Abstract
Recent supply chain reengineering efforts have focused on integrating firms’ production, inventory and replenishment activities with the help of communication networks. While communication networks and supply chain integration facilitate optimization of traditional supply chain functions, they also exacerbate the information security risk: communication networks propagate security breaches from one firm to another, and supply chain integration causes a breach at one firm to affect other firms in the supply chain. We study the impact of network security vulnerability and supply chain integration on firms’ incentives to invest in information security. We find that even though an increase in either the degree of network vulnerability or the degree of supply chain integration increases the security risk, they have different impacts on firms’ incentives to invest in security. If the degree of supply chain integration is low, then an increase in network vulnerability induces firms to reduce, rather than increase, their security investments. A sufficiently high degree of supply chain integration alters the impact of network vulnerability into one in which firms have an incentive to increase their investments when the network vulnerability is higher. Though an increase in the degree of supply chain integration enhances firms’ incentives to invest in security, private provisioning for security always results in a less than socially optimal security level. A liability mechanism that makes the responsible party partially compensate for the other party’s loss induces each firm to invest at the socially optimal level. If firms choose the degree of integration, in addition to security investment, then firms may choose a higher degree of integration when they decide individually than when they decide jointly, suggesting an even greater security risk to the supply chain.
Notes
Our results do not change qualitatively when there are more than two firms in the supply chain.
We use subscript p for parochial investment decision in which firms minimize their own costs. Later, we use subscript s to indicate investment level when firms jointly minimize the total supply chain cost.
Note that in (6) we have already imposed symmetry in SC integration, i.e. \( \beta_{1} = \beta_{2} = \beta \).
In a 2006 survey of 853 US IT managers, 41% observed that they might not immediately detect a data breach [7].
References
Bourland KE, Powell SG et al (1996) Exploiting timely demand information to reduce inventories. Eur J Oper Res 92:239–253
Cachon GP, Fisher M (2000) Supply chain inventory management and the value of shared information. Manag Sci 46:1032–1048
Camp LJ, Wolfram C (2004) Pricing security. In: Camp LJ, Lewis S (eds) Economics of information security. Kluwer Academic Publishers, MA, pp 17–34
Chen F, Drezner Z, Ryan JK, Simchi-Levi D (2000) Quantifying the bullwhip effect in a supply chain: the impact of forecasting, lead times, and information. Manag Sci 46:436–443
Clark TH, Hammond J (1997) Reengineering channel reordering processes to improve total supply-chain performance. Prod Oper Manag 6(6):248–264
Coase RH (1960) The problem of social cost. J Law Econ 3:1–44
Computer Weekly (2006) Survey: data breaches difficult to spot, prevent. http://www.computerweekly.com/Articles/2006/08/31/218182/survey-data-breaches-difficult-to-spot-prevent.htm
Forrester Research (2001) When to share supply chain secrets. September
Gal-Or E, Ghose A (2005) The economic incentive of sharing information. Inform Syst Res 16(2):186–208
Gavirneni S (2005) Price fluctuations, information sharing, and supply chain performance. Eur J Oper Res 174(3):1651–1663
Gavirneni S, Kapuscinski R, Tayur S (1999) Value of information sharing in a capacitated supply chain. Manag Sci 45:16–24
Gordon LA, Loeb MP (2002) The economics of information security investment. ACM Trans Inform Syst Secur 5(4):438–457
Gordon LA, Loeb MP, Lucyshyn W (2003) Sharing information on computer systems security: an economic analysis. J Account Public Policy 22(6):461–485
Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security guide for interconnecting information technology systems. NIST Special Publication 800-47, August
Hausken K (2006) Income, interdependence, and substitution effects affecting incentives for security investment. J Account Public Policy 25(6):629–665
Hausken K (2007) Information sharing among firms and cyber attacks. J Account Public Policy 26(6):639–688
Holmstrom B (1982) Moral hazard in teams. Bell J Econ 13(2):324–340
Kunreuther H, Heal G (2003) Interdependent security. J Risk Uncertain 26(2/3):231–249
Lee HL (2004) The Triple-A supply chain. Harvard Bus Rev October 2004:2–11
Lee HG, Clark T, Tam KY (1999) Research report. Can EDI benefit adopters? Inform Syst Res 10(2):186–195
Lee HL, So KC, Tang CS (2000) The value of information sharing in a two-level supply chain. Manag Sci 46(5):626–643
Li L (2002) Information sharing in a supply chain with horizontal competition. Manag Sci 48(9):1196–1212
Li L, Zhang H (2005) Confidentiality and information sharing in supply chain coordination. http://ssrn.com/abstract=690862
Metters R (1997) Quantifying the bullwhip effect in supply chains. J Oper Manag 15:89–100
Mishra B, Raghunathan S, Yue X (2007) Credible exchange of information in supply chains: incentives for information distortion. IIE Trans 39(9):863–877
Mukhopadhyay T, Kekre S, Kalathur S (1995) Business value of information technology: a study of electronic data interchange. MIS Q 19(2):137–155
Niederman F (1998) The diffusion of electronic data interchange technology. In: Larsen TJ, McGuire E (eds) Information systems innovation and diffusion: issues and directions. Idea Group Publishing, Hershey, pp 141–160
Ogut H, Raghunathan S, Menon N (2005) Cyber insurance and IT security investment: impact of interdependent risk. In: Proceedings of the Workshop on the Economics of Information Security, Cambridge, MA, 2–3 June
Pigou AC (1920) The economics of welfare. Macmillan, London
Raghunathan S (2001) Information sharing in a supply chain: a note on its value when the demand is non-stationary. Manag Sci 47:605–610
Raghunathan S, Yeh A (2001) Beyond EDI: impact of continuous replenishment program (CRP) networks between a manufacturer and its retailers. Inform Syst Res 12:406–419
Schoeniger E (2006) The new reality of supply chain security. www.microsoft.com/midsizebusiness/supply-chain-security.mspx
Srinivasan K, Kekre S, Mukhopadhyay T (1994) Impact of electronic data interchange technology on JIT shipments. Manag Sci 40(10):1291–1304
Susarla A, Barua A, Whinston AB (2007) An empirical analysis of complementarity in information integration and inter-organizational coordination. Working Paper, The University of Texas at Austin
Tanaka H, Matsuura K, Sudoh O (2005) Vulnerability and information security investment: an empirical analysis of e-local government in Japan. J Account Public Policy 24(1):37–59
Varian H (2002) System reliability and free riding. Working Paper, The University of California at Berkeley
Varian H (2004) System reliability and free riding. In: Camp LJ, Lewis S (eds) Economics of information security. Kluwer Academic Publishers, MA, pp 1–16
Zhang H (2002) Vertical information exchange in a supply chain with duopoly retailers. Prod Oper Manag 11:531–546
Acknowledgments
We thank the participants of WITS 2004 and UT-Dallas Risk Management Conference 2007 for their helpful comments on earlier versions of this paper.
Appendix
See Table 1
Proofs for propositions
Proposition 1
Firms’ security investment is decreasing in network vulnerability in an unintegrated supply chain.
Proof The FOC for minimization is given by \( p^{\prime } (c_{p}^{*} )\left( {1 - qp(c_{p}^{*} )} \right) + {\frac{1}{L}} = 0 \). Therefore, \( Sign\left( {{\frac{{\partial c_{p}^{*} }}{\partial q}}} \right) = - Sign\left( {{\frac{\partial }{\partial q}}\left( {p^{\prime } (c_{p}^{*} )(1 - qp(c_{p}^{*} )) + {\frac{1}{L}}} \right)} \right) \), which is negative.
Proposition 2
In an unintegrated supply chain, firms invest less when they make investment decisions individually compared to when they make decisions jointly and the difference in the investments increases as q increases.
Proof The FOC for minimization when firms decide investments jointly is given by \( p^{\prime } (c_{s}^{*} )\left( {1 + q\left( {1 - 2p(c_{s}^{*})} \right)} \right) + {\frac{1}{L}} = 0 \). Therefore, \( Sign\left( {{\frac{{\partial c_{s}^{*} }}{\partial q}}} \right) = - Sign\left( {{\frac{\partial }{\partial q}}\left( {p^{\prime } (c_{s}^{*} )(1 + q(1 - 2p(c_{s}^{*} ))) + {\frac{1}{L}}} \right)} \right) \), which is positive. From proposition 1, we know that \( Sign\left( {{\frac{{\partial c_{p}^{*} }}{\partial q}}} \right) \) is negative. The proposition follows from these results.
Proposition 3
(i) Firms’ security investment is increasing in the network vulnerability in a tightly-integrated supply chain, and (ii) firms’ security investment is decreasing in the network vulnerability in a loosely-integrated supply chain.
Proof The FOC for minimization is given by \( p^{\prime } (c_{p}^{*} )\left( {1 + q\left( {\beta - \left( {1 + \beta } \right)p(c_{p}^{*} )} \right)} \right) + {\frac{1}{L}} = 0 \). Following the same line of reasoning as in the proofs for Proposition 1 and Proposition 2, \( Sign\left( {{\frac{{\partial c_{p}^{*} }}{\partial q}}} \right) \) is positive iff \( \beta > {\frac{{p(c_{p}^{*} )}}{{1 - p(c_{p}^{*} )}}} \).
Proposition 4
In a loosely-integrated supply chain, firms invest less when they make investment decisions individually compared to when they make decisions jointly.
Proof The proof is similar to that of Proposition 2 and hence omitted.
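The first-order conditions in the proofs of Propositions 1 to 4 pin down the symmetric equilibrium only implicitly, so the comparative statics (investment falling in q when integration is loose, rising when it is tight, and always below the joint optimum) are easiest to see numerically. The script below is an added example, not code from the paper. It assumes a concrete breach-probability function p(c) = exp(-a c) (the paper only needs p' < 0), the parameter values a = 1 and L = 10, and, for the joint problem in an integrated chain, the FOC (1+β) p'(c)(1 + q(1 - 2p(c))) + 1/L = 0, which reduces to the page's Proposition 2 FOC at β = 0 and is derived here from an assumed total-cost expression in which each firm bears β times its partner's loss. Each FOC is solved for c* by bisection, and the threshold β > p/(1-p) from Proposition 3 is evaluated at the solution.

```python
import math

# ASSUMPTION (not from the paper): breach probability p(c) = exp(-a c), so p' < 0.
def breach_prob(c: float, a: float = 1.0) -> float:
    return math.exp(-a * c)


def breach_prob_deriv(c: float, a: float = 1.0) -> float:
    return -a * math.exp(-a * c)


def parochial_foc(c: float, q: float, beta: float, a: float, L: float) -> float:
    """Left-hand side of the individual-decision FOC in the proof of Proposition 3,
    p'(c) (1 + q (beta - (1+beta) p(c))) + 1/L, at the symmetric equilibrium.
    beta = 0 gives the FOC in the proof of Proposition 1."""
    p = breach_prob(c, a)
    return breach_prob_deriv(c, a) * (1.0 + q * (beta - (1.0 + beta) * p)) + 1.0 / L


def joint_foc(c: float, q: float, beta: float, a: float, L: float) -> float:
    """Joint-decision FOC. For beta = 0 this is the FOC in the proof of Proposition 2;
    the (1+beta) factor is this example's ASSUMED extension to an integrated chain."""
    p = breach_prob(c, a)
    return (1.0 + beta) * breach_prob_deriv(c, a) * (1.0 + q * (1.0 - 2.0 * p)) + 1.0 / L


def solve_investment(q: float, beta: float, a: float = 1.0, L: float = 10.0,
                     joint: bool = False, c_max: float = 100.0, iters: int = 200) -> float:
    """Symmetric equilibrium investment c* found by bisection on the FOC.
    The FOC is negative at c = 0 (more investment still pays) and tends to +1/L
    for large c, so a sign change brackets the interior optimum."""
    foc = joint_foc if joint else parochial_foc
    lo, hi = 0.0, c_max
    if not (foc(lo, q, beta, a, L) < 0.0 < foc(hi, q, beta, a, L)):
        raise ValueError("no interior optimum for these parameters")
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if foc(mid, q, beta, a, L) < 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def integration_threshold(c: float, a: float = 1.0) -> float:
    """Proposition 3: investment rises with q iff beta exceeds p(c*)/(1 - p(c*))."""
    p = breach_prob(c, a)
    return p / (1.0 - p)


def comparative_statics(beta: float, q_low: float = 0.0, q_high: float = 0.8) -> dict:
    """Compare individual (p) and joint (s) investment at two vulnerability levels."""
    c_p_low, c_p_high = solve_investment(q_low, beta), solve_investment(q_high, beta)
    c_s_low, c_s_high = (solve_investment(q_low, beta, joint=True),
                         solve_investment(q_high, beta, joint=True))
    return {
        "beta": beta,
        "tightly_integrated": beta > integration_threshold(c_p_high),
        "c_p": (c_p_low, c_p_high),
        "c_s": (c_s_low, c_s_high),
        "investment_rises_with_q": c_p_high > c_p_low,
        "underinvestment_gap": c_s_high - c_p_high,
    }


if __name__ == "__main__":
    for beta in (0.0, 0.05, 2.0):   # unintegrated, loosely integrated, tightly integrated
        r = comparative_statics(beta)
        print(f"beta={r['beta']:.2f} tight={r['tightly_integrated']} "
              f"c_p={r['c_p'][0]:.3f}->{r['c_p'][1]:.3f} "
              f"c_s={r['c_s'][0]:.3f}->{r['c_s'][1]:.3f} "
              f"rises_with_q={r['investment_rises_with_q']}")
```

With these parameters the q = 0 solution is p(c*) = 1/(aL) = 0.1, so c* = ln 10; raising q to 0.8 lowers c_p at β = 0 and β = 0.05 (both below the threshold p/(1-p) ≈ 0.11), raises it at β = 2, and leaves c_s above c_p in every case, matching Propositions 1 to 4.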
Proposition 5
The liability mechanism with \( A_{1} = \beta L \) and \( A_{2} = (1 + \beta )(1 - p(c_{s}^{*} ))L \) coordinates the supply chain.
Proof Under the proposed penalty structure, the total expected losses to firm 1 is:
which can be written as
Thus the objective of firm 1 is now
So,
Substituting the expressions for \( A_{1} \) and \( A_{2} \) given in the proposition into the above expressions and simplifying, we obtain \( c_{p}^{*} (\beta ,q) = c_{s}^{*} (\beta ,q) \).
Proposition 6
In an integrated supply chain, if firms choose their optimal levels of integration and security investment independently, (i) firms’ security investment is decreasing and the level of integration is increasing in the network vulnerability in a loosely-integrated supply chain, and (ii) firms’ security investment is increasing and the level of integration is decreasing in the network vulnerability in a tightly-integrated supply chain.
Proof (i) Firm i maximizes the following.
The FOCs for the maximization problem are given by the following.
At the symmetric equilibrium, the second order conditions for the maximization are as follows.
where \( A^{*} = \left\{ {\beta_{p}^{*} - (1 + \beta_{p}^{*} )p_{p}^{*} } \right\} \)
Using (A1), we have
Using (A2), we have
Equating (A3) and (A4), we have
Further, using (11), we have \( {\frac{{d\beta_{p}^{*} }}{{dc_{p}^{*} }}} < 0 \). So, if \( \beta_{p}^{*} < {\frac{{p_{p}^{*} }}{{1 - p_{p}^{*} }}} \), then \( {\frac{{d\beta_{p}^{*} }}{dq}} > 0 \).
(ii) The proof is similar to that of (i) and hence omitted.
Proposition 7
In an integrated supply chain, if firms choose their optimal levels of integration and it results in a loosely-integrated supply chain, then firms invest less in security and choose a higher degree of integration when they make investment decisions individually compared to when they make decisions jointly.
Proof From Proposition 6, if \( \beta_{p}^{*} < {\frac{{p_{p}^{*} }}{{1 - p_{p}^{*} }}} \), then \( {\frac{{d\beta_{p}^{*} }}{dq}} > 0 \) and \( {\frac{{dc_{p}^{*} }}{dq}} < 0 \). Using (12) and (13), and following the proof for Proposition 6 for the joint decision, we have \( {\frac{{d\beta_{s}^{*} }}{dq}} < 0 \) and \( {\frac{{dc_{s}^{*} }}{dq}} > 0 \). Since \( c_{p}^{*} = c_{s}^{*} \) and \( \beta_{p}^{*} = \beta_{s}^{*} \) when q = 0, the proposition directly follows.
Proposition 8
The liability mechanism with \( A_{1} = \beta L \) and \( A_{2} = (1 + \beta_{s}^{*} )(1 - p(c_{s}^{*} ))L \) coordinates the supply chain.
Proof Comparing (11) and (13), we observe that if \( c_{p}^{*} = c_{s}^{*} \), then \( \beta_{p}^{*} = \beta_{s}^{*} \). Further, following the proof for Proposition 5, the FOCs when the firms make decisions individually are identical to those when firms make decisions jointly once the liability mechanism is incorporated in firms’ payoff expressions. Consequently, \( c_{p}^{*} = c_{s}^{*} \), and therefore \( \beta_{p}^{*} = \beta_{s}^{*} \), under the proposed liability mechanism.
Cite this article
Bandyopadhyay, T., Jacob, V. & Raghunathan, S. Information security in networked supply chains: impact of network vulnerability and supply chain integration on incentives to invest. Inf Technol Manag 11, 7–23 (2010). https://doi.org/10.1007/s10799-010-0066-1