Review

The Anatomy of a Good Concept: A Systematic Review on Cyber Supply Chain Risk Management

by Yasmine Afifi Mohamed Afifi *, Abd Elazez Abd Eltawab Hashem and Raghda Abulsaoud Ahmed Younis

Business Administration Department, Faculty of Commerce, Cairo University, Giza 12613, Egypt

* Author to whom correspondence should be addressed.
Sustainability 2026, 18(3), 1151; https://doi.org/10.3390/su18031151
Submission received: 3 December 2025 / Revised: 21 December 2025 / Accepted: 26 December 2025 / Published: 23 January 2026
(This article belongs to the Special Issue Risk and Resilience in Sustainable Supply Chain Management)

Abstract

As contemporary global supply chains have become interconnected and exposed to diverse escalating cyber threats, Cyber Supply Chain Risk Management (C-SCRM) has rapidly evolved as a managerial imperative to safeguard security, robustness, and resilience, and hence ensure organizational sustainability and growth. While the concept of C-SCRM has recently received much attention among scholars, practitioners, and policymakers as an emerging field of study, its conceptual utility and theoretical foundation remain undeveloped. To address this gap, this paper provides a systematic literature review of C-SCRM using a hybrid approach that integrates bibliometric and concept evaluation analysis to ensure the goodness of the concept. A total of 175 relevant peer-reviewed scholarly articles from the Web of Science (WOS) Core Collection were collected and analyzed. The review reveals that the concept has many strengths, in terms of its interdisciplinary conceptual foundation and growing managerial relevance, but it also suffers from conceptual diffusion, overlapping terminology, and limited construct operationalization that inhibits theory development, hinders empirical accumulation, and limits practitioners’ ability to operationalize C-SCRM as a strategic resource. This review contributes to the C-SCRM literature by providing (1) a historical overview and intellectual structure of C-SCRM; (2) a synthesis and comparative analysis of the existing definitions; (3) an evaluation of the conceptual adequacy and theoretical relevance that underpin C-SCRM research based on established criteria and (4) conceptual and empirical research directions as well as an integrative framework. Based on the insights, our review might facilitate the improvement of multidimensional construct clarity and validation in future empirical studies and could be a useful tool for managers to benchmark C-SCRM maturity in practice.

1. Introduction

Have you ever heard about the global outage that occurred on 19 July 2024? Maybe you have heard about the disruptive event caused by the technical malfunction in CrowdStrike’s Falcon sensor software in the global news, which affected millions of devices and disrupted essential services across critical sectors [1,2]. The consequences of this global disruption were immediate and extensive, including, but not limited to, flight cancellations and delays in the airline industry, operational downtime in the banking sector, and service degradation in the telecommunications sector [2]. Beyond their immediate and extensive disruptions, these cyber incidents raise an important and intriguing question about the necessity of managing such cascading cyber risks throughout complex, volatile, and interconnected digital ecosystems [3].
In fact, contemporary organizations operate within digital networks characterized by interdependence among firms, customers, developers, and suppliers, rather than through traditional linear buyer–supplier relationships [4]. These interconnected digital networks are also known as cyber supply chain (C-SC) ecosystems, in which diverse actors in the supply chain are more likely to generate innovation and new services through collaboration and value exchange [4,5,6]. However, the heavy reliance on C-SCs has increased organizations’ exposure to diverse cyber risks [7]. As a result, these cyber risks jeopardize the integrity, confidentiality, and availability of supply chain assets, including systems and data beyond the focal organization, encompassing other stakeholders throughout the global supply chain network [7,8,9]. Accordingly, dealing with these risks is no longer a source of competitive advantage; it has become a strategic necessity for business survival and growth [5].
The concept of C-SCRM has recently attracted scholarly attention that traces back to the original conceptual works by [10,11], who developed the strategic approach to managing cyber risks across the entire supply chain network. Since then, the concept C-SCRM has evolved into a multidisciplinary novel research domain, drawing from multiple disciplines, including engineering, management science, operations research, and others [12]. In this regard, some empirical studies reveal that C-SCRM practices achieve positive outcomes at multiple levels. At the organization level, one stream of studies found that effective practices were associated with enhanced financial and non-financial performance [3] and improved organizational resilience [13,14]. Another stream at the network level found that C-SCRM was associated with improved supply chain visibility, integration, and resilience [7,14,15,16] as well as strengthened internal security, external security, and overall supply chain performance [17]. However, to date, research on C-SCRM definitions, practices, antecedents, and outcomes remains fragmented and limited [3,5,18]. Several research gaps in the extant literature motivate this study to proceed.
First, prior research highlighted the absence of a unified and coherent concept of C-SCRM. Namely, scholars used a variety of interchangeable and overlapping terms in the existing literature to explore the phenomenon of interest, including but not limited to cyber supply chain risk management (C-SCRM) [10,17,19,20], cyber supply chain security practices [21], cyber risk management in supply chain (CRM) [15], cyber-risks management in logistics firms for supply chain social sustainability [22], managing cyber risks in the supply chain [23,24], cybersecurity in supply chains [4,12,25], collaborative cybersecurity management capabilities along the supply chain [8], cybersecurity across the supply chain [26], cybersecurity risk management in supply chains [27], cybersecurity supply chain risk management [3], supply chain cyber resilience/cyber resilience in supply chains [7,14], and supply chain cybersecurity management [18]. Consequently, this fragmentation and terminological inconsistency make it hard for scholars and practitioners to compare the findings across studies and assess the coherence and maturity of the field of study [5,8,18,22,26].
Second, to the best of the authors’ knowledge, the literature still lacks a comprehensive and theoretically grounded assessment of C-SCRM as an integrated management concept. Although some SLRs have examined specific isolated topics related to cyber risks in supply chains, such as cybersecurity behavior [28] and information sharing [29,30], only a few have explicitly addressed the conceptual adequacy, theoretical coherence, and boundary conditions of C-SCRM as an emerging construct, e.g., [5,8,26]. As a result, C-SCRM still lacks an integrative framework that consolidates definitions, clarifies core attributes, and links C-SCRM to its underlying theoretical frameworks.
Third, recent years have witnessed a growing body of SLRs examining supply chain management trends and challenges, including but not limited to digitalization, resilience, sustainability, and risk management [31,32,33]. Yet, despite the recent increase in academic reviews, SLRs on C-SCRM remain limited in number and show shortcomings in methodological rigor [8,26]. For instance, most prior SLRs relied on review approaches such as narrative or thematic synthesis, and did not systematically map the intellectual structure or the evolution of the field or provide an integrative framework, e.g., [5,12,24]. Furthermore, several reviews relied on a relatively small number of selected articles, which might limit their ability to capture the breadth and interdisciplinary nature of C-SCRM, e.g., [5,18,24]. In addition, scholars have increasingly called for the adoption of science mapping techniques such as bibliometric methods alongside SLRs to consolidate fragmented knowledge and advance cumulative academic discourse [26,32,34,35].
To fill these notable gaps and respond to prior calls, this review aims to synthesize and assess the concept of C-SCRM based on 175 articles published from 2014 to early 2025. This review addresses four research questions:
RQ1: How has C-SCRM research evolved in terms of bibliometric features, publication trends, and citation dynamics?
RQ2: How has C-SCRM conceptualization evolved in terms of the key intellectual and disciplinary perspectives?
RQ3: How has the conceptual adequacy of C-SCRM been assessed, and to what extent is the concept theoretically coherent?
RQ4: How could we advance the conceptual clarity of C-SCRM?
In doing so, this study contributes to the C-SCRM literature in several ways. First, to the best of the authors’ knowledge, this review is one of the first to provide a rigorous conceptual clarification of C-SCRM by systematically synthesizing and evaluating existing definitions, boundary conditions, and core attributes using ref. [36]’s criteria. Second, it provides an integrated mapping of the field’s intellectual foundations and thematic evolution by combining bibliometric techniques and co-occurrence analysis to reveal the disciplinary roots, knowledge domains, developmental phases, and dominant research streams that have shaped C-SCRM scholarship between 2014 and early 2025. Third, it proposes an organizing framework that links antecedents, practices, mechanisms, and outcomes, thereby guiding future empirical research, survey design, and theoretical advancement. Fourth, it offers a road map for future empirical studies and survey design in the measurement development of C-SCRM. Finally, the findings provide evidence-based insights into both theoretical development and practical implementation of C-SCRM in management and organizational studies.
The remainder of this paper is organized as follows. The following section provides the conceptual background of C-SCRM. This is followed by the systematic review methodology in Section 3. The results and discussion of the emerging thematic and conceptual patterns will be presented in Section 4. Finally, the theoretical and practical implications, limitations, and future research directions will be provided.

2. Research Background: Setting the Conceptual Stage

C-SCRM has been an important topic of interest in multiple fields, such as supply chain management, risk management, and cybersecurity/information management [10,37]. Its conceptual developments have been extensively discussed separately, where each field offers distinct perspectives regarding how cyber risks originate, propagate, and can be mitigated across the interconnected supply chain networks [20].
Existing definitions of C-SCRM vary due to differing disciplinary perspectives. Early scholarly work in this area tended to focus on the academic definitions of C-SCRM as a novel field that integrates diverse elements, theories, and methods to strategically control critical IT systems and digital assets across the supply chain lifecycle [10,37]. Others broadened the conceptualization to include the social perspective in terms of inter-organizational coordination and integration [15,20]. Thus, the distinction between C-SCRM policies, processes, and controls of the entire supply network rather than isolated firm-level initiatives has been extensively highlighted [5,17,20].
Furthermore, practitioners play a crucial role in shaping the conceptualization of C-SCRM. For instance, the National Institute of Standards and Technology (NIST) CSF 2.0 provides an overview of C-SCRM [3]. The framework conceptualizes C-SCRM as an integral element of the governance function, which has become a separate function in the risk management process [3]. NIST emphasizes that managing supply chain cyber risks requires social and technical measures in terms of executive oversight, policy alignment, and organization-wide integration, rather than being solely an operational activity. Even more importantly, it was found that the terms cybersecurity supply chain management and cyber supply chain risk management have been used interchangeably in the NIST Cybersecurity Frameworks.
Moreover, Table 1 shows that prior SLRs differ in their scope, time span, and methodological rigor. First, most of them employed fragmented methodologies without proposing guiding frameworks, e.g., [8,12,24]. Second, most reviews focus on specific subtopics, such as cyber risk taxonomy, countermeasures, employee behavior, or collaborative practices, rather than providing a holistic conceptual evaluation of C-SCRM as an emerging management construct. Third, although earlier reviews employ established analytical frameworks (e.g., ADO or 2W+1H), none of them provide a comprehensive conceptual assessment or integrate bibliometric or science-mapping techniques to examine the field’s intellectual structure and evolution.
As previously highlighted, the conceptualization and measurement of C-SCRM remain a core challenge, which creates critical difficulties for both researchers and practitioners. For researchers, definitional ambiguity of the concept poses difficulties for coherent theoretical building, operationalization, and comparative empirical testing of relationships. Without conceptual clarity, researchers could examine different constructs under the same label, which hinders cumulative knowledge development and integrative research streams. For practitioners, the absence of a unified measurement of C-SCRM poses substantial managerial challenges to benchmark practices, such as defining organizational roles and responsibilities, identifying effective governance mechanisms, and addressing human-resource and capability gaps across firms and industries.
In response to the above discussion, this study aims to systematically synthesize the intellectual landscape, evaluate the conceptual adequacy of existing definitions, and clarify the interdisciplinary construct’s theoretical boundaries of C-SCRM. We seek to propose a framework that could advance conceptual clarity of how C-SCRM functions as a coordinated governance and control system within digitally interconnected supply chains.

3. Methodology

This review adopted a hybrid systematic design that was selected for two primary reasons. First, prior SLRs relied on thematic or narrative methods, which have limited their ability to map the intellectual structure and structural evolution of the field (for more details, see Table 1). Second, bibliometric techniques are insufficient on their own to address the conceptual ambiguity and theoretical coherence of C-SCRM [8,32,34,35]. Therefore, this review integrates bibliometric analysis with qualitative conceptual evaluation to enhance the robustness of the findings and support a theoretically meaningful synthesis. Furthermore, it adapted the established guidelines and protocols for conducting systematic literature reviews in management, e.g., [34,38]. A detailed description of the steps is presented as follows.

3.1. Data Sources and Search Strategy

This review used Web of Science (WoS) Core Collection as the primary database for conducting high-quality systematic reviews in management [38]. WoS was selected because it has been widely characterized by its rigorous selection criteria, comprehensive citation indexing, and suitability for identifying relevant articles while reducing duplication [38].
Further, a search strategy was developed using specific keywords such as “cyber supply chain risk management” and other associated terms that were derived from the existing articles. These keywords were applied to the articles’ titles and abstracts (see Figure 1). As a result, the initial search yielded 4157 documents.

3.2. Inclusion and Exclusion Criteria

Following the initial database search, several inclusion criteria were defined as proposed by [39] to ensure the conceptual and methodological relevance of the selected articles (for more details, see Figure 1). Only documents that met the following criteria were considered: (1) peer-reviewed journal articles published between 2014 and early 2025; (2) English-language publications; (3) articles with a business and management focus rather than purely technical or engineering perspectives; (4) journals in the Social Science Citation Index with impact factors ≥ 1.0; (5) journals ranked A* or A in the Australian Business Deans Council (ABDC) list. This stage resulted in 318 articles that were ready for screening.

3.3. Screening and Sample Selection

After removing records that did not meet the predefined criteria (e.g., non-journal articles, non-English publications, and records outside the time frame), the dataset of 318 articles remained for initial screening. Study selection was conducted in two main screening phases. The first one focused on screening titles, abstracts, and keywords, and non-relevant records were removed. The second involved full-text screening of all remaining articles based on conceptual alignment with our research objectives. This resulted in 175 articles, which were retained for subsequent analysis (see Figure 1).

3.4. Data Preparation and Coding

The final dataset of 175 articles was exported from WoS in full-record format, including bibliographic information, author names and affiliations, abstracts, keywords, cited references, etc. The processed dataset was then ready for the subsequent data analyses.

3.5. Data Analysis Techniques

The cleaned and extracted dataset was analyzed using bibliometric and conceptual analyses. Bibliometric analysis was conducted to map and visualize the intellectual landscape and thematic structures of C-SCRM research over time. The analysis was primarily conducted using VOSviewer (version 1.6.19), which provides comprehensive bibliometric mapping and visualization of co-occurrence and citation networks [40]. To enhance methodological rigor and reduce tool-specific bias in science-mapping studies, the results were cross-validated using Biblioshiny, the web-based interface of the Bibliometrix R package 5.2.1.
In addition, conceptual analysis was conducted and presented to assess the conceptual adequacy of C-SCRM, using ref. [36]’s eight criteria: familiarity, resonance, parsimony, differentiation, coherence, field utility, theoretical utility, and depth.

4. Publication Trends and Growth

This section addresses RQ1: How has C-SCRM research evolved in terms of bibliometric features, publication trends, and citation dynamics? The annual publication counts and citation patterns were analyzed using bibliometric data extracted from Web of Science and verified using Bibliometrix R package 5.2.1 [40,41].

4.1. Temporal Evolution of C-SCRM Research

Figure 2 shows the annual distribution of C-SCRM publications and citations before applying the exclusion and inclusion criteria. It can be observed that there is a growing scholarly interest and impact over time, with a steady increase in the number of publications and citations.
Table 2 further reveals the four distinct phases in the development of C-SCRM research, which reflect the field’s maturation from a nascent conceptual idea into a multidisciplinary research domain shaped by escalating cyber incidents, digital transformation, and increasingly interconnected supply networks.
First, the foundational phase began with two main articles published in a Technovation special issue [11]. That special issue set the conceptual boundaries between C-SCRM and other related domains such as cybersecurity, risk management, and supply chain management [10,21]. It was found that these early works were primarily conceptual and descriptive in nature rather than empirical studies that tested specific hypotheses.
Second, in the emerging phase, articles sharply increased to 20 with a 115.4% compound annual growth rate (CAGR). This phase was marked by the 2017 NotPetya attack, which propagated globally through interconnected supply networks [42]. Consequently, researchers differentiated cyber supply chain risks from traditional cybersecurity threats and supply chain disruptions [23]. It was found that most studies relied heavily on qualitative research methods, such as case studies.
Third, in the expansion phase, articles surged to 60 with a CAGR of 44.2%. It was revealed that the annual output nearly tripled compared to the previous phase. This phase was characterized by three key factors: COVID-19 pandemic disruptions, rapidly accelerated digital transformation initiatives, and high-profile breaches. It was found that methodological approaches in this phase were diverse, including quantitative modeling, survey-based studies, and theoretical frameworks [26].
Finally, the maturation phase accounts for more than half of the total articles, with a CAGR of 24.5%. In this phase, researchers shifted toward more sophisticated analytical approaches, developing complex models that examine how multiple variables interact and building predictive frameworks for cyber risk assessment [3,23].
Overall, it can be concluded that C-SCRM remains an active research area, where the field is moving from exploration to theoretical refinement and integrative model development as depicted in Figure 3 and Figure 4.

4.2. Journal Distribution and Publication Landscape

There were 175 reviewed articles on C-SCRM published in 64 academic journals. We ranked journals based on total publications; those having more publications receive better rankings (see Appendix A Table A1). We found that the top 5 include: Computers and Security (n = 15), IEEE Transactions on Engineering Management (n = 11), International Journal of Accounting Information Systems (n = 9), MIS Quarterly Executive (n = 9), Technology in Society (n = 8).
Interestingly, based on the results, Computers and Security is the most prominent journal, which reflects the field’s strong foundational roots in cybersecurity and information assurance, whereas IEEE Transactions on Engineering Management and MIS Quarterly Executive bridge the gap between technical systems design and managerial decision-making. Further, the presence of management-oriented outlets such as Technovation, Technology in Society, and the International Journal of Information Management demonstrates a gradual shift beyond purely technical discussions toward strategic, organizational, and policy-oriented debates.
Furthermore, we classified journals based on core research areas/fields, as C-SCRM is an interdisciplinary field that draws from information systems, supply chain management, and risk management. We found that most of the articles focused on information systems (n = 115), risk management (n = 22), and supply chain management (n = 17), respectively. This shows that the field might skew more towards the technical perspective.

4.3. Domain Mapping and Conceptual Integration

The analysis reveals that the concept of C-SCRM combines three terms: cyber, supply chain, and risk management. Hence, it represents an interdisciplinary field that integrates technical and non-technical perspectives to address cyber threats along entire supply chain networks. Table 3 shows the conceptual domain contributions across the developmental phases, revealing important insights into the field’s intellectual development. According to Table 3, the most dominant field is the cyber/information security field (n = 115, 64.6%), followed by the risk management field (n = 22, 12.57%), other fields (n = 21, 12%), and supply chain management (n = 17, 9.71%), respectively. The findings imply that scholars mainly focused on the technical perspective of investing in systems infrastructure rather than the managerial perspective of dealing with cyber risks, e.g., [43,44]. Later, scholars found that dealing with cyber risks can be recognized as a continuous risk management process to ensure organizational sustainability and resilience, especially during times of uncertainty or crises, such as the COVID-19 pandemic, e.g., [45,46]. It was found that cyber supply chain risks cannot be addressed within a single field. Instead, they require joint efforts across disciplines like management, information systems, engineering, and cybersecurity, e.g., [47,48]. In contrast, the supply chain management field demonstrates the least contribution to C-SCRM research compared with other fields. SCM literature primarily sheds light on the key roles of visibility, integration, coordination, and interdependence in managing and mitigating cyber risks across the entire supply chain network. SCM literature has particularly emphasized how to protect interconnected supply chain actors and ensure operational continuity under cyber threats, e.g., [3,15,19,23].

4.4. Most Influential Publications

Table 4 provides the list of the most influential articles based on citation impact. The most cited papers were found to be [49,50], who suggested the behavioral perspective to deal with cyber risks and found that employee awareness training was associated with positive cybersecurity outcomes by influencing employee behavior. Another top contribution was made by [10] who introduced a two-dimensional strategic control framework for cyber defense in depth and in breadth to manage cyber risks across extended enterprise networks. Similarly, ref. [51] advocated the importance of different strategies combining technical and non-technical to address cybersecurity risks. Furthermore, ref. [52] applied simulation-based modeling to examine decision-making biases in developing cybersecurity capabilities.
The results indicate that highly cited works increasingly adopt a human-centric approach to mitigating cyber risks. These results indicate that technical measures are no longer sufficient; this supports an important thematic shift toward integrated management and highlights the increasing recognition of managerial and organizational measures in C-SCRM.

4.5. Most Influential Countries

The 175 articles were published across 20 countries. As shown in Table 5, the top five cited countries based on number of articles include the United States (n = 74), United Kingdom (n = 18), China (n = 9), India (n = 6), Canada (n = 4), Italy (n = 4), and the Netherlands (n = 4). As expected, the United States holds a dominant position in C-SCRM research, accounting for 42.3% of the total highly cited publications. This dominance can be attributed to sustained policy-driven initiatives and governmental investment that have fostered extensive academic-industry collaboration, particularly through frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC).

5. Conceptualization Patterns

This section addresses RQ2: How has C-SCRM conceptualization evolved in terms of key intellectual and disciplinary perspectives? This includes examining definitional trends, core attributes, conceptual adequacy, and thematic structures.

5.1. Definitional Analysis of C-SCRM Concept

Over the past years, C-SCRM has evolved into a developing field of research. The early definition of C-SCRM was proposed by [10], who conceptualized it as organizational strategies and initiatives aimed at identifying, assessing, and mitigating cyber and information risks across end-to-end supply chain operations. This definition mainly reflects that C-SCRM is no longer purely a technical measure but has also become a strategic function. Building on this foundation, ref. [37] refined the concept as a strategic process that overlaps with the term cybersecurity risk management, with its response strategies, policies, and procedures grounded in the NIST Cybersecurity Framework.
Table 6 reports a list of representative definitions in C-SCRM research to distinguish foundational contributions from more recent or less diffused conceptualizations. Based on the results, we found two dominant synthesized definitions of C-SCRM. The first definition mainly reflects a systematic process of managing exposure to cybersecurity risks. This aligns with the NIST Cybersecurity Framework’s five sequential functions, namely identify, protect, detect, respond, and recover, which act as a continuous lifecycle for mitigating cyber threats [15,37]. The second mainly focuses on a set of practices that firms implement to manage current and potential cybersecurity risks along the supply chain network [3,10,17,20]. This practice-oriented view highlights the role of supply chain management in terms of systems integration and visibility as key antecedents of cyber-resilient supply chains.
According to the citation-based analysis, there are three influential definitions proposed by [10,19,26], each exceeding 50 citations. These definitions conceptualize C-SCRM either as a strategic resource or an adaptive capability. In this regard, recent studies introduce emerging terms such as dynamic capabilities and digital supply ecosystems [15,25]. While these definitions remain in the early stage of scholarly diffusion, they confirm the paradigmatic shift toward more integrated and capability-oriented perspectives on C-SCRM.

5.2. Core Attributes of C-SCRM Definitions

Based on the existing definitions, the concept of C-SCRM is a multidimensional concept with several core attributes (see Table 7). First, all major definitions confirm that C-SCRM drew from the integration of cyber and supply chain risk management to address how cyber threats propagate through supplier networks, digital dependencies, and third-party relationships [19,23,24,26]. Second, nearly all the definitions revolved around the end-to-end supply chain scope that extends beyond internal IT systems to include external dependencies of suppliers, vendors, logistics partners, cloud service providers, third parties, and customers, which reflects a network perspective, e.g., [3,23]. Third, several definitions conceptualize C-SCRM as an enabler of resilience or a defensive risk practice. On one hand, some conceptualize C-SCRM as a dynamic capability to anticipate, withstand, recover, and adapt to cyber incidents [7]. On the other hand, others reflect the systematic risk management principles, such as identifying vulnerabilities, assessing cyber exposures, and implementing mitigation or control measures [10,15,20].

5.3. Critical Evaluation of C-SCRM Concept

This section addresses RQ3: How has the conceptual adequacy of C-SCRM been assessed, and to what extent is the concept theoretically coherent? As noted by [124], strong strategic concepts should balance academic rigor and practical relevance. We assessed the conceptual goodness of C-SCRM based on ref. [36]’s eight established core criteria: familiarity, resonance, parsimony, coherence, differentiation, field utility, theoretical utility, and depth.

5.3.1. Differentiation

Differentiation refers to the extent to which a concept is clearly distinct from other overlapping concepts [36]. Our review reveals that several terms have been used interchangeably across the reviewed articles, including ICT Supply Chain Risk Management, Supply Chain Cybersecurity, and Cyber Supply Chain Risk Management [21]. This overlap arises because the concept's defining attributes have multidisciplinary roots and its conceptual boundaries are blurred. Furthermore, ref. [19] differentiated the concept of C-SCRM based on a holistic approach that integrates processes, people, technology, and social relational factors with supply chain partners. Although dealing with cyber risks has historically evolved within distinct disciplines such as cybersecurity, risk management, and supply chain management, their integration into different concepts such as supply chain risk management [26,125], cyber risk management [27], or C-SCRM [10,37] remains conceptually fluid and sometimes elusive. As a result, the absence of a unified definition may lead to inconsistencies in the interpretation and comparability of findings, with the risk of comparing apples to oranges. We suggest that C-SCRM evolved through the fusion of supply chain management (SCM), risk management (RM), and cyber/information security (INFOSEC) into supply chain risk management (SCRM) and cyber risk management (CRM), as illustrated in Figure 5. Based on the above findings, we assessed its differentiation as low due to the definitional ambiguity and the concept-stretching debate. This implies the need for sharper conceptual boundaries that distinguish C-SCRM from both traditional SCRM approaches, which mainly focus on physical flows and operational risks, and CRM, which mainly focuses on internal IT system vulnerabilities.

5.3.2. Resonance

Resonance indicates whether the concept connects with its intended audiences in a meaningful way [36]. As previously highlighted, the term C-SCRM combines three widely used terms: cyber, supply chain, and risk management. Each component draws upon a distinct disciplinary foundation: “cyber” originates from information technology and security; “supply chain” from supply chain management; and “risk management” from business governance and compliance. When these elements are integrated to form C-SCRM, the concept becomes intuitively relevant to diverse stakeholders, including but not limited to infosec, IT, procurement, and enterprise risk managers. In addition, the concept has become meaningful because it aligns with cyber supply chain incidents that have occurred, such as SolarWinds, the CrowdStrike disruption, and other attacks. Based on these findings, we assessed the resonance of the concept as high.

5.3.3. Field Utility and Practical Relevance

Field utility assesses the usefulness of the concept across fields [36]. In this regard, some studies have operationalized C-SCRM practices and measurement scales that align with the risk management field and have adapted practices from the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and the International Organization for Standardization (ISO) across various industrial contexts [15,37]. Other empirical studies have started to adapt the practices from the perspective of supply chain management [3,20].
However, to date, scholars have operationalized, measured, and compared C-SCRM in diverse ways. Based on the above findings, we assessed the field utility as high, because the concept is used in multiple domains with different scales and contexts (for more details, see Table 8 and Table 9).

5.3.4. Theoretical Utility and Depth

Theoretical utility reflects the concept’s ability to generate, test, or develop theories [36]. In this review, several theoretical perspectives were found to have been employed in C-SCRM research, including maturity models, institutional theory, and dynamic capabilities theory (DCT). For instance, DCT has been particularly used to explain how organizations sense vulnerabilities, seize mitigation opportunities, and reconfigure processes [3,15,47]. These studies therefore support the view that C-SCRM acts as a resource to build information-security resilience capabilities [47], improve operational/financial outcomes [3], and create internal–external cybersecurity integration and build resilience and robustness to cyber risks [15]. Based on the above findings, we assessed the theoretical utility of C-SCRM as moderate to high.

5.3.5. Parsimony and Conceptual Complexity

Parsimony means that a concept’s defining attributes or dimensions are simple, precise, clearly articulated, and non-redundant while retaining explanatory depth [36]. C-SCRM is a holistic and interdisciplinary concept that integrates people, processes, technology, and inter-organizational relationships across extended supply networks.
Nevertheless, scholars have not yet reached a global unified conceptualization. For example, ref. [37] aligned their scale with the five functional phases of the NIST Cybersecurity Framework. Building on this, ref. [20] developed and validated a three-dimensional scale, including governance, systems integration, and operations. Similarly, ref. [15] introduced the term Supply Chain Cyber Risk Management Strategies (SC-CRM) and adapted the NIST framework to reflect external supply chain risk management strategies. In contrast, ref. [15] employed two core dimensions, including internal organizational practices, strategy, objectives, policies, and integration with enterprise risk management, and external supply chain practices, including supplier prioritization, cybersecurity requirements, and joint incident response planning.
This diversity reveals persistent disagreement regarding its core dimensions (see Appendix A Table A2). Some studies emphasize the NIST’s six cybersecurity phases, including govern, identify, protect, detect, respond, and recover [37]. Other studies adapted the scale from the NIST framework to only focus on the external relational perspective of managing cybersecurity risks and developed the scale of supply chain cybersecurity risk management strategies [15]. This inconsistency indicates that researchers are conceptualizing different aspects of the same concept. Furthermore, each dimension requires multiple indicators to create a measurement scale with extensive items. For instance, the multidimensional nature of the construct was divided into internal and external practices [3], governance, system integration, and operations [5,10,20,126] and five core NIST functions [10,15]. Given its extensive scope, we assessed the parsimony of C-SCRM as low.

5.3.6. Coherence and Theoretical Integration

Coherence refers to how well the different features or attributes that make up the concept logically fit together [36]. It is evident that there is persistent terminological overlap among different terms in the existing literature, such as cybersecurity across the supply chain [26], cybersecurity supply chain risk management [3], supply chain cyber risk management [15], managing cyber risks in supply chains [19,23], cybersecurity risk management in supply chains [27], and cyber risk management in supply chains [22]. However, to date, there is a lack of consensus on conceptual scope and disciplinary ownership. Accordingly, we assessed the coherence of C-SCRM as low.

6. Thematic Evolution and Knowledge Domains

This section presents a systematic co-occurrence analysis to identify the thematic clusters that have evolved over time in C-SCRM research. We analyzed keywords and phrases extracted using VOSviewer software [40]. After applying a minimum occurrence threshold of 10 appearances, we found 1340 qualified terms and 408,734 linkages with a total link strength of 165,626. In this regard, Figure 6 and Figure 7 were generated using VOSviewer (https://www.vosviewer.com/) to visualize keyword co-occurrence networks and their temporal evolution.
An additional analysis was conducted using Biblioshiny (Bibliometrix package in R) to ensure the robustness and validity of the VOSviewer-based visualizations. Using multiple tools could be considered as recommended practice to enhance the reliability and validity of the findings [13]. Accordingly, Figure 8 and Figure 9 were produced using Biblioshiny to validate the conceptual structure and thematic stability of the identified clusters.
Based on the above analyses and visualization, Table 10 summarizes five distinct clusters, where each one is characterized by its research focus, theoretical orientations, and evolutionary characteristics.

6.1. Red Cluster: Strategic-Organizational Perspective (38.9%)

The red cluster was the dominant cluster, which had grown rapidly since 2020. This reflects the paradigm shift in addressing cyber risks from purely technical measures to an integrated management that focuses on people, processes, and technologies. Representative terms within this cluster include governance, cybersecurity awareness, employee behavior, cybersecurity investment, supply chain resilience, organizational culture, cybersecurity policy, frameworks, and decision-making processes.
Two theories are drawn from this cluster: the Resource-Based View (RBV) and the Institutional Theory, emphasizing how organizations develop and deploy practices as strategic resources while responding to institutional pressures for cyber supply chain security and resilience. Dealing with cyber risks has widely been recognized as a key strategic priority for organizations across all industries [5,8,26,127,128,129,130,131,132,133,134,135,136].
This cluster highlights some strategies adopted by senior management that generally align with the organization’s broader business strategies. One prominent research stream mainly focused on strategic cyber defense in breadth and in depth [5,17,20,126,137]. Governance requires the execution of information security policies and security procedures [14,31], embedding cybersecurity into core business strategy, and coordinating governance mechanisms that align with different stakeholders [5,17,20,126]. Another prominent research stream primarily focused on cyber risk management controls in supply chains as antecedents for achieving security and resilience [14,15,31,138]. A third research stream investigated the role of human factors in managing cyber risks. For instance, several studies highlight the critical role of senior management commitment, participation, and ethical leadership as vital antecedents for cultivating a strong information security culture and ensuring compliance [31,39,139,140]. Human capital further influences cybersecurity outcomes: CIO experience and tenure have been shown to affect cybersecurity performance [74,141]. More broadly, employee awareness, training, and behavior are essential in mitigating risks, particularly since human error accounts for over 90% of cyberattacks [142,143,144,145,146,147,148,149,150]. In addition, trust between supply chain partners affects how cyber risks are managed in supply chains, as organizations may be reluctant to share sensitive information or become dependent on partners’ systems [151]. Building the necessary trust relationships requires time and sustained effort from all parties involved [152]. Despite this, many organizations continue to prioritize technical controls while underestimating the crucial role of psychological factors [153,154,155,156].

6.2. Green Cluster: Operational-Analytical Perspective (36.6%)

This cluster is grounded in the technical perspective of addressing cyber risks that might emerge from any nodes in the fragmented and globally dispersed supply chains [24,151]. Previous studies employed quantitative and simulation models to support decision-making under higher uncertainty [157,158,159,160,161,162,163], whereas others developed advanced algorithms for real-time recovery, predictive analysis, and adaptive defense [54,164,165,166,167,168,169,170,171,172,173]. Representative terms include threat detection, performance metrics, incident response, IoT security, threat intelligence, and system monitoring.

6.3. Blue Cluster: Technical/System Integration (23.4%)

This cluster mainly captures the idea of integration, which refers to the technical and organizational process of making different systems, data, applications, and processes work together within and across firms to enable seamless information flow and improve the decision-making process, which could lead to increased C-SC security and resilience [5,10,20,126]. In the context of C-SCRM, systems integration has become one of the key components of managing cyber supply chain risks to ensure the secure and efficient flow of information across an organization’s various functions and with other stakeholders [5,10,20,126,174]. While the C-SCRM framework of ref. [10] focused primarily on supplier control and threat modeling to achieve C-SC resilience, it did not explicitly mention customer integration in the systems integration. Gani and colleagues adopted a broader relational view of integration with partners and suppliers, as well as internal integration [5,20,126].
According to [15], systems integration includes both internal and external integration, which was one of the outcomes of C-SCRM rather than a component itself, and was then used as a mediating mechanism to enhance resilience and robustness of the supply chain. Most of the literature was focused on technological infrastructure integration, such as linking hardware, software, and networks (e.g., ERP, IoT, cloud platforms) [127].

6.4. Yellow Cluster: Emerging Technologies & Innovation (1.0%)

This cluster highlights the role of digital transformation and growing interest in emerging technologies. However, this small cluster size reflects the nascent nature of these applications within the field. Representative terms include artificial intelligence, machine learning, innovation processes, rapid development, and emerging technology integration. Some raised concerns about the role of emerging technologies in addressing cybersecurity issues [84,91,107,175,176,177,178,179]. Others introduced the framework of digital supply chain management to address cyber threats [25]. However, to date, the role of emerging technologies adoption has not been well investigated.

6.5. Purple Cluster: Cross-Domain Integration (0.1%)

This cluster represents the emerging interdisciplinary approaches that combine multiple cluster perspectives [9,180,181,182,183,184,185]. This nascent cluster suggests early recognition of the need for integrated management approaches that extend individual domain boundaries [186]. Rather than dealing with each dimension separately, C-SCRM can be viewed from an integrated management approach that combines organizational, managerial, and technical aspects [142,186].

7. Discussion

C-SCRM has been an area of interest for academic researchers, practitioners, and policy makers. This section presents the main insights derived from the bibliometric and conceptual analyses. It begins by providing a summary of a substantial number of findings that emerged from bibliometric analysis.

7.1. Summary of Key Findings

This review provides a comprehensive synthesis of the C-SCRM literature by integrating bibliometric analysis with qualitative conceptual evaluation. The findings reveal that the thematic evolution of C-SCRM has had a paradigm shift from technical-centric to an integrated management-centric and interdisciplinary perspective. The thematic map identified five dominant knowledge domains that highlight the growing importance of governance, systems integration, human factors, and strategic coordination across supply networks.
Furthermore, the conceptual evaluation found that C-SCRM continues to suffer from semantic conceptual confusion. This finding is consistent with previous research, which highlighted that the concept of C-SCRM remains underdeveloped [3,8,14]. Scholars have been debating how the concept of C-SCRM was defined, operationalized, and measured [3,8,14]. Although strong arguments exist in favor of adopting NIST-based risk management frameworks, e.g., [3], this review identifies several unresolved questions regarding what makes a “good” concept of C-SCRM. According to this perspective, overlapping definitions, internal contradictions among a concept’s defining attributes, and imprecise operationalizations were among the most common sources of conceptual confusion in this review. The findings also indicate that the concept formation of C-SCRM could be viewed as a dynamic and evolving process. Hence, good conceptualization requires a balance between eight core criteria that support its conceptual development as a vital construct in both supply chain and cybersecurity research.

7.2. Theoretical Contributions

This review has made several contributions to the C-SCRM literature. First, this review provides a systematic examination of the often-muddy conceptualization of C-SCRM. Rather than focusing on descriptive comparison of definitions in extant literature, this study rigorously evaluates the conceptual adequacy of C-SCRM using the criteria of [36], including differentiation, coherence, parsimony, and theoretical utility. Hence, this clarification contributes to theory-building of C-SCRM since it strengthens construct validity, which is considered a prerequisite for cumulative research (clearer boundaries vs. cybersecurity risk management, traditional SCRM, CRM; clearer “what it is” and “what it is not”).
Second, this review proposes an integrated management lens for dealing with cyber risks (see Figure 10). Rather than treating cyber risks as a common area of interest across different isolated disciplines, it situates C-SCRM as an integrated management construct by addressing the conceptual diffusion and overlap with different disciplines.
Third, it provides a comprehensive definition of C-SCRM as an integrated cross-organization governance and operational capability through which a focal firm and its supply network partners identify, assess, mitigate, and adapt to cyber threats that propagate through digital interdependencies, information flows, and multi-tier supplier relationships. C-SCRM consists of a coordinated set of technical, managerial, and relational practices that could ensure the internal and external security of interconnected supply-chain assets and sustain supply network resilience and continuity. This definition captures its multidisciplinary nature and distinguishes it from traditional constructs by emphasizing its relational, network-based, and cross-organizational characteristics. Similarly, existing studies have measured the construct in a fragmented manner through three dimensions: governance, systems integration, or operations. The proposed definition provides a clear conceptual root for specifying C-SCRM as a multidimensional construct comprising governance, systems-integration, and operations.
Fourth, we present the proposed model that was built upon the proposed definition and thematic analysis (see Figure 11). This framework links antecedents, practices, and outcomes of C-SCRM and highlights the behavioral, psychological, and socio-technical mechanisms that shape their interrelationships. Some key antecedents identified from the occurrence analysis include digital transformation, organizational investments in cybersecurity, the evolving cyber risks, and pressures from key stakeholders. These antecedents set the foundational conditions that motivate focal firms to strengthen cybersecurity capabilities across their supply networks. The framework also identifies the mechanisms through which C-SCRM creates value. Governance, systems integration, and operations together act as resource-capability-building processes that translate antecedents into cyber preparedness across the supply network. These mechanisms are shaped by behavioral and psychological factors that explain how and why C-SCRM relationships operate across organizations. Furthermore, the sociotechnical moderators determine the strength and directions of C-SCRM effects. These factors capture the interplay between technological factors and organizational behavior within the broader network. The framework also integrates supplier and customer relationship management as contextual conditions that could strengthen or weaken C-SCRM effectiveness across the supply network. Moreover, the framework identifies some C-SCRM outcomes. At the individual level, C-SCRM practices could turn into enhanced awareness and secure behavior. At the organizational level, C-SCRM capabilities lead to improved security performance. At the network level, C-SCRM practices could improve internal and external security and strengthen ecosystem resilience and robustness against cyber threats. 
The framework also proposes feedback loops, where achieving these outcomes could reshape the antecedents (e.g., investment priorities), suggesting a potential element of reverse causality in the system, which means that C-SCRM is a dynamic and evolving process.
This review also contributes to theoretical building and theory testing by providing the theoretical framework to understand C-SCRM from new integrative theoretical frameworks. For instance, the Dynamic Capability theory has primarily been used to explain how organizations sense, seize, and reconfigure resources to respond to turbulence. Recent research has begun to conceptualize security resilience and incident response agility as dynamic capabilities that organizations aim to achieve through continuous learning, information processing, and adaptive reconfiguration [47,187]. Hence, it extends the lens of managing cyber risks from a focal firm-centric to a network-level perspective [7,15]. It can be used to specify (i) how cyber threats propagate through inter-firm digital dependencies, and (ii) which organizational and relational mechanisms translate sensing/seizing/reconfiguring into supply network security and resilience. It conceptualizes C-SCRM as a distributed, cross-organizational capability enacted through governance, systems integration, and operations across multi-tier relationships. In doing so, it explores the mechanisms through which dynamic cyber-risk capabilities convert antecedent conditions (e.g., digital transformation, cyber incidents, investment) into preparedness, continuity, and resilience outcomes at the ecosystem level.
Also, institutional theory and stakeholder theories could be used to understand how institutional factors (e.g., global digital sovereignty requirements) and customer-driven normative pressures encourage the adoption of C-SCRM practices [92,123,188,189,190,191]. In fact, these two theories could be integrated to distinguish between (a) institutional and stakeholder pressures as antecedents, (b) governance and inter-organizational coordination as the mechanisms, and (c) contingent moderators (e.g., relationship management conditions and sociotechnical context) that influence effectiveness. This extends institutional theorizing beyond adoption toward the design, alignment, and performance of C-SCRM across partners.
Sociotechnical systems theory posits that effective management of cyber risks requires socio-technical coordination mechanisms that align people, processes, and technologies into a coherent management system [142,192]. Governance structures, systems integration, and operational controls must be incorporated into the C-SCRM system and can be complemented by behavioral and cultural mechanisms (e.g., digital skills, training, awareness, and compliance routines) to improve security, resilience, and robustness across the entire supply chain [99,116,147,193,194]. Thus, sociotechnical theory helps explain why purely technical measures may be insufficient unless they are supported by aligned organizational routines and human-centered practices [31,78].

7.3. Practical Contributions

This review provides several implications. First, it provides business and technology leaders, as well as professionals, with a strategic necessity to navigate the complexities of cyber threats from an integrated management perspective. Rather than treating cybersecurity threats as a purely technical or IT-driven function, the framework underscores the need for designing a C-SCRM system that involves managing processes, people, technologies, and cross-coordination and integration.
Second, the proposed framework provides actionable guidance to benchmark C-SCRM maturity across organizations along the interconnected supply chain. Senior executives and managers should, therefore, ensure cross-functional ownership of cyber risks, clear accountability structures, and alignment between cybersecurity and supply chain strategies.
Third, this review has important implications for policymakers and regulatory bodies as it encourages the integration of I4.0 technology adoption into C-SCRM principles to achieve cyber supply chain security and digital resilience. Policymakers, in turn, can also encourage business investments in adopting advanced digital and I4.0 technologies, such as AI-enabled risk monitoring, threat intelligence sharing platforms, and automated supplier risk assessment tools. In addition, regulatory guidance and incentive mechanisms like public–private partnership programs can stimulate organizational investment in data-driven cybersecurity governance and cross-organizational risk transparency. Embedding such technologies within cybersecurity and supply chain governance frameworks can enhance visibility, accountability, and coordinated response across multi-tier supply networks, thereby reducing the systemic impacts of cyber risk and improving ecosystem-level resilience. In doing so, this review informs regulatory design and supports policy initiatives aimed at strengthening resilient and responsible digital innovation across critical supply chains.

8. Future Research Directions

This section addresses RQ4: How could we advance the conceptual clarity of C-SCRM? Drawing from the conceptual, methodological, and thematic gaps identified in this review, we propose five interrelated research agendas as follows:

8.1. Strengthening Conceptual Clarity and Boundary Conditions

Existing research on C-SCRM presents similar definitions between diverse terms. The concept remains fragmented with overlapping labels, inconsistent scopes, and weak differentiation from adjacent constructs. Modern researchers can investigate the topic of dealing with cyber risks from an integrated perspective rather than from a fragmented perspective (see Figure 10). Questions about C-SCRM and other related terms, such as SCRM, have directed efforts toward gaining a more subtle understanding of their nature. Researchers can conduct conceptual mapping and network analysis to understand in detail the meaning and measurement of the C-SCRM practices. Similarly, comparative meta-analysis studies can compare the relationship of C-SCRM and other overlapped terms, such as traditional supply chain risk management and cyber risk management, and their existing scales and the rationale behind them. Furthermore, future research can explore the moderating effect of nationality, taking into account contextual/cultural influences in order to disentangle similarities and differences between the constructs.
This leads us to some research questions: FRQ8.1.1: How are C-SCRM, traditional supply chain risk management, and cyber risk management similar? How are they different? FRQ8.1.2: How do definitional variations influence the interpretation of empirical findings? FRQ8.1.3: What boundaries most clearly distinguish C-SCRM from related constructs?

8.2. Advancing Measurement and Psychometric Rigor

Improving the psychometric validity of C-SCRM measurement subscales has become necessary for cumulative and comparable knowledge in the field. In this regard, future studies can develop and validate a multidimensional scale of C-SCRM aligned with the definition proposed in this review. This process may include specifying measurement items, testing dimensionality through exploratory factor analysis, confirmatory factor analysis, and validating constructs across industries, firm sizes, and national contexts. Furthermore, researchers could investigate the higher-order construct measurement of the C-SCRM system that comprises governance, systems integration, and operations, which were conceptualized and measured in prior studies as reflective lower-order components [20]. This process could involve specifying, using Tetrad Analysis to evaluate dimensionality, and testing whether a set of indicators reflects a latent construct or should instead be modeled as multiple distinct constructs [195]. Subsequently, researchers could estimate and validate the higher-order constructs of C-SCRM using rigorous statistical and psychometric procedures, including reliability assessment and confirmatory validity testing [196]. It is also important to examine statistical heterogeneity in the associations between C-SCRM and outcomes and, if these associations turn out to be heterogeneous, determine whether variables, such as organizational, sectoral, supply chain, or technological characteristics, explain this variation. This can lead to some future research questions FRQ8.2.1: How can C-SCRM be operationalized and validated as a multidimensional construct that either reflects or composes governance, systems integration, and operations? FRQ8.2.2: Does a higher-order C-SCRM construct better improve performance outcomes?

8.3. Strengthening Theoretical Foundations and Mechanisms

As mentioned above, several theories to explain how C-SCRM develops and why it can generate value are still under development. For instance, future research would benefit from integrative theoretical perspectives, such as dynamic capabilities theory (DCT) and the resource-based view (RBV), to gain a comprehensive understanding of C-SCRM, mediators, and outcomes. These frameworks would enable us to identify mechanisms through which C-SCRM could develop capabilities that impact outcomes. As another example, institutional theory and stakeholder theory could be used to explore the role of institutional pressures in the adoption and maturity of C-SCRM practices. Some research questions include FRQ8.3.1: Through what mechanisms do C-SCRM capabilities evolve into resilience and robustness? FRQ8.3.2: How do institutional pressures shape C-SCRM practices? FRQ8.3.3: Are there conditions that buffer or strengthen the associations of C-SCRM and different outcomes?

8.4. Broadening Methodological Approaches

The findings reveal that the scope of empirical studies on C-SCRM remains limited. Most of the empirical studies used survey methods for collecting the data. Future studies should adopt experimental methods, longitudinal designs, simulation modeling, agent-based models, and network analytics. For instance, applying experimental studies to test some of the proposed relationships related to the adoption of emerging technologies in improving C-SCRM outcomes could strengthen causal inference, as in prior studies [16,197]. Modern researchers can conduct laboratory experiments to study how psychological factors such as perceived managerial trust shape employees’ security behavior. Future studies can adopt cross-level research designs that integrate the individual, organizational, and network levels. Such designs may investigate individual security behaviors and inter-firm relationships that collectively interact to shape overall supply network resilience. Furthermore, future studies could use longitudinal designs to measure CEOs’ reactions during and after cybersecurity incidents, and how previous awareness, knowledge, and experience of past cyber incidents could influence future C-SCRM capabilities. FRQ: What causal effects do C-SCRM interventions have on employee and supplier behaviors? How do managerial cognition, trust, and experience influence cyber-risk decision-making?

8.5. Expanding Outcomes and Multi-Level Perspectives

The findings reveal that empirical studies investigating C-SCRM outcomes are still limited. Hence, future work may focus on developing different performance outcomes at different levels, including but not limited to operational outcomes. Cross-level designs could also examine how individual behaviors aggregate into supply network capabilities. Some research questions still need to be addressed. FRQ8.5.1: How do C-SCRM practices influence financial, operational, environmental, or relational outcomes? FRQ8.5.2: How do security behaviors shape supply network resilience? FRQ8.5.3: What role would I.4 technology adoption play in increasing or decreasing cyber supply chain external security, internal security, robustness, and resilience? FRQ8.5.4: How would a secure and resilient cyber supply chain system model be designed based on different factors to mitigate the effects of cybersecurity risks? How can I.4 technology adoption be integrated to strengthen the security and resilience of the ecosystem?

9. Limitations

While this paper adopted an objective and transparent systematic literature review (SLR) protocol, there are some limitations that need to be acknowledged.
First, this review relied on the Web of Science (WoS) Core Collection as the main database for the literature search. WoS is widely chosen for SLRs in management research because of its rigorous indexing standards and because it yields a manageable number of relevant articles, but it might not provide comprehensive coverage of all scholarly output. As a result, some relevant articles may have been unintentionally excluded, and thus, this study may be subject to potential database coverage bias.
Second, this review considered only peer-reviewed journal articles. Hence, this review did not include published gray literature, including but not limited to books, book chapters, conference proceedings, working papers, institutional reports, and dissertations.
Third, the review was restricted to English-language journal articles. This restriction enhances methodological consistency and quality control; however, it also introduces language bias. Given the international nature of research in this field, the exclusion of studies published in other languages may limit geographical and cultural diversity.
Finally, to ensure academic rigor and relevance, this review exclusively included articles published in journals ranked A* or A in the Australian Business Deans Council (ABDC) journal list. While this criterion strengthens quality assurance, it may also introduce publication bias by excluding relevant studies published in high-quality engineering, information systems, and cybersecurity outlets that fall outside the ABDC classification. This restriction may partially constrain the interdisciplinary scope of the review, particularly given the technical foundations of cyber supply chain risk management.
Therefore, future research could address the above-mentioned limitations by incorporating additional databases (e.g., Scopus, IEEE Xplore), including reputable outlets from engineering and security disciplines, and extending the search to non-English and gray literature. Such efforts would enable a more comprehensive and interdisciplinary understanding of C-SCRM and further strengthen cumulative theory building in this field.

10. Concluding Remarks

This paper has provided an intellectual overview of existing literature and a comprehensive conceptual assessment of C-SCRM. It has addressed four research questions by systematically reviewing 175 articles published between 2014 and early 2025. In response to RQ1, C-SCRM has progressed over the last 11 years from a nascent concept into a rapidly expanding and increasingly impactful research domain. C-SCRM research remains strongly rooted in cybersecurity and information systems outlets, whereas its dispersion across multiple disciplines highlights its interdisciplinary nature. Notwithstanding, this shift sheds light on the multidisciplinary nature of C-SCRM, which draws on diverse intellectual foundations, including cybersecurity, risk management, and supply chain management. Addressing RQ2, the definitional analysis indicates that C-SCRM has developed through multiple intellectual and disciplinary lenses. Yet, conceptual development remains fragmented, with different measures used across the extant literature. With respect to RQ3, using Gerring’s conceptual criteria, this review shows that the concept of C-SCRM demonstrates limited theoretical coherence, unclear boundaries, and inconsistent levels of analysis. Existing research often adopted diverse, isolated theoretical frameworks (e.g., dynamic capabilities, institutional, stakeholder, and sociotechnical perspectives) without integrating them to capture the comprehensive C-SCRM system. The evidence suggests that C-SCRM remains an important but conceptually fluid construct whose theoretical coherence is still developing, requiring the integration of multiple theories.
Finally, in response to RQ4, this study suggests that there is a need to improve the conceptual clarity of C-SCRM to advance the research stream in three ways. First, it conceptualizes C-SCRM as a coordinated governance and control system across digitally interconnected supply chains. Second, it proposes that there is a need to clearly distinguish between different measures of C-SCRM practices, thereby helping to enhance the validity of results and ultimately contributing to the accumulation of knowledge in the area. In this regard, C-SCRM could be operationalized as a multidimensional construct comprising governance, systems integration, and operations, thereby providing a clearer basis for future measurement development and comparative empirical research. Third, the proposed dynamic integrative framework links antecedents, practices, mechanisms, moderators, and outcomes. These advancements provide a more coherent basis for theory building and for developing valid and reliable measurement scales, and they offer insightful avenues for management scholarship that help bridge the theory–practice gap.

Author Contributions

Conceptualization, Y.A.M.A., A.E.A.E.H. and R.A.A.Y.; data curation, Y.A.M.A.; formal analysis, Y.A.M.A., A.E.A.E.H. and R.A.A.Y.; investigation, Y.A.M.A., A.E.A.E.H. and R.A.A.Y.; methodology, Y.A.M.A., A.E.A.E.H. and R.A.A.Y.; software, Y.A.M.A.; supervision, A.E.A.E.H. and R.A.A.Y.; validation, Y.A.M.A., A.E.A.E.H. and R.A.A.Y.; visualization, Y.A.M.A.; writing—original draft preparation, Y.A.M.A.; writing—review and editing, A.E.A.E.H. and R.A.A.Y. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The data presented in this review are available upon request from the corresponding author.

Acknowledgments

The authors would like to express their deepest appreciation to the editors and two anonymous reviewers who have invested their considerable effort and time to provide constructive comments to improve the quality of our paper.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A

Table A1. Classification of C-SCRM Research across academic fields and time.
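| Core Research Areas/Field | Journal | N | Foundational Phase | Emerging Phase | Expansion Phase | Maturation Phase |
|---|---|---|---|---|---|---|
| Supply Chain Management (N = 17) | Supply Chain Management: An International Journal | 5 | - | 1 | 2 | 2 |
| | International Journal of Physical Distribution & Logistics Management | 2 | - | 2 | - | - |
| | Transportation Research Part E: Logistics and Transportation Review | 1 | - | - | 1 | - |
| | Transport Policy | 2 | - | 1 | 1 | - |
| | Production and Operations Management | 2 | - | 1 | 1 | - |
| | International Journal of Production Research | 2 | - | 2 | - | - |
| | European Journal of Operational Research | 1 | - | 1 | - | - |
| | Industrial Management & Data Systems | 2 | - | - | - | 2 |
| Information Systems (N = 115) | Computers & Security | 16 | - | 4 | 12 | - |
| | Information & Management | 6 | - | 3 | 3 | - |
| | Information Systems Frontiers | 3 | - | - | 3 | - |
| | Information Systems Journal | 1 | - | - | 1 | - |
| | Information Systems Research | 1 | - | - | 1 | - |
| | European Journal of Information Systems | 3 | - | 1 | 2 | - |
| | International Journal of Information Management | 4 | 1 | 2 | 1 | - |
| | Journal of Computer Information Systems | 2 | - | - | 2 | - |
| | Journal of Enterprise Information Management | 4 | - | 1 | 3 | - |
| | Journal of Information Systems | 2 | - | - | 2 | - |
| | Journal of Management Information Systems | 3 | - | - | 3 | - |
| | Journal of Organizational Computing and Electronic Commerce | 2 | - | 1 | 1 | - |
| | Journal of Strategic Information Systems | 2 | - | 1 | 1 | - |
| | Journal of the Association for Information Systems | 1 | - | - | 1 | - |
| | MIS Quarterly | 4 | - | 2 | 2 | - |
| | MIS Quarterly Executive | 9 | - | 2 | 7 | - |
| | Data Base for Advances in Information Systems | 2 | - | - | 2 | - |
| | Electronic Commerce Research | 1 | - | - | 1 | - |
| | Internet Research | 1 | - | - | 1 | - |
| | Technology in Society | 8 | - | - | - | 8 |
| | International Journal of Accounting Information Systems | 9 | 1 | 3 | 5 | - |
| | Reliability Engineering and System Safety | 3 | - | - | 3 | - |
| | Safety Science | 2 | - | 1 | 1 | - |
| | IEEE Transactions on Engineering Management | 10 | - | - | 5 | 5 |
| | Technovation | 4 | - | 2 | 2 | - |
| | Technological Forecasting and Social Change | 6 | - | 3 | 3 | - |
| | Industrial Management & Data Systems | 2 | - | - | - | 2 |
| | Journal of Innovation & Knowledge | 2 | - | 1 | 1 | - |
| | Computers in Human Behavior | 2 | - | - | - | 2 |
| Risk Management (N = 22) | Accident Analysis and Prevention | 1 | 1 | - | - | - |
| | Decision Analysis | 2 | - | 1 | 1 | - |
| | Decision Support Systems | 2 | - | - | 2 | - |
| | Finance Research Letters | 2 | - | - | 2 | - |
| | International Journal of Forecasting | 1 | - | - | 1 | - |
| | International Review of Financial Analysis | 5 | - | 1 | 4 | - |
| | Journal of Accounting and Public Policy | 1 | - | - | - | 1 |
| | Journal of Banking & Finance | 1 | - | - | 1 | - |
| | Journal of Corporate Finance | 1 | - | - | 1 | - |
| | Journal of Business Finance & Accounting | 1 | - | - | 1 | - |
| | Managerial Auditing Journal | 3 | - | - | 3 | - |
| | Pacific-Basin Finance Journal | 1 | - | - | 1 | - |
| | International Journal of Auditing | 1 | - | - | 1 | - |
| Others (N = 21) | | | | | | |
| Legal & Regulatory | American Business Law Journal | 1 | 1 | - | - | - |
| | International & Comparative Law Quarterly | | | | | |
| Policy & International Affairs | International Affairs | 6 | - | - | - | 6 |
| | Journal of European Public Policy | 3 | - | - | - | 3 |
| | Public Administration Review | 1 | - | - | - | 1 |
| | Pacific Review | 1 | - | - | - | 1 |
| | Marine Policy | 1 | - | - | - | 1 |
| Business & Management | Business Strategy and the Environment | 1 | - | - | 1 | - |
| | Journal of Business Ethics | 1 | - | - | - | 1 |
| | Journal of Business and Psychology | 3 | - | - | - | 3 |
| | Small Business Economics | 1 | - | - | - | 1 |
| | Management Science | 1 | - | - | - | 1 |
| Knowledge Management | Knowledge Management Research & Practice | 1 | - | - | - | 1 |
| Total | | 175 | | | | |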
Source: Authors’ own elaboration.
Table A2. Descriptive overview of C-SCRM instruments.
| Author(s)/Year | No. of Dimensions | Dimensions | Setting | Instrument Type | Framework Basis | Respondents (n) | Main Findings |
|---|---|---|---|---|---|---|---|
| [10] | 3 | Governance, Systems Integration, and Operations | Conceptual | Conceptual—proposed multidimensional model | NIST CSF (implicit) | NA | Proposed multidimensional framework, but not operationalized into validated survey items. |
| [37] | 1 | NIST Risk Management Functions (Identify–Protect–Detect–Respond–Recover) | Conceptual | Conceptual—theoretical mapping | NIST CSF; ERM | NA | Validated measurement scale that emphasizes cyber risk lifecycle. |
| [20] | 3 | Governance, Systems Integration, and Operations | Malaysia—Manufacturing sector | Empirical—5-point Likert | NIST, ISO 27001, ISO 28000 | Managers (130) | Provide balanced validated organizational and operational practice-level scale. |
| [17] | 3 | Governance, Systems Integration, and Operations | Malaysia—Manufacturing sector | Empirical—5-point Likert | NIST CSF, COBIT 5, ISO 27001 | Managers (105) | Validated multidimensional behavioral scale across managerial and operational levels. |
| [14] | 4 | Cyber Risk Governance, Cybersecurity Training, Cyber Risk Control, and Cyber Risk Insurance | Italy—multi-sectoral organizations | Empirical—5-point Likert | NIST-aligned principles | Managers (304) | Focused on technical and control-oriented practices. |
| [15] | 1 | Strategic Cyber Risk Management (Identify–Protect–Detect–Respond–Recover) | United States—Manufacturing sector | Empirical—5-point Likert | NIST CSF alignment | Managers (388) | Mainly focused on lifecycle-based cyber risks. |
| [3] | 2 | Internal (intra-organizational) and External (inter-organizational) SCRM practices | Denmark—SMEs | Empirical—5-point Likert | NIST CSF 2.0 | Managers (248) | Combine organizational and inter-organizational practices. |
Note: NA = Not applicable. Source: Authors’ synthesis based on extant C-SCRM literature.

References

  1. Grylls, B. CrowdStrike outage impact on F&B supply chains. Food Manufacture. 2024. Available online: https://www.foodmanufacture.co.uk/Article/2024/07/19/Crowdstrike-outage-impact-on-F-B-supply-chains/ (accessed on 24 January 2025).
  2. Roush, T. CrowdStrike’s Massive Global Tech Outage: Airlines, Banks, 911 & State Services Impacted. Forbes, 19 July 2024. Available online: https://www.forbes.com/sites/tylerroush/2024/07/19/crowdstrikes-massive-global-tech-outage-airlines-banks-911-state-services-impacted/ (accessed on 24 January 2025).
  3. Stentoft, J.; Peressotti, M.; Mayer, P.; Wickstrøm, K.A.; Schmitt, O.; Keating, V.C.; Kankam-Boateng, J. The relationship between cybersecurity awareness, cybersecurity supply chain risk management, and firm performance. Supply Chain Manag. Int. J. 2025, 30, 497–517.
  4. Pandey, S.; Singh, R.K.; Gunasekaran, A.; Kaushik, A. Cyber security risks in globalized supply chains: A conceptual framework. J. Glob. Oper. Strateg. Sourc. 2020, 13, 103–128.
  5. Gani, A.B.D.; Fernando, Y. Ten-year review of cyber supply chain security: Driving productivity with visibility. Int. J. Product. Qual. Manag. 2024, 42, 153–169.
  6. Ivanov, D. Digital supply chain management and technology to enhance resilience by building and using end-to-end visibility during the COVID-19 pandemic. IEEE Trans. Eng. Manag. 2021, 71, 10485–10495.
  7. Herburger, M.; Wankmüller, A.; Hüttner, C. Building supply chain resilience to cyber risks: A dynamic capabilities perspective. Supply Chain Manag. Int. J. 2024, 29, 28–50.
  8. Friday, D.; Melnyk, S.A.; Altman, M.; Harrison, N.; Ryan, S. An inductive analysis of collaborative cybersecurity management capabilities, relational antecedents and supply chain cybersecurity parameters. Int. J. Phys. Distrib. Logist. Manag. 2024, 54, 476–500.
  9. Wang, J.; Ho, C.Y.C.; Shan, Y.G. Does cybersecurity risk stifle corporate innovation activities? Int. Rev. Financ. Anal. 2024, 91, 103028.
  10. Boyson, S. Cyber supply chain risk management: Revolutionizing the strategic control of critical IT systems. Technovation 2014, 34, 342–353.
  11. Linton, J.D.; Boyson, S.; Aje, J. The challenge of cyber supply chain security to research and practice: An introduction. Technovation 2014, 34, 339–341.
  12. Cheung, K.F.; Bell, M.G.H.; Bhattacharjya, J. Cybersecurity in logistics and supply chain management: An overview and future research directions. Transp. Res. Part E Logist. Transp. Rev. 2021, 146, 102217.
  13. Carayannis, E.G.; Grigoroudis, E.; Rehman, S.S.; Samarakoon, N. Ambidextrous cybersecurity: The seven pillars (7Ps) of cyber resilience. IEEE Trans. Eng. Manag. 2021, 68, 223–234.
  14. Gaudenzi, B.; Baldi, B. Cyber resilience in organisations and supply chains: From perceptions to actions. Int. J. Logist. Manag. 2024, 35, 99–122.
  15. Jazairy, A.; Brho, M.; Manuj, I.; Goldsby, T.J. Cyber risk management strategies and integration: Toward supply chain cyber resilience and robustness. Int. J. Phys. Distrib. Logist. Manag. 2024, 54, 1–29.
  16. Sadeghi, K.; Ojha, D.; Kaur, P.; Mahto, R.V.; Dhir, A. Explainable artificial intelligence and agile decision-making in supply chain cyber resilience. Decis. Support Syst. 2024, 180, 114194.
  17. Fernando, Y.; Tseng, M.L.; Wahyuni-Td, I.S.; de Sousa Jabbour, A.B.L.; Chiappetta Jabbour, C.J.; Foropon, C. Cyber supply chain risk management and performance in Industry 4.0 era: Information system security practices in Malaysia. J. Ind. Prod. Eng. 2023, 40, 102–116.
  18. Topping, C.; Dwyer, A.; Michalec, O.; Craggs, B.; Rashid, A. Beware suppliers bearing gifts! Analysing coverage of supply chain cybersecurity in critical national infrastructure frameworks. Comput. Secur. 2021, 108, 102324.
  19. Creazza, A.; Colicchia, C.; Spiezia, S.; Dallari, F. Who cares? Supply chain managers’ perceptions regarding cyber supply chain risk management in the digital transformation era. Supply Chain Manag. Int. J. 2022, 27, 30–53.
  20. Gani, A.B.D.; Fernando, Y.; Lan, S.; Lim, M.K.; Tseng, M.L. Interplay between cyber supply chain risk management practices and cybersecurity performance. Ind. Manag. Data Syst. 2023, 123, 843–861.
  21. Bartol, N. Cyber supply chain security practices DNA: Filling in the puzzle using a diverse set of disciplines. Technovation 2014, 34, 354–361.
  22. Orji, I.J.; U-Dominic, C.M. Modelling the conundrums of cyber-risk management in logistics firms for supply chain social sustainability. J. Enterp. Inf. Manag. 2024, 37, 1885–1925.
  23. Colicchia, C.; Creazza, A.; Menachof, D.A. Managing cyber and information risks in supply chains: Insights from an exploratory analysis. Supply Chain Manag. Int. J. 2019, 24, 215–240.
  24. Ghadge, A.; Weiß, M.; Caldwell, N.D.; Wilding, R. Managing cyber risk in supply chains: A review and research agenda. Supply Chain Manag. Int. J. 2020, 25, 223–240.
  25. Aarland, M. Cybersecurity in digital supply chains in the procurement process: Introducing the digital supply chain management framework. Inf. Comput. Secur. 2024, 33, 5–24.
  26. Melnyk, S.A.; Schoenherr, T.; Speier-Pero, C.; Peters, C.; Chang, J.F.; Friday, D. New challenges in supply chain management: Cybersecurity across the supply chain. Int. J. Prod. Res. 2022, 60, 162–183.
  27. Song, J.M.; Wang, T.; Yen, J.C.; Chen, Y.H. Does cybersecurity maturity level assurance improve cybersecurity risk management in supply chains? Int. J. Account. Inf. Syst. 2024, 54, 100695.
  28. Dalal, R.S.; Howard, D.J.; Bennett, R.J.; Posey, C.; Zaccaro, S.J.; Brummel, B.J. Organizational science and cybersecurity: Abundant opportunities for research at the interface. J. Bus. Psychol. 2022, 37, 1–29.
  29. Pala, A.; Zhuang, J. Information sharing in cybersecurity: A review. Decis. Anal. 2019, 16, 172–196.
  30. Yang, A.; Kwon, Y.J.; Lee, S.Y.T. The impact of information sharing legislation on cybersecurity industry. Ind. Manag. Data Syst. 2020, 120, 1777–1794.
  31. Kumar, S.; Biswas, B.; Bhatia, M.S.; Dora, M. Antecedents for enhanced level of cyber-security in organisations. J. Enterp. Inf. Manag. 2021, 34, 1597–1629.
  32. Soares, L.O.; Reis, A.D.C.; Vieira, P.S.; Hernández-Callejo, L.; Boloy, R.A.M. Electric vehicle supply chain management: A bibliometric and systematic review. Energies 2023, 16, 1563.
  33. Yu, W.; Yin, Q.; Yin, H.; Xiao, W.; Chang, T.; He, L.; Ni, L.; Ji, Q. A systematic review on password guessing tasks. Entropy 2023, 25, 1303.
  34. Atstāja, D.; Mukem, K.W. Sustainable supply chain management in the oil and gas industry in developing countries as a part of the quadruple helix concept: A systematic literature review. Sustainability 2024, 16, 1776.
  35. Kumar, A.; Shrivastav, S.K.; Shrivastava, A.K.; Panigrahi, R.R.; Mardani, A.; Cavallaro, F. Sustainable supply chain management, performance measurement, and management: A review. Sustainability 2023, 15, 5290.
  36. Gerring, J. What makes a concept good? A criterial framework for understanding concept formation in the social sciences. Polity 1999, 31, 357–393.
  37. Boyson, S.; Corsi, T.M.; Paraskevas, J.P. Defending digital supply chains: Evidence from a decade-long research program. Technovation 2022, 118, 102380.
  38. Paul, J.; Lim, W.M.; O’Cass, A.; Hao, A.W.; Bresciani, S. Scientific procedures and rationales for systematic literature reviews (SPAR-4-SLR). Int. J. Consum. Stud. 2021, 45, O1–O16.
  39. Erkan-Barlow, A.; Nguyen, T. Cybersecurity and executive compensation: Can inside debt-induced risk aversion improve cyber risk management effectiveness? Int. Rev. Financ. Anal. 2024, 93, 103173.
  40. Van Eck, N.J.; Waltman, L. VOSviewer Manual; Leiden University: Leiden, The Netherlands, 2019; Available online: https://www.vosviewer.com/documentation/Manual_VOSviewer_1.6.13.pdf (accessed on 28 January 2025).
  41. Aria, M.; Cuccurullo, C. Bibliometrix: An R-tool for comprehensive science mapping analysis. J. Informetr. 2017, 11, 959–975.
  42. Tonn, G.; Kesan, J.P.; Zhang, L.; Czajkowski, J. Cyber risk and insurance for transportation infrastructure. Transp. Policy 2019, 79, 103–114.
  43. Erola, A.; Agrafiotis, I.; Nurse, J.R.C.; Axon, L.; Goldsmith, M.; Creese, S. A system to calculate cyber-value-at-risk. Comput. Secur. 2022, 113, 102545.
  44. Skeoch, H.R. Expanding the Gordon–Loeb model to cyber-insurance. Comput. Secur. 2022, 112, 102533.
  45. Tripathi, M.; Mukhopadhyay, A. Financial loss due to a data privacy breach: An empirical analysis. J. Organ. Comput. Electron. Commer. 2020, 30, 381–400.
  46. Gordon, L.A.; Loeb, M.P.; Zhou, L.; Wilford, A.L. Empirical evidence on disclosing cyber breaches in an 8-K report: Initial exploratory evidence. J. Account. Public Policy 2024, 46, 107226.
  47. Posey, C.; Shoss, M. Employees as a source of security issues in times of change and stress: A longitudinal examination of security violations during COVID-19. J. Bus. Psychol. 2024, 39, 1027–1048.
  48. Goel, L.; Russell, D.; Williamson, S.; Zhang, J.Z. Information systems security resilience as a dynamic capability. J. Enterp. Inf. Manag. 2023, 36, 906–924.
  49. Schatz, D.; Bashroush, R. Economic valuation for information security investment: A systematic literature review. Inf. Syst. Front. 2017, 19, 1205–1228.
  50. Zwilling, M.; Klien, G.; Lesjak, D.; Wiechetek, Ł.; Cetin, F.; Basim, H.N. Cybersecurity awareness, knowledge, and behavior: A comparative study. J. Comput. Inf. Syst. 2022, 62, 82–97.
  51. Li, L.; He, W.; Xu, L.; Ash, I.; Anwar, M.; Yuan, X. Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. Int. J. Inf. Manag. 2019, 45, 13–24.
  52. Connolly, L.Y.; Wall, D.S. The rise of crypto-ransomware in a changing cybercrime landscape: Taxonomising countermeasures. Comput. Secur. 2019, 87, 101568.
  53. Jalali, M.S.; Siegel, M.; Madnick, S. Decision-making and biases in cybersecurity capability development: Evidence from a simulation game experiment. J. Strateg. Inf. Syst. 2019, 28, 66–82.
  54. Bashir, M.; Wee, C.; Memon, N.; Guo, B. Profiling cybersecurity competition participants: Self-efficacy, decision-making and interests predict effectiveness of competitions as a recruitment tool. Comput. Secur. 2017, 65, 153–165.
  55. Chatterjee, S.; Thekdi, S. An iterative learning and inference approach to managing dynamic cyber vulnerabilities of complex systems. Reliab. Eng. Syst. Saf. 2020, 193, 106664.
  56. Choi, S.J.; Johnson, M.E. The relationship between cybersecurity ratings and the risk of hospital data breaches. J. Am. Med. Inform. Assoc. 2021, 28, 2085–2092.
  57. D’Arcy, J.; Basoglu, K.A. The influences of public and institutional pressure on firms’ cybersecurity disclosures. J. Assoc. Inf. Syst. 2022, 23, 779–805.
  58. Feng, C.Q.; Wang, T. Does CIO risk appetite matter? Evidence from information security breach incidents. Int. J. Account. Inf. Syst. 2019, 32, 59–75.
  59. La Fleur, C.; Hoffman, B.; Gibson, C.B.; Buchler, N. Team performance in regional and national U.S. cybersecurity defense competitions. Comput. Secur. 2021, 104, 102229.
  60. Gao, L.; Calderon, T.G.; Tang, F. Public companies’ cybersecurity risk disclosures. Int. J. Account. Inf. Syst. 2020, 38, 100468.
  61. Islam, M.S.; Farah, N.; Stafford, T.F. Factors associated with security/cybersecurity audit by internal audit function: An international study. Manag. Audit. J. 2018, 33, 377–409.
  62. Jiang, W. Cybersecurity risk and audit pricing: A machine learning-based analysis. J. Inf. Syst. 2024, 38, 91–117.
  63. Kam, H.J.; Menard, P.; Ormond, D.; Crossler, R.E. Cultivating cybersecurity learning: An integration of self-determination and flow. Comput. Secur. 2020, 96, 101875.
  64. Kappelman, L.; Johnson, V.; Torres, R.; Maurer, C.; McLean, E. A study of information systems issues, practices, and leadership in Europe. Eur. J. Inf. Syst. 2019, 28, 26–42.
  65. Kappelman, L.; Torres, R.; McLean, E.R.; Maurer, C.; Johnson, V.L.; Snyder, M.; Guerra, K. The 2021 SIM IT issues and trends study. MIS Q. Exec. 2022, 21, 75–114.
  66. Kwong, J.K.; Pearlson, K. How large companies can help small and medium-sized enterprise suppliers strengthen cybersecurity. MIS Q. Exec. 2024, 23, 387–398.
  67. Li, H.; Yoo, S. Information systems sourcing strategies and organizational cybersecurity breaches. IEEE Trans. Eng. Manag. 2021, 71, 481–490.
  68. Massimino, B.; Gray, J.V.; Lan, Y. On the inattention to digital confidentiality in operations and supply chain research. Prod. Oper. Manag. 2018, 27, 1492–1515.
  69. Mhajne, A.; Crystal, W. A feminist cybersecurity: Addressing the crisis of cyber(in)security. Int. Aff. 2024, 100, 2341–2360.
  70. Molinaro, K.A.; Bolton, M.L. Evaluating the applicability of the double system lens model to the analysis of phishing email judgments. Comput. Secur. 2018, 77, 128–137.
  71. Norris, D.F.; Mateczun, L.; Hatcher, W.; Meares, W.L.; Heslen, J. Local government cyber insecurity: Causes and recommendations for improvement. Public Adm. Rev. 2024, 84, 651–659.
  72. Pate-Cornell, M.E.; Kuypers, M.A. A probabilistic analysis of cyber risks. IEEE Trans. Eng. Manag. 2023, 70, 3–13.
  73. Salimath, M.S.; Philip, J. Cyber management and value creation: An organisational learning-based approach. Knowl. Manag. Res. Pract. 2020, 18, 474–487.
  74. Sen, R.; Choobineh, J.; Kumar, S. Determinants of software vulnerability disclosure timing. Prod. Oper. Manag. 2020, 29, 2532–2552.
  75. Smith, T.; Tadesse, A.F.; Vincent, N.E. The impact of CIO characteristics on data breaches. Int. J. Account. Inf. Syst. 2021, 43, 100532.
  76. Stafford, T.; Deitz, G.; Li, Y. The role of internal audit and user training in information security policy compliance. Manag. Audit. J. 2018, 33, 410–424.
  77. Syed, R. Cybersecurity vulnerability management: A conceptual ontology and cyber intelligence alert system. Inf. Manag. 2020, 57, 103334.
  78. Tayaksi, C.; Ada, E.; Kazancoglu, Y.; Sagnak, M. The financial impacts of information systems security breaches on publicly traded companies. J. Enterp. Inf. Manag. 2022, 35, 650–668.
  79. Tejay, G.P.S.; Mohammed, Z.A. Cultivating security culture for information security success: A mixed-methods study. Inf. Manag. 2023, 60, 103751.
  80. Torten, R.; Reaiche, C.; Boyle, