A resilience framework for managing cyber risks in digital supply chains in the Norwegian power industry
Original version
Aarland, M. (2024). A resilience framework for managing cyber risks in digital supply chains in the Norwegian power industry [Doctoral Dissertation]. University of Agder.
Abstract
In today’s interconnected society, the complexity of digital supply chains complicates management. These digital supply chains consist of actors interconnected through digital infrastructure to generate value. Digitalisation expands the attack surface by introducing more actors and devices, escalating cyber risks. Due to the characteristics of digital supply chains, managing these risks becomes challenging. Consequently, cyber-attacks can trigger ripple effects throughout the supply chain, leading to significant disruptions in critical infrastructure, such as the power industry.
With its unique characteristics, the Norwegian power industry presents an interesting case for studying cyber risks in digital supply chains. As a highly regulated industry providing a critical service to society, the potential for disruptions constitutes an essential concern. This highlights the role of promoting resilience in digital supply chains. Moreover, the context of Norway, known for its high level of trust, offers an intriguing setting as trust is often exploited in supply chain attacks. Using resilience to promote the management of digital supply chains from handling emerging cyber risks, this dissertation explores the research question: How can the power industry manage evolving cyber risks by promoting resilience in the digital supply chain?
To understand the research phenomenon, this dissertation applies ecosystem theory. This theoretical framework is used to explore resilience and management of cyber risks in digital supply chains. By applying concepts such as collaboration and resilience, this framework contributes to understanding how various actors interact and align their roles to promote resilience in the digital supply chain. To answer the research question, the dissertation employs a qualitative methodology. The research methods include semi-structured interviews, focus group workshops, and system dynamics simulations to gather and analyse data on cyber risk management in digital supply chains. This approach allowed for an in-depth exploration of the challenges and dynamics within the power industry’s digital supply chain, providing valuable insights for developing a resilience framework.
The findings of this dissertation highlight the critical importance of balancing trust and control among actors in the digital supply chain. Introducing the Digital Supply Chain Management Framework, the dissertation proposes a potential solution to managing the cyber risks in the digital supply chain. The framework is presented as a process that underlines adaptation to the dynamics of digital supply chains. This holistic approach integrates cybersecurity, risk management, and supplier relationship management to understand and address cyber risks in digital supply chains.
Altogether, this framework aims to manage cyber risks within the digital supply chain. The dissertation contributes to understanding why cyber risks are challenging to manage, and how the framework should be seen as a continuous process to co-evolve with the digital supply chain. Additionally, this dissertation contributes to literature on digital supply chains and ecosystem theory within the power industry. It offers practical implications for managing cyber risks, provides actionable insights to address real-world challenges, and proposes policy recommendations to promote resilience in digital supply chains.
Has parts
Paper I: Aarland, M. & Gjøsæter, T. (2022). Digital Supply Chain Vulnerabilities in Critical Infrastructure: A Systematic Literature Review on Cybersecurity in the Energy Sector. Proceedings of the International Conference on Information Systems Security and Privacy (ICISSP), 1, 326-333. https://doi.org/10.5220/0010803800003120. Published version. Full-text is available in AURA as a separate file: https://hdl.handle.net/11250/3052765.
Paper II: Aarland, M. & Radianti, J. (Forthcoming). Somebody else’s problem: trust and cyber risks in digital supply chains. Submitted version. Full-text is not available in AURA as a separate file.
Paper III: Aarland, M; Radianti, J & Gjøsæter, T. (2023). Using System Dynamics to Simulate Trust in Digital supply Chain. In J. Radianti, I. Dokas, N. LaLone & D. Khazanchi (Eds.), 20th Global Information Systems for Crisis Response and Management Conference (ISCRAM 2023), pp. 516 - 529. Published version. Full-text is not available in AURA as a separate file.
Paper IV: Aarland, M. (2023). Digital Supply Chain Roles in the Power Industry. In J. Dugdale, T. Gjøsæter & O. Uchida (Eds.). Information Technology in Disaster Risk Reduction : 8th IFIP WG 5.15 International Conference, ITDRR, pp 185–199. Accepted version. Full-text is not available in AURA as a separate file.
Paper V: Aarland, M. (2024). Cybersecurity in digital supply chains in the procurement process: introducing the digital supply chain management framework. Information and Computer Security. Special Issue on “New Frontiers in Information Security Management” https://doi.org/10.1108/ICS-10-2023-0198. Accepted version. Full-text is not available in AURA as a separate file.