Who cares? Supply chain managers’ perceptions regarding cyber supply chain risk management in the digital transformation era

1. Introduction

Digital transformation has been in place for years and supply chains have not been exempted from it. Supply chains operate in an increasingly connected environment, based on the collaboration of people, processes and devices. The digitalization of processes, which leads to increasing the exchange of data and information along the supply chain, helped by a massive connectivity level, has led to the rise of the “cyber supply chain, a supply chain enhanced by cyber-based technologies to establish an effective value chain” (Kim and Im, 2014).

Although greater sharing of information and greater availability of data are positive elements (Colicchia et al., 2019), they conceal risks that cannot be overlooked. Warren and Hutchinson (2000) noticed for the first time that this is a supply chain issue. Supply chains are frequent targets because a weak link in an integrated system can grant hackers access to every company’s data. In these cases, attacks are carried out on the third-party business, which is deemed to have the weakest internal security measures in place. After a single member’s security protocols are proven to be weak, this weakness is spread to every partner in the supply chain (Momoh, 2016).

Cyber and information risks in supply chains are becoming more and more evident due to the attacks that have resonated globally. A notorious example is the cyber-attack at the Port of Antwerp in Belgium, which took place for over two years, starting in 2011. A trafficking group hid drugs amidst legitimate cargo. They used hackers to infiltrate computer networks in several companies operating at the port. In this way, they had access to sensitive data, such as the location and destination of containers, allowing them to send in corrupted drivers to steal the illegal load before the genuine owner could arrive (Bateman, 2013). More recent examples include the WannaCry attack in 2017, carried out through ransomware that hit several companies, including the car manufacturer Renault, the UK National Health Service, the Russian Interior Ministry and the express courier FedEx. The most interesting victim of this attack from a supply chain perspective was FedEx, which saw the entire TNT Express division inactive for weeks. Due to the blocking of all computers, the company was no longer able to exchange information or access data stored internally. Therefore, it was no longer able to ship cargoes. The companies that relied on this organization for the delivery of their products found themselves in an unexpected difficulty and had to find alternative solutions to reduce inconvenience to their customers in the form of missed deliveries and delays. After an initial estimate made in September 2017, the impact was deemed to cost up to $300m (Bloomberg.com, 2017).

The growth of these cyber-related issues is shaping the agenda of the top managers of companies around the globe; cyber risks and related attacks on information and data in the supply chain are seen as the top threats of the near future and the years to come (BCI, 2019). This has led the European Union to react with the introduction of the General Data Protection Regulation (GDPR), which has been in force since May 2018 and requires that worldwide organizations adopt security countermeasures. However, it seems that companies tend to adopt security measures, especially of information technology (IT) nature, that are mostly aimed at “firewalling themselves”, but not their supply chain (Colicchia et al., 2019). It also seems that cyber risks are dealt with from a technical perspective (Gaudenzi and Siciliano, 2017) within individual organizations (Biener et al., 2015).

In this landscape, a relatively large amount of scientific and practitioners’ contributions focused on the countermeasures that can be adopted by an organization in terms of IT security and cyber resilience in the supply chain (Eling and Wirfs, 2019). These contributions mainly examine the strengths and weaknesses of cyber risk and security initiatives, especially the ones that deal with the IT domain. Consequently, it appears that the industrial and scientific communities are concentrated on trying to make sense of “what can be done” to deal with cyber and information risks in the supply chain, particularly at the IT security level within the boundaries of the single organizations, without focusing first on the elements constituting a supply chain security strategy. Developing a fully integrated strategic approach to cyber risk is fundamental to supply chains and to think about how to address cyber risk at the end of the strategic process is simply too late in a cyber supply chain management process (Pandey et al., 2020). These elements also constitute the pillars for creating alignment in the supply chain regarding what kind of policies, actions and initiatives should be undertaken to secure the entire supply chain, rather than protecting only single organizations, which by themselves can become individual points of failure in cyberspace. Alignment, in fact, is essential to steering a supply chain towards the same objective by ultimately heading in the same direction with all partners (Gattorna and Jones, 1998). This concept applies to risk management as well and it is essential for achieving a better level of resilience through the cyber supply chain risk management (CSCRM) process (Colicchia et al., 2019). To achieve alignment in the CSCRM process, consensus on objectives should be reached among the players operating in the supply chain to integrate the design of shared security strategies (Radanliev et al., 2020) and perceptions related to the security needs are to be understood. In fact, perception plays a paramount role in shaping the policies and actions undertaken by organizations when cyber and information risks are considered (Gaudenzi and Siciliano, 2017). Besides, it can also affect the evaluation of risks by the players operating in a supply chain and, consequently, influence the level of investment in CSCRM measures. In fact, companies work in asymmetric environments, where not all the organizations involved in a supply chain make the same decisions (Ezhei and Tork Ladani, 2018). Asymmetric environments generate externalities that can affect the level of investment in cyber security, potentially leading to underinvestment or overinvestment and contributing to investment inefficiency in the supply chain (Li and Xu, 2020). Externalities are thus connected to potential misalignments in how cyber security is approached by the different organizations operating in the supply chain. Consequently, aligning perceptions and related actions in a supply chain can lead to the achievement of the so-called cyber supply chain balanced resilience (Colicchia et al., 2019), to minimize the investment inefficiency and lead to better resilience of the overall supply chain.

