

Search for: All records

Award ID contains: 1916760


  1. Abstract The security risks posed by electronics are numerous. There are typically a variety of risk‐reducing countermeasures for a given system or across an enterprise. Each countermeasure is associated with both a level of risk reduction and its lifecycle costs. Given budgetary constraints, risk managers and systems engineers must determine what combinations of countermeasures cost‐effectively maximize risk reduction, and what metrics best guide the investment process. In this paper, we seek to answer these questions through exploration of risk reduction metrics from the field of security economics, including the benefit/cost ratio, return on security investment (ROSI), expected benefit of information security (EBIS), and expected net benefit of information security (ENBIS). The results suggest that ratio‐based metrics are not strongly correlated with risk reduction, while EBIS is equivalent to risk reduction and ENBIS is equal to risk reduction minus cost. 
  2. The supply chains of semiconductors and integrated devices support industry across all economic sectors. Globally, the supply chain is experiencing a variety of stressors and disruptions, with effects that cascade across the economy, causing product delays and enterprise losses. However, quantitative models that support an understanding of how stressors influence supply chain performance are needed. Here we show how stress testing can be used for assessing the impact of disruptions on supply chain performance metrics and for characterizing system resilience. We demonstrate a framework that utilizes discrete event simulation for stress testing the resilience of a semiconductor supply chain. Our results include a comparison of resilience curves with and without risk management countermeasures, showing the resilience-enhancing benefits of various supply chain management strategies such as maintaining safety stock and sourcing from multiple suppliers. Supply chain managers can utilize stress testing principles and methodologies to configure their supply chain and engage in practices that contribute to system resilience.
  3. Purpose: In the buyer-supplier relationship of a high-technology enterprise, the concepts of trust and risk are closely intertwined. Entering into a buyer-supplier relationship inherently involves a degree of risk, since there is always an opportunity for one of the parties to act opportunistically. Purchasing and supply managers play an important role in reducing the firm's risk profile, and must make decisions about whether or not to enter into, or remain in, a relationship with a supplier based on a subjective assessment of trust and risk. Design/methodology/approach: In this paper, the authors seek to explore how trust in the buyer-supplier relationship can be quantitatively modeled in the presence of risk. The authors develop a model of trust between a buyer and supplier as a risk-based decision, in which a buyer decides to place trust in a supplier, who may either act cooperatively or opportunistically. The authors use a case study of intellectual property (IP) piracy in the electronics industry to illustrate the conceptual discussion and model development. Findings: The authors produce a generalizable model that can be used to aid in decision-making and risk analysis for potential supply-chain partnerships, and is both a theoretical and practical innovation. However, the model can benefit a variety of high-technology enterprises. Originality/value: While the topic of trust is widely discussed, few studies have attempted to derive a quantitative model to support trust-based decision making. This paper advanced the field of supply chain management by developing a model which relates risk and trust in the buyer-supplier relationship.
  4. This paper addresses security and risk management of hardware and embedded systems across several applications. There are three companies involved in the research. First is an energy technology company that aims to leverage electric-vehicle batteries through vehicle to grid (V2G) services in order to provide energy storage for electric grids. Second is a defense contracting company that provides acquisition support for the DOD's conventional prompt global strike program (CPGS). These systems need protections in their production and supply chains, as well as throughout their system life cycles. Third is a company that deals with trust and security in advanced logistics systems generally. The rise of interconnected devices has led to growth in systems security issues such as privacy, authentication, and secure storage of data. A risk analysis via scenario-based preferences is aided by a literature review and industry experts. The analysis is divided into various sections of Criteria, Initiatives, C-I Assessment, Emergent Conditions (EC), Criteria-Scenario (C-S) relevance and EC Grouping. System success criteria, research initiatives, and risks to the system are compiled. In the C-I Assessment, a rating is assigned to signify the degree to which criteria are addressed by initiatives, including research and development, government programs, industry resources, security countermeasures, education and training, etc. To understand risks of emergent conditions, a list of Potential Scenarios is developed across innovations, environments, missions, populations and workforce behaviors, obsolescence, adversaries, etc. The C-S Relevance rates how the scenarios affect the relevance of the success criteria, including cost, schedule, security, return on investment, and cascading effects. The Emergent Condition Grouping (ECG) collates the emergent conditions with the scenarios. The generated results focus on ranking Initiatives based on their ability to negate the effects of Emergent Conditions, as well as producing a disruption score to compare a Potential Scenario's impacts to the ranking of Initiatives. The results presented in this paper are applicable to the testing and evaluation of security and risk for a variety of embedded smart devices and should be of interest to developers, owners, and operators of critical infrastructure systems.
  5. Modern cyber-physical systems are enabled by electronic hardware and embedded systems. The security of these sub-components is a concern during the design and operational phases of cyber-physical system life cycles. Compromised electronics can result in mission-critical failures, unauthorized access, and other severe consequences. As systems become more complex and feature greater connectivity, system owners must make decisions regarding how to mitigate risks and ensure resilience and trust. This paper provides an overview of research efforts related to assessing and managing risks, resilience, and trust with an emphasis on electronic hardware and embedded systems. The research takes a decision-oriented perspective, drawing from the perspectives of scenario planning and portfolio analysis, and describes examples related to the risk-based prioritization of cyber assets in large-scale systems.