TY - BOOK ID - 143046157 TI - Cybersecurity and Supply Chain Risk Management Are Not Simply Additive: Implications for Directions in Risk Assessment, Risk Mitigation, and Research to Secure the Supply of Defense Industrial Products AU - Greenfield, Victoria A. AU - Hartnett, Gavin S. AU - Ish, Daniel AU - Lohn, Andrew J. AU - Schwindt, Karen AU - Welburn, Jonathan W. PY - 2023 PB - RAND Corporation DB - UniCat UR - https://www.unicat.be/uniCat?func=search&query=sysid:143046157 AB - The Air Force Research Laboratory (AFRL) asked RAND Project AIR FORCE (PAF) for assistance understanding how cyber-related risks compare with other risks to its defense-industrial supply chains—a scope that included supply chains for hardware, not supply chains for software—and exploring implications for directions in risk assessment and mitigation and for research. AFRL was interested in how attackers might use supply chains to wage attacks, such as through malicious code, and how supply chains might, themselves, be targets of attack, such as through disruption. To conduct the analysis, PAF drew insights from the literatures on cybersecurity, supply chain risk management (SCRM), game theory, and network analysis and worked with sets of stylized supply chains and fundamental principles of risk management. The report uses the phrase cyber SCRM broadly to refer to the cybersecurity of supply chains, including attacks through supply chains to reach a target and attacks on supply chains in which the target of the attack is the supply chain itself. ER -