An ISM Modeling of Barriers for Blockchain/Distributed Ledger Technology Adoption in Supply Chains towards Cybersecurity

: Over the last few years, the increasing level of cyber risks derived from the growing con-nectedness of Industry 4.0 has led to the emergence of blockchain technology as a major innovation in supply chain cybersecurity. The main purpose of this study is to identify and rank the signiﬁcant barriers affecting the implementation of blockchain technology as a key component of cyber supply chain risk management (CSCRM). This research relied on the “interpretive structural modeling (ISM)” technique in the structure of a hierarchical model to investigate the contextual relationships of identiﬁed challenges for blockchain adoption in CSCRM; it also classiﬁes the inﬂuential challenges based on their driving and dependence powers. The results highlight that “cryptocurrency volatility” is the challenge at the top level of the hierarchy, implying weak driving power but it is strongly dependent on the other challenges. “Poor regulatory provisions”, “technology immaturity”, “dependent on input information from external oracles”, “scalability and bandwidth issues”, and “smart contract issues” are signiﬁcant challenges for the adoption of blockchain in cyber supply chain risk management and are located at the bottom level of the hierarchy with higher driving power. The implications for theory and practice of the research are also highlighted.


Introduction
The vulnerability of international supply chains to cyber-attacks, such as the ones on Natanz uranium enrichment plant's controller in Iran in November 2010 [1] and Norsk Hydro's operations in the U.S. and Europe in 2019 [2], is becoming clear. "A cyberattack is any disturbance to this interdependent network that leads to loss of functionality, connectivity, or capacity" [3]. The cost of cyberattacks on Italian companies' data in 2018 has been estimated at an average of EUR 3 million for each cyber-attack [4].
The sources of cyber threats cover a lot of territories. The National Institute of Standards and Technology [5] reported several cyber concerns leading to disruption in the supply chain, such as the uncertainty of information security practices by lower-tier suppliers, vendors' software or hardware with some security vulnerabilities, risks of third-party data storage, and so on. Reference [6] also reported the first cyber victims of denial-ofservice attacks on the websites of corporations, such as eBay, Amazon, and CNN, designed to disrupt the data traffic of a targeted server. As an additional example, in summer of 2017, a major shipping line calculated the estimated cyber-attack cost up of to Dollar 300 million, leading to some challenges to their clients' operations [7].
In recent years, the components of the 4th industrial revolution, such as Internet of things (IoT), Cloud Computing (CC), Big Data Analytics (BDA), Cyber-Physical Systems (CPS), and other automation technologies have transformed the way of operations in the and the supply chain; none of these studies empirically address the linkage to challenges that impede the adoption of blockchain technology in cyber supply chain risk management.
To bridge the knowledge gap, the existing number of research articles indicate that there has been no study that has entirely focused on the various challenges that affect the adoption of blockchain connected to the concept of cyber supply chain risk management, which is something that is missing in the existing studies and that attempts to depict a conceptual model of the hierarchical structural relationship that is characterized by a twophase methodology, namely (i) a graph-based "Interpretive Structural Modeling" (ISM), to impose the linkage among the CSCRM challenges, and (ii) a complimentary analysis, namely "Cross-Impact Matrix Multiplication to Classification" (MICMAC), to classify the strength of the relationship between the CSCRM challenges based on their driving and dependence power. The findings of this study are discussed alongside unique insights into the theoretical and practical implications of the investigated topic.
In this sense, this study sets out some questions as follows: • What are the challenges of BDLT adoption for cyber supply chain risk management? • What hierarchical relationships exist among identified challenges? • Which challenges have more driving power and which challenges have more dependency power on the adoption of BDLT technologies in CSCRM?
To address these questions, the paper is structured as follows. Following the introduction and the literature review, the adopted research methodology and research design are presented. The findings obtained from the analysis, and the theoretical and managerial implications of the study are then discussed. Final remarks, limitations, and directions for future research conclude the paper.

Supply Chain Risk Management
Over the past decade, our knowledge and awareness of supply chain risk management (SCRM) have risen due to technological and market turbulence, volatile customer demand, along with competitive intensity [30]. A definition of supply chain risk is "the variation in the distribution of possible supply chain outcomes, their likelihoods, and their subjective values" [31]. According to [32][33][34], the most common disruption risks affecting the supply chain and, significantly, its performance are related to natural and manmade disasters (e.g., earthquakes, hurricanes and floods), cyber threats (human errors, failures and terrorism), while operational risks are related to a company's reduced ability to produce and supply products and services [35]. Operational risks also include capacity constraints, supply and demand uncertainty, information management risk, and business interruption [36].
Different innovative methods have been adopted to identify cyber threats in the supply chain, which is the first phase in the supply chain risk management approach [34,37]. Reference [38] states that a shift from the traditional information technology infrastructure to Industry 4.0 systems makes it possible to automate the identification of cyber risks and explore the effects of such systems. The fragility of the supply chain is evidenced by some cyber incidents, varying from counterfeiting, fraud, and data manipulation to the visibility of data across the supply chain.
The basis of these increased risks has led to the cyber supply chain risk management concepts that constitute the main objective of this paper.

Cyber Supply Chain Risk Management
Cyber supply chain risk management (CSCRM) is emerging as a new "management construct resulting from the fusion of approaches, methods, and practices from the fields of cybersecurity, information risk management, and supply chain management". Such approaches and practices lead to reshaping relationships between organizations and governments, improving the integration of cyber-physical systems, and establishing standards and protocols [39]. Building on the definition by [40], the term CSCRM was coined to refer to the policies, procedures, and controls to protect the operations of a supply chain from cyber and information risks. This concept requires a comprehensive assessment of dynamic capabilities, high-level technical skills, and human elements across the supply chain to prevent and deal with the outcome of disruptions deriving from the massive amount of connectivity of today's operational systems [41]. The aim of CSCRM is to gain security, reliability, and safety, along with the broader objectives of trustworthiness, integrity, and quality [42].
The challenges faced by global companies in successfully implementing CSCRM are linked to a large number of suppliers in an organization's supply base [43] (Bode and Wagner, 2015), to the growing technological change and evolving threats, and training programs for security and technical personnel to identify and mitigate risks [44]. To add to these growing complexities of CSCRM, standards and guidelines, regulatory frameworks, and non-transparent supply chain partners in the cyber space are constantly changing [39,45]. In this new area, a holistic approach through CSCRM, combining processes, people, and technology, is considered a necessity to deal with the challenges for enhancing cybersecurity.
In light of the abovementioned concept of CSCRM, cybersecurity models need to take into account the technological, organizational, or environmental requirements during long-term planning to confront cyber and information risks to achieve cybersecurity.

