Defending digital supply chains: Evidence from a decade-long research program
Technovation (IF 12.5), Pub Date: 2021-09-01, DOI: 10.1016/j.technovation.2021.102380
Sandor Boyson, Thomas M. Corsi, John-Patrick Paraskevas

Digital Supply Chains (DSCs) are highly integrated global internet communities of customers, distributors, producers, and suppliers. DSCs have increasingly incorporated Internet of Things (IoT) innovations such as field sensors and real-time condition monitoring, and have served as effective platforms for IoT technology diffusion. However, as IoT has become more pervasive, pushing the edges of networks further out, new cyber threat windows have opened everywhere. More recently, Cyber-Supply Chain Risk Management (C-SCRM) has emerged as a critical discipline combining expertise from cybersecurity, supply chain management, and enterprise risk management, and designed to stem the proliferation of digital supply chain attacks seeking illicit access to corporate networks for competitive espionage, financial and intellectual property theft, and disruption of operations. Yet to date, there has been little evidence that C-SCRM practices are actually effective in containing all or even some types of breaches. Our decade-long research provides the first statistical analysis of the effects on an organization's breach profile based on the extent of its adoption of policies and practices defined within the U.S. National Institute of Standards and Technology (NIST)'s Cybersecurity Framework, increasingly the de facto global C-SCRM standard. Our analysis determined that there were specific Framework activity areas, and sets of policies/practices within those activity areas, that strongly correlated with more effective control of specific breach types. Our findings lay the foundation for an evidence-based approach to mastering IT network vulnerabilities and defending global digital supply chains.



Updated: 2021-09-01