
Supply-chain fragility: how cyber incidents propagate beyond the “victim” organisation


Alex Morgan

Abstract

Contemporary supply chains operate as highly interconnected digital ecosystems wherein cyber incidents rarely remain confined to the initially compromised organisation. This literature synthesis examines how cyber-attacks propagate beyond victim organisations through information, financial, and physical flows, generating cascading second- and third-order effects across supply chain networks. Drawing upon twenty peer-reviewed sources spanning 2015 to 2025, this study analyses the mechanisms of cyber risk propagation, empirical evidence of spillover effects, and emerging governance frameworks for network-level resilience. The findings reveal that non-breached organisations suffer measurable revenue losses, profitability reductions, and behavioural adjustments when supply chain partners experience cyber incidents, with impacts amplified by supplier concentration and input specificity. Current risk management approaches remain predominantly firm-centric and technically oriented, inadequately addressing the inter-organisational dimensions of cyber vulnerability. The analysis demonstrates that effective mitigation requires transitioning from traditional cybersecurity paradigms to network-level cyber-resilience strategies encompassing collaborative governance, shared threat intelligence, cyber-aware supplier selection, and dynamic capabilities for anticipating and absorbing cascading shocks. These findings carry significant implications for supply chain management theory and practice in an increasingly digitised global economy.

Introduction

The digital transformation of global supply chains has fundamentally altered the landscape of organisational risk. Whilst technological integration has delivered unprecedented efficiencies in coordination, visibility, and responsiveness, it has simultaneously created new vectors for disruption that transcend traditional organisational boundaries. Cyber incidents, once conceptualised primarily as information technology failures affecting individual firms, now constitute systemic threats capable of propagating through interconnected networks with devastating consequences for multiple stakeholders.

The 2017 NotPetya attack exemplifies this phenomenon with stark clarity. What initially appeared as ransomware targeting Ukrainian organisations rapidly cascaded through global supply networks, paralysing operations at Maersk, Merck, FedEx, and countless smaller enterprises. Maersk alone reported losses exceeding $300 million, yet the aggregate impact across affected supply chains proved substantially greater, demonstrating how cyber incidents generate economic damage far exceeding direct costs borne by initially compromised organisations (Crosignani, Macchiavelli and Silva, 2020).

This propagation dynamic reflects deeper structural changes in supply chain architecture. Contemporary supply networks operate as tightly coupled systems characterised by just-in-time delivery, single-source dependencies, and extensive digital integration across organisational boundaries. Cloud computing, Internet of Things deployments, and third-party software dependencies have created shared digital infrastructure wherein vulnerability at any node potentially compromises the entire network (Hammi, Zeadally and Nebhen, 2023). Traditional cybersecurity approaches, predicated on defending organisational perimeters, prove inadequate when risks migrate freely across supply chain tiers through information flows, transactional relationships, and shared technological platforms.

The academic significance of this phenomenon extends across multiple disciplines. For supply chain management scholars, cyber risk represents a fundamentally distinct category of disruption requiring new theoretical frameworks and management approaches. For information systems researchers, supply chain propagation challenges assumptions about bounded organisational responsibility for cybersecurity. For economists and finance scholars, spillover effects on non-breached firms demand attention to systemic risk dynamics previously associated primarily with financial contagion. For policymakers, the societal implications of cyber-induced supply chain failures in critical infrastructure—healthcare, energy, food distribution—necessitate governance frameworks extending beyond individual organisational compliance.

Practically, this topic carries substantial urgency. Cyber-attacks targeting supply chains have increased in frequency and sophistication, with adversaries specifically exploiting inter-organisational trust relationships and shared infrastructure (Tan et al., 2025). The SolarWinds compromise of 2020, affecting thousands of organisations through a single software supply chain vector, demonstrated that even organisations with sophisticated internal security capabilities remain vulnerable to upstream compromises. Supply chain managers consequently face the challenge of securing not merely their own systems but entire ecosystems of suppliers, customers, and service providers whose security postures may be opaque and beyond direct control.

This literature synthesis addresses a critical gap in consolidated understanding of cyber incident propagation mechanisms in supply chains. Whilst individual studies have examined specific aspects—financial spillovers, risk migration pathways, governance frameworks—no comprehensive synthesis has integrated these perspectives into a coherent analytical framework suitable for guiding both academic research and practitioner decision-making. By systematically analysing the evolving body of evidence, this study aims to clarify how cyber risks propagate, what factors amplify or attenuate these effects, and what strategies demonstrate effectiveness in building network-level resilience.

Aim and objectives

The primary aim of this study is to synthesise and critically analyse existing research on cyber incident propagation in supply chains, examining how disruptions extend beyond initially compromised organisations to affect partners, markets, and broader society, whilst identifying effective approaches for managing this systemic fragility.

To achieve this aim, the study pursues the following specific objectives:

1. To identify and categorise the primary mechanisms through which cyber incidents propagate across supply chain networks, distinguishing between information, financial, and physical flow disruptions.

2. To evaluate empirical evidence documenting spillover effects on non-breached organisations, including financial performance impacts, behavioural responses, and operational disruptions.

3. To analyse the structural and relational factors that amplify or attenuate cyber risk propagation, including supplier concentration, input specificity, and network topology.

4. To critically assess current modelling approaches and analytical frameworks for understanding cascading cyber risks in supply chain contexts.

5. To examine governance mechanisms, collaborative strategies, and resilience capabilities proposed for managing cyber risks at the network level rather than merely the firm level.

6. To identify gaps in existing research and articulate priorities for future investigation that would advance both theoretical understanding and practical management of supply chain cyber fragility.

Methodology

This study employs a structured literature synthesis methodology to consolidate and critically analyse existing research on cyber incident propagation in supply chains. Literature synthesis represents an appropriate methodological approach when the objective is to integrate findings across multiple studies to develop comprehensive understanding of a phenomenon, identify patterns and contradictions in existing knowledge, and establish foundations for future research (Tranfield, Denyer and Smart, 2003).

The synthesis draws primarily upon twenty peer-reviewed sources spanning 2015 to 2025, supplemented by additional high-quality academic and institutional sources where necessary to contextualise findings or address gaps. Source selection prioritised empirical studies examining cyber incident spillover effects, theoretical frameworks for understanding propagation mechanisms, and practitioner-oriented research on governance and resilience strategies. The temporal scope captures the evolution of research attention from initial conceptual recognition of supply chain cyber risks through to contemporary quantitative modelling and evidence-based frameworks.

The analytical approach involved several stages. Initially, sources were categorised according to their primary focus: propagation mechanisms, empirical evidence of spillover effects, modelling approaches, or governance and resilience strategies. Subsequently, within each category, findings were extracted systematically and compared to identify convergent conclusions, contradictory evidence, and gaps in existing knowledge. The synthesis then integrated findings across categories to develop a coherent analytical framework addressing the study objectives.

Quality assessment of sources considered methodological rigour, empirical grounding, theoretical contribution, and publication venue. Peer-reviewed journal articles from established outlets in supply chain management, information systems, operations management, and finance received priority. The synthesis acknowledges limitations inherent in the underlying literature, including potential publication bias toward significant findings and the challenge of generalising from specific incident case studies to broader populations of supply chain relationships.

The synthesised findings are presented thematically, organised to address each study objective systematically whilst highlighting connections across themes. This structure facilitates both comprehensive coverage and critical analysis of how individual research contributions relate to broader understanding of supply chain cyber fragility.

Literature review

Mechanisms of cyber incident propagation

Cyber incidents propagate through supply chains via multiple interconnected pathways that researchers have categorised with increasing precision over the past decade. Ghadge et al. (2019) distinguish three orders of propagation effects. Primary propagation involves direct operational disruption at the breached organisation, including system downtime, data compromise, and service interruption. Secondary propagation extends these effects to supply chain partners through information unavailability, reputational damage, and transactional disruption. Tertiary propagation encompasses broader societal harms, particularly when affected supply chains involve safety-critical products, healthcare delivery, or essential public services.

This multi-level conceptualisation highlights how cyber incidents differ fundamentally from traditional supply chain disruptions such as natural disasters or equipment failures. Whilst physical disruptions typically affect specific locations or assets, cyber incidents can simultaneously compromise geographically dispersed operations, corrupt information flows across multiple relationships, and undermine trust in digital systems upon which coordination depends.

Network thinking provides complementary theoretical grounding for understanding propagation dynamics. Ojha et al. (2018) apply ripple effect concepts to demonstrate how node disruption cascades through interconnected supply networks, affecting fragility, service levels, and sales performance at downstream stages. The magnitude of cascading effects depends critically on network topology, with highly centralised networks containing critical hub nodes exhibiting greater vulnerability to targeted disruption than distributed architectures with redundant pathways.

Empirical cases illuminate these mechanisms in practice. The 2017 cyber-attack affecting the Port of Antwerp and Maersk’s global operations demonstrated how compromise of a logistics node can strand cargo and disrupt numerous firms that had no direct relationship with the breached entity. Colicchia, Creazza and Menachof (2019) and Boyes (2015) analyse these incidents to illustrate a critical insight: organisations may have effectively firewalled their own systems whilst remaining exposed through supply chain connections they neither controlled nor fully understood.

Attack vectors have evolved significantly as defensive capabilities have matured. Jeong, Rogers and Choi (2025) document a shift in adversary focus from internal users toward external suppliers and digital infrastructure. As organisations strengthen perimeter defences and employee training, attackers increasingly exploit trusted relationships with suppliers, managed service providers, and software vendors to bypass security controls. This evolution toward “chained vulnerability” represents a strategic adaptation by adversaries to defensive improvements, creating an ongoing arms race dynamic in supply chain security.

Third-party software and infrastructure constitute particularly significant propagation vectors. Cloud service providers, Internet of Things platforms, and managed service providers create shared dependencies wherein a single compromise can affect numerous downstream organisations simultaneously. Hammi, Zeadally and Nebhen (2023) and Tan et al. (2025) identify these shared infrastructure elements as core propagation pathways requiring continuous monitoring and collaborative threat intelligence sharing for effective defence.

Empirical evidence of spillover effects

The financial consequences of supply chain cyber incidents extend substantially beyond directly breached organisations. Crosignani, Macchiavelli and Silva (2020) provide compelling quantitative evidence through analysis of the NotPetya attack’s effects on customers of breached firms. Their findings demonstrate that non-breached customers suffered measurable reductions in revenues, profitability, and trade credit availability when their key suppliers experienced cyber incidents. These spillover effects proved particularly severe when affected customers had few alternative suppliers or relied upon highly specific inputs for which substitution proved difficult or impossible.

The magnitude of these effects challenges conventional approaches to cyber risk assessment that focus exclusively on direct costs to breached organisations. When spillover effects on supply chain partners are incorporated, the true economic impact of major cyber incidents may exceed narrowly measured direct losses by substantial multiples. This finding carries significant implications for insurance markets, regulatory cost-benefit analyses, and investment decisions regarding cybersecurity.

Beyond financial performance metrics, cyber incidents trigger behavioural responses among non-breached organisations that warrant attention. He, Huangfu and Walton (2022) document earnings management adjustments by firms whose supply chain partners experience breaches. Non-breached “targeted” firms—those connected to breach victims through supply relationships—adjust their real activities and financial reporting, particularly following customer breaches. These behavioural responses suggest that cyber incidents create uncertainty and reputational concerns extending beyond the directly affected party, influencing management decisions at connected organisations.

The banking system provides partial buffering of spillover effects. Crosignani, Macchiavelli and Silva (2020) find that access to bank credit lines helps non-breached firms maintain investment and employment levels despite revenue disruptions caused by supplier cyber incidents. This finding highlights the interconnection between financial system stability and supply chain cyber resilience, suggesting that liquidity constraints could amplify propagation effects during periods of financial stress.

Risk migration represents another documented phenomenon wherein cyber risks travel upstream and downstream across supply chain tiers. Colicchia, Creazza and Menachof (2019) and Ghadge et al. (2019) identify inadequate visibility, limited coordination, and lack of control as factors enabling risks to migrate across organisational boundaries and tier levels. Organisations may successfully manage risks within their direct operations whilst remaining exposed to vulnerabilities at second-tier suppliers, logistics providers, or other actors whose security postures remain opaque.

Structural factors amplifying fragility

Several structural characteristics of supply chain relationships amplify cyber risk propagation and associated fragility. Supplier concentration emerges as a critical factor, with greater losses documented when breached suppliers serve as sole sources or dominant providers for critical inputs (Crosignani, Macchiavelli and Silva, 2020). The efficiency gains from supplier consolidation thus create corresponding vulnerability to disruption, representing a classic risk-return trade-off that many organisations have inadequately assessed in their sourcing decisions.

Input specificity compounds concentration effects. When inputs require specialised tooling, proprietary knowledge, or extensive qualification processes, substitution following supplier disruption becomes costly and time-consuming. Industries characterised by high asset specificity, such as semiconductor manufacturing, aerospace, and pharmaceutical production, consequently face elevated propagation risks from cyber incidents affecting key suppliers.

Network topology influences propagation patterns and overall system fragility. Ojha et al. (2018) demonstrate through Bayesian network modelling that supply networks with critical hub nodes exhibit greater vulnerability to cascading failures than distributed architectures. The drive toward supply chain efficiency has frequently produced network structures optimised for cost and speed under normal operations but poorly suited to absorbing and recovering from disruption events.

Digital integration depth represents an increasingly important structural factor. As supply chain operations become more tightly coupled through electronic data interchange, shared platforms, and automated transactions, cyber incidents at one node more readily propagate to connected nodes. The same information technology investments that enable real-time visibility and coordination simultaneously create pathways for malicious code transmission, credential compromise, and data exfiltration across organisational boundaries.

Geographic concentration of suppliers, whilst primarily a physical disruption risk factor, intersects with cyber vulnerability when regional infrastructure—power grids, telecommunications networks, cloud data centres—faces attack or failure. The growing dependence on cloud service providers concentrated in specific geographic regions creates correlated cyber exposure across nominally independent organisations.

Modelling approaches and analytical frameworks

Researchers have developed increasingly sophisticated approaches to modelling cyber risk propagation in supply chains. Early work focused on conceptual frameworks identifying risk categories and propagation pathways without quantitative specification. More recent contributions employ probabilistic methods, network analysis, and simulation to estimate conditional probabilities of attack spread and cascading effects.

Yeboah-Ofori and Islam (2019) propose threat modelling approaches for supply chain environments incorporating STIX-based representations of threat actors, attack patterns, and potential impacts. These structured threat intelligence formats enable systematic assessment of vulnerabilities across multi-organisation environments and support scenario analysis for understanding potential propagation pathways.

Bayesian network methodologies offer particular promise for supply chain cyber risk modelling. Ojha et al. (2018) demonstrate how Bayesian networks can capture conditional dependencies among supply chain nodes and estimate cascading failure probabilities. This approach accommodates the uncertainty inherent in cyber risk assessment whilst providing actionable probability estimates for risk management decision-making.
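To make the cascade, topology and tier-migration claims above concrete, the following Python model is an added example written for this page, not code from Ojha et al. (2018) or any other cited study: it treats a small supply network as a noisy-OR Bayesian network, enumerates outcomes exactly, compares a hub topology with a distributed one, and shows risk migrating through a tier-1 supplier that is never directly compromised. All node names, base probabilities, transmission probabilities and topologies are constructed assumptions.

```python
"""Exact noisy-OR cascade model for a small supply network (constructed example).

Each node has a base probability of direct compromise. Each supplier -> customer
edge has a transmission probability: the chance a disruption at the supplier
reaches the customer (high for a sole-sourced, specific input; low for a
substitutable one). A node is disrupted if hit directly or if any disrupted
supplier transmits to it (noisy-OR). Exhaustive enumeration keeps this exact,
so keep networks to a dozen nodes and edges.
"""
from itertools import product
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

Edge = Tuple[str, str, float]  # (supplier, customer, transmission probability)
Outcome = Dict[FrozenSet[str], float]


class SupplyNetwork:
    def __init__(self, base: Dict[str, float], edges: List[Edge]) -> None:
        self.base = base
        self.edges = edges
        self.nodes = list(base)
        self._dist: Optional[Outcome] = None

    def _propagate(self, direct: Tuple[bool, ...], active: Tuple[bool, ...]) -> FrozenSet[str]:
        """Disrupted nodes in one world: directly hit nodes plus everything
        reachable from them over active edges (fixed point; supply graph is a DAG)."""
        down = {n for n, hit in zip(self.nodes, direct) if hit}
        changed = True
        while changed:
            changed = False
            for (supplier, customer, _), on in zip(self.edges, active):
                if on and supplier in down and customer not in down:
                    down.add(customer)
                    changed = True
        return frozenset(down)

    def outcome_distribution(self) -> Outcome:
        """Exact probability of every possible set of disrupted nodes (cached)."""
        if self._dist is None:
            dist: Outcome = {}
            for direct in product((False, True), repeat=len(self.nodes)):
                p_direct = 1.0
                for node, hit in zip(self.nodes, direct):
                    p_direct *= self.base[node] if hit else 1.0 - self.base[node]
                for active in product((False, True), repeat=len(self.edges)):
                    p = p_direct
                    for (_, _, t), on in zip(self.edges, active):
                        p *= t if on else 1.0 - t
                    down = self._propagate(direct, active)
                    dist[down] = dist.get(down, 0.0) + p
            self._dist = dist
        return self._dist

    def marginal(self, node: str) -> float:
        """P(node disrupted), whatever the cause."""
        return sum(p for down, p in self.outcome_distribution().items() if node in down)

    def expected_disrupted(self, nodes: Iterable[str]) -> float:
        """Expected number of the given nodes that are disrupted."""
        targets = set(nodes)
        return sum(p * len(down & targets) for down, p in self.outcome_distribution().items())

    def prob_at_least(self, nodes: Iterable[str], k: int) -> float:
        """P(at least k of the given nodes are disrupted at once): the correlated
        outage risk that per-firm marginals hide."""
        targets = set(nodes)
        return sum(p for down, p in self.outcome_distribution().items() if len(down & targets) >= k)


CUSTOMERS = ["C1", "C2", "C3", "C4"]

def hub_network(transmission: float = 0.8) -> SupplyNetwork:
    """One shared hub (cloud platform, logistics node) feeding four customers."""
    base = {"Hub": 0.05, **{c: 0.02 for c in CUSTOMERS}}
    return SupplyNetwork(base, [("Hub", c, transmission) for c in CUSTOMERS])

def distributed_network(transmission: float = 0.8) -> SupplyNetwork:
    """Four independent suppliers, one per customer, with identical per-node risk."""
    base = {**{f"S{i}": 0.05 for i in range(1, 5)}, **{c: 0.02 for c in CUSTOMERS}}
    return SupplyNetwork(base, [(f"S{i}", f"C{i}", transmission) for i in range(1, 5)])

def tiered_network() -> SupplyNetwork:
    """Risk migrating across tiers: a tier-1 supplier that is never compromised
    directly (base 0.0) still passes its tier-2 supplier's disruption downstream."""
    base = {"Tier2": 0.05, "Tier1": 0.0, "C": 0.02}
    return SupplyNetwork(base, [("Tier2", "Tier1", 0.8), ("Tier1", "C", 0.8)])

if __name__ == "__main__":
    for name, net in (("hub", hub_network()), ("distributed", distributed_network())):
        print(f"{name:12s} P(C1 down)={net.marginal('C1'):.4f}  "
              f"E[customers down]={net.expected_disrupted(CUSTOMERS):.4f}  "
              f"P(>=3 customers down)={net.prob_at_least(CUSTOMERS, 3):.5f}")
    # Input specificity: a substitutable input cuts transmission from 0.8 to 0.3.
    print(f"hub customer, specific input: {hub_network(0.8).marginal('C1'):.4f}; "
          f"substitutable input: {hub_network(0.3).marginal('C1'):.4f}")
    print(f"tiered: P(Tier1 down)={tiered_network().marginal('Tier1'):.4f}, "
          f"P(C down)={tiered_network().marginal('C'):.5f}")
```

The two topologies give the same per-customer marginal and expected loss; only the joint outage probability separates them, which is why firm-level assessments miss the systemic exposure created by hub nodes and concentrated providers.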

Integrated optimisation models represent another modelling frontier. Kaur, Gupta and Singh (2024) develop models that jointly optimise supplier selection and cybersecurity investment decisions, explicitly incorporating partner cyber-resilience as a selection criterion. Their findings demonstrate that coordinated optimisation of sourcing and cyber investments can materially increase overall supply chain resilience compared to approaches treating these decisions independently.

Quantitative modelling faces inherent challenges in the cyber domain. Attack probabilities prove difficult to estimate from limited historical data, adversary capabilities evolve rapidly, and novel attack vectors regularly emerge. Models relying heavily on historical frequencies may substantially underestimate risks from unprecedented attack types or newly discovered vulnerabilities. Researchers consequently emphasise combining quantitative approaches with qualitative expert assessment and scenario analysis to capture risks that historical data alone cannot illuminate.

Governance mechanisms and resilience strategies

Systematic reviews consistently identify a significant gap between technical security controls, which dominate current practice, and the behavioural and inter-organisational factors critical for managing propagation across supply chains. Ghadge et al. (2019), Melnyk et al. (2021), and Kumar and Mallipeddi (2022) all note that research and practice remain heavily oriented toward technical solutions—firewalls, intrusion detection, encryption—whilst inadequately addressing people, contracts, coordination mechanisms, and shared standards that ultimately determine whether cyber risks propagate or are contained at organisational boundaries.

Dynamic capabilities theory provides a useful lens for understanding organisational requirements for supply chain cyber resilience. Herburger, Wieland and Hochstrasser (2024) identify sensing, seizing, and transforming capabilities as essential for building resilience that extends beyond individual firm defences. Sensing capabilities enable organisations to detect emerging threats across the supply network. Seizing capabilities allow rapid mobilisation of resources to address identified vulnerabilities. Transforming capabilities support adaptive reconfiguration of supply chain relationships in response to changing threat landscapes.

Managerial awareness significantly influences adoption of resilience strategies. Gaudenzi and Baldi (2024) find that managers’ perception of potential supply chain disruption from cyber risk strongly predicts implementation of cyber-resilience measures including collaboration with partners, redundancy investments, and incident response planning. This finding suggests that executive education and risk communication represent important levers for improving supply chain cyber preparedness.

Cyber supply chain risk management (C-SCRM) practices aligned with the NIST framework demonstrate measurable effectiveness. Boyson, Corsi and Paraskevas (2021) report empirical evidence that specific framework activities correlate with reduced frequencies of particular breach types, supporting targeted, evidence-based defence strategies in digital supply chains. Their decade-long research programme provides one of the most sustained empirical investigations of C-SCRM effectiveness, offering practitioners guidance on which specific controls yield greatest protective value.

Network-oriented governance approaches remain underdeveloped despite their theoretical importance. Creazza et al. (2021) and Colicchia, Creazza and Menachof (2019) call for moving beyond dyadic supplier-buyer relationships toward orchestrated network approaches involving multiple supply chain tiers. Logistics service providers, given their positioning across multiple supply chains, potentially serve orchestrating roles in cyber-resilience governance, though this potential remains largely unrealised in practice.

Continuous monitoring and shared threat intelligence emerge as practical requirements for managing third-party software and infrastructure risks. Hammi, Zeadally and Nebhen (2023), Tan et al. (2025), Ibiyemi and Olutimehin (2024), and Alshammari and Singh (2025) all argue that advanced persistent threats exploiting supply chain vulnerabilities require collaborative detection and response capabilities extending beyond individual organisational boundaries. Information sharing arrangements, whilst facing legal and competitive obstacles, represent essential components of effective network-level defence.

Evolution of research over time

Research attention to supply chain cyber propagation has evolved substantially over the past decade, progressing from initial conceptual recognition toward empirical evidence and quantitative modelling. Boyes (2015) provided early articulation of cybersecurity and cyber-resilience concepts in supply chain contexts, establishing foundational vocabulary and risk categories. The period from 2018 to 2019 witnessed significant expansion, with contributions from Ojha et al. (2018) on Bayesian network modelling, Yeboah-Ofori and Islam (2019) on threat modelling, Ghadge et al. (2019) on systematic risk review, and Colicchia, Creazza and Menachof (2019) on exploratory empirical analysis.

The early 2020s brought increased empirical sophistication. Crosignani, Macchiavelli and Silva (2020) provided rigorous quantitative evidence of financial spillovers, whilst subsequent work by Melnyk et al. (2021), Creazza et al. (2021), and Boyson, Corsi and Paraskevas (2021) advanced understanding of management challenges and effective practices. He, Huangfu and Walton (2022) and Kumar and Mallipeddi (2022) extended empirical evidence to behavioural responses and broader operations management implications.

Recent work from 2024 and 2025 demonstrates continued research momentum with contributions addressing integrated optimisation models (Kaur, Gupta and Singh, 2024), dynamic capabilities (Herburger, Wieland and Hochstrasser, 2024), managerial perceptions (Gaudenzi and Baldi, 2024), evolving attack patterns (Jeong, Rogers and Choi, 2025), and advanced persistent threats (Tan et al., 2025; Alshammari and Singh, 2025). This evolution reflects both growing recognition of supply chain cyber fragility as a significant management challenge and accumulating methodological capabilities for rigorous investigation.

Discussion

The synthesised literature provides compelling evidence that cyber incidents propagate well beyond initially breached organisations through the tightly coupled digital, logistical, and financial ties characterising contemporary supply chains. This finding fundamentally challenges traditional conceptualisations of cybersecurity as an organisational perimeter defence problem and demands reconceptualisation as a network-level resilience challenge.

Addressing the first objective regarding propagation mechanisms, the literature reveals multiple interconnected pathways through which cyber effects cascade across supply chain boundaries. Information flows, transactional relationships, shared infrastructure, and trust relationships all serve as propagation vectors, with their relative importance varying according to attack type and supply chain characteristics. The primary, secondary, and tertiary propagation framework offered by Ghadge et al. (2019) provides useful analytical structure, though empirical work suggests these categories interact in complex ways rather than proceeding in linear sequence.

The second objective concerning spillover evidence finds substantial empirical support. Crosignani, Macchiavelli and Silva’s (2020) documentation of revenue and profitability losses at non-breached firms demonstrates that cyber incidents impose real economic costs extending far beyond direct victims. He, Huangfu and Walton’s (2022) findings on behavioural adjustments suggest additional indirect effects as connected organisations manage uncertainty and reputational concerns. These documented spillovers carry significant implications for risk assessment, suggesting that conventional approaches substantially underestimate true economic costs of cyber incidents.

Regarding the third objective on amplifying factors, the literature consistently identifies supplier concentration, input specificity, and network topology as critical determinants of propagation magnitude. These findings imply that sourcing decisions carry cyber risk implications often inadequately considered in supplier selection processes. Organisations optimising solely for cost and efficiency may inadvertently create fragile supply configurations highly vulnerable to cascading cyber disruptions. The growing dominance of concentrated cloud service providers and shared software platforms creates systemic exposure that individual organisational defences cannot address.

The fourth objective concerning modelling approaches reveals both progress and limitations. Bayesian network methods, threat modelling frameworks, and integrated optimisation models offer increasingly sophisticated tools for risk assessment and decision support. However, fundamental challenges persist in estimating attack probabilities, capturing adversary adaptation, and modelling unprecedented threat scenarios. The combination of quantitative and qualitative approaches appears necessary given irreducible uncertainties in the cyber domain.

The fifth objective examining governance mechanisms identifies a significant gap between current practice and theoretical requirements. Technical controls dominate whilst inter-organisational factors—contracts, coordination, shared standards, collaborative governance—remain underdeveloped despite their critical importance for propagation control. The persistence of firm-centric approaches likely reflects organisational boundaries in authority, accountability, and information access that impede network-level action. Overcoming these barriers requires governance innovations that align incentives, establish shared visibility, and create accountability for ecosystem-wide resilience.

Dynamic capabilities theory offers promising conceptual grounding for resilience strategy development. The sensing, seizing, and transforming capabilities framework articulated by Herburger, Wieland and Hochstrasser (2024) provides actionable guidance for building adaptive capacity. However, developing these capabilities at network level, rather than merely organisational level, presents substantial coordination challenges. Identifying appropriate orchestrating entities—whether lead firms, industry associations, or regulatory bodies—remains an open question with context-dependent answers.

The empirical evidence supporting NIST framework alignment from Boyson, Corsi and Paraskevas (2021) suggests that standardised approaches can deliver measurable risk reduction. This finding supports policy efforts to promote framework adoption whilst recognising that framework compliance represents necessary but insufficient response to evolving threats. Frameworks require continuous updating as adversary tactics evolve and new vulnerabilities emerge.

The temporal evolution of research reveals a maturing field progressing from conceptual foundations toward empirical evidence and practical guidance. However, significant gaps remain. Longitudinal studies tracking organisations through cyber incidents and their aftermaths would enhance understanding of recovery dynamics and resilience factors. Cross-industry comparative analysis could identify sector-specific vulnerabilities and transferable best practices. Research examining supply chain cyber incidents in developing economy contexts, where institutional supports may differ substantially, would extend geographic scope beyond predominantly Western samples.

The sixth objective regarding research gaps identifies several priorities. First, network-level interventions require systematic evaluation comparing collaborative approaches against firm-centric alternatives. Second, the role of regulatory frameworks and liability regimes in shaping supply chain cyber behaviour warrants investigation. Third, small and medium enterprises, which frequently lack resources for sophisticated cybersecurity, may represent weak links in otherwise robust supply chains, yet receive limited research attention. Fourth, the intersection of cyber risk with other supply chain disruption types—natural disasters, geopolitical conflicts, pandemics—deserves exploration given real-world co-occurrence possibilities.

Conclusions

This literature synthesis has examined how cyber incidents propagate beyond victim organisations through supply chain networks, achieving the stated objectives whilst identifying both established knowledge and significant research gaps.

The study confirms that cyber incident propagation operates through multiple mechanisms spanning information, financial, and physical flows. Primary effects at breached organisations generate secondary impacts on partners through transactional disruption, information unavailability, and reputational damage, whilst tertiary effects extend to broader society, particularly for critical infrastructure supply chains. These propagation dynamics distinguish cyber risks from traditional supply chain disruptions and demand management approaches that account for network-level vulnerabilities.

Empirical evidence demonstrates measurable spillover effects on non-breached organisations, including revenue reductions, profitability losses, constrained trade credit, and behavioural adjustments. These findings establish that cyber incidents impose economic costs substantially exceeding direct losses at breached organisations, carrying significant implications for risk assessment and management investment decisions.

Structural factors including supplier concentration, input specificity, and network topology amplify propagation effects. Organisations pursuing supply chain efficiency through consolidation and tight integration may inadvertently create fragile configurations highly vulnerable to cascading cyber disruptions. Balancing efficiency against resilience requires explicit consideration of cyber risk implications in sourcing and network design decisions.
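The amplifying effect of supplier concentration described above can be made concrete with a small cascade model. The following Python block is an added illustration, not code or data from the synthesis or any of the cited studies: the firm names, inputs and sourcing relationships are constructed, and the propagation rule (a firm halts when every supplier of some required input has halted) is a deliberate simplification of the information, financial and physical flows discussed in the text. It assigns each disrupted firm a propagation order (0 = primary victim, 1 = secondary, 2 = tertiary, ...) and compares a single-sourced topology with one where a single critical input is dual-sourced.

```python
"""Toy cascade model for cyber-incident propagation through a supply network.

All firm names and supply relationships are constructed for illustration;
they do not describe any real company or any dataset from the literature.
"""


def propagation_orders(supply_map, primary_victims):
    """Return {firm: order} for every firm disrupted by the incident.

    supply_map: {firm: {input_name: {supplier, ...}}}. A firm with an empty
        dict sources nothing and can only be disrupted as a primary victim.
    primary_victims: firms taken offline directly by the incident (order 0).

    Propagation rule (assumption of this model): a firm is disrupted when,
    for at least one required input, every supplier of that input is already
    disrupted. Orders are assigned in rounds, so an order-n firm falls only
    because of order-(n-1) failures, mirroring the secondary/tertiary effects
    described in the text.
    """
    orders = {firm: 0 for firm in primary_victims}
    round_no = 0
    while True:
        round_no += 1
        newly_down = [
            firm
            for firm, requirements in supply_map.items()
            if firm not in orders
            and any(suppliers and suppliers.issubset(orders)
                    for suppliers in requirements.values())
        ]
        if not newly_down:
            return orders
        for firm in newly_down:
            orders[firm] = round_no


def cascaded_count(orders):
    """Number of firms disrupted beyond the primary victims."""
    return sum(1 for order in orders.values() if order > 0)


# Constructed topology 1: one chip fabricator supplies both board makers.
CONCENTRATED = {
    "chipfab": {},
    "fw_vendor": {},
    "board_a": {"chips": {"chipfab"}},
    "board_b": {"chips": {"chipfab"}},
    "oem": {"boards": {"board_a", "board_b"}, "firmware": {"fw_vendor"}},
    "retailer": {"devices": {"oem"}},
}

# Constructed topology 2: identical, except board_a dual-sources chips.
DIVERSIFIED = {
    "chipfab": {},
    "chipfab_2": {},
    "fw_vendor": {},
    "board_a": {"chips": {"chipfab", "chipfab_2"}},
    "board_b": {"chips": {"chipfab"}},
    "oem": {"boards": {"board_a", "board_b"}, "firmware": {"fw_vendor"}},
    "retailer": {"devices": {"oem"}},
}


def compare_topologies(primary_victims=("chipfab",)):
    """Run the same incident against both topologies and return the orders."""
    return {
        "concentrated": propagation_orders(CONCENTRATED, primary_victims),
        "diversified": propagation_orders(DIVERSIFIED, primary_victims),
    }


if __name__ == "__main__":
    for name, orders in compare_topologies().items():
        print(f"{name}: {cascaded_count(orders)} firms disrupted beyond the victim")
        for firm, order in sorted(orders.items(), key=lambda item: item[1]):
            print(f"  order {order}: {firm}")
```

With the single-sourced topology, an incident at the chip fabricator halts both board makers (order 1), the OEM (order 2) and the retailer (order 3), so four firms that were never breached lose production. Dual-sourcing one input for one board maker stops the cascade at order 1: only the remaining single-sourced board maker is affected, because the OEM can still obtain boards. The model ignores inventory buffers, recovery time and partial capacity, so it overstates how quickly effects appear, but it shows why sourcing and topology decisions belong in the risk assessment the text calls for.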

Modelling approaches have advanced significantly, with Bayesian networks, threat modelling frameworks, and integrated optimisation models offering increasingly sophisticated analytical tools. However, inherent uncertainties in the cyber domain necessitate combining quantitative methods with qualitative assessment and scenario analysis to capture risks that historical data cannot illuminate.

Current governance approaches remain predominantly firm-centric and technically oriented, inadequately addressing the inter-organisational dimensions of cyber vulnerability. Effective management of supply chain cyber fragility requires transitioning to network-level resilience strategies encompassing collaborative governance, shared threat intelligence, cyber-aware supplier selection, and dynamic capabilities for anticipating and absorbing cascading shocks.

The significance of these findings extends across multiple domains. For supply chain management practice, they establish that cybersecurity cannot be treated as an isolated information technology function but must be integrated into supply chain strategy, supplier relationship management, and risk governance. For policymakers, they highlight systemic risks that individual organisational compliance cannot address, suggesting potential roles for regulatory coordination and information sharing facilitation. For academic research, they identify a maturing field with substantial remaining opportunities for empirical investigation and theoretical development.

Future research priorities include longitudinal studies of cyber incident recovery, cross-industry comparative analysis, investigation of small and medium enterprise vulnerabilities, and examination of regulatory and liability framework effects. Research addressing network-level interventions and their effectiveness compared to firm-centric approaches would particularly advance both theoretical understanding and practical guidance. As supply chains continue digitising and adversary capabilities continue evolving, sustained research attention to cyber propagation and resilience remains essential for both academic advancement and societal protection.

References

Alshammari, B. and Singh, M., 2025. A systematic literature review on tackling cyber threats for cyber logistic chain and conceptual frameworks for robust detection mechanisms. *IEEE Access*, 13, pp. 67661-67692. https://doi.org/10.1109/access.2025.3552689

Boyes, H., 2015. Cybersecurity and cyber-resilient supply chains. *Technology Innovation Management Review*, 5, pp. 28-34. https://doi.org/10.22215/timreview888

Boyson, S., Corsi, T. and Paraskevas, J., 2021. Defending digital supply chains: Evidence from a decade-long research program. *Technovation*. https://doi.org/10.1016/j.technovation.2021.102380

Colicchia, C., Creazza, A. and Menachof, D., 2019. Managing cyber and information risks in supply chains: insights from an exploratory analysis. *Supply Chain Management: An International Journal*. https://doi.org/10.1108/scm-09-2017-0289

Creazza, A., Colicchia, C., Spiezia, S. and Dallari, F., 2021. Who cares? Supply chain managers’ perceptions regarding cyber supply chain risk management in the digital transformation era. *Supply Chain Management: An International Journal*. https://doi.org/10.1108/scm-02-2020-0073

Crosignani, M., Macchiavelli, M. and Silva, A., 2020. Pirates without borders: the propagation of cyberattacks through firms’ supply chains. *Federal Reserve Bank of New York Staff Reports*. https://doi.org/10.2139/ssrn.3664772

Gaudenzi, B. and Baldi, B., 2024. Cyber resilience in organisations and supply chains: from perceptions to actions. *The International Journal of Logistics Management*. https://doi.org/10.1108/ijlm-09-2023-0372

Ghadge, A., Weib, M., Caldwell, N. and Wilding, R., 2019. Managing cyber risk in supply chains: a review and research agenda. *Supply Chain Management: An International Journal*. https://doi.org/10.2139/ssrn.3426030

Hammi, B., Zeadally, S. and Nebhen, J., 2023. Security threats, countermeasures, and challenges of digital supply chains. *ACM Computing Surveys*, 55, pp. 1-40. https://doi.org/10.1145/3588999

He, Z., Huangfu, J. and Walton, S., 2022. Cybersecurity breaches in the supply chain and earnings management. *Journal of Information Systems*, 36, pp. 83-113. https://doi.org/10.2308/isys-2021-042

Herburger, M., Wieland, A. and Hochstrasser, C., 2024. Building supply chain resilience to cyber risks: a dynamic capabilities perspective. *Supply Chain Management: An International Journal*. https://doi.org/10.1108/scm-01-2023-0016

Ibiyemi, M. and Olutimehin, D., 2024. Cybersecurity in supply chains: Addressing emerging threats with strategic measures. *International Journal of Management & Entrepreneurship Research*. https://doi.org/10.51594/ijmer.v6i6.1241

Jeong, S., Rogers, Z. and Choi, T., 2025. Strange dance partners: supply chain cyberattacks and chained vulnerability. *Journal of Operations Management*. https://doi.org/10.1002/joom.1374

Kaur, H., Gupta, M. and Singh, S., 2024. Integrated model to optimize supplier selection and investments for cyber resilience in digital supply chains. *International Journal of Production Economics*. https://doi.org/10.1016/j.ijpe.2024.109338

Kumar, S. and Mallipeddi, R., 2022. Impact of cybersecurity on operations and supply chain management: Emerging trends and future research directions. *Production and Operations Management*, 31, pp. 4488-4500. https://doi.org/10.1111/poms.13859

Melnyk, S., Schoenherr, T., Speier, C., Peters, C., Chang, J. and Friday, D., 2021. New challenges in supply chain management: cybersecurity across the supply chain. *International Journal of Production Research*, 60, pp. 162-183. https://doi.org/10.1080/00207543.2021.1984606

National Institute of Standards and Technology, 2018. *Cybersecurity supply chain risk management practices for systems and organizations*. Gaithersburg, MD: U.S. Department of Commerce.

Ojha, R., Ghadge, A., Tiwari, M. and Bititci, U., 2018. Bayesian network modelling for supply chain risk propagation. *International Journal of Production Research*, 56, pp. 5795-5819. https://doi.org/10.1080/00207543.2018.1467059

Pérez-Morón, J., 2021. Eleven years of cyberattacks on Chinese supply chains in an era of cyber warfare, a review and future research agenda. *Journal of Asia Business Studies*. https://doi.org/10.1108/jabs-11-2020-0444

Tan, Z., Parambath, S., Anagnostopoulos, C., Singer, J. and Marnerides, A., 2025. Advanced persistent threats based on supply chain vulnerabilities: challenges, solutions, and future directions. *IEEE Internet of Things Journal*, 12, pp. 6371-6395. https://doi.org/10.1109/jiot.2025.3528744

Tranfield, D., Denyer, D. and Smart, P., 2003. Towards a methodology for developing evidence-informed management knowledge by means of systematic review. *British Journal of Management*, 14(3), pp. 207-222.

Yeboah-Ofori, A. and Islam, S., 2019. Cyber security threat modeling for supply chain organizational environments. *Future Internet*, 11, p. 63. https://doi.org/10.3390/fi11030063

To cite this work, please use the following reference:

Morgan, A., 16 January 2026. Supply-chain fragility: how cyber incidents propagate beyond the “victim” organisation. [online]. Available from: https://www.ukdissertations.com/dissertation-examples/business/supply-chain-fragility-how-cyber-incidents-propagate-beyond-the-victim-organisation/ [Accessed 17 January 2026].