Notwithstanding the relevance of the concepts described above, the existing literature seems to have given more attention to technical aspects (data, application and networks) of single enterprises rather than to organizational aspects of the CSCRM process across the supply chain, including human elements (Ghadge et al., 2020). Moreover, the literature appears to be scattered and covers an extensive range of topics and fields, without a holistic view that enables those coordination mechanisms that allow supply chain partners to adopt an end-to-end approach beyond the dyad (Colicchia et al., 2019). There is a narrow focus on the supply chain perspective, and specifically on cyber risks and countermeasures related to inbound and outbound supply chain contexts (Pandey et al., 2020). Although the literature acknowledges the need to address the highlighted research concerns, recent contributions have focused on the exploration of cyber risks and initiatives in the supply chain in small samples of companies working in different supply chains, without examining the factors leading to adopting those initiatives (Colicchia et al., 2019). Also, previous literature did not extend this type of investigation to global players in different supply chains (Pandey et al., 2020) or carried out vertical studies. Existing research present reviews on the constituents of cyber supply chain risk, identifying the main elements and trends, but without an empirical investigation (Ghadge et al., 2020); or studies the mechanisms of externalities in cyber security and how to tackle them through opportune mechanisms but do not explore how these externalities are generated in the supply chain (Li and Xu, 2020); or again focuses on the data management level only, by devising a new approach for cognitive data analytics to create stronger resilience (Radanliev et al., 2020). To the best of the authors’ knowledge, the current literature is scant of explorations of perceptions across the supply chain about the fundamental elements of CSCRM and connected level of alignment, and equally a vertical study focused on CSCRM along a supply chain does not yet exist. Moreover, empirical data on CSCRM along a whole supply chain are not available.

Given this background, our paper aims at investigating the perceptions of companies about CSCRM and the related level of alignment across a supply chain. The goal is to help organizations operating in a supply chain to understand how they can deploy a cyber security strategy that goes beyond the technical side, the internal side of single companies and beyond the dyad, to create a better alignment that can ultimately lead to better cyber supply chain resilience.

We aim to achieve the objective of our research by providing an answer to the following research questions:

To answer the research questions of the study, we perform a vertical analysis of a specific supply chain, following suggestions from the literature, which calls for this kind of investigation (Colicchia et al., 2019).

Given its importance in terms of amounts of goods moved, the information generated and data exchanged along its supply chain, we examine the fast-moving consumer goods (FMCG) sector. We conduct an exploratory survey that studies the perceptions of supply chain managers regarding the elements of CSCRM. The managers surveyed operate in the three main stages of a generic FMCG supply chain, i.e. Manufacturers, Logistics Service Providers and Retailers. This allows for exploring the perceptions along the supply chain and for generating insights for the achievement of a more aligned CSCRM process that moves towards better resilience and cyber supply chain balanced resilience.

The remainder of the paper is organized as follows: Section 2 presents an overview of the literature on CSCRM and highlights some research gaps; Section 3 presents the research methodology adopted in this work; Section 4 describes the results from the empirical investigation carried out; Section 5 discusses the findings of the analysis; Section 6 presents the conclusion.

2. Theoretical background

To support the achievement of the objective of the present study, a literature review on the concept of CSCRM has been carried out. This has been done to unveil, understand and isolate the principal elements of CSCRM, which will be the object of the present investigation. To better support the analysis of perceptions of cyber and information risk by managers, specific literature focused on this theme has also been scrutinized.

CSCRM, according to Boyson (2014), is a construct that includes “the strategy and initiatives focusing on the assessment and mitigation of cyber and information risks across the end-to-end operations of a supply chain”. Compared to the usual approach to information risk management, CSCRM implies that a more holistic approach is adopted to combine processes, people and technology to take into account a “relationship dimension” (Spekman and Davis, 2004). The relationship dimension is aimed at allowing for a superior level of integration among supply chain partners. Integration should allow for going beyond the dyad to overcome the limitations of a focus on single points of the interface along the supply chain. The purpose of CSCRM is to extend control on cyber risks across the end-to-end supply chain in a fashion that enables a continuously adaptive capacity. According to the theory on CSCRM, a holistic approach is expected to lead to better cyber resilience. More in general, supply chain resilience can be achieved through the identification of a suitable fit between the riskiness of a company’s supply chain and the related level of preparedness to manage risks. This “right fit” is then applied to the decisions to make appropriate investments in supply chain risk management initiatives that could cope with the identified level of risk. Pettit et al. (2013) define this fit as “balanced resilience”. According to Gualandris and Kalchschmidt (2015), the concept of balanced resilience represents:

the match between the level of riskiness of a certain supply chain configuration and the related amount of investment in the supply chain risk management process, appropriate to adequately confront that level of riskiness and to continuously adapt to changes

Colicchia et al. (2019) extend the concept of balanced resilience to cyber risks and, as a result, they propose the concept of “cyber supply chain balanced resilience”. To achieve cyber supply chain balanced resilience, the fit between the level of cyber risk in the supply chain and the consequent actions and initiatives to be undertaken needs to be grounded on the evaluation of the level of riskiness and the needs for protection along the entire supply chain and not only in the focal company. Hence, it appears that the set of perceptions that decision makers hold constitutes the basis of that fit leading to enhanced balanced resilience.

