised the online operations. In a similar
vein, Servidio and Taylor (2015) recently observed that 44% of banks surveyed do not require
third parties to notify them if breached. Third parties are not tested for their security compliance
on data or products by banks, which puts them at high security risk (Servidio and Taylor, 2015).
Recent studies suggest that although the methodology between different hacks differed, the
common trend was that the companies’ suppliers and subcontractors had a vital role to play (Hale,
2016; McGuinn, Seckman and Sheppard, 2016). The weak link in integrated supply chains is the
security controls and compliance of the third parties, which are considered to be the path of least
resistance by black hat hackers (McGuinn et al., 2016). Hale (2016) also asserts that allowing
integrators or suppliers into the supply chain increases cyber risks, as suppliers demand a
connection with the industrial environment or inventory management data to improve efficiency.
Emphasising this point, Yoni Shohet, chief executive of SCADAfence, asserts that supply chain
managers and end users are not completely aware of the potential problems the integration may
cause (Hale, 2016). It is crucial therefore for all human operations within the industrial supply
chain environment to adhere to a common protocol, and all parties in the system (inside the
company and external suppliers) should not be allowed to perform an operation anonymously and
incognito (Hale, 2016). Both Hale (2016) and McGuinn et al. (2016) assert that cross validation and
constant vigilance of third parties and internal employees is key to ensure that basic security
measures are not manipulated. In order to manage issues with third party risks, Hale (2016) and
Fischer (2016) suggest that internal strategies are required to allow third parties to connect into
the environment. Hale (2016) does not think that a secure private virtual connection would suffice
for compliance; once the third parties are inside the network and connected to the environment,
Hale (2016) suggests that their operations should be monitored so that insiders have a view of
how technicians or contractors are, for example, performing an upgrade on a Programmable Logic
Controller. The importance of monitoring lies in having a bird’s eye view of the potential
threats that may arise from various parties operating on the network and safeguarding supply
chains against attackers who are looking out for the easiest access to systems anywhere in the
supply chain (Fischer, 2016; McGuinn et al., 2016; Hale, 2016).

2.4 Current management of Cyber Risks


According to the PwC report (2015), security incidents have outpaced both global smartphone
users and GDP combined. It states that the Compound Annual Growth Rate (CAGR) of cyber
security incidents has increased by 48% since 2013, in comparison with 22% for global smartphone
users and 21% for global GDP. Adding to the severity of the issue, a report by Dell (2014) found that
of the 1440 organisations interviewed globally, nearly 75% admitted to experiencing a security
breach in the last 12 months. Unfortunately, the study also claimed that only 18% considered
predicting and detecting unknown threats as a prioritised organisational concern (Dell, 2015).
Despite such alarming incidents, Inside Counsel (2015) had highlighted the findings of the PwC report
indicating a decreasing trend in the investment for cybersecurity from 2013 to 2014.

According to O'Rourke (2015), an important component of establishing a formal threat
intelligence and incident response plan for cyber-attacks is to frequently review and update it.
Unfortunately, a survey of IT professionals in 30 countries by the security division of the IT firm
EMC revealed that a third of the respondents claimed that their organisation did not have a cyber
breach plan and, of those that did, 57% did not review or update it. O'Rourke (2015) clearly stated
that there was a knowledge gap about the actual contribution of cybersecurity beyond protecting
networks and systems. Burnson (2013) referred to a study conducted by KPMG of 1,800
members of corporate audit committees across 21 countries. 45% of the respondents asserted
that their organisation's risk management plan that included cyber security still required
"substantial work". Burnson (2013) concluded that supply chain cyber risk management strategies
require oversight and engagement from the top executives, with a focus on the audit committees
playing a proactive role.

O'Rourke (2015) followed a similar approach to Burnson (2013) in claiming that cybersecurity
should be a proactive risk management strategy that goes beyond information security and
ideally should be incorporated within corporate strategy.

2.5 Adaptive Security Architecture Framework


In line with the research question, this study will draw on the tenets of the Adaptive Security
Architecture framework, originally proposed by Gartner (2014), which focuses on the prevention,
detection and response to cyber-threats, to examine how businesses manage the three layers of
cyber-security (Business Security Insider, 2016). Although a relatively new framework, Aman
(2016) and Wand et al. (2016) have referred to the basic foundations of the adaptive security
architecture in their studies.

The competencies of the adaptive security architecture framework enable organisations to protect
against advanced attacks through predictive, preventive, detective and responsive capabilities. The
predictive capabilities allow organisations to observe and learn from external events and monitor
underground cyber criminals. This allows organisations to anticipate new attacks on the current
state of their systems and the data stored in them. This intelligence is fed back into the
prevention stage (Gartner, 2016). The prevention capability usually consists of policies and
processes that are in place to prevent surface attacks from penetrating the systems any further.
The main objective of this capability is to ensure that hacking into the enterprise is made difficult
and that the layers of policies and processes are able to block the attacks. The detective capabilities
allow organisations to locate the attacks that have penetrated through the preventative stage. The goal of
detection is to reduce any potential damage such attacks may cause to the enterprise. Finally, the
response stage remediates issues discovered by the detection stage and provides root cause
analysis for future prediction and prevention (Gartner, 2016; Gartner, 2014).

Figure 1 illustrates how the Adaptive Security Architecture framework interacts with the three
layers of cyber-security.

Figure 1. Adaptive Security Architecture Framework

Source: Adapted from Business Security Insider (available online at:
https://business.f-secure.com/cyber-security-is-not-a-solution-but-a-process/ <accessed on 27 August 2016>)

3. Methodology

3.1 Rationale
According to Elsbach and Kramer (2003), traditional quantitative studies that use statistical
analysis are not suited to examining a dynamic and evolving phenomenon, because they are
static. Qualitative studies, on the other hand, are suited to analysing interactive and dynamic
processes (Elsbach and Kramer, 2003). As a result, an exploratory qualitative study was selected
for this research. The rationale for selecting an exploratory qualitative methodology was to
undertake direct observation with the experts in the field to understand how the 'how' and the 'why'
factors of the topic interact with each other (Meredith, 1998). Meredith (1998) and Marshall and
Rossman (2014) explained that the purpose of the study should match the research questions.
Figure 2 below highlights the main purpose of an exploratory study and the type of general
questions that it aims to answer.

Table 1. Complementing Research Questions with the Purpose of the study (Marshall and Rossman, 2014, p. 33).

In this research, the three criteria for the purpose of the study and their corresponding target
research questions (as highlighted in Figure 2) for selecting an exploratory qualitative
methodology have been met. Furthermore, the main research question (how do businesses manage
risks involving the Information and Communications Technology (ICT) infrastructure against cyber-
attacks in their supply chains?) emphasises explaining the phenomena, which according to
Meredith (1998) establishes a meaningful exploration of the topic beyond the domain of
quantitative correlations.

Specifically, semi-structured interviews were conducted to collect the data from informants who
have had experience in dealing with ICT security. Judgement sampling was used as the
technique for selecting five IT professionals. Dworkin (2012) suggested that a minimum of
five informants is required in semi-structured interviews before saturation (a point at which data
collection offers no new insights) is reached.

Marshall (1996) states that in qualitative studies, when a researcher actively selects the
participants based on experience and expertise that assist in answering the research
question, a purposeful sampling technique is being employed. Both Marshall (1996) and Marshall
and Rossman (2014) recognise that the judgement sampling technique is strategic in the informant
selection process because, during the interpretation of the data, this technique aids in supporting the
emerging ideas discussed previously by other researchers as well as in disagreeing with them. Marshall
(1996) states that judgement sampling is a holistic method that builds the body of knowledge
being explored. This research cannot be categorised as a case study, as the informants who were
interviewed may not be part of the same organisation or the same industry; therefore, each
participant is taken as a unit of analysis (Narasimhan, 2014). Interviewing IT professionals who
have had years of experience in managing the security of integrating IT systems allows for
more probing into their knowledge base and creates grounds for discovering meaningful insights
(Guercini, 2014; Marshall and Rossman, 2014). The exploratory qualitative study in this research
was conducted using semi-structured interviews. Forza (2002) explained the relevance of a
semi-structured interview in contributing to a body of knowledge in a particular area. Forza
(2002) and Bowen (2009) state that qualitative data collection involves collecting information
from individuals through mailed questionnaires, telephone calls or face to face interviews about
the topic of concern.

In this research, the format of the semi-structured interview was a set of open-ended
questions, sequenced in four major sections that complement the four sub research
questions (RQ 1, RQ 2, RQ 3 and RQ 4), to explore the responses in depth in
answering the main research question (Auriat and Siniscalco, 2005). The advantage of using open-
ended questionnaires or free response questions is that the participants are given the
opportunity to clarify the main theme or standpoint of the response further. In this way, Auriat
and Siniscalco (2005) note that the answers can be immediately clarified (in the case of a telephone
or face to face interview), due to the "prompts" embedded in the sub questions (Auriat and
Siniscalco, 2005; Forza, 2002).

3.2 Procedure

3.2.1 Informants
Five IT professionals who have had experience in working with integrated information systems or
ICT infrastructure security were selected for the study, after they had consented to participate.
In order to maintain the confidentiality of both the participants and the organisations they were or
had been associated with, code names were given to each participant and their organisation prior
to their interview session (Bryman and Bell, 2011). The profile of each informant is detailed in the
figure below.

Table 2a. Profile of Informants



Table 2b. Profile of Informants

3.2.2 Semi-structured interviews


Each informant (IT expert) was given a plain language statement of the research that briefly
outlines what this study is about, i.e. the research question, the importance of this study and that it
is being conducted under RMIT. A consent form was mailed or given to the participant prior to
the interview session. Along with these first documents, the participants also received an outline
of the questionnaire so that they could prepare for the semi-structured interview. The interviews
were saved as mp3 or phone recordings for ease of reference.

The interview was structured around the questionnaire (see Appendix A) and the duration of the
interview (telephone or face to face) was approximately 1 to 1.5 hours. The time frame was
kept in that range to allow an in-depth discussion about the participants' experiences of working in
the field. Additionally, if at any point the participant had any insights that were not
mentioned in the survey/questionnaire, the researcher followed that stream of thought to a
logical conclusion (Boyatzis, 1998). For example, if the participant alluded to political angles during
the course of the interview, then the researcher attempted to categorise that in one of the best suited
sub sections (Bryman and Bell, 2011; Boyatzis, 1998). The participants were allowed to draw from
past experiences. An audio call recorder (for iPhone) was used to record the telephone
conversations and voice recording was used to record face to face interviews. Open-ended
questions were used for all five interviews (Braun and Clarke, 2006).

The narrative of the interview was led by the four sub-research questions and initially requested
the informants to introduce the kind of IT specializations they had. The informants were then
asked to describe their daily IT work in detail. Then the informants were asked to explain what
they understand by cyber security and how their company predicts whether its systems are
vulnerable to cyber-attacks.

In the next part of the interview, informants were asked to elaborate on how their organisation
prevented surface attacks on the people layer of security. In addition, the informants were
asked to detail what sort of scanning or other filtration processes were adopted by HR in
order to make sure that the right people were employed and internal threats minimised.

The next part instructed the informants to detail a cyber-attack incident that had taken place and
how the informant detected the attack. In addition to the detection process, the informant was
asked to explain how the detection process interacted with the process layer in recognising,
isolating and containing the threat.

The final part of the interview enquired about the steps taken to respond once the ICT
infrastructure has been maliciously penetrated. In this part, the informants were asked to detail
the role played by the three layers of security (people, process and technology) in the prevention of cyber-
attacks on their critical networks. Finally, the informants were asked how the technology could
be safeguarded within supply chains and how third parties should be carefully selected based on
cyber risks. In the concluding sections, informants were asked to explain the impact cyber-attacks
will have on global supply chains and how supply chain managers should mitigate the risks.

3.3 Data Analysis


A thematic analysis was conducted to identify patterns and themes within the collected data
(Bowen, 2009). Bowen (2009) and Marshall and Rossman (2014) noted that thematic analysis
transforms the qualitative set of data into meaningful patterns, from which themes emerge. Braun
and Clarke (2006) define a theme as a cluster of patterned responses that adds to the overall body of
existing knowledge. Braun and Clarke (2006) also emphasise the importance of capturing
something insightful that relates to the research question. The transcripts were coded and further
categorised into emerging themes.

Stage 1.

The responses from each interview were categorised into four segments, namely Prediction,
Prevention, Detection and Response. The five sets of responses for each section were sorted
according to the category they fitted into. All Prediction responses of the five informants were
tabulated under the Prediction segment; while answers to Prevention were tabulated under the
Prevention Segment and the answers to Detection and Response were matched with their
respective segments. Five interviews were each coded as Interview 1, Interview 2, Interview 3,
Interview 4 and Interview 5.

Stage 2.

Once the coded responses were categorised under the specific research segment (i.e. Prediction,
Prevention, Detection and Response), the researcher observed repetitive words, processes or
other forms of field-specific references and identified a theme. For example, in Prevention, if a
particular risk prevention framework was alluded to in more than three interviews, then that
emerged as a theme, or malware attacks could emerge as a repeating incident in the Detection
factor.

Stage 3.
Once themes were established under each factor (for example, under the Detection factor,
malware, specialist training and DDoS may become emerging themes), the specifics of the themes
were analysed in more depth: for example, what kind of specialist training was discussed in
Interview 1 and whether any new directions added a new perspective. However, if new themes emerged
out of new reference points not anticipated previously, those were added to separate sections
during analysis. The data was sorted under the following outline: Interview(s) -> Factor (Predict,
Prevent, Detect, Respond) -> Theme (Boyatzis, 1998).

4. Findings: How do experts predict, prevent, detect and respond to cyber-attacks in the ICT
infrastructure of supply chains?

The analysis of the semi-structured interviews indicates that supply chain managers should not
only incorporate strategies to mitigate cyber risks in all nodes of their supply chains, but also focus
more on detection and response than on prevention. Although the Adaptive Security Architecture
framework provides an initial risk management strategy for all business operations, including
supply chains, cyber security experts have expressed their concerns over the lack of practical
implementation in a real-life scenario involving a cyber-attack. The semi-structured interviews with
five informants also drew attention to the fact that detection and response were more important
than prevention in managing cyber risks in the supply chain. In a typical response, one expert noted:

[From my perspective, I think that cybersecurity and technology security in general has always focussed
too heavily on the prevention side of things, it’s the whole.. We have big fences but everything inside of it is
open, so prevention is only one side of it, you have to detect when you’ve been breached, otherwise you
don’t actually know that someone is stealing all your information and then you have to have established
response procedures otherwise once you do detect, people run around like headless chicken and freak out.
Again, with the incident I dealt with, with the larger company and the malware outbreak, because they did
not have an established response process, once it was made clear to them that there was serious risk and a
threat, present on the network, nobody knew what to do. And that meant, that people had to make
decisions in the heat of the moment, on the fly based on their personal judgement at the time and that a.
leads to [in optimal ] decisions at the time and b. people will be overly cautious because they are afraid of
the repercussions coming back].

In another response, to the third sub question, one informant elaborated on the way in which
malicious code infects users' systems and the importance of users differentiating between
authentic emails and spam to prevent networks and systems from being compromised. This is evident
from the following interview excerpt:

[What the investigation revealed had actually happened was that the user had got one of these emails
from what appeared to be from Australia Post that says, you have a parcel waiting for you, click on this link
to find the details, and if you click on the link, it takes you to a webpage that was at a domain that was
Australia parcel post @.net.au or something, not an Australia post domain but it looked like one and the
website was a rip off of the Australia post website, and it asked you to enter your parcel no. here and click
this button. But once you click the button, the button was the actual mechanism to execute the code on the
page, which infected the person’s laptop. From there, the code on the laptop downloads extra malware
from google drive, install it on the laptop, runs it in the background, it's hidden from the process list so you
can’t actually see it and then starts searching the disc for any office files and starts encrypting them, with a
randomly generated key, that it sends to the command and control server and because of network shares, it
was encrypting documents across the network as well. The issue was is that office document can execute
code as well, so anyone who opened an office document would then infect their computer as well and it
would propagate that way. So this scenario where one user doing one thing wrong, out of curiosity puts the
whole organisation at risk.]
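
The lookalike-domain step in the incident above is something a mail gateway or a triage analyst can check mechanically instead of relying on the user's eye. The following Python example is added here and is not part of the original report or the informant's tooling; the allowlist, the suffix set and every sample link are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the organisation keeps an allowlist of registered domains it really
# receives parcel notices from, with the brand words an impostor would borrow.
TRUSTED = {"auspost.com.au": [("auspost",), ("australia", "post")]}

# Minimal stand-in for the Public Suffix List (assumption: enough for this demo).
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au"}

# Constructed sample links, not taken from the interviews.
SAMPLE_LINKS = [
    "https://auspost.com.au/mypost/track",
    "http://australia-parcel-post.net.au/track?id=123",
    "http://auspost.com.au.parcel-tracking.example/",
    "http://auspost.com.au@parcel-tracking.example/",
    "https://auspots.com.au/",
    "https://www.example.org/newsletter",
]


def registered_domain(host):
    """Return the registrable part of a host name, e.g. mail.auspost.com.au -> auspost.com.au."""
    labels = host.lower().rstrip(".").split(".")
    take = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unrelated'."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname  # the real host, i.e. whatever follows any user@ prefix
    if not host:
        return ("unrelated", "no host in URL")
    reg = registered_domain(host)
    if reg in TRUSTED:
        return ("trusted", reg)
    # Compare against the whole authority part so a brand name placed in a
    # subdomain or in the user@ prefix is still noticed.
    squashed = re.sub(r"[^a-z0-9]", "", parts.netloc.lower())
    first_label = reg.split(".")[0]
    for real, brand_words in TRUSTED.items():
        for words in brand_words:
            if all(w in squashed for w in words):
                return ("lookalike", f"borrows '{' '.join(words)}' but is {reg}, not {real}")
        if edit_distance(first_label, real.split(".")[0]) <= 2:
            return ("lookalike", f"{reg} is within two edits of {real}")
    return ("unrelated", reg)


def triage(links):
    """Group links by verdict so that only the lookalikes need a human decision."""
    result = {"trusted": [], "lookalike": [], "unrelated": []}
    for link in links:
        result[classify(link)[0]].append(link)
    return result


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify(link), link)
```

Links classed as lookalike are the ones worth quarantining or rewriting before they reach a user; the two-edit threshold is a tuning choice and will raise false positives on very short brand names.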

A description of each informant's salient responses to the four sub questions is tabulated below
(see Appendix B), upon which further thematic analysis is carried out in stages 2 and 3 in the
following sections.

4.1 Stage 2 - Interpretation of Findings


In this stage, the interpretation of the findings suggests emerging themes in the four sub-segments
that further refine the research question.

Although the interview questions were based on the Adaptive Security Architecture framework,
the responses from the five interviews indicate that its practical implications and applications
vary, as illustrated in the figure below. The illustrative responses within the table consist of
interview quotes that reinforce a theme, elaborated in the Interpretation section.

Table 3a. Interpreting Prediction of cyber risks.

Table 3b. Interpreting Prevention of cyber risks.

Table 3c. Interpreting Detection of cyber risks.

Table 3d. Interpreting Response of cyber risks.

4.2 Stage 3 - Modification of the existing framework


The resultant four aspects of managing cyber risks in the ICT infrastructures of supply chains
are Anticipatory Vigilance over the entire supply chain, Profiling Malevolence of all people who
have partial, complete or indirect access to data in the operations, Instantaneous Response to any
detected intrusion within systems, and Uncompromised Recovery of both the unaffected data
and purged systems to ensure business continuity.

Table 4. Proposed nomenclature of existing categories

Existing Categories      Proposed Nomenclature
1. Predict               Anticipatory Vigilance
2. Prevent               Profiling Malevolence
3. Detect                Instantaneous Response
4. Respond               Uncompromised Recovery

5. Discussion and Implications


Proposed Framework

The main objective of this research was to investigate how the ICT in supply chains could be
safeguarded against cyber-attacks. The Adaptive security architecture framework was considered
as a reference point while formulating the four sub questions.

The findings revealed a new and detailed approach to the existing adaptive security architecture
framework. The essential components in focus were the role of the people factor in preventing
the first layers of attacks and the importance of real time detection in the cyber risk mitigation
process. However, to refine the nomenclature of the phases within the adaptive security
architecture framework, the specific focus of each phase should be synchronised with the main aim
of that phase. For example, a general first stage in cybersecurity in organisations is that of
prediction; however, within the context of managing risks in the ICT infrastructure of supply
chains, the urgency to be vigilant is based on an anticipated attack at any point in time, as
explained by the experts.

Thus, in the context of managing the cyber risks in the ICT infrastructures, Anticipatory Vigilance
is substituted for Prediction. On a similar note, for the second stage, it is especially important to
emphasise the behaviour and intent of people who are capable of directly sabotaging the
organisation (i.e. insider threat) or indirectly acting on criminal intent (i.e. external cyber criminals).
Thus, to emphasise not only their actions but also their motivations, Profiling Malevolence, which may
be of any form posing a threat to the infrastructure, is substituted for Prevention. It was evident
from the expert's experience that, on most occasions, the more time it took to detect the
threat, the higher the adverse impact.

The approach suggested in this stage is to shorten the time frame between detection and
response. Thus, Instantaneous Response fulfils the nomenclature of the refined model for the
detection stage. Finally, the main aim of the response stage emphasises business
continuity, and therefore supply chain cyber resilience. As one of the main purposes is to minimise
further data loss or system damage, the theme of Uncompromised Recovery is substituted for a
simple response stage. This stage then feeds back into Anticipatory Vigilance to promote
continuous alert and monitoring capabilities within all nodes of the supply chain. An illustration of
the proposed framework is provided below.

Figure 2. Illustration of the Proposed Framework

The efficacy of the new framework lies in its cyclic iteration throughout the three layers of
cybersecurity (i.e. people, process and technology) in all nodes of the supply chain. Therefore, the
end-to-end process of an integrated supply chain would ideally embed the framework in a bid to
enhance its cyber resilience. An illustrative example has been provided below in Figure 3.

The figure below emphasises the need for ICT infrastructures within end-to-end supply chains
to be secured by design. The proposed framework operationalises a continuous monitoring and
responding capability that is entrenched in the people, process and technology layers in the nodes
of the supply chain.

Figure 3. Securing the ICT infrastructure in end to end supply chains

In addition to refining the pre-existing framework, the findings were also consistent with the
literature that suggested that there was a lack of managerial insight with regards to risk mitigation
strategies in supply chains. However, the knowledge gap was due to a lack of dialogue between
the IT security team and the corporate heads, who still perceived them to be back office staff.
Therefore, another important finding is the need for supply chain managers to incorporate cyber
security as a part of their business strategy, especially in the advent of increased internet
integration.

5.1 Significance of the study


Shackleford (2015) and Tuli and Juneja (2016) claimed that supply
chain vendors, third parties and consumers were equally vulnerable to cyber-attacks, as
sophisticated techniques such as hacking, phishing and business transaction fraud presented new
areas of compromised security. In line with these claims, the findings of this study offer insights
on how cyber-security could be more effectively managed to ensure continuity of business process,
information transactions and customer confidence in the new era of integrated supply chains.

In the coming age of digital integration and technological innovation, such as next generation
smartphones, the Internet of Things (IoT) and increased automation, along with the explosion of big data,
businesses and consumers are vulnerable to increased information theft and cyber-crime
(Masvosvere and Venter, 2015). Drawing from Barron et al. (2016), the consequences of malevolent
attacks could adversely impact inventory, time of delivery and quality of product in supply chains,
due to the interconnected economies. Therefore, this study would also lend insights into the
management of Cyber Supply Chain Vulnerability analysis, where multiple nodes and routes
interact as a part of global supply chains (Booz Allen Hamilton, 2012).

As stated by Kaushik and Tayal (2016), a severe problem in computer networks is malevolent
attacks on critical nodes that transfer data packets across integrated networks. An example of
where the findings may be vital is omni-channel retailing, where consumers leave traces of
customer data that are attractive to cyber criminals and are unaware of the dangers
of putting confidential information on websites, apps and mobile websites (Deloitte, 2016). The
findings may offer insights on how businesses could protect multiple points of exposure, manage
many vendors and detect new malware that may be device-specific (PRNewswire, 2015). The
findings would also provide an opportunity for future research on securing the critical
infrastructures of resources such as electricity and energy, and the vulnerabilities of a smart grid
(Knapp and Samani, 2013), thereby setting grounds for investigations on how cyber security could
be a key factor in implementing policies on national security.

5.2 Contributions and Implications


The research has proposed a new framework that could be practically applied in mitigating cyber
threats in the ICT infrastructures of supply chains. As already established in the findings, experts
have advised supply chain managers to embed this iterative framework in all nodes and parties of
the supply chain. For example, while monitoring and therefore managing risks in the warehouse
and distribution systems, supply chain managers would benefit from adopting the four strategies
in safeguarding the ICT systems of the warehousing and distribution centre. The strategies can
be extended to all the nodes, i.e. manufacturing, assembly, delivery, consolidation and retail nodes,
in an attempt to secure the end-to-end ICT infrastructure.

Another important implication that would have a direct impact on e-commerce supply chains is
that of securing the omni-channel operations. This framework would ensure that omni-channel
operators and consumers are mindful of the cyber-threat indicators and immediate responses
while operating in the omni-channel world. Furthermore, when omni-channels source products
from overseas for the purposes of order fulfilment, this framework would be especially important
for third party procurement and vendor selections (Deloitte, 2016).

5.3 Limitations and Future Directions


A constraint of the study is the qualitative methodology. As the study does not include a
longitudinal analysis over time, the findings could not explore the subject matter in more depth,
as the study was restricted to the informants having been interviewed once, within a certain time
frame. A limitation of the study was that only five informants were ultimately chosen out of the six
participants who had initially committed to the interview. This restricted the scope for uncovering
more experiential knowledge from others in different industries. However, it was evident that the
informants had extensive experience in various industries, so the researcher aimed at
understanding what had been done from a consistent source. Additionally, the lack of a greater
sample size implies that this research could be extended to a greater sample of participants in
future studies to garner a comprehensive understanding of the research topic.

6. Conclusion
The nature of cybercrime has evolved considerably over the years as sophisticated technologies
provide ample opportunities for underground cyber criminals to act on their intent. With the
advent of global technological integration, governments, businesses and individuals are
predisposed to an unprecedented level of online fraud, data theft and systemic damage. As the
conventional linear supply chain model is being transformed into a networked omni-channel
supply chain configuration, supply chain operations have become more vulnerable to
cyberattacks. The proposed cybersecurity framework offers an updated set of procedures for
organizations to re-evaluate their current supply chain risk mitigation measures. More
significantly, the proposed framework sets an agenda to extend contemporary dialogue in cyber
security to deal with the increasing threats associated with the growing popularity of omnichannel
operations.

7. References
5. Aman, W., 2016, July. Assessing the Feasibility of Adaptive Security Models for the Internet
of Things. In International Conference on Human Aspects of Information Security, Privacy,
and Trust (pp. 201-211). Springer International Publishing.
6. Auriat, N. and Siniscalco, M.T., 2005. Questionnaire design. Quantitative research methods in
educational planning, 8, 1-91.
7. Business Security Insider. 2016. THE 360 DEGREE APPROACH TO CYBER SECURITY. [ONLINE]
Available at: https://business.f-secure.com/cyber-security-is-not-a-solution-but-a-process/.
[Accessed 25 August 2016].
8. Booz Allen Hamilton, 2012. Managing Risks in Global ICT Supply
Chains. Booz Allen Hamilton Report, 1-12.
(https://www.boozallen.com/content/dam/boozallen/media/file/managing-risk-in-global-ict-supply-chains-vp.pdf)
9. Bolhari, A., 2009, December. Electronic-Supply Chain Information Security: A Framework
for Information. In Australian Information Security Management Conference (p. 10).
10. Boyes, H., 2015. Cybersecurity and Cyber-Resilient Supply Chains. Technology Innovation
Management Review, 1, 1-8.
11. Bowen, G.A., 2009. Document analysis as a qualitative research method. Qualitative
research journal, 9(2), pp.27-40.
12. Braun, V. and Clarke, V., 2006. Using thematic analysis in psychology. Qualitative
research in psychology, 3(2), pp.77-101.
13. Bryman, A. and Bell, E., 2011. Business Research Methods. Oxford University Press, Oxford,
United Kingdom.
14. Boyatzis, R.E., 1998. Transforming qualitative information: Thematic analysis and code
development. Thousand Oaks, CA: Sage Publications.
15. Barron, S., Cho, Y.M., Hua, A., Norcross, W., Voigt, J. and Haimes, Y., 2016, April. Systems-
based cyber security in the supply chain. In 2016 IEEE Systems and Information Engineering
Design Symposium (SIEDS) (pp. 20-25). IEEE.
16. Brasington, H. and Park, M., 2016. CYBERSECURITY AND PORTS: VULNERABILITIES,
CONSEQUENCES AND PREPARATION. Ausmarine, 38(4), p.23.
17. BBC NEWS. 2013. Police warning after drug traffickers' cyber-attack. [ONLINE] Available
at: http://www.bbc.com/news/world-europe-24539417. [Accessed 16 October 2016].
18. Burnson, P., 2013. Supply Chain Cybersecurity: A Team Effort. Supply Chain Management
Review, [Online]. 17(3), 6-7. Available at:
https://eds-b-ebscohost-com.ezp.lib.unimelb.edu.au/eds/pdfviewer/pdfviewer?sid=0eb3befb-6e18-4801-80fd-ba08da2b3d4d%40sessionmgr103&vid=2&hid=121
[Accessed 14 October 2016].
19. Chacko, A., 2015. Cybersecurity - Integrating People, Process and Technology. In IASA
87TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW. Las Vegas, June 7-10. Las
Vegas: IASA. 1-37.
20. Curley, R., 2011. The Science of War: Strategies, Tactics, and Logistics. 1st ed. New York:
Rosen Education Service.
21. Dell. 2014. Protecting the organization against the unknown. [ONLINE] Available at:
https://software.dell.com/documents/protecting-the-organization-against-the-unknown-whitepaper-27396.pdf.
[Accessed 15 October 2016].
22. Dhillon, G., 2007. Principles of information systems security. John Wiley & Sons.
23. Dark Reading - Information Week. 2015. 4 Signs Your Board Thinks Security Readiness Is
Better Than It Is. [ONLINE] Available at:
http://www.darkreading.com/operations/4-signs-your-board-thinks-security-readiness-is-better-than-it-is/d/d-id/1321111?_ga=1.216408595.464050780.1476605545.
[Accessed 15 October 2016].
36

24. Deloitte. 2016. Cyber security challenges for retailers. [ONLINE] Available
at:http://www2.deloitte.com/nl/nl/pages/consumentenmarkt/articles/cyber-security-
challenges-for-retailers.html#. [Accessed 27 August 2016].
25. Dworkin, S.L., 2012. Sample size policy for qualitative studies using in-depth
interviews. Archives of sexual behavior, pp.1-2.
26. Elsbach, K.D. and Kramer, R.M., 2003. Assessing creativity in Hollywood pitch meetings:
Evidence for a dual-process model of creativity judgments. Academy of Management
journal, 46(3), pp.283-301.
27. Fischer, E.A., 2016. Management of Cybersecurity Risks. Congressional Research Service:
Report, [Online]. 1(1), 2-3. Available at: https://eds-b-ebscohost-
com.ezp.lib.unimelb.edu.au/eds/pdfviewer/pdfviewer?sid=0eb3befb-6e18-4801-80fd-
ba08da2b3d4d%40sessionmgr103&vid=5&hid=121 [Accessed 15 October 2016].
28. Forza, C., 2002. Survey research in operations management: a process-based
perspective. International journal of operations & production management, 22(2), pp.152-
194.
29. Forte, D., Perez, R., Kim, Y., 2016. Supply-Chain Security for Cyber-infrastructure. IEEE
Computer Society, [Online]. 49(8), 12-16. Available at:
30. Gartner. 2014. Designing an Adaptive Security Architecture for Protection From Advanced
Attacks. [ONLINE] Available at: https://www.gartner.com/doc/2665515/designing-
adaptive-security-architecture-protection. [Accessed 24 August 2016].
31. Gartner. 2016. Designing an Adaptive Security Architecture for Protection From Advanced
Attacks. [ONLINE] Available at: https://www.gartner.com/doc/reprints?id=1-
279SLRJ&ct=150109&st=sb. [Accessed 30 October 2016].
32. Guercini, S., 2014. New qualitative research methodologies in management. Management
Decision, 52(4), pp.662-674.
33. Hahn, A., Thomas, R.K., Lozano, I. and Cardenas, A., 2015. A multi-layered and kill-chain
based security analysis framework for cyber-physical systems. International Journal of
Critical Infrastructure Protection, 11, pp.39-50.
34. He, H., Maple, C., Watson, T., Tiwari, A., Mehnen, J., Jin, Y. and Gabrys, B., 2016. The
Security Challenges in the IoT enabled Cyber-Physical Systems and Opportunities for
Evolutionary Computing & Other Computational Intelligence.
35. Humphreys, E., 2008. Information security management standards: Compliance,
governance and risk management. Information Security Technical Report, 13, 247-255.
36. Hale, G., 2016. Advice on securing the supply chain. Control Engineering, [Online]. 63(7), 1-
2. Available at: http://www.oilandgaseng.com/singlearticle/advice-on-securing-the-supply-
chain/72434d878a58eee91e4ccc4d7efd160e.html [Accessed 15 October 2016].
37. ISO/IEC. ISO/IEC TR 13335-1:2004 information technology security techniques
management of information and communications technology security part 1: concepts and
models for information and communications technology security management. ISO/IEC, JTC
1, SC27, WG 1 2004.
38. Iyengar, S. 2016, "Enterprise IT Security - Need of the Hour", Communications Today.
39. InsideCounsel, InsideCounsel, 2015. Risk and Compliance by the Number. Summit Business
Media, [Online]. 28(278), 40. Available at: https://eds-b-ebscohost-
com.ezp.lib.unimelb.edu.au/eds/pdfviewer/pdfviewer?sid=0eb3befb-6e18-4801-80fd-
ba08da2b3d4d%40sessionmgr103&vid=10&hid=121 [Accessed 14 October 2016].

40. Juneja, N., Tuli, K., 2016. CYBER SECURITY CHALLENGES & ONLINE FRAUDS ON
INTERNET. International Journal of Advanced Research in IT and Engineering, [Online]. 5, 1-
12. Available at: http://garph.co.uk/IJARIE/Feb2016/1.pdf [Accessed 21 August 2016].
41. Jensen, L., 2015. Challenges in Maritime Cyber-Resilience. Technology Innovation
Management Review, 5(4), p.35.
42. Janes, P., 2012. INFORMATION ASSURANCE AND SECURITY INTEGRATIVE PROJECT PEOPLE,
PROCESS, AND TECHNOLOGIES IMPACT ON INFORMATION DATA LOSS. SANS Institute
InfoSec Reading Room, 1, 1-44.
43. Jacobides, M.G. and Billinger, S., 2006. Designing the boundaries of the firm: From “make,
buy, or ally” to the dynamic benefits of vertical architecture. Organization science, 17(2),
pp.249-261.
44. Khan, O., & Estay, D. A. Sepúlv. 2015. Supply Chain Cyber-Resilience: Creating an Agenda
for Future Research. Technology Innovation Management Review, 5(4): 6-
12. http://timreview.ca/article/885
45. Karri, R., Koushanfar, F., Sinanoglu, O., Makris, Y., Mai, K., Sadeghi, A.R. and Bhunia, S.,
2015. Guest Editorial Special Section on Hardware Security and Trust. IEEE Transactions on
Computer-Aided Design of Integrated Circuits and Systems, 34(6), pp.873-874.
46. Knapp, E.D., & Samani, R. (2013). Applied Cyber Security and the Smart Grid: Implementing
Security Controls into the Modern Power Infrastructure. Elsevier / Syngress.
47. Kaushik, K. and Tayal, S., 2016. Performance Analysis of Black Hole Attack in
VANET. International Journal of Wired and Wireless Communications, 4(2), pp.29-34.
48. Lysne, O., Hole, K.J., Otterstad, C., Ytrehus, O., Aarseth, R., Tellnes, J., 2016. Vendor Malware:
Detection Limits and Mitigation. IEEE Journals & Magazines, [Online]. 49(8), 62 - 69.
Available at:
http://ieeexplore.ieee.org.ezp.lib.unimelb.edu.au/stamp/stamp.jsp?tp=&arnumber=75434
30 [Accessed 15 October 2016].
49. Lane, D., 2011. The Chief Information Officer's Body of Knowledge: People, Process, and
Technology. 1st ed. New Jersey: John Wiley & Sons.
50. Luthra, S., 2016. Botnet and Malwares Analysis and Detection (Minor Thesis). Deakin
University, 1, 2-22.
51. Masvosvere, D.J.E. and Venter, H.S., 2015, August. A model for the design of next
generation e-supply chain digital forensic readiness tools. In Information Security for South
Africa (ISSA), 2015 (pp. 1-9). IEEE.
52. Meredith, J., 1998. Building operations management theory through case and field
research. Journal of operations management, 16(4), pp.441-454.
53. Marshall, M.N., 1996. Sampling for qualitative research. Family practice, 13(6), pp.522-526.
54. Marshall, C. and Rossman, G.B., 2014. Designing qualitative research. Sage publications.
55. McGuinn, M., Seckman, P. R., Sheppard, E. B., 2016. CYBERSECURITY AND YOUR SUPPLY
CHAIN: WHAT YOU DON'T KNOW MAY HURT YOU. Contract Management, [Online]. 56(2),
14-21. Available
at: http://www.mondaq.com/unitedstates/x/487130/Government+Contracts+Procurement
+PPP/Cybersecurity+And+Your+Supply+Chain+What+You+Dont+Know+May+Hurt+You
[Accessed 15 October 2016].
56. Narasimhan, R., 2014. Theory development in operations management: Extending the
frontiers of a mature discipline via qualitative research. Decision Sciences, 45(2), pp.209-
227.
57. O'Rourke, M., 2015. Gauging supply chain resilience. Risk Management, [Online]. 62(5),
36. Available at: https://eds-b-ebscohost-
com.ezp.lib.unimelb.edu.au/eds/pdfviewer/pdfviewer?sid=c10cfc77-d54c-417d-bd94-
c852c9859576%40sessionmgr105&vid=8&hid=121 [Accessed 13 October 2016].
58. PwC. 2016. The Global State of Information Security® Survey 2016. [ONLINE] Available
at: http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html.
[Accessed 24 August 2016].
59. PwC. 2015. The Global State of Information Security® Survey 2017. [ONLINE] Available
at: http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html.
[Accessed 16 October 2016].
60. Ponemon Institute, 2015. The Cost of Phishing & Value of Employee Training. Ponemon
Institute Research Report, 1, 1-15.
61. Pettit, T. J., Fiksel, J., & Croxton, K. L. 2010. Ensuring Supply Chain Resilience: Development
of a Conceptual Framework. Journal of Business Logistics, 31(1): 1–21.
http://dx.doi.org/10.1002/j.2158-1592.2010.tb00125.x
62. ProtectWise, ProtectWise, 2016. 5 Blind Spots that Kill Cybersecurity. Dark Reading, 1, 1-
10.
63. PRNewswire. 2015. Omni-Channel Needs Omni-Security iSheriff Report Reveals Security
Risks of New Omni-Channel Retail Strategy. [ONLINE] Available
at: http://www.prnewswire.com/news-releases/omni-channel-needs-omni-security-
300179974.html. [Accessed 28 August 2016].
64. Servidio, J.S., Taylor, R.D., 2015. Safe and Sound: Cybersecurity for Community
65. Shackleford, D., 2015. Combatting Cyber Risks in the Supply Chain. SANS Institute InfoSec
Reading Room, [Online]. 1, 1-17. Available at: https://www.sans.org/reading-
room/whitepapers/analyst/combatting-cyber-risks-supply-chain-36252 [Accessed 21
August 2016].
66. Sethumadhavan, S., Waksman, A., Suozzo, M., Yipeng, H., Eum, J., 2015. Trustworthy
Hardware from Untrusted Components. Communications of the ACM, [Online]. 58(9), 60-
71. Available at: http://cacm.acm.org/magazines/2015/9/191186-trustworthy-hardware-
from-untrusted-components/abstract [Accessed 15 October 2016].
67. Skorobogatov, S. and Woods, C., 2012, September. Breakthrough silicon scanning discovers
backdoor in military chip. In International Workshop on Cryptographic Hardware and
Embedded Systems (pp. 23-40). Springer Berlin Heidelberg.
68. Symantec. 2016. Security News. [ONLINE] Available at: http://www.pctools.com/security-
news/zero-day-vulnerability/. [Accessed 17 October 2016].
69. TrustWave, T., 2012. Global security report, 2012.
70. Urciuoli, L. 2015. Cyber-Resilience: A Strategic Approach for Supply Chain
Management. Technology Innovation Management Review, 5(4): 13-
18. http://timreview.ca/article/886
71. Williams, C., 2014. Security in the cyber supply chain: Is it achievable in a complex,
interconnected world?. Technovation, [Online]. 34(7), 382–384. Available
at: http://www.sciencedirect.com.ezp.lib.unimelb.edu.au/science/article/pii/S0166497214
000212? [Accessed 14 October 2016].
72. Wilding, R. and Wheatley, M., 2015. Q&A. How Can I Secure My Digital Supply
Chain?. Technology Innovation Management Review, 5(4), p.40.
73. Wired. 2014. Hacker Lexicon: What Is a Backdoor?. [ONLINE] Available
at: https://www.wired.com/2014/12/hacker-lexicon-backdoor/. [Accessed 17 October
2016].
74. Wang, S., Bie, R., Zhao, F., Zhang, N. and Cheng, X., 2016. Security in wearable
communications. IEEE Network, 30(5), pp.61-67.
75. Yan, Y., Qian, Y., Sharif, H. and Tipper, D., 2012. A survey on cyber security for smart grid
communications. IEEE Communications Surveys & Tutorials, 14(4), pp.998-1010.
8. Appendices

8A. Managing Cyber-risks in the ICT infrastructure of Supply chains.

(Questionnaire)

So you have gone through the participation information and consent form?

Willing to go ahead with the interview?

……………………………………………………………………………………………………………………………………
Part 1
Just to start off the interview with some basic questions…

Could you please elaborate on the kind of IT skill or IT security specialization you have…
So what does your daily work involve?
Previously what sort of security projects have you been involved in?
In your view, how important is cyber security in this day and age? And why?
Now we'll move onto some specific questions about how organisations integrate cyber
security in their daily operations…
How would you predict whether the organisation is vulnerable to attacks?
Specifically, looking into supply chains, where should supply chain managers direct their
focus?
Where in the supply chains (third parties, internal employees, any particular
node/department) that would require strict compliance?

Part 2

This part of the interview will look more into the prevention of surface attacks…..

Is security only about the technology?


So what else is important in this domain?
What about people?
So say for instance, you had to select the right kind of employees for your organisation,
how would you ensure that the screening process is robust?
Are there any social engineering techniques you employ while filtering the right kind of
employees?

Part 3

This part is about the detection of the attacks….


So from your past experience, could you please detail a cyber-incident that had taken
place….
If you could please elaborate step by step about the detection process.
So immediately after the attack, how do employees or rather who detects it?
And then what kind of compliance policy (if at all) was present at the time?
So in summary how would you analyse the situation in the context of recognising, isolating
and containing the threat?

Part 4

The focus of this part is about response strategies …..


Once the ICT infrastructures have been hacked into, and have been detected, how do
you respond to the incident?
Are there different kinds of response strategies for different detection points? (So for
example, before the system completely gets destroyed, how quickly detect the malicious
intrusion) would you have different response strategies?

Okay, so basically putting everything together, if there was a strategy that would instruct
managers to predict the vulnerabilities, prevent, detect and respond…..keeping the people
and technology in mind, how would you go about advising them?
So in the case of protecting the sensitive data in the critical infrastructure, how do you
ensure that the ICT is safeguarded, given there is so much of integration taking place…

Bringing this all into the context of supply chains, what do supply chain industries or
managers have to know about preventing protecting the data they share?
What about selection of the third party vendors, what stage of cyber security would that
come under?
Finally, could you please explain the impact cyber-attacks will have on global supply chains,
and how should supply chain managers approach this issue? Any specific type of attack
supply chain and logistics managers should keep in mind?
8B. Tables for Interview responses for Segment

Table 5 Table for Prediction Segment


Table 6 Table for Prevention Segment


Table 7 Table for Detection Segment


Table 8 Table for Response Segment
