Understanding security challenges in the software supply chain through causal relationships

In recent years, the Software Supply Chain (SSC) has become a key target for cyberattacks due to its complex structure and dependence on third-party and open-source components. These attacks pose serious risks to the integrity and security of software systems. While many studies have explored solutions to specific security issues in the SSC, the relationships among the barriers to achieving robust security have not been comprehensively analyzed—particularly in the context of SSC security challenges using the Decision-Making Trial and Evaluation Laboratory (DEMATEL) technique. This study addresses this gap by identifying and analyzing the major challenges that weaken SSC security. To do this, the DEMATEL method was used to explore how different security challenges affect each other. Ten key challenges were identified based on a detailed literature review. The findings indicated that the three most significant challenges are insecure software distribution mechanisms, inadequate continuous monitoring and incident response capabilities, and the growing complexity and diversity of cyber-attacks. By visualizing the relationships between these challenges, this study clarifies where to focus security efforts. Solving root causes can lead to broader improvements across the entire software supply chain. The findings offer practical insights for decision-makers seeking to improve cybersecurity strategies in software development environments.