Blockchain and Distributed Ledger Technologies
Distributed technologies are a database applied to share or record data based on various distributed ledgers across multiple nodes in different geographic areas, accessible by multiple participants, of which the blockchain is the most popular one. Each device or system in the network is called a node. Unlike centralized systems, distributed ledgers do not have any central location to store information [46]. The first attempt to implement the DLT was in aircraft operations, where the first primitive DLT with a consensus mechanism was applied to deal with the cyber risks derived from some automatic errors in the system's components clocks that would have led to an exchange of incorrect information and the likely inability to schedule internal aircraft tasks, and finally the loss of functionality of the aircraft systems [12].
The concept of blockchain was invented in 2008 as a platform entitled Bitcoin by Satoshi Nakamoto [47]. Blockchain technology is widely evolved from blockchain 1.0, which led to its first application for cryptocurrency purposes with Bitcoin; blockchain 2.0, which relied on the execution of smart contracts to the Ethereum for the transaction of digital assets; blockchain 3.0, which is based on DApps, a decentralized application that avoids centralized infrastructure and runs on a distributed network; to blockchain 4.0, making blockchain applicable in business cases [48][49][50][51][52]. Fundamentally, blockchain is a chain containing a growing list of data about transactions, called blocks, which are added in chronological order and cryptographically linked together. According to [53], blockchain "is a new organizing paradigm for the discovery, valuation, and transfer of all quanta (discrete units) of anything, and potentially for the coordination of all human activity on a much larger scale than has been possible before". Blockchain works by relying on a peer-topeer (P2P) topology, and new data records are added to the network through a consensus mechanism based on authentication and validation from multiple participants [54]. In the context of a block structure in the chain, each block is identified by three fundamental elements, which are as follows: the cryptographic hash algorithm on the header of the block, the timestamp which reports time for each transaction, and a Merkle tree to store all the transaction with authenticity, integrity, and consistency [55].
Transactions constitute the main core of the block records. When a user wants to add a new transaction to the ledger as a new block, the new block is received by all other nodes, which accept it according to a consensus mechanism. The accepted block is then generated to the whole network. Each new block contains a hash of its header and connects to the previous block in the chain through cryptography [56].
The concept of a Merkle tree based on the hashes was coined in 1987 with the publication of a paper entitled "A digital signature based on conventional encryption function" by [57]. Merkle trees are also one of the crucial components of blockchain technology and allow a huge amount of data to be stored in a single hash value, known as a Merkle root [58]. The root hash of the hash tree is used to detect tampered data and enables a secure and timely validation of the transactions [25]. Furthermore, the block header hash allows the transactions to connect to the chain by embedding the prior block hash in the current block header. In this way, every transaction remains tamper-proof and cannot be manipulated or removed, and with any change in a specific block, all subsequent blocks will be invalid in the chain [59].

BDLTs Key Capabilities for Cybersecurity
Blockchain and DLTs are a promising technology, predicted to span many more sectors over the next few years [60]. The prosperity of BDLTs pertains to their inherent features; the range of advantages in the realization of the cybersecurity properties they provide to their members is presented below.
• Decentralization: Unlike a traditional centralized transaction system where transactions are verified by a trusted centralized agency, such as a central bank or a government, in a decentralized infrastructure, two parties can access the database without the need for a third party to keep records or perform authorization. Within traditional systems, risks related to human error or criminal activity remain unidentified. Furthermore, such centralization can have several downsides, including more charges, lower overall performance, and various failures in the systems on the part of service providers [61,62]. Distributed ledgers record transactions without the association of a third party, which is helpful in the reduction of service costs, the improvement of the efficiency of the chain, and mitigation of the risk of system failures [63]. • Availability: The National Institute of Standards and Technology (NIST) defines availability as "ensuring timely and reliable access to and use of information" [64]. Cyberattacks start to impact availability of technology services with vulnerabilities, such as counterfeiting, theft, fraud, data manipulation, or falsification [65]. The DLT solution based on its decentralization and peer-to-peer characteristics makes it more difficult for criminals to disrupt. However, one of the most common attacks, known as distributed denial-of-service (DDoS) attacks, can target internet services and networks with more traffic than the server or network can handle and, hence, some disruptions to blockchain solutions. As a result, with the availability of information in decentralized platforms of DLTs, a rise in DDoS attacks could be observed [66]. • Data Access and Disclosure: According to reference [67], blockchain is a "secure public ledger platform shared by all parties through the Internet or an alternative distributed network of computers". Blocks with sets of information are shared between participants. The participants have the ability to share records and have limited access to their relevant transactions whenever they need them [68]. The decentralized nature of blockchain technology contributes to information sharing among relevant parties, helping transactions with high security from potentially targeted attacks or complex incidents [69]. • Traceability: BDLTs provide a wide range of capabilities, including traceable and tamper-resistant records, a high level of traceability with trusted information, accessibility, and the visibility of data provenance [70,71]. All blockchain transactions are given an exact timestamp when the transactions are added to the chain [46]. Such an inherited characteristic of blockchain enhances traceability and authenticity for the transaction of products, data, and interactions [72]. • Transparency: Current centralized systems in the supply chain deal with issues such as fraudulent activities, privacy and security errors, lack of transparency and trust [73]. Blockchain technologies are potential enablers of a trusted and efficient supply chain and can improve transparency and bring high visibility, authenticity, and availability to all the stakeholders in the network [74,75]. The secure and tamperresistant mechanism of blockchain paves the way for greater transparency, increasing the trustworthiness of transactions through interaction and access to the network among users [76]. • Privacy and Security: Blockchains or cryptographic-based distributed ledgers allow more integrity and information security than traditional databases because blockchain connects devices to the networks and members to devices, and encrypted transactions are added to the chain with the authorization of all participants without the need for data disclosure [23]. So, given the abovementioned advantage of the BDLTs, it is very difficult to hack this impenetrable technology. • Immutability: Immutability in the blockchain refers to the high ability of technology to remain censorship-resistant and indelible [77]. Immutability enables the transformation of each new transaction into the chain and approval by a consensus mechanism.
In addition, all the historical registered operations are immutable; therefore, any manipulation and forgery of data records would need a cyber-attacker to break most of a network's nodes [74]. • Reduced Overall Cost: Blockchain technologies help reduce the overall cost because of the direct transfer of transactions without the need for a bank or other third party.
Costs related to documentation, tax services, auditing, and governance can potentially be reduced. Subsequently, the reduction of transaction costs that can be supported by blockchain technology would lead to eliminating cybersecurity incidents [78,79]. • Data Quality: BDLT does not ensure the quality of data but any blocks that contain low accuracy and quality of data will not be allowed to add to the chain. Blockchain guarantees transformation of accurate and impenetrable data faster than any other system, and facilitates entities in exchanging information in a protected way [66]. • Distributed: The validated transactions and updated records are synchronized into blocks for processing and protocols and supporting infrastructures allow every node or participant in different locations to receive a real-time transaction [80].