Having a good understanding of risk is essential to supporting managers in making the right decisions and adopting appropriate security measures (Volpentesta et al., 2011). However, the ability of humans to make objective estimations about risk and events that might happen in the future, basing their judgement on what happened in the past, is limited (Bernstein, 1996). This becomes of particular relevance if we take into account the two dimensions composing the concept of risk, i.e. probability and impact on business (March and Shapira, 1987). The existing literature has attempted to support decision makers in the assessment of the two dimensions of risk, by providing semi-subjective guidelines to assist in the definition of the “values” of probability and impact in the context of risk. Hallikas et al. (2004) proposed an impact assessment scale that spans from “no impact” when the consequences of a risk event are “insignificant in terms of the whole company” to “catastrophic impact” when the consequences of a risk event are able to “discontinue business”. Similarly, they also proposed a probability assessment scale that spans from “very unlikely” in the presence of a “very rare event” to “very probable” in the presence of an “event that recurs frequently”. These semi-subjective estimates have been combined in risk assessment matrixes to support decision makers in a structured and replicable way (Wieland, 2013). However, still much is left to individuals’ viewpoints in relation to the organization in which they work and the sector in which their company operates. These limitations also apply to the case of attempts to quantitatively estimate the impacts of a multitude of (though partially connected) drivers of risk, particularly “when there is no way to rely on a real baseline” (Alter and Sherer, 2004). As a consequence, even though decisions and initiatives related to information security are supposed to be based on structured techniques and methods to assess cyber and information risk assessment, these decisions and initiatives seem to be the result of the perception security managers have of information risk, i.e. a personal estimation of the likelihood that a certain type of incident may happen and how they think this affects information systems in terms of the magnitude of its effects (Volpentesta et al., 2011). Individuals are inclined to rely on their perception of risks, that is, on their confidence about the existence of certain sources of risk and their own belief that certain incidents and negative impacts will manifest themselves.

If risk perception seems to be a subjective measure that affects the set of decisions taken by decision makers in terms of risk mitigation actions, subjectivity might be of paramount importance when the effect of decisions taken in a certain stage of a chain of supply spans across multiple stages (Gaudenzi and Siciliano, 2017). Having different perceptions potentially leads to misalignment in the supply chain, which causes a decrease in the overall supply chain performance (Gattorna and Jones, 1998); this concept also applies to risk management, when different approaches or decisions about initiatives are taken for managing (cyber) risks in the supply chain by different players in different stages, with negative effects on the overall level of resilience (Colicchia et al., 2019). In other words, alignment of perceptions along the supply chain could lead to the undertaking of CSCRM actions that veer towards the attainment of improved resilience and cyber supply chain balanced resilience. This idea is closely connected to the principles of the protection motivation theory (Rogers, 1983), which deals with predicting an individual’s intention to engage in protective actions based on his/her appraisal of the threats and of his/her capability to cope with those threats (Anderson and Agarwal, 2010).

According to this view, it is essential to take into account the elements to be appraised in terms of threats and in terms of actions to cope with risk because, as previously discussed, they constitute the foundations and backbone of any security policy. Alignment among the players of the supply chain regarding the various elements that make up the CSCRM process, in this sense, could help in conducting consistent appraisals across the supply chain. In the least, it could provide a broader view of the threats that can span the various stages of the chain of supply. In this way, measures could be taken that adequately cope with those threats at a supply chain level. The elements composing the CSCRM process to be appraised in terms of perceptions of the players operating in the supply chain have been examined and classified by the existing literature and they have been condensed into a set of constituents. More specifically, scientific contributions such as Ghadge et al. (2020) and Colicchia et al. (2019) propose the following set of elements: cyber risks in supply chains, sources of risks, responsibility and ownership of the CSCRM process, information exchanged in the supply chain and countermeasures and initiatives to manage cyber risks in the supply chain.

Table 1 presents a list of the main contributions on the investigated topic that have been analysed and classified, according to the abovementioned elements of the CSCRM process, through the concept-based structure proposed by Webster and Watson (2002). Overall, no contributions focus on all the CSCRM elements in an integrated way, which is fundamental to support the development of an effective and fully strategic approach to CSCRM (Pandey et al., 2020). Among the elements, much of the focus for research still appears to be on cyber risks, sources of cyber risks and measures to tackle them. Previous contributions mainly present conceptual frameworks without empirical data (Boyson, 2014; Radanliev et al., 2020), investigations with illustrative cases or on companies working in different supply chains (Urciuoli and Hintsa, 2017; Pandey et al., 2020) or modelling efforts on specific issues or risk events (Deane et al., 2009; Li and Xu, 2020). The only contributions on the evaluation of perceptions within the investigated field focus either on the effect of incident awareness on information security policies (Volpentesta et al., 2011) or on perceptions of risks and IT interventions (Gaudenzi and Siciliano, 2017) – but without embracing cyber risks according to a supply chain perspective. Also, previous contributions predominantly focus on the technical aspects of single organizations. The nexus between technical aspects and organizational ones, in terms of perceptions, responsibility, type of information shared and countermeasures directed at the backbone of supply chains, i.e. employees, along with empirical data on a whole supply chain is critical to adopt an end-to-end approach that goes beyond the dyad (Smith et al., 2007; Ghadge et al., 2020). Given that the overview of the literature confirms the absence of contributions able to address this nexus, we developed our research building on the contributions included in Table 1.

