| Dimension | Items | References | Purpose |
|---|---|---|---|
| SC processes for better information flow | a) Internal information flow; b) Information flow among members; c) Role of the organization within the SC; d) Definition of members and relations. | SCC (2010); Min & Zhou (2002); Gunasekaran et al. (2001); Croom et al. (2000); Christopher (2007); Chen et al. (2013); Ballou (2006) | Identification of the organization's role and of the information that flows within the chain |
| Information to be secured | a) What is the critical information that needs to be secured; b) How information is accessed; c) How information is exchanged among members. | Warren & Hutchinson (2000); Guttman & Roback (1995); Gunasekaran et al. (2004); Gordon et al. (2010); Gomes & Ribeiro (2004); Gaunt (2000); Chen et al. (2013); Bojanc & Jerman-Blažič (2008) | Analysis of how critical information moves between the organizations in the SC |
| Threats and mitigating actions | a) Recognition of threats and their impacts; b) Mitigation actions on Information Systems; c) Mitigation actions on employees; d) Information monitoring. | Warren & Hutchinson (2000); Ten et al. (2008); Patel et al. (2008); Gordon et al. (2015); Gaunt (2000); CERT (2015); Bojanc & Jerman-Blažič (2008); Bojanc et al. (2012); Safa et al. (2016); Huang et al. (2014) | Identification of how organizations understand the threats and of the actions they take to mitigate them |
| Information Security investments | a) To evaluate the impact of threats; b) Specific Information Security budget; c) Investment impact on the organization and SC financial performance. | Warren & Hutchinson (2000); Ten et al. (2008); Huang et al. (2014); Gupta et al. (2006); Gordon & Loeb (2002); Bojanc et al. (2012) | Analysis of how organizations define their Information Security budget |

References

Ballou, R. H. (2006). Gerenciamento da cadeia de suprimentos/logística empresarial (5. ed.). Porto Alegre: Bookman.

Bojanc, R., & Jerman-Blažič, B. (2008). An economic modeling approach to information security risk management. International Journal of Information Management, 28(5), 413-422. http://dx.doi.org/10.1016/j.ijinfomgt.2008.02.002

Bojanc, R., Jerman-Blažič, B., & Tekavčič, M. (2012). Managing the investment in information security technology by use of a quantitative modeling. Information Processing & Management, 48(6), 1031-1052. http://dx.doi.org/10.1016/j.ipm.2012.01.001

Centro de Estudos, Resposta e Tratamento de Incidentes de Segurança no Brasil – CERT. (2015). Retrieved in 2015, April 1, from http://www.cert.br/

Chen, D. Q., Preston, D. S., & Xia, W. (2013). Enhancing hospital supply chain performance: a relational view and empirical test. Journal of Operations Management, 31(6), 391-408. http://dx.doi.org/10.1016/j.jom.2013.07.012

Christopher, M. (2007). Logística e gerenciamento da cadeia de suprimentos: criando redes que agregam valor (2. ed.). São Paulo: Thomson Learning.

Croom, S., Romano, P., & Giannakis, M. (2000). Supply chain management: an analytical framework for critical literature review. Journal of Purchasing and Supply Management, 6(1), 67-83. http://dx.doi.org/10.1016/S0969-7012(99)00030-1

Gaunt, N. (2000). Practical approaches to creating a security culture. International Journal of Medical Informatics, 60(2), 151-157. http://dx.doi.org/10.1016/S1386-5056(00)00115-5. PMid:11154966.

Gomes, C. F. S., & Ribeiro, P. C. C. (2004). Gestão de cadeia de suprimentos integrada à tecnologia da informação. São Paulo: Pioneira Thomson Learning.

Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security, 5(4), 438-457. http://dx.doi.org/10.1145/581271.581274

Gordon, L. A., Loeb, & Sohail (2010). Market value of voluntary disclosures concerning information security. Management Information Systems Quarterly, 34(3), 567-594. http://dx.doi.org/10.2307/25750692

Gordon, L. A., Loeb, M. P., Lucyshyn, W., & Zhou, L. (2015). Externalities and the magnitude of cyber security underinvestment by private sector firms: a modification of the Gordon-Loeb model. Journal of Information Security, 6(1), 24-30. http://dx.doi.org/10.4236/jis.2015.61003

Gunasekaran, A., Patel, C., & Tirtiroglu, E. (2001). Performance measures and metrics in a supply chain environment. International Journal of Operations & Production Management, 21(1-2), 71-87. http://dx.doi.org/10.1108/01443570110358468

Gunasekaran, A., Patel, C., & McGaughey, R. E. (2004). A framework for supply chain performance measurement. International Journal of Production Economics, 87(3), 333-347. http://dx.doi.org/10.1016/j.ijpe.2003.08.003

Gupta, M., Rees, J., Chaturvedi, A., & Chi, J. (2006). Matching information security vulnerabilities to organizational security profiles: a genetic algorithm approach. Decision Support Systems, 41(3), 592-603. http://dx.doi.org/10.1016/j.dss.2004.06.004

Guttman, B., & Roback, E. A. (1995). An introduction to computer security: the NIST handbook. Gaithersburg: National Institute of Standards and Technology.

Huang, C., Behara, R. S., & Goo, J. (2014). Optimal information security investment in a Healthcare Information Exchange: an economic analysis. Decision Support Systems, 61, 1-11. http://dx.doi.org/10.1016/j.dss.2013.10.011

Min, H., & Zhou, G. (2002). Supply chain modeling: past, present and future. Computers & Industrial Engineering, 43(1-2), 231-249. http://dx.doi.org/10.1016/S0360-8352(02)00066-9

Patel, S. C., Graham, J. H., & Ralston, P. A. S. (2008). Quantitatively assessing the vulnerability of critical information systems: a new method for evaluating security enhancements. International Journal of Information Management, 28(6), 483-491. http://dx.doi.org/10.1016/j.ijinfomgt.2008.01.009

Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82. http://dx.doi.org/10.1016/j.cose.2015.10.006

Supply Chain Council – SCC. (2010). Supply Chain Operations Reference (SCOR) model. Texas.

Ten, C.-W., Liu, C.-C., & Manimaran, G. (2008). Vulnerability assessment of cybersecurity for SCADA systems. IEEE Transactions on Power Systems, 23(4), 1836-1846. http://dx.doi.org/10.1109/TPWRS.2008.2002298

Warren, M., & Hutchinson, W. (2000). Cyber attacks against supply chain management systems: a short note. International Journal of Physical Distribution & Logistics Management, 30(7/8), 710-716. http://dx.doi.org/10.1108/09600030010346521