Applications of BDLTs Adoption in CSCRM
This section provides a comprehensive identification of the specific supply chain functions that can be connected by the use of blockchain and cybersecurity. The prior contributions of blockchain technologies adoption in the supply chain management have been highlighted with notable examples, including improved data security and smart contracts; digital trust and supply chain relationship management; the tracking of the possession of goods and the identity of suppliers [81,82]; governance and legal frameworks for the execution of blockchain [83]; physical access control management based on Hyperledger Fabric platform and the security of IoT networks [84,85]; and integration with cutting edge technologies for storing and transferring encrypted data to the edge nodes [86]. Based on the most cybersecurity focused blockchain applications, "Internet of things" and "Transaction data" have received the most attention from scholars interested in the intersection of BDLT and cybersecurity and supply chain. In order to understand how the blockchain can be adapted to support the security of IoT devices, reference [87] presented a cloud-based IoT platform in the combination of blockchain for executing cryptographic transactions through smart contracts to securely track data management and prevent malware infections in IoT devices. Other applications of blockchain in the form of authorities management, secure communication sessions, access control, and prevention of bandwidth saturation are provided in some contributions [85,88,89]. However, apart from the integration advantages in the IoT with BDLTs, there are some challenges arising from different elements, such as the low computational power and scalability issues of IoT devices for a huge amount of data transmission, and the inherent latency of blockchain technology [90].
In another class of blockchain adoption in CSCRM, data management is one of the most promising features of the blockchain. The management and protection of transaction data have become increasingly uncontrollable in a distributed environment. Implementations and applications based on this technology improve secure data sharing among stakeholders in the supply chain and are aimed at secure and verifiable data management [91]. Although successful and interoperable communications have not yet reached a secure level between parties in the supply chain, there are some examples in the literature from the crossorganizational data management perspective. In the study, [92] designed a DLT with a certification or endorsement mechanism which allows the exchange of consumer data without revealing the information in the pharmaceutical supply chain. The result shows that blockchain has the potential to mitigate the counterfeiting issues with the cross-supply chain workflow management while maintaining transactional privacy.
Blockchain is also disrupting the human resource sector [93,94] by revolutionizing working procedures and employment document storage [94]. In the case of data storage in the form of decentralized and non-reversible platforms, [56] addressed the importance of information sharing by a governance model, considering blockchain architecture among parties in the supply chain. Additionally, access control mechanisms, metadata supporting key functions, and the encryption and decryption of data are the key concepts for their blockchain architectural design. Blockchain applications appear to offer significant trust to the participants or connected devices in a supply chain network. Reference [95] proposed and developed a decentralized microgrid model for distributing transactions between producer and consumer without the regulation of a central authorization. Their BDLT mechanism enables data distribution for certified and trusted parties by using attributebased signatures of multiple producers.
Collaborative IDS (CIDS) [101] is an intrusion detection system using smart contracts to address data privacy issues. Self Organizing Maps (SOMs) [102] are artificial networks consisting of thousands of nodes that can be applied in BDLT systems to cluster categorical data to the entire nodes for enhancing data privacy and confidentiality, as well as monitoring the blockchain. In [103], the authors proposed a cryptographic system known as Zerocoin to verify transactions with anonymity and user privacy. Zerocash [104] is a decentralized currency to guarantee privacy preservation by applying zero-knowledge proof variant (zkSNARKs) and provide user privacy by protecting details of the transaction. Reference [105] highlighted the fact that the capabilities of machine learning can be combined with blockchains to explore malware activities.
Despite multiple contributions highlighting the importance given to capabilities of blockchain technologies from the perspective of privacy and security concerns in different types of BDLTs, e.g., public, private, and smart contract, there is still a need to be cautious about the security challenges facing BDL adoption. In spite of the immutable nature of distributed ledger technologies, they are still vulnerable to cyberattacks. Transaction anonymity and transparency can be obtained by blockchain, but this technology cannot guarantee the privacy of data, and identity fraud and data breaches can occur anytime [106,107]. For example, anonymity and privacy concerns are rising in the blockchain due to the disclosure risk of users' identity. The users' transaction information, such as the sender and receiver address, even if pseudonymous, and the value can be publicly accessed and be visible to all network participants. In this case, all personal user information, such as transaction contents (e.g., amounts, account balance, and spending patterns), can be tracked under unexpected failures or malicious cyberattacks [108].
Several works also focused on the risk of privacy leakage in smart contracts, which poses some challenges for data confidentiality and privacy for sharing data [109,110]. Reference [111] focused on the privacy of transactions in the smart contract platforms and proposed Hawk, a decentralized smart contract system, which gives an efficient cryptographic protocol maintaining transactional privacy. ShadowEth [109] is a private smart contract on Ethereum to execute and store all metadata in an off-chain trusted execution environment called TEE-DS.
In the case of data privacy management, the European Union (EU) presented the general data protection regulation (GDPR) in May 2018, which addresses regulatory hurdles and contributes to the development of international guidelines and regulations to facilitate the use of BDLTs for all organizations.
Currently, BDLTs are applied to a wide range of digital and virtual financial markets, market predictions, and capital investments [112]. The numerous types of cybersecurity threats can occur during information, physical, and financial flows between supply chain stakeholders due to technical vulnerabilities in the systems [113]. Blockchain is expected to bring some advantages to customers, industrial and commercial institutions, and society as a whole [114]. For instance, to facilitate future market prediction, Augur [115] is a decentralized protocol for the global prediction market, enabling users to trade shares without the need for a single entity. Plasma [116] is a "proposed framework for incentivized and enforced execution of smart contracts, which is scalable to a significant amount of state updates per second (potentially billions) enabling the blockchain to be able to represent a significant amount of decentralized financial applications worldwide". Gnosis [117] is a platform that enables the trade of digital assets and cryptocurrencies on Ethereum's new market mechanisms, and it is claimed to be a reliable forecasting tool for increasing knowledge of upcoming events in finance, government, and among other sectors.
Despite the hype around different BDLT platforms, the studies confirm that the complexity of financial flows can lead to some difficulties in managing cyber supply chain risks. As a result, security violation and cryptocurrency volatility, such as volatile digital coins and hacking wallets of cryptocurrency exchange, have diverse effects on the reputation of BDLT platforms [118].