The elements composing the CSCRM process are defined and classified according to different taxonomies and categories as reported below. In our endeavour, we will take into consideration a combination of the various approaches that merge the different viewpoints to provide a holistic view of the CSCRM process.

3. Methodology

Given the objective and the research questions of the present study and the identified research gaps, we decided to develop a quantitative study through a survey built upon the existing exploratory research on CSCRM. This approach based on exploratory research is consistent with several studies published in the literature that deal with supply chain contexts (Croom, 2005) or cutting-edge supply chain issues (Van Hoek, 2019).

As previously mentioned, the existing literature calls for further analysis of the management of CSCRM to collect empirical data, especially concerning vertical studies that concentrate on and examine a specific supply chain or sector (Colicchia et al., 2019). This would allow for overcoming the limitations of dyadic studies and to better understand the specific mechanisms of a certain supply chain. In addition, differences among industries make it sensible to concentrate on a particular industry at a time (Thun and Hoenig, 2011). For these reasons, in this study, we focus on a specific sector, specifically the FMCG industry in Italy. We decided to study this industry because it relies heavily on information sharing and is one of the main contributors to the gross domestic product of all countries. Also, the retail sector is among the top three in which cybercrime is spreading more rapidly. This sector shows a growing trend in IT violations, exceeded only by the health care industry (Clusit, 2017). The FMCG sector has considerably raised the attention of consumers and policymakers because it is vital for providing essential products at high quality and low cost (Bourlakis and Weightman, 2004). Increased competition creates considerable pressure on FMCG retailers to reduce costs and improve service levels at the same time (Fernie and Sparks, 2014). This is particularly challenging in the FMCG context because in the past few years consumers have expressed a clear demand for a higher service level, which has inevitably led to more frequent deliveries and smaller delivery batches, with resulting fragmentation of logistics flows (Fernie and Sparks, 2014). In turn, this has led to a dramatic growth of the quantity of data exchanged in cyber space and to an increase in the number of cyber violations. The Italian FMCG sector represents an appropriate context to be investigated given its international relevance. The Italian FMCG industry is placed among the top four markets in Europe for logistics flows and generated turnover, and it is one of the fastest-growing sectors across Europe, after Spain in 2016 (Nielsen, 2016). It is characterized by a level of fragmentation higher than other European markets, such as France, the UK, Spain and Germany (Fornari et al., 2013). In this sector, it is possible to isolate a few major retailers that hold the majority of market shares, as seen in other principal European markets (source: Nielsen, 2019). Similarly to what has happened across Europe, over the past few decades the Italian FMCG supply chain has gone through a deep transformation, leading to the adoption of the principles of efficient consumer response (ECR) and IT technologies, such as electronic data interchange systems, along with tools for exchanging data and information over the internet.

We built our sample for our research according to the principles proposed by Punch (1998) when conducting an exploratory study. Firstly, we wanted to access as many organizations as possible in a reasonable timescale. Consistent with the scope and aim of our research, the names of the target organizations were retrieved from the database of the most important FMCG trade association in Italy, i.e. Indicod-ECR GS1 Italy (available at: https://gs1it.org/) and from the database of the most important trade association for logistics in Italy, i.e. Assologistica (available at: www.assologistica.it – focusing on those logistics providers operating in the FMCG sector). The questionnaire was distributed to 524 companies, with the following representation: 321 manufacturers, 134 logistics service providers and 69 retailers. Secondly, the authors’ aim was not to make substantial claims in the first instance about the generalizability of the sample, as suggested by Croom (2005).

Managers in charge of supply chain management or logistics are chosen as potential respondents for this survey as they are expected to be the most appropriate professionals that can provide a supply chain perspective to the analysis and to overcome the traditional silo approach that IT departments have in the management of cyber and information risks in the supply chain. Consequently, their perception is deemed to be very significant to this aim. Similar to Tsai et al. (2008) and Golgeci and Ponomarov (2013), we selected participants in such a way so that they can offer global insights and comprehensive perception. A minimum working experience of five years in the industry at the middle to senior management level was consequently included as a further respondent selection criterion as we thought that having already experienced the supply chain mechanisms and challenges of the sector would provide a better level of understanding and a more pertinent perception of risks.

After contacting the organizations included in the sample database, 112 full questionnaires were returned and this constitutes the database of the final sample analysed, representing 21.4% of the overall target population. According to exploratory studies, such as the one presented by Croom (2005), this response rate provides a sufficiently significant sample to draw some insights about the study's representativeness.

