
Supply Chain Characteristics as Predictors of Cyber Risk: A Machine-Learning Assessment

Author

Listed:
  • Kevin Hu

    (Massachusetts Institute of Technology)

  • Retsef Levi

    (Massachusetts Institute of Technology)

  • Raphael Yahalom

    (Massachusetts Institute of Technology)

  • El Ghali Zerhouni

    (Massachusetts Institute of Technology)

Abstract

This paper provides the first large-scale data-driven analysis to evaluate the predictive power of different attributes for assessing the risk of cyberattack data breaches. Furthermore, motivated by the rapid increase in third-party-enabled cyberattacks, the paper provides the first quantitative empirical evidence that digital supply-chain attributes are significant predictors of enterprise cyber risk. The paper leverages outside-in cyber risk scores that aim to capture the quality of the enterprise's internal cybersecurity management, but augments these with supply chain features that are inspired by observed third-party cyberattack scenarios, as well as concepts from network science research. The main quantitative result of the paper is to show that supply chain network features add significant detection power to predicting enterprise cyber risk, relative to merely using enterprise-only attributes. In particular, compared to a base model that relies only on internal enterprise features, the supply chain network features improve the out-of-sample AUC by 2.3%. Given that each cyber data breach is a low-probability, high-impact risk event, these improvements in the prediction power have significant value. Additionally, the model highlights several cybersecurity risk drivers related to third-party cyberattack and breach mechanisms and provides important insights as to what interventions might be effective to mitigate these risks.

Suggested Citation

  • Kevin Hu & Retsef Levi & Raphael Yahalom & El Ghali Zerhouni, 2022. "Supply Chain Characteristics as Predictors of Cyber Risk: A Machine-Learning Assessment," Papers 2210.15785, arXiv.org, revised Nov 2023.
  • Handle: RePEc:arx:papers:2210.15785

    Download full text from publisher

    File URL: http://arxiv.org/pdf/2210.15785
    File Function: Latest version
    Download Restriction: no