A Methodology for Cybersecurity Risk Assessment in Supply Chains

Abstract

Supply chain cyberattacks are on the rise as attackers are increasingly exploiting the intricate network of supplier connections between companies. Critical infrastructures too have been successfully targeted using this technique affecting their software and hardware estates, raising serious concerns due to the potential impact on public safety and the proper functioning of countries. This highlights the need to revise cybersecurity risk assessment strategies to stress the focus on threats originating from suppliers. This work proposes a novel supply chain cybersecurity risk assessment tailored for companies with limited cybersecurity expertise and constrained resources to execute risk assessment. Through a set of simple questions, this methodology first captures the perceived likelihood and impact of vulnerabilities and threats that derive from suppliers and target specific organisational assets and then generates cybersecurity risk scores for each relevant threat. A preliminary validation of the methodology is carried out, where generated risk scores are compared to evaluations provided by cybersecurity experts. The results show that the methodology produces risk scores that on average differ by 8% from those deriving from the experts’ assessment, which corroborates the hypothesis that the methodology is reliable even though it does not require detailed information about the suppliers’ cyber posture.

Cite

Gokkaya, B., Aniello, L., Karafili, E., & Halak, B. (2024). A Methodology for Cybersecurity Risk Assessment in Supply Chains. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 14399 LNCS, pp. 26–41). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-54129-2_2