Challenges for Blockchain/BDLT Adoption in CSCRM
In previous studies, researchers and practitioners have made an effort to point out the potential of BDLTs based on risk reduction, transparency, traceability, peer-to-peer transactions, data safety, and decentralization, which are the significant objectives of supply chain management [71,[119][120][121]. The main purpose of this paper lies at the intersection of cybersecurity and blockchoichain/BDLTs. Although the literature on cybersecurity is not entirely new, there is plenty of room to explore it in the context of supply chain literature. In the literature, cybersecurity and blockchain/BDLTs align to address barriers related to Internet of things, data sharing, the prediction marketplace, cryptocurrency, privacy, and security [122][123][124], whilst the implementation of BDLTs for cyber supply chain risk management is still at the pilot stage. Stakeholders have to deal with numerous challenges during the adoption process of blockchain disrupting the existing CSCRM. This should be a driving force for researchers and practitioners to be always ready to promote and regulate new technologies, as per the risk maturity models, interoperability capabilities, support of leadership, and different governance policies. Sixteen challenges identified from the literature review in the adoption process of BDLTs into a cyber secure supply chain are discussed as follows, and are shown in Table 1.

Immature, Early Stage of Development
The concept of technological maturity is defined as the readiness level for blockchain technology adoption since its first appearance. There is a potential for SMEs to understand the value of mature technology and adopt it to enrich their activities [125]. Despite the hype around the use of BDLTs, these technologies are still in the early stage of development. The immaturity of blockchain technology in the form of security vulnerabilities, a single point of failure, and the lack of experiential knowledge may lead to some ambiguities in adopting and implementing the technology [53].

Scalability and Bandwidth Issues
Scalability and bandwidth issues describe network throughput limitations. According to [126], "Scalability is the capability of blockchain calculating processes to apply in a vast range of potentialities and to fulfill these aims". Scalability has been described as becoming a major issue with the increasing number of entities, transactions, block sizes, and long latency, preventing large-scale blockchain implementation [127]. One example to consider is that if Bitcoin proceeded with the same amount of transaction volume as VISA, it would need to replicate data in the entire network, posing a massive challenge to the data capacity and bandwidth [128]. Next, from a technical perspective, scalability is considered to be one of the most critical constraints in BDLTs adoption. The scalability of BDLTs has not yet reached a mark with market demand. Indeed, scalability problems are ascribed to the large amounts of transactional data generated from multiple resources in the supply chain operations, including different geographical locations, types of goods, and various business members. The solution to managing scalability through increasing the size of the block is based on an assumption that the throughput will be higher, but at the same time, it conflicts with the security of the main chain due to generate and propagate slate blocks. Therefore, potential schemes need to be presented to enhance the scalability of blockchain systems, while preventing security concerns.

Wasted Resources or High Energy Consumption
One of the critical drawbacks impeding the adoption of blockchain technology is computational power and energy consumption [108,129,130] and refers to the energy consumed in handling transactions by all the miners [100]. In some consensus mechanisms, such as proof of work (PoW), all blockchain nodes perform a high computational power to mine the next blocks [108]. However, PoW is considered to consume an enormous level of electricity, because mining each block depends on intensive computations and lots of hashing and encryption by all blockchain miners. In this respect, researchers have proposed alternative mechanisms, such as proof of stake (PoS), to avoid high resource consumption, where the probability of successful mining with PoS depends on the invested stakes by nodes in the system. This consensus process relies on the hashing operation and a higher coin age, which refers to the amount of time to hold onto coins without spending or moving them, which will lead to a decrease in energy waste [131]. Another example is delegated proof of stake (DPoS) that contributes to obtain a higher speed of transactions and low electricity consumption [132]. However, the main criticism of PoS and DPoS is the lack of rigorous security analysis [108]. Practical byzantine fault tolerance (PBFT) algorithms depend on the honesty from different validator nodes of a network that may affect both speed and scalability and is not acceptable for systems with thousands of entities [133]. As a result of this, it is interesting to make more energy-efficient consensus mechanisms to make BDLTs more adoptable.

Throughput and Low Performance
Low transaction throughput and the limited rate for processing the transactions at the block are other important issues of blockchain adoption.
One example to consider is that in contrast to modern credit card platforms that handle 7000 transactions per second, the throughput of the Bitcoin blockchain is around 7 transactions per second and a decentralized open-source blockchain platform like Ethereum can only handle 20 transactions on average [130]. Moreover, by increasing the volume of the data, the propagation delay in blocks will be a considerable issue and the throughput will become more and more difficult. The time needed to synchronize transactions or obtain a consensus among all clients when involving and running the system is an issue [134]. This is critical for IoT devices and industries in the supply chain and their need for high-performance transaction processing with low computational resources [135]. Recently, new solutions have been proposed to avoid the aforementioned problems, such as consensus mechanisms applied in Hyperledger, Stellar, R3, and Ripple, to improve throughput and performance, reducing the block interval time. However, such limitations need to be considered by proper schemes so as to increase the throughput of blockchain systems.

