Cyber Risk Management in Supply Chains: Three Essays on Cyber Resilience, Business Continuity, and Information Security

This dissertation provides empirical and theoretical support for the antecedents and consequences of cyber resilience via three essays on cyber resilience. Essay 1 comprises 2 studies using a multi-method empirical research effort to determine whether emphasizing suppliers' implementation and use of business continuity management (S-BCM) is actually beneficial to buyers. In Study 1, data from 150 managers was collected via a survey-based questionnaire to determine whether buyers' adoption of monitoring supplier operational performance (MS-OP) and monitoring S-BCM (MS-BCM) enhances S-BCM implementation and use. Evidence from Study 1 suggests that MS-BCM is more effective than MS-OP. Moreover, the results suggest that while buyer power positively augments the effectiveness of MS-BCM, it actually has a diminishing effect on the effectiveness of MS-OP. Study 2 uses the data of 114 managers from a vignette-based experiment to determine whether S-BCM leads to improved buyer operational and financial performance. Study 2 offers evidence that confirms the positive link between S-BCM and buyer operational and financial performance. The results also suggest that the use of reward power further enhances the association between S-BCM and buyer performance. Using two studies, Essay 2 examines how supply chain power and learning can be related to cyber resilience capability. Study 1 indicated that powerful buyers and supply chain learning from new knowledge contribute to visibility to build cyber resilience while dominant suppliers are reluctant to share information. The results of Study-2 show that supply chain and operations managers believe that companies and their suppliers would have better operational performance if they invest in the accuracy of visibility. Moreover, supply chains properly can avoid, maintain, and recover from cyber disruption when real-time information is available. Essay 3 focuses on the role of downstream complexity along with enterprise resource planning (ERP) in building cyber resilience in supply chains. The results reveal that ERP systems help supply chains to mitigate the negative effect of downstream complexity on the impact of information sharing in a secure system needed to build cyber resilience in times of data breaches and cyber-attacks. Although the use of information technology increases cyber risk, supply chain managers should take advantage of ERP systems to mitigate the negative effect of complexity in supply chain cyber resilience