Consistently with the adopted research methodology, we designed our data collection instrument in the form of a survey questionnaire. The questionnaire was developed with the aim to allow the collection of data able to provide an answer to the research questions of the study. As the research questions aim to investigate the elements composing the managerial construct of CSCRM and the related perceptions of supply chain managers, we decided to rely on the outcomes of the literature review as building blocks for the survey questionnaire. In particular, we referred to the work by Ghadge et al. (2020) and main related literature contributions for exploring the constituents of the “sources of cyber risk” element and the constituents of the “measures to manage cyber risk” element. This work was complemented by the taxonomies presented by Colicchia et al. (2019) and main related literature contributions, which were used also for exploring the constituents of the “ownership of the CSCRM process” element along with the constituents of the “cyber and information risks” element (in terms of probability and impact of risks – which we further complemented by newly developing a set of items to ascertain the occurrence of those risks). Finally, we relied on the work by Lee and Whang (2000) and Lotfi et al. (2013) for deriving the constituents of the “categories of information shared in the supply chain” element. Appendix reports the questions composing our data collection instruments along with the linked theoretical underpinnings. The resulting questionnaire consisted of six different sections, which asked for information regarding the demographics of the respondents and related companies (to generate the groups of respondents composing the FMCG supply chain and empower the evaluations of the alignment of their perceptions), as well as the key elements of CSCRM previously described in the literature review (i.e. cyber risks, sources of risks, ownership of the CSCRM process, information exchanged in the supply chain, measures to manage cyber risks). The questions were measured by five-point Likert scales, ranging from “very relevant” to “not relevant”, from “low impact” to “very high impact” (according to the assessment scale presented by Hallikas et al., 2004) or from “very low probability” to “very high probability” (according to the assessment scale presented by Hallikas et al., 2004). In this way, we ensured that the data collection instrument was capable of providing an answer to the research questions, i.e. assessing the perception of importance about the elements of CSCRM and evaluating the alignment of the recorded perceptions, based on the scores assigned by the respondents. The questionnaire was pre-tested in panel sessions with a sample of 10 senior academics and 13 industry professionals. The industry professionals were represented by supply chain managers and IT managers and Chief Information Officers, to ascertain that the “IT side” of the questions was also sufficiently precise and compliant with the technicalities. The panel members provided valuable comments and feedback that were incorporated into the final version of the survey questionnaire. It is worthwhile underlining that none of the panel members (industry professionals or academics) took part in the actual survey. We also conducted a pilot study before administering the questionnaire to the entire sample. The pilot study aimed to cross-verify the content, architecture and nature of the questions and enhance its validity (Mitchell, 1996). The pilot study was carried out through the administration of the questionnaire to 10 organizations. The collected responses and related data are not included in this paper as the pilot phase was undertaken with the aim to refine and validate the research instrument rather than to collect field evidence.

Given the objective of this study, which intends to examine the perceptions of supply chain managers operating in the FMCG supply chain, we decided to rely on a data analysis tool that allows for investigating differences among groups of data (Bourlakis et al., 2014). For this reason, we decided to analyse the responses to our survey questionnaire through a one-way analysis of variance (ANOVA), carried out with the precise aim to assess the differences in the responses obtained from the various categories of respondents in the FMCG supply chain, as indicated above (Manufacturers, Logistics Service Providers and Retailers). ANOVA is a well-established statistical method which complies with our research requirements and that has been adopted in many scientific contributions focused on the analysis of supply chains (Greer and Ford, 2009 and Lai et al., 2004). This method implies that a set of tests are performed on the variance of a population and the variability of results is scrutinized with reference to differences between groups (Dobroszek, 2020). The one-way ANOVA served to compare averages in groups and it was used to test the relevance of variations in the perceptions about CSCRM of the surveyed supply chain managers. As it is customary in similar studies (Zhu et al., 2007; Bourlakis et al., 2014), we adopted a p-value equal to 0.05 as a threshold for discriminating the statistical significance of differences in the responses among the groups of respondents in our survey (Manufacturers, Logistics Service Providers and Retailers). For each item composing our measurement scale (i.e. our questionnaire), we studied the mean value and the standard deviation value of the responses, subdivided in the three groups of supply chain players of the FMCG sector. We performed the ANOVA test to derive the F-statistics value, which, with a significance level of 5%, was compared to the value of F-crit. If the F-statistics value was higher than the F-crit value and the p-value was lower than 5%, then the null hypothesis (i.e. data from all groups are characterized by the same stochastic distribution) was rejected and significant differences among the groups of respondents were detected. Otherwise, no significant difference in the perception of supply chain managers was recorded. Based on the outcomes of the ANOVA tests, carried out for each item of the survey questionnaire, considerations on the level of alignment of perceptions about CSCRM across the FMCG supply chains were drawn, discussed and interpreted.

4. Results from the survey study

In the present section, the results of the survey study on the selected sample of companies operating in the FMCG supply chain in Italy are shown. The items analysed regard the main components of the CSCRM process, as outlined in the literature review.

5. Discussion

An overview of our survey results allows for generating interesting insights on the main dimensions of the analysis carried out, as shown in Table 8, which reports in an aggregated fashion the results of the survey and qualitatively classifies them to elaborate and interpret the outcomes of the analysis.