Lack of Standardization and Interoperability
Another major challenge is the lack of interoperability with other organizations' databases, which often leads to multiple risks of errors and failures of various blockchain platforms.
The Institute of Electrical and Electronics Engineers (IEEE) defines interoperability as "the ability of two or more systems or components to exchange information and to use the information that has been exchanged" [136]. It is considered a determinant factor affecting the adoption of blockchain-based CSCRM technologies. Therefore, more efforts are needed to enable the interoperability of innovative BDLTs with legacy systems and to make the system compatible with the existing IT systems. Furthermore, it is recommended to follow the standards to make the interoperability of different infrastructures easier; this allows a better assessment of the interface between blockchain and the real world.

Privacy and Information Disclosure Issues
Privacy concerns refer to the anonymity of counterparts to the extent to which information can be shared with a particular entity [137]. For example, anonymity and privacy concerns are rising in the blockchain due to the disclosure risk of users' identities. The user's transaction information, such as the sender and receiver address, even if pseudonymous, and the value, can be publicly accessed and be visible to all network participants. In this case, all personal user information, such as transaction contents (e.g., amounts, account balance, and spending patterns), can be tracked under unexpected failures or malicious cyberattacks [108]. As a result, privacy data can be conducted and achieved with the legal and regulatory frameworks, along with laws for data privacy.

Criminal Activity, Malicious Attacks
Criminal activities and malicious attacks were found to be challenges in the technological context. Different types of attacks, such as denial-of-service (DoS), spoofing attacks, security threats, Sybil attacks, and double-spending attacks, can affect the performance of BDLT networks [138][139][140]. In this case, the best security and privacy policies must be included as an integral part of the design and implementation of industrial BDLT applications by designers and developers [141]. In addition, within the scope of these applications, provisions, including different levels of protection, must be provided [142].

Dependent on Input Information from External Oracles
The blockchain oracle problem is one of the most significant challenges triggering difficulties for the trustworthiness of information written in smart contracts [45,143]. "Oracles are centralized and trusted third parties that constitute the interface between blockchains and the real world" [144]. A smart contract often relies on information from external oracles that collect data from different sources, such as big data applications, Internet of things, and RFID sensors [24]. Indeed, it is likely that these external oracles will be most attractive to criminals. Users' credential loss [118,174] 3. 16 Poor clarity regulatory provisions [108,147,163,[175][176][177]

Poor User Experience
Another concern in the adoption of BDLTs in the supply chain is in terms of the lack of support to end-users and sufficient platforms and tools. Blockchain platforms run under standards that are different from the defined way for existing systems, which poses some challenges for users [128]. An application programming interface (API) is a set of rules and protocols that allows applications to integrate with each other; this needs to be developed to make BDLTs easier to adopt for users [178]. Therefore, to make blockchain more successful, the users' acceptance should be considered during blockchain implementation. Furthermore, customer awareness and understanding of blockchain technology by providing professional training programs may be the key to moving forward with the productivity in organizations' supply chains, as well as securely control them against cyber risks [179,180].

Suitability of Blockchain
BDLTs do not cover all facets of the supply chain operations in terms of cybersecurity solutions. On the other hand, blockchain technology may not add any value to all core business use cases or processes. Blockchain or cryptographic-based distributed ledgers are a viable solution for trusted transactions among trustless entities or a permanent historical record [181]. Therefore, before adopting BDLT-enabled solutions, practitioners should assess the suitability of applying blockchain using the use-case requirements [182]. Different blockchain types (i.e., permissioned or permissionless) have been leveraged over the last couple of years, allowing industries to use them for their specific domains.

Cryptocurrency Volatility
An additional weakness is the volatility in crypto markets, which can be a challenge in terms of blockchain adoption in a short time [24]. For example, security violation and cryptocurrency volatility, such as volatile digital coins and hacking wallets of cryptocurrency exchange, have diverse effects on the reputation of BDLTs platforms [118]. Thus, it will take years for payment merchants based on blockchain platforms to be accepted by a large number of users [166,167].

Smart Contract Issues
A smart contract is "a piece of code that executes a specific business logic when a certain condition is met" [183]. This means that smart contracts are automatically executed when certain conditions in a contract or an agreement are met. Relying on the programming languages, a smart contract could describe all conditions in the contract and the characteristics of blockchain [168]. The complexity of programming languages and challenges of writing correct smart contracts are among the difficulties that face researchers and developers during blockchain adoption. For example, it has been reported that there was an average financial loss of USD 60 million due to the distributed autonomous organization (DAO) attack, which led to the transfer of money to an adversary account in 2016 [184]. Thus, more research is necessary to tackle the aforementioned issues.

Quantum Resilience
Cryptographic primitives in blockchain are classified into two basic functions, including hashes and public-key encryption for signing transactions [123]. With the advent of quantum computers, it may already be time to start worrying about the breaking of hashing algorithms. The performance and security in the blockchain are affected by this due to the ease of cracking the cryptographic keys using a brute force algorithm [107]. Significant efforts are currently being made to make the cryptographic keys stronger. For example, on the topic of post-quantum cryptography, research institutions such as NIST are calling for proposals, and expect to launch the early report between 2022 and 2024 [185].

Lack of Trust
Trust is another critical obstacle to success for future growth in BDLT adoption. Trust refers to the "reliability of information provided by trade partners, or the safety and security of the data managed by a central authority" [82]. Therefore, the challenge of trust is broader than just a lack of trust in the blockchain technology suppliers; there is also the problem of loss or breach of data during the distribution of the technology.
Although several studies have been carried out to solve the barrier of trust in supply chain management, the problems that are arising are still difficult problems for the BDLTs used nowadays [152,172,186].

Users' Credential Loss
BDLTs have the potential to create trust within the network with the confirmation of the validity of the user's credentials and the identity issuer to attest the data inside the credential, without revealing the actual data. However, another major issue that can occur when applying BDLTs is in the case of users' credentials loss, e.g., wallet, keys, and some private/public information due to loss, theft, and expiration [174]. Therefore, a high volume of data, e.g., conditions of products and the expected date of delivery, could be exposed when a cryptographic key is compromised. Alternatively, a criminal party could appear to modify data to gain the benefit, e.g., manipulation of the main liable party to refuse the penalties. Ultimately, this scenario indicates how important it is to securitize these keys across BDLTs [118].

