Cybersecurity and Supply Chain Risk Management Are Not Simply Additive

Implications for Directions in Risk Assessment, Risk Mitigation, and Research to Secure the Supply of Defense Industrial Products

Published Dec 19, 2023

by Victoria A. Greenfield, Jonathan W. Welburn, Karen Schwindt, Daniel Ish, Andrew J. Lohn, Gavin S. Hartnett



Research Questions

  1. How do cyber-related risks differ from or compound other concerns about SCRM?
  2. What do, or could, these differences mean for risk assessment, risk mitigation, and research?

The Air Force Research Laboratory (AFRL) asked RAND Project AIR FORCE (PAF) for assistance in understanding how cyber-related risks compare with other risks to its defense-industrial supply chains—a scope that included supply chains for hardware, not supply chains for software—and in exploring implications for directions in risk assessment and mitigation and for research. AFRL was interested in how attackers might use supply chains to wage attacks, such as through malicious code, and how supply chains might, themselves, be targets of attack, such as through disruption.

To conduct the analysis, PAF drew insights from the literatures on cybersecurity, supply chain risk management (SCRM), game theory, and network analysis and worked with sets of stylized supply chains and fundamental principles of risk management. The report uses the phrase cyber SCRM broadly to refer to the cybersecurity of supply chains, including attacks through supply chains to reach a target and attacks on supply chains in which the target of the attack is the supply chain itself.

Key Findings

Cyber-related risks could be substantially worse than and different from other types of supply chain risks

  • Cyber events can present the worst of conventional hazards in terms of their onset, duration, visibility, and reach.
  • They can pose even greater challenges than nondigital threats, given the potential for strategic adversaries to inflict harm at low cost and without punishment of repeated attempts.

Preventive measures are not enough

  • Preventive measures cannot stand alone or be pursued at the expense of taking steps to facilitate response and recovery or build resilience.
  • Creating impenetrable defenses is infeasible, and attempting to create them would entail further risks and costs.

Cyber SCRM requires more than an amalgam of cyber and SCRM

  • Some conventional responses to supply chain risks might not hinder or might even elevate the risks cyberattacks present.
  • Absent any trade-offs, a fusion of cyber- and SCRM-based measures could be inadequate if conventional SCRM underestimates the potency of cyberattacks relative to other sources of risk.

Private-sector efforts to manage risk may not meet national security needs

  • Strategic interactions between suppliers and attackers could lead to underinvestment in security, especially without coordination among suppliers.
  • However, several compounding factors involving risk assessment, incentives, and supply chain visibility could make matters worse.


Recommendations

  • Frame the potential consequences of cyberattacks in terms of the availability, quality, and cost of defense industrial products that serve mission-critical roles, not just or not primarily information security.
  • Establish priorities among the cyber and SCRM consequences based on what they could mean for mission attainment.
  • Set out terms for cyber SCRM strategies that give due attention to response, recovery, and resilience and account for concerns about information security and supply chain functionality, differences in DAF and private-sector interests, and potential trade-offs among risk-reduction objectives.

This research was prepared for the Department of the Air Force and conducted within the Resource Management Program of RAND Project AIR FORCE.

This report is part of the RAND research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.