First of all, by looking at the perceived relevance of the different elements composing CSCRM across the whole sample, it appears that our respondents confirm the significance of the investigated topic (i.e. no element has been assigned an overall low value of relevance). It is interesting to note that among the elements, high relevance is assigned to initiatives and countermeasures and medium-high relevance to the involved business departments, impacts of risk events and information shared: this shows that respondents think that taking actions towards CSCRM is essential to secure the information shared across the supply chain and that this should involve the business departments within the organization to confront the effects that risk events can have on business operations. In terms of alignment of perceptions, also, in this case, an overall medium-high level of alignment is confirmed by the responses across the whole sample and for all the CSCRM elements. However, the only elements that show a medium level of alignment are related to information shared and to initiatives and countermeasures. This suggests that, notwithstanding the strong perception of the sample about these elements in terms of relevance, some items are perceived differently by the groups of respondents (i.e. Manufacturers, Logistics Service Providers and Retailers).

More in details, as far as the perceptions of risk events are concerned, it appears that impacts on business are seen as more relevant than probability, which confirms the empirical evidence discussed by Colicchia et al. (2019). Even though all categories of players in the FMCG supply chain reported a similar occurrence of the different investigated risk events and related incidents, it seems that Logistics Service Providers have a broader perception of the risk events compared to Manufacturers and Retailers. Their focus spans in a way that appears to combine Manufacturers’ and Retailers’ attitudes towards risk – see also Figure 1, where the bubbles in the Logistics Service Providers’ chart are spread across the area from left to right. In contrast, the charts of Manufacturers and Retailers show more concentrated bubbles. The concurrent examination of the perception of the impact of the risk events along with their probability and the actual occurrence of those events also raises the important concern related to the effect of incident awareness on the perception of risk, something that has been widely discussed in the literature. For example, Volpentesta et al. (2011) discuss the positive impact for organizations of incident reporting to generate widespread awareness in their employees, which can affect perceptions and, in turn, drive more coordinated actions in terms of information security policies and strategies. Our analysis seems to confirm the link between occurrence and perception, as it appears that those risks with higher occurrence are perceived more vividly compared to other risk with lower values of occurrence and this might be due also to the way incidents are reported within single organizations but also across the supply chain. It seems that little awareness leads to underestimating the importance of risk events (and the other way around). This leads to inferring that there should be a clear policy regarding incident reporting and management to build a correct level of awareness on cyber threats and risk events in organizations, which is consistent with the findings of Volpentesta et al. (2011). Other authors refer to this as “shared knowledge” or “mutually created knowledge” (Tao et al., 2016; Scholten and Schilder, 2015), and this “knowledge” becomes more and more effective in building resilience when widely shared not only across the departments of the single organizations but along the whole chain of supply (Radanliev et al., 2020).

As far as the sources of risk are concerned, it is interesting to note that the so-called “human factor” is seen as one of the predominant threats to cyber security in supply chains and this is in line with previous literature (Ghadge et al., 2020). Surprisingly, if looked at concurrently with the perception of the other elements of CSCRM that regard human resources within the business operations, as it will be discussed in the following paragraphs, departments and initiatives related to human resources are perceived as less important compared to other items of the same categories. It appears that all groups of players of the FMCG supply chain give smaller importance to those countermeasures aimed at dealing with the human factor as a source of risk and this is something that seems contradictory and which companies should address, as suggested by the existing literature (Smith et al., 2007; Boyson, 2014; Windelberg, 2016). It also seems that Logistics Service Providers are more concerned about technical problems that could undermine the continuity of their business operations – a fear that is consistent with their role as a critical link in the FMCG supply chain between Manufacturers and Retailers.

As far as the ownership of the CSCRM process is concerned, it appears that, from an overall perspective, the medium-high scores assigned to the majority of the business departments indicate that respondents recognize the importance of involving different business departments in the CSCRM process, in line with the literature (Trombley, 2015; Boone, 2017). Existing studies suggest that CSCRM should be organization-wide and not “silo-focused”. However, our results show that the IT department emerges as the owner of the process according to all categories of players. This is something that one could expect, but it looks in contrast with the literature that suggests that cyber security should be led from the top (Boone, 2017). A striking finding is that the human resources department is at the bottom of the list and this again shows a contradiction in terms of approach to the “human factor” in the CSCRM process: if this is perceived as one of the most critical sources of risk, then the department dealing with human resources should be involved much more in the CSCRM process and the perception of its relevance should be stronger. Likewise, the supply chain department is not perceived as one of the top departments that should own or lead the CSCRM process for driving a supply chain view into the CSCRM process – so that the other involved departments could benefit from a perspective that goes beyond the boundaries of the organization and desirably beyond the dyad or Tier 1.

The concurrent view of the perception of the level of criticality of the different categories of information shared across a supply chain shows a certain degree of awareness that protecting the whole range of information shared across the supply chain is critical, as demonstrated by the scores assigned by our respondents (Tables 7 and 9). This seems in contrast with the existing literature, which posits that information leakages are not perceived as a security risk by organizations (Tran et al., 2016). As it emerges from Table 7, while all the respondents recognize the relevance of some information (e.g. invoices), it seems that different groups of respondents focus on different categories of information shared, and in particular, on those types of information that are more specific and critical for their stage of the supply chain and the continuity of their business operations: Manufacturers focus on sales, invoices and master data; Logistics Service Providers put transport data in the first place, but they also give a balanced level of weight to the majority of the information exchanged; Retailers, instead, seem to focus more on the downstream side of the supply chain and related exchanged data, including discounts and promotional plans and inventory. So, once more, it appears that Logistics Service Providers can play a role as a bridge connecting the views of Manufacturers and Retailers. This is in line with previous literature, which affirms that Logistics Service Providers are in the middle of relationships among the partners of a supply chain and they can foster collaboration across the supply chain (Zacharia et al., 2011; Sanchez Rodrigues et al., 2015). However, this view has not been applied to the context of supply chain risk management or CSCRM yet. Furthermore, our results suggest that the role of Logistics Service Providers can be critical not only for promoting collaboration but also for driving alignment for a consistent approach to CSCRM across the supply chain – eventually contributing to coordinated investments in information security in a networked environment (Bandyopadhyay et al., 2010; Li and Xu, 2020).