Poor Clarity Regulatory Provisions
Poor clarity regulatory provisions have been considered determinants among the main barriers affecting the adoption of blockchain [187,188]. This challenge is defined as "the policies and regulations provided by government to regulate and monitor the industries for the usage of new technology" [177]. It was identified as a means to overcome the organizational readiness barrier. Given the necessity for guidance and support from the government during the adoption of blockchain in CSCRM in different ways and capacities, in the form of providing proper infrastructures, capabilities, and the definition of laws and regulations to authenticate digital records, executive departments and agencies could be able to monitor and validate transactions, determine the validity of contracts and agreements between parties, and, lastly, define and develop the standards to track the processes under the blockchain platforms [142].

Methodology and Research Design
The aim of this research is to identify key challenges of BDLT adoption and provide a hierarchical framework of challenges identified in the field of cyber supply chain risk management. Firstly, through an extensive literature survey and consensus from a group of experts' opinions, the challenges affecting BDLT adoption are identified; secondly, an integrated "ISM-MICMAC" approach is used to identify the most significant of the sixteen challenges extracted from the literature and discussed with practitioners and academics. The proposed methodology consists of two steps: interpretive structural modeling (ISM) and cross impact matrix multiplication applied to classification (MICMAC), and is described in detail in the Sections 4.2 and 5.5. The methodology proposed in this research is depicted and described in Figure 1.

Data Collection
The ISM methodology is built on the consensus from a group of experts' opinions through different techniques, such as nominal technique, questioner, face-to-face discussion, etc., to establish pairwise contextual relationships among variables [189,190]. With this in mind, a questionnaire was designed to collect each experts' opinions on the contextual and mutual relationships among the BDLT challenges listed in Table 1. The first section of the questionnaire contained general information about the experts' profiles and the professional roles and backgrounds they belong to, and the second section examined the contextual interactions between the identified challenges. The experts were requested to give their written opinions individually to avoid the influence of one opinion on another and were then aggregated and analyzed to develop the final contextual and mutual relationships matrix. The selected group of suitable experts who are conversant in the field of BDLT technologies and CSCRM was found to be small. However, the number of respondents participating in the ISM methodology should not be too many [191,192]. Thus, a total number of five experts (two academics and three industrial operators) from the field of cybersecurity and blockchain technology were involved in answering the questions by identifying what challenges lead to other challenges during the adoption of BDLTs in CSCRM. In the present study, two of the participating experts have a minimum of ten years of academic experience in the university: one has about 15 years of research experience in supply chain management, supply chain risk management, logistics 4.0, Industry 4.0, and management of cyber risks in supply chains, and the other has researched uncertainty analysis, safety and security, sustainability, and innovation for the last 20 years. Both professors are authors of over 90 publications at the international and national levels. They have combined academic qualifications with professional experience in research and consulting projects, and have participated in the implementation of several research projects funded by the government and industry. The other three experts are supply chain executives in different industrial sectors, working in positions, such as supply chain manager, operation manager, and plant quality manager, in manufacturing industries for 10-15 years. They are currently collaborating on several projects concerning the use of blockchain technology for the automation of transactions and processes, leading to a transparent and responsible global supply chain.

ISM Methodology
ISM is a mathematically derived methodology that was first proposed in 1973 by Professor Walter Felter. It can analyze a complex system into smaller sub-units with the use of experts' practical experience and knowledge and construct a structural multilevel model [193]. As stated by [194], "ISM is an interactive learning process where a set of directly and indirectly associated variables are structured into a comprehensive and systematic model". Based on another definition by [195], "ISM is a popular method of solving complex decision-making problems and for identifying relationships among elements or variables".
In the literature, ISM has been adopted by some researchers as a methodology to support blockchain adoption in various fields. Reference [196] proposed a TISM-based methodology to develop a hierarchical model for the factors facilitating the success of blockchain adoption in the cloud service industry, and to study the mutual interrelationship among critical success factors. Reference [197] used an integrated ISM-DEMATEL approach in an Indian agriculture supply chain (ASC) to model the significant challenges for blockchain implementation. Reference [173] deployed ISM methodology to analyze the technological, organizational, and environmental factors/elements influencing blockchain adoption in the supply chain. Reference [63] applied a combined Fuzzy-ANP and Fuzzy-ISM approach to identify blockchain enablers in a sustainable supply chain.
In this paper, the ISM was applied to envision the contextual relationship among identified challenges for BDLT adoption in a cyber-secure supply chain and cluster them according to their driver and dependence power. The following steps of the ISM process have been adopted in detail, contributing to developing the diagraph and final ISM model.

Structural Self-Interaction Matrix (SSIM)
For developing a contextual relationship, the connection between a pair of challenges and the associated path of the relation is questioned to analyze the variables, and the contextual relationship among the identified challenges are hypothesized based on the concept of one challenge leads to another challenge. In this way, the experts were asked to complete pairwise contextual relationships between challenges using four alphabetical codes in a 16 * 16 SSIM. Keeping this in mind, the following symbols (V, A, X, O) have been used to denote the direction of relationships between challenges (i and j): V: Challenges i enable/impact on challenges j. A: Challenges j enable/impact on challenges i. X: Challenges i and j are mutually interdependent (i.e., either will enable or influence the other).
O: No relationship between challenges i and j.
A final "Structural Self-Interaction Matrix (SSIM)" (Table 2) is developed by aggregating five SSIM gathered from the experts.
Wasted resources or high energy consumption 0

Reachability Matrix
An "Initial reachability matrix (IRM)" is developed by converting the symbols "V, A, X, O" into binary elements (i.e., 1, 0) to get IRM. To construct an initial reachability matrix, shown in Table 3, some rules are adopted as follows: i.
If the symbol of V is shown in the cell of (i, j) in the SSIM matrix, then in the IRM, the value of cell (i, j) will become 1, and the corresponding cell (j, i) is replaced with the value '0'. ii. If the symbol of A is shown in the cell of (i, j) in the SSIM matrix, then in the IRM, the value of cell (i, j) will become 0, and the corresponding cell (j, i) is replaced with the value '1'.
iii. If the symbol of X is shown in the cell of (i, j) in the SSIM matrix, then in the IRM, the value of cell (i, j) will become 1, and the corresponding cell (j, i) is replaced with the value '1'. iv. If the symbol of O is shown in the cell of (i, j) in the SSIM matrix, then in the IRM, the value of cell (i, j) will become 0, and the corresponding cell (j, i) is replaced with the value '0'.
Subsequently, the "Final reachability matrix (FRM)" is achieved by incorporating transitivity rules in the IRM. The transitivity rules suggest that if factor X affects factor Y and factor Y affects factor Z, then factor X automatically affects factor Z. The FRM is shown in Table 4. The transitive links are highlighted using a yellow shade. Table 3. Initial reachability matrix of relationships among BDLT adoption challenges in CSCRM.

Level Partitions
The final reachability matrix obtained is then divided into different levels of partition to construct the hierarchy graph. Three sets for each challenge are processed, namely "reachability set, antecedent set, and intersection set". The reachability set of each challenge comprises itself as well as the other challenges that it may drive and can be found as the set of elements that contain 1 in that particular row. Similarly, the antecedent set includes the challenge itself and the other challenge that may support in achieving it, and is the set of elements that contain 1 in that particular column. The challenges that are considered at level 1 or the top level in the ISM model are removed from the table for the next iteration set when both the reachability set and the intersection set are similar. This process of assigning the level of each challenge continues up to the defining of the last challenge. Table 5 shows the details of level partitions for sixteen challenges with six levels. Table 5. Intersection of reachability and antecedent sets and presentation of the levels.

Building an ISM Model
The hierarchical framework is obtained as an ISM model using the inputs from the final reachability matrix as per the partition level. The relationship between the variables i and j is indicated by an arrow from i to j or vice versa. A final ISM model is also developed after removing the indirect links. This ISM model was checked with the experts for any conceptual inconsistency. Figure 2 shows the final diagraph without any conceptual inconsistency for blockchain adoption in a cyber secure supply chain. The level I challenges are at the top of the model, level II challenges appear in the second position and so on, and finally, level VI challenges come at the base of the ISM hierarchy.

MICMAC Analysis
A MICMAC ("Matrice d'Impacts Croisé Multiplication Appliquée à un Classement") analysis was developed by [198]. It provides better comprehension of the relationships among the challenges of blockchain adoption in a cyber-secure supply chain. The MIC-MAC analysis is conducted to analyze the driving and dependence power of the variables and classification into four different categories ( Figure 3).
From Figure 3, it could be observed that the dependance variables are graphed on the x-axis, while driving variables are generally plotted on the y-axis. The first category presents the variables with weak dependence and driving powers and has been clustered as "autonomous or excluded variables", which signifies that all types of these variables are incoherent with the system because they do not have any effect on the adoption of blockchain technology in CSCRM. No variable is identified in this category, which means that all the variables have high influence levels with each other. The second category consists of measures with strong dependence powers and weak driving powers, known as the "dependent variables". The dependent variables appear on the top levels of the ISM hierarchy model. In the present study, "cryptocurrency volatility" is a dependent variable. Then, the third category is known as "linkage or rely variables" and have high dependence as well as driving powers; any action on them will affect on other variables in the higher level.
In our case, challenges of "throughput and low performance", "lack of standardization and interoperability", "privacy and information disclosure issues", "criminal activity and malicious attacks", "poor user experience", "suitability of blockchain", "lack of trust in new technology suppliers", "quantum resilience", "wasted resources or high energy consumption" and "users' credential loss" fall into the third cluster of linkage and any action on these challenges will affect others. The remaining challenges of "technology immaturity", "poor clarity regulatory provisions", "dependent on input information from external oracles", "scalability and bandwidth issues", and "smart contract issues" are those that fall under the fourth cluster and are named "Driving factors". Related to weak

MICMAC Analysis
A MICMAC ("Matrice d'Impacts Croisé Multiplication Appliquée à un Classement") analysis was developed by [198]. It provides better comprehension of the relationships among the challenges of blockchain adoption in a cyber-secure supply chain. The MICMAC analysis is conducted to analyze the driving and dependence power of the variables and classification into four different categories ( Figure 3).
From Figure 3, it could be observed that the dependance variables are graphed on the x-axis, while driving variables are generally plotted on the y-axis. The first category presents the variables with weak dependence and driving powers and has been clustered as "autonomous or excluded variables", which signifies that all types of these variables are incoherent with the system because they do not have any effect on the adoption of blockchain technology in CSCRM. No variable is identified in this category, which means that all the variables have high influence levels with each other. The second category consists of measures with strong dependence powers and weak driving powers, known as the "dependent variables". The dependent variables appear on the top levels of the ISM hierarchy model. In the present study, "cryptocurrency volatility" is a dependent variable. Then, the third category is known as "linkage or rely variables" and have high dependence as well as driving powers; any action on them will affect on other variables in the higher level.
In our case, challenges of "throughput and low performance", "lack of standardization and interoperability", "privacy and information disclosure issues", "criminal activity and malicious attacks", "poor user experience", "suitability of blockchain", "lack of trust in new technology suppliers", "quantum resilience", "wasted resources or high energy consumption" and "users' credential loss" fall into the third cluster of linkage and any action on these challenges will affect others. The remaining challenges of "technology immaturity", "poor clarity regulatory provisions", "dependent on input information from external oracles", "scalability and bandwidth issues", and "smart contract issues" are those that fall under the fourth cluster and are named "Driving factors". Related to weak dependence and strong driving powers, these challenges are the most significant factors that the CSCRM sees as an impediment at the point of adoption of BDLT technologies. regulatory provisions, dependent on input information from external oracles, scalability and bandwidth issues, and smart contract issues). This enables them to have more incentives for transiting into the digital operation phase.

