
Risk in the enterprise

Managing Risk Propagation in Extended Enterprise Networks
C. Derrick Huang, Ravi S. Behara, and Qing Hu
Florida Atlantic University

The weakest link in an information supply chain can lead to increased vulnerability for all partners in the network. Examining and controlling risk propagation from the network and supply-chain perspectives has become vital to overall network security.

IT Pro July/August 2008
Published by the IEEE Computer Society
1520-9202/08/$25.00 © 2008 IEEE

Most goods and services today are produced and delivered by networks of independent or semi-independent organizations. The underlying interactions in all these extended enterprise networks produce information supply chains (ISCs), and as a result of globalization, specialization of knowledge, and increased adoption of new technologies, securing the ISC has become the central task of managing information security in any extended enterprise.

Similar to the goods and services that flow in physical supply chains, no single organization controls the performance and reliability of information in an ISC. Connectivity renders the entire network susceptible to security attacks and disruptions at any node in the chain because a network's strength is often determined by its weakest link. The characteristics of such ISC networks (how information systems interconnect with one another) determine the spread of security threats and vulnerabilities. Yet, the technical networking view doesn't paint the whole picture of risk propagation; risks can cascade even without attacks physically spreading through the network. When a small merchant in a credit card network loses customer data to an adversary, for example, the issuing bank is impacted and can incur losses due to liability.

Although recognizing how risks cascade is fundamental to an extended-enterprise view of information security, we can also examine risk propagation in ISCs from the network and supply-chain perspectives. In so doing, we learn key lessons by applying scale-free network theory and process-management concepts to managing information security.

Sidebar: Information Security Risks: An Illustrative Example

We use an example offered by an anonymous reviewer to illustrate the lessons learned from this study. The containers were being unloaded from a cargo ship that had just entered port. The mafia had obtained the manifest in advance and knew that one of the containers was filled with diamonds, but only the port officials knew the order of offloading, which was stored electronically. The mafia hacked into the port computer system, obtained the offloading order, figured out which truck and driver would receive the container, and drove away with the diamonds, leaving the insurers of that cargo with $1 billion in losses.

The concepts we developed in this study point out two lessons from this example. First, identifying and protecting the hubs in an information supply chain are vital steps. To secure the cargo, which is the node in this supply chain, the officials failed to see that the information system containing the offloading order acted as the network hub and thus required focused protection. As a result, heavy security placed to protect the diamond-containing cargo was rendered useless because the port computer systems were insufficiently secured.

Second, this example shows the significance as well as the difficulty of coordinating security management. The ship, cargo movement, and port information systems were probably secured individually and independently. A breakdown in any of these components could leave the whole chain vulnerable. To secure the diamond cargo, all members must examine and agree upon each other's actions. Of course, such coordination is extremely difficult, especially when the key stakeholder (the diamond cargo owner) isn't the supply chain's operator (the port officials).

Lastly, this example illustrates that the concept of securing an ISC aptly applies to securing a physical supply chain. Moreover, as managing any physical supply chain requires effective information movement, its protection increasingly depends on the security of the information associated with such a network.

Nature of ISC Risk

Risk is the combination of the likelihood and the consequence of a specified hazard being realized. Specifically, an information security risk is the product of breach probability, which is determined by the security threat, systems vulnerability, and potential loss associated with such a breach [1]. Following the principles of risk management, firms invest in securing their information systems or enforcing security policies and procedures (risk prevention when breach probability is high), purchase cyberinsurance (risk transference when potential loss is high), plan for disaster recovery (contingency planning when overall risk is high), or some combination thereof. Most security studies thus far have followed this framework of minimizing the information security risks [1, 2].

The security risk in an ISC, however, demands different treatment. When firms are interconnected through ISCs, key risk components (namely, threats, vulnerabilities, and potential losses) are no longer isolated to any individual firm. Threats to any given firm in an ISC could become threats to other member firms; one firm's vulnerability can affect others' security, and a breach to one firm's systems can lead to losses at multiple firms in the ISC. Understanding the nature of how risks cascade is fundamental to the extended-enterprise view of information security.

For a real-world example of how risks propagate through interconnections, consider that the National Federation of Independent Businesses' 2007 survey of more than 600 merchants with fewer than 250 people found that 52 percent reported storing sensitive customer information (such as credit card or social security numbers) on their computers [3]. As a result, more than 80 percent of the incidents that led to unauthorized access to card data between 2005 and 2007 have involved small businesses, despite heavy security investments by Visa, Mastercard, and credit-card issuing banks [3]. In the same way, a virus can spread throughout an ISC after being introduced at just one firm, and attackers can exploit vulnerabilities in local firms to access remote firms' systems. (See the sidebar for a more elaborate example scenario.)

computer.org/ITPro


Figure 1. Network topologies. (a) A randomly connected network and (b) a scale-free network. (© 2000, Macmillan Publishers. Adapted by permission [7].)

Information networks' highly interconnected nature makes even physically remote threats pertinent as well. For example, the US Navy considers the capture of a single Army wheeled vehicle equivalent to having an enemy inside the Navy's tactical network. This is because these networks include Marine Corps ground networks, which are closely linked to the Army's, whose network is accessible from combat vehicles [4]. Furthermore, the latest E-Crime Watch Survey (www.cert.org/archive/pdf/ecrimesummary07.pdf) found that 27 percent of the adverse security events that companies have experienced were known or suspected to be by insiders; any insider in any member firm of the business network can potentially become an insider for any other firm in the ISC.

In addition to the business challenges that arise from security risks, a potential regulatory threat is also on the horizon. Currently, more than 35 states in the US have data-breach and customer-protection laws, most of which are weak and only require firms to warn customers of possible information theft when their computer systems are breached. However, a bill pending in Massachusetts, which would apply to any company doing business in that state, regardless of where it's based, would hold the operator of the hacked system liable for losses [5]. Such legislation exposes the nature of extended risks.

A Network Perspective
Much like the spread of epidemics among living organisms, the cascading of attacks is characterized by the network connectivity and the defense mechanisms taken up by the nodes. Researchers have proposed adopting epidemic models such as susceptible-infected-removal (SIR) and susceptible-infected-removal-susceptible (SIRS) to study such phenomena. Understanding an ISC's network topology is the key to applying these models to examine its network-interconnection risk.

Rather than follow random connection patterns, computer networks often resemble common social networks or even the metabolic pathways found in living mechanisms; although the majority of the nodes have only a few direct links, a small number of highly connected nodes (called hubs) directly connect to many nodes (see Figure 1) [6]. In an ISC that serves as a retail network, for instance, most vendors and suppliers connect only to their customers and perhaps a few other vendors, whereas a few large retailers and wholesalers have direct connections to many of the vendors and thus act as hubs. Compared to a distributed network in which nodes connect randomly to others, such a topology exhibits two key differences [6, 7]:

- The network diameter, defined as the average number of connections between any two random nodes in the network, is small. For instance, one study [6] calculated that the Web's diameter is 19, a remarkably small number considering the Internet's hundreds of millions of nodes.
- The connectivity follows a power-law distribution, such that the probability that a node connects with k other nodes is proportional to k, where is between 2 and 3 for most real networks such as the Internet; this distribution doesn't change as new nodes are added.

Such a small-world (the former point), scale-free (the latter point) network topology best represents the networking attributes of the Internet and its variations, such as peer-to-peer file sharing networks and ISCs.

Small-world, scale-free ISCs exhibit interesting behaviors with respect to the spread of security attacks. A key characteristic of a randomly connected network under threat is the existence of an epidemic threshold, below which the attacks wouldn't spread throughout the network, even when defensive mechanisms were absent. However, such a threshold doesn't exist in a scale-free network [8]. This implies that even an attack with a low epidemic rate on one node (such as a badly designed worm that doesn't replicate itself very effectively) can eventually affect every node in an ISC if most of the nodes have little or no information security measures. On the other hand, a scale-free network as a whole demonstrates a high degree of tolerance against random failure of its nodes, a property that randomly interconnected networks don't share. However, when just a few highly connected nodes are down, the network's diameter increases dramatically as the whole network quickly collapses into many isolated fragments [9]. In other words, a scale-free network is robust against random attacks but highly susceptible to targeted attacks against its hubs.

We can identify a few lessons on managing the ISC network-interconnection risks. To prevent even the most impotent attack from spreading, all firms in an extended enterprise network must have a minimal level of information security. Although an ISC with properly protected nodes is resilient to common opportunistic attacks such as viruses and worms, however, informed adversaries attempting to damage such an ISC probably wouldn't direct their attacks randomly. Instead, an attacker could target the hubs (and the connectivity of nodes is very hard to hide) with a real likelihood of bringing down the whole ISC with just a few successful targeted attacks. To guard against such potential vulnerabilities, highly connected firms in an ISC must be significantly more protected against such attacks than other members in the same ISC.
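
The contrast between random failures and the loss of hubs can be checked numerically. The following Python sketch is an added illustration, not code from the article: it assumes a Barabási-Albert preferential-attachment graph as a stand-in for an ISC, with constructed parameters (2,000 firms, 2 links per new firm, 10 percent of nodes offline), and measures how much of the network stays connected in each case.

```python
import random
from collections import deque


def barabasi_albert(n, m, rng):
    """Grow a scale-free graph: every new node links to m existing nodes,
    picked with probability proportional to their current degree."""
    adj = {i: set() for i in range(n)}
    for i in range(m + 1):              # small fully connected seed
        for j in range(i):
            adj[i].add(j)
            adj[j].add(i)
    # A node appears in `stubs` once per link end, so a uniform draw from
    # the list is a degree-proportional draw (preferential attachment).
    stubs = [v for v in range(m + 1) for _ in adj[v]]
    for new in range(m + 1, n):
        targets = set()
        while len(targets) < m:
            targets.add(rng.choice(stubs))
        for t in targets:
            adj[new].add(t)
            adj[t].add(new)
            stubs += [new, t]
    return adj


def giant_fraction(adj, removed):
    """Share of surviving nodes inside the largest connected component."""
    alive = set(adj) - set(removed)
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w in alive and w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best / len(alive)


def rank_hubs(adj):
    """Nodes ordered by number of direct links, most connected first."""
    return sorted(adj, key=lambda v: len(adj[v]), reverse=True)


def compare_outages(n=2000, m=2, share=0.10, seed=7):
    """Constructed scenario: the same number of nodes goes offline either
    at random or starting from the hubs."""
    rng = random.Random(seed)
    adj = barabasi_albert(n, m, rng)
    k = int(n * share)
    hubs = rank_hubs(adj)
    return {
        "max_degree": len(adj[hubs[0]]),
        "median_degree": len(adj[hubs[n // 2]]),
        "connected_after_random_outage": giant_fraction(adj, rng.sample(sorted(adj), k)),
        "connected_after_hub_outage": giant_fraction(adj, hubs[:k]),
    }


if __name__ == "__main__":
    for name, value in compare_outages().items():
        print(f"{name}: {value}")
```

Applied to a real inventory of partner connections, rank_hubs gives the order in which member firms' protection matters most to the chain as a whole.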

A Supply-Chain Perspective
Businesses of member firms are unavoidably interconnected via ISCs (whether for collaboration network, information-sharing arrangement, or supply and logistics coordination), as are their risks. Two main classes of risks, disruption and coordination, often cascade through such business interconnections. A physical supply chain experiences a disruption risk when natural disasters, accidents, system failures, or purposeful human activities interrupt one or more member firms' operations, disrupting the whole chain.

Such disruption risks also exist in all ISCs, when the communication, coordination, or collaboration activities are crippled due to the breakdown of one or more information systems. Because of the ISC's interconnecting nature, good crisis management on the part of individual firms isn't enough; assessing and managing security risks for the whole network is fundamentally important to understanding the potential for harm to member firms from supply-chain disruptions and for evaluating and undertaking prudent mitigation. In addition, the disruption's severity is greater when it occurs at a critical node in a complex network, due to the propensity to propagate [10]. Because such critical nodes are often highly connected in an ISC, protecting the hubs is an effective way to minimize an ISC's disruption risks.

Coordination risks occur in physical supply chains when supply and demand are mismatched among member firms. Worse, when such disparities propagate in the supply chain and get amplified in the process, the bullwhip effect leads to such operational problems as excessive inventories, missed production schedules, lost revenue, and poor customer service [11]. Similar coordination risks and the ensuing bullwhip effect can occur in an ISC when erroneous or poor-quality information propagates throughout the network, leading to misguided planning, flawed decision making, and so on. In particular, saboteurs can plant information errors that adversely impact some or all firms in an ISC.

Firms in physical supply chains attempt to minimize the bullwhip effect by sharing operational information such as inventory and capacity data and improving operational efficiency such as coordinated production activities. A similar approach can help control coordination risk propagation in an ISC and thus improve overall ISC security. Such activities include sharing information among partner firms on the nature and frequency of attacks, coordinating responses to specific threats, and jointly planning information security investments.

Though seemingly intuitive, such coordination efforts don't come without challenges. At the very least, they require organizational trust beyond simple information sharing, as well as an effective incentive and measurement system for coordination. On the other hand, we can expect resistance from member firms because of the sensitive nature of information security. A new governance model among extended enterprises might be required to implement these coordinated activities effectively.

Lessons for Securing an ISC

Table 1 summarizes the lessons learned from applying and extending established theories of scale-free networks and supply-chain management to ISC security.

Table 1. Information security implications for information supply chains.

| Theory | Principle | ISC action | Challenge |
|---|---|---|---|
| Scale-free networks | Lack of epidemic threshold | All nodes in ISC need minimal level of security measures | Mechanism for setting standards and enforcing and monitoring security measures of all nodes |
| | Resilience against random attacks, but susceptible to targeted attacks | Highly connected nodes need higher level of security protection than the rest of the nodes | Incentive for hubs to spend extra on information security |
| Supply-chain management | Minimizing disruption risks | Critical members need to be protected from failure | |
| | Minimizing coordination risks | Member firms share security information and coordinate activities | Infrastructure and incentive for coordination |

First, firms in an ISC should recognize that information security management can't be done individually because their risks are interlinked, shared, and can propagate from one to another. Using traditional economic analysis for security investment and established technical analysis of information security requirements on the basis of a single firm could produce suboptimal results or even misleading guidelines [1, 2]. Firms need to understand that measures taken up by other member firms can be just as important as their own because of their network and business interconnections, and they must plan accordingly.

Therefore, it's crucial for firms in an ISC to coordinate information security management. Such coordination ranges from sharing security data to enforcing minimal protection standards and coordinating security investments. This seemingly rational measure can, however, prove difficult to execute. With few exceptions, most ISCs are loosely arranged with no central command and control infrastructure. How should member firms share security information? Who sets the standards and enforces and monitors the minimal security measures for all the ISC nodes? All ISC member firms must address these questions, not just a few large players in the network.

Lastly, both network and supply-chain analyses point to the importance of securing the critical and highly connected nodes. These are likely to be the larger firms in an ISC. Doing so often requires these firms to spend heavily on information security, perhaps more than they would have individually, and more than other member firms in the same ISC. In other words, firms that are highly connected nodes need to invest extra in information security for the greater good of the ISC. Again, this idea can be problematic to implement. The information security risk associated with an ISC for the smaller, less-connected firms can be disproportionately large because of the potential impact on their businesses. For instance, if a retail ISC breaks down, the small suppliers could suffer greatly if they depend on their connection to the large retailers, whereas those large retailers (the hubs) are likely to experience only minimal business interruption. To protect the ISC and mitigate the risks to other member firms, the hub firms might have to spend more than they've identified as their optimal security investment based on their individual risk profiles, logic that they might find unacceptable.

One economically viable option would be to set up an investment pool among all ISC member firms and allocate resources to those needing the investment the most. Firms with the most to lose from an ISC breakdown (the smaller, nonhub firms) could thus protect themselves by contributing to the security of those that were most susceptible to targeted attacks and disruption risks (the larger hub firms). Of course, this mechanism would amount to a transfer of money from small firms to large ones in an ISC, which could prove to be an even more difficult proposition to sell.

An ISC's information security requires new thinking by member firms. Today's business environment calls for a high level of situation awareness to understand and manage information security in the technology and business networks in which firms participate. Our analysis shows a critical need for some type of coordination policy in ISCs to monitor and direct information security activities among member firms. But such policies are lacking in most, if not all, current ISCs and can be difficult to establish. A key transition might lie in firms rethinking information security not as a means to individual safety but rather to minimizing risks to the business environment, in which firms interact with one another and their surroundings. This will be a radical shift from the dominant mindset, but it's necessary for successful participation in any ISC, which is a required business activity for most firms today.

References
1. C.D. Huang, R.S. Behara, and Q. Hu, "Economics of Information Security Investment," National Security Handbooks in Information Systems, vol. 2, H. Chen et al., eds., Elsevier, 2007, pp. 53-69.
2. H. Cavusoglu, B. Mishra, and S. Raghunathan, "A Model for Evaluating IT Security Investments," Comm. ACM, vol. 47, no. 7, 2004, pp. 87-92.
3. R. Sidel, "In Data Leaks, Culprits often are Mom, Pop," Wall Street J., 22-23 Sept. 2007, p. B1.
4. Network-Centric Naval Forces: A Transition Strategy for Enhancing Operational Capabilities, Committee on Network-Centric Naval Forces, tech. report, US Naval Studies Board, Nat'l Research Council, 2000.
5. J. Pereira, "Bill Would Punish Retailers for Leaks of Personal Data," Wall Street J., 27 Feb. 2007, p. B1.
6. R. Albert, H. Jeong, and A.L. Barabási, "Diameter of the World-Wide Web," Nature, vol. 401, no. 6749, 1999, pp. 130-131.
7. R. Albert, H. Jeong, and A.L. Barabási, "Error and Attack Tolerance of Complex Networks," Nature, vol. 406, no. 6794, 2000, pp. 378-382.
8. D.B. Chang and C.S. Young, "Infection Dynamics on the Internet," Computer & Security, vol. 24, 2005, pp. 280-286.
9. A.L. Barabási and R. Albert, "Emergence of Scaling in Random Networks," Science, vol. 286, no. 5439, 1999, pp. 509-512.
10. C.W. Craighead et al., "The Severity of Supply Chain Disruptions: Design Characteristics and Mitigation Capabilities," Decision Sciences, vol. 38, no. 1, 2007, pp. 131-156.
11. H.L. Lee, V. Padmanabhan, and S. Whang, "The Bullwhip Effect in Supply Chains," Sloan Management Rev., vol. 38, no. 3, 1997, pp. 93-102.

C. Derrick Huang is an assistant professor of information systems in the Barry Kaye College of Business at Florida Atlantic University. He has a PhD in computer science from Harvard University. He is a member of the Association of Information Systems. Contact him at dhuang@fau.edu.

Ravi S. Behara is an assistant professor of operations management in the Barry Kaye College of Business at Florida Atlantic University. Behara has a PhD in service operations management from Manchester Metropolitan University (UK). He is a member of the Decision Sciences Institute. Contact him at rbehara@fau.edu.

Qing Hu is a professor of information systems and chair of the Department of Information Technology and Operations Management in the Barry Kaye College of Business at Florida Atlantic University. He has a PhD in computer information systems from University of Miami. Hu is a member of the Association for Information Systems. Contact him at qhu@fau.edu.
