Design and validation of the Medusa supply chain risk assessment methodology and system

Abstract

Supply chains (SC) can be viewed as complex interconnected systems that play a vital role of the transportation and delivery of goods and services. SC usually involves various critical infrastructures, mainly in the transportation sector and exhibit intra-sector and cross-border dependencies with various business entities. Although efforts have been made to standardise supply chain risk assessment (SCRA) approaches, there is a lack of targeted methodologies. In our previous work (Polemi and Kotzanikolaou, 2015) we have proposed a preliminary version of the Medusa SCRA methodology, compliant with ISO28001. The primary goal of Medusa is to assess the risks of an SC rising from the interconnections and interdependencies between the various entities within it. In this paper, we significantly extend our previous work, in order to define all specific details of the Medusa SC RA, such as estimations of threat levels, consequences, risk scales, cascading risks; generation of a baseline SC security policy and identification of security controls. Furthermore, we validate our methodology based on real case scenarios, derived from the pilot operations of the Medusa project and we provide implementation details of the Medusa collaborative system which hosts the methodology and offers SC RA services to the involved BPs.