Conclusions, Discussion of Findings, and Scope for Future Research
The adoption of BDLTs in the cyber secure supply chain is in its nascent stage, and there are numerous challenges that must be overcome before these innovative technologies proceed to the next phase. BDLTs have enormous potential to enhance the cybersecurity of a supply chain if the issues to its adoption are reinforced with favorable regulations and methods. To achieve this objective, this research conducted an analytical hierarchy "ISM-based model" approach to analyze the interactions among the identified BDLT challenges and to partition the challenges into levels based on their driving and dependency powers. In line with the previous literature, sixteen key BDLT challenges of CSCRM were identified and validated with a group of experts in academics and in the industries. Furthermore, our findings classified each challenge into one of four different kinds of power.
The findings from the study suggest that the challenges "technology immaturity", "poor clarity regulatory provisions", "dependent on input information from external oracles", "scalability and bandwidth issues", and "smart contract issues" with high driving and low dependence powers are the major challenges for adoption of blockchain in CSCRM and are placed at the bottom of the ISM model. The challenges "throughput and

Implications for Theory
The primary objective of this paper is to identify and rank the challenges affecting BDLT adoption in CSCRM and to unravel the causal relationships between them. From a theoretical point of view, the contribution of this paper is four-fold. First, this research adopted a comprehensive literature review and the opinion of experts with knowledge of blockchain to extract challenges of blockchain adoption in the CSCRM context. Second, this is one of the first studies of its type focusing on the challenges of BDLT adoption in CSCRM, modeling them using an ISM methodology in the structure of a hierarchical framework to envision the contextual relationships among the identified challenges. Third, using the MICMAC diagram, the influential challenges were clustered according to their driving and dependence powers. This research is expected to contribute to enabling researchers to propose and test theoretical models and different hypotheses based on the critical determinants of blockchain adoption in different supply chain contexts. Finally, the developed framework with the priority of the sixteen influencing challenges helps researchers and practitioners to get insights into a long-term capacity towards BDLTs adoption to achieve cybersecurity at a supply chain level.

Implications for Practice
The emergence of the imbalance towards the practical side of CSCRM in the realworld leads to a significant incentive for organizations to look at BDLTs from a cyber secure supply chain perspective, given the negative effects of cyber events that affect supply chain operations. For example, concerns include a lack of confidentiality during information sharing while maintaining data visibility and transparency between supply chain partners. Therefore, managers and employees are those who need to reach outside their "silo" activities and adopt a holistic view of cyber risks, as well as innovative solutions to deal with these risks. The most vital link problem from a cyber perspective in the supply chain could be identified via technologies, such as blockchain for leveraging the CSCRM process. However, the adoption of BDLTs comes with several challenges, including a lack of technology maturity, users' credential loss (e.g., wallet), and in some scenarios, being subject to cryptocurrency volatility; so, attention to them constitutes the main objective of this paper.
In this vein, the current study offers meaningful contributions for practitioners, consulting companies, and leading enterprises to be aware of the criticality and interplay of different influencing challenges and inter-relationships among them while implementing BDLTs in the CSCRM.
In this study, MICMAC analysis has been adopted to help the analysis of the driving and dependence powers of the challenges and their classification into four different clusters. The identified challenges in the "Drivers" cluster should be considered to guarantee the long-term success of BDLT-based cybersecurity in the industries since this is the early stage of development for BDLT technologies. These challenges are a pre-requisite to obtaining other challenges, which are the topmost reasons for an organization to make a decision for BDLT adoption and are reflected under the "dependent cluster" (cryptocurrency volatility). In this context, it is worth noting that the challenges in the "dependent cluster" are important because they need all the other challenges to reduce the impact of these challenges during the adoption of blockchain. However, a lot of focus on these challenges with high dependence and less driving power without considering a strong set of "driver" challenges will not be useful to manage the adoption of blockchain in CSCRM.
Therefore, for the sustained success of BDLT in CSCRM activities, decision-makers should also be aware of "driver" challenges (such as technology immaturity, poor clarity regulatory provisions, dependent on input information from external oracles, scalability and bandwidth issues, and smart contract issues). This enables them to have more incentives for transiting into the digital operation phase.

Conclusions, Discussion of Findings, and Scope for Future Research
The adoption of BDLTs in the cyber secure supply chain is in its nascent stage, and there are numerous challenges that must be overcome before these innovative technologies proceed to the next phase. BDLTs have enormous potential to enhance the cybersecurity of a supply chain if the issues to its adoption are reinforced with favorable regulations and methods. To achieve this objective, this research conducted an analytical hierarchy "ISMbased model" approach to analyze the interactions among the identified BDLT challenges and to partition the challenges into levels based on their driving and dependency powers. In line with the previous literature, sixteen key BDLT challenges of CSCRM were identified and validated with a group of experts in academics and in the industries. Furthermore, our findings classified each challenge into one of four different kinds of power.
The findings from the study suggest that the challenges "technology immaturity", "poor clarity regulatory provisions", "dependent on input information from external oracles", "scalability and bandwidth issues", and "smart contract issues" with high driving and low dependence powers are the major challenges for adoption of blockchain in CSCRM and are placed at the bottom of the ISM model. The challenges "throughput and low performance", "lack of standardization and interoperability", "privacy and information disclosure issues", "criminal activity and malicious attacks", "poor user experience", "suitability of blockchain", "lack of trust in new technology suppliers", "quantum resilience", "wasted resources or high energy consumption" and "users' credential loss" imply both strong powers; they play a key function in the tendency to adopt blockchain in CSCRM, and they need more attention. The challenge "cryptocurrency volatility" with high dependence and low driving power is located at the top of the ISM framework. No factor is identified as an autonomous factor, indicating that all the selected challenges should be paid attention to by policymakers. Given that BDLT adoption for cyber supply chain risk management is in its infancy, there are still a number of challenges behind the 16 barriers identified in this paper, which must be explored for their structural relationships that can be used to develop plans to overcome obstacles in the implementation of a BDLT-based cyber secure supply chain. Therefore, similar type of research can also be recommended in the future to eradicate any important obstacle that might have been affected in BDLTs' adoption in CSCRM. Despite the significance of the study, the current study was not without its limitations, one of which are the interdependencies among the selected challenges, which were developed based on judgments from academics and practitioners, which can be included the chosen experts' personal biases. To refuse the aforementioned problems in the outcomes of the study, further empirical studies could be conducted to quantity the effects of the explored challenges on blockchain adoption in the CSCRM and also examine the intensity of the causal relationship between them. Additionally, the use of empirical researches is recommended, such as confirmatory factor analysis (CFA) and structural equation modeling (SEM), to test and validate this proposed ISM-based model.