As far as the countermeasures to mitigating cyber risks are concerned, Table 9 reports an overall high level of relevance assigned to the set of initiatives but a medium level of alignment of the respondents’ perceptions related to them. Also, in this case, the collected evidence seems to indicate that, while there is an overall awareness of the importance of taking actions to tackle cyber risks, Retailers have a generally weaker perception about the countermeasures (Table 8). This is probably due to their position in the supply chain: the literature affirms that a large number of players in the upstream side of their supply chain makes it complicated to implement measures other than internal actions on the internal IT and organizational sides (Colicchia et al., 2019). Instead, it emerges that Logistics Service Providers perceive protection initiatives as potential tools to drive supply chain actions given the level of importance allocated to those initiatives that go beyond the boundaries of the single organizations. This constitutes interesting evidence as the literature has found that organizations are usually more concentrated on those actions that instead seldom go beyond the focal firm or the dyad in the best case (Colicchia et al., 2019). Perceiving those initiatives as very important shows a significant level of awareness by Logistics Service Providers about the necessity to go beyond the traditional view of risk management as a “business-related” process rather than as a “supply chain” issue. If we analyse the countermeasures according to the taxonomy presented by Ghadge et al. (2020), which distinguishes among pre-, trans- and post-attack countermeasures, it appears that the level of importance given to the different initiatives does not depend on the time phase of the actions themselves. Our respondents have allocated considerable relevance to pre-attack but also trans- and post-attack measures, assigning high scores to the perception of their importance. On the contrary, the literature shows little focus on the trans-, and especially the post-attack, actions, while a better balance of proactive and reactive approaches to CSCRM would be opportune (Ghadge et al., 2020). Eventually, this could also lead to better resilience in terms of preparedness and the ability to respond and maintain (Ribeiro and Barbosa-Povoa, 2018). Looking at the categories of actors in the FMCG supply chain, but taking for granted the importance allocated to those actions that fall in the category of IT technical initiatives, it seems that Logistics Service Providers are even more inclined towards a balance of proactive and reactive measures compared to Manufacturers and Retailers, especially as far as business continuity and event management actions are concerned. This leads to inferring that Logistics Service Providers could play an important role in the FMCG supply chain in promoting the adoption of initiatives for a proactive and reactive approach to CSCRM across the supply chain.

As discussed, it seems that, overall, a certain level of alignment of the perception about the elements composing the CSCRM process among the various actors of the FMCG supply chain exists, especially as far as the “classical” technical issues and actions are concerned. All the actors, in fact, seem to allocate a high level of importance to those elements. Instead, a certain misalignment seems to exist when the data exchanged in a supply chain is regarded. In this case, it appears that Manufacturers and Retailers are more focused on their domain rather than on the supply chain. On the contrary, it seems that Logistics Service Providers can overcome this limitation and have a broader perception of the risks, sources of risks and criticality of information and data exchanged that span across the different stages of the supply chain. This is also reflected in their attitude towards the various initiatives and countermeasures. While the technical area is still regarded as important, it seems that Logistics Service Providers emphasize the importance of external initiatives and initiatives that can balance proactive and reactive approaches to CSCRM. Consequently, it seems that the Logistics Service Providers could be promoters of a stronger supply chain approach to CSCRM in the FMCG industry. They could further improve the level of awareness of cyber risks across the whole chain (Volpentesta et al., 2011; Linton et al., 2014), with the creation of a common basis of shared knowledge that could also help in evaluating the level of riskiness of the supply chain (Colicchia et al., 2019). In fact, according to the literature, it is important to have a coordinated approach to information sharing and information security across the supply chain, otherwise, the benefits of collaboration will be outweighed by the detrimental effect of misalignment in the protection initiatives (Bandyopadhyay et al., 2010). As coordination can be challenging across the supply chain, a pivotal role would help drive alignment, coordination and integration for cyber resilience. The Logistics Service Providers could be the pivot of this process, leading to joint decisions and better coordination in the investments to be made in terms of cyber security, according to the literature (Li and Xu, 2020). This is also in line with the role of Logistics Service Providers in fostering collaboration across the supply chain, which has been recognized by previous research on supply chain collaboration initiatives (Zacharia et al., 2011; Sanchez Rodrigues et al., 2015). This pivotal role in driving alignment across the supply chain would allow for conducting appraisals to devise consistent security policies and CSCRM measures towards achieving the cyber supply chain balanced resilience (Gualandris and Kalchschmidt, 2015; Colicchia et al., 2019).

6. Conclusions

In the present paper, we conducted an empirical analysis focused on the perception of supply chain managers working in the FMCG supply chain about the items composing the CSCRM process. This analysis aimed to shed light on the level of alignment of perception regarding CSCRM to understand what kind of policies, actions and initiatives should be undertaken to secure the entire supply chain, rather than just the single organizations. In doing this, we carried out an exploratory survey in the Italian FMCG supply chain.

As mentioned in the discussion of our findings, the outcomes of the survey allow understanding the perceptions of supply chain managers about the elements of CSCRM and the numerical results highlight those elements being perceived as the most important/relevant. In this way, we succeeded in providing an answer to RQ1 (How relevant are the elements of CSCRM perceived by companies in a supply chain?). In doing this, we have segmented our analysis based on the groups of respondents identified in the FMCG supply chain (i.e. Manufacturers, Logistics Service Providers and Retailers) and this has permitted us to evaluate the level of alignment of the perceptions of supply chain managers across the board. In this way, an answer to RQ2 (How aligned are the perceptions about CSCRM of companies in a supply chain?) was provided.

The work carried out has theoretical and practical implications.

In terms of theoretical implications, this study provides the scientific community with a vertical analysis of a supply chain, something that extends the existing theory on CSCRM, which only provides analyses of isolated and often disconnected cases and provides empirical data at a supply chain level. Besides going beyond the dyad, it also contributes to extending the current theory with the proposal of a paradigm that highlights the role of Logistics Service Providers as “orchestrators” of the CSCRM process. As a result, our study combines different existing classifications of CSCRM initiatives. It embraces the views of theories outside the traditional supply chain literature, such as the theory on information risk perception, to leverage the fundamental concept of alignment to achieve better cyber resilience. Our research also contributes to the theoretical debate regarding the role of the human factor in the management of risks in general and cyber and information risks, in particular, highlighting the necessity to embrace the perspective of people as critical elements to be leveraged for improving cyber resilience in the supply chain.

In terms of practical implications, our study provides the industrial community with an analysis of empirical data coming from a supply chain where the exchange of information in cyberspace is an essential process for adequately managing a large amount of generated logistics flows. It also provides the community of supply chain professionals with better awareness of the role of Logistics Service Providers in orchestrating the efforts towards the establishment of more “supply chain oriented” CSCRM policies. This could help practitioners streamlining the design of cyber security strategies and actions that could span across the different layers of the supply chain and allow for better alignment, resulting in better resilience and better visibility and more coordination of efforts. This, in turn, could mean more targeted/accurate investments in CSCRM initiatives in line with the concept of cyber supply chain balanced resilience. It also offers the industrial community an assessment of the level of importance given to the various items of the CSCRM process. It consequently unveils some elements of “common thinking” regarding risk management that could be a wake-up call for many organizations to overcome those traditional (and ineffective) approaches based on “firewalling themselves” from the IT technical perspective only. Our study also provides the industrial community with thought-provoking insights on the misalignment between the perceived relevance of the human factor as a source of risk (high) and the perceived importance of countermeasures to mitigate the risk events stemming from that source (low). This invites companies to rethink their approach to the mitigation of risks coming from employees. Finally, it also invites companies to assess their level of awareness about their supply chain's riskiness regarding the relationship between the occurrence of events and the perceived level of risk connected to those events. This could help organizations devise procedures and policies to report incidents and create common and shared knowledge about risks that could help them assess the level of risk in their supply chains more closely, moving beyond the boundaries of their companies.

Our study’s main limitation lies in the relatively small sample analysed in our survey, which belongs to one supply chain only (i.e. the FMCG sector). This industry was selected as the object of the present investigation because of its great relevance in terms of economic impact, generated revenues and market size. As explained, it represents a very interesting field of investigation given the amount of shared data in the cyber space – so it constitutes a relevant testbed. Likewise, the Italian FMCG industry was selected because of its role in the European scenario, being the second fastest-growing market in the continent and being Italy one of the countries members of the Group of Seven (G7). Therefore, we believe that our empirical investigation’s object provides results that are representative of the phenomenon under study. However, in terms of the generalizability of this research’s outcomes, some of the findings are inevitably related to the industry investigated (e.g. the supply chain structure, which affects the architecture of the relationships among the various players operating in the industry). It would be interesting to apply the developed survey to other sectors, such as the pharmaceutical or automotive sectors, where data sensitivity is paramount and the level of complexity is extremely high. Additionally, it would be interesting to broaden the analysis by conducting more focused case studies to delve deeper into the mechanisms that Logistics Service Providers could put in place as “orchestrators” to foster the adoption of a supply chain perspective to CSCRM along the supply chain. It would be interesting to investigate the motivations leading to certain CSCRM decisions, actions and outcomes. Another development of this study could be represented by comparing the perceptions of supply chain managers and IT managers/chief information officers to evaluate their level of alignment and the related consequences on the decisions made, the consequent actions undertaken and the level of resilience attained. A final direction for future research is represented by the investigation of the adoption of technologies such as Blockchain or distributed ledger systems as tools to mitigate cyber risks. These technologies could improve the CSCRM process outcomes, given their potential ability to secure transactions and data storage/transmission over different layers of the supply chain beyond the boundaries of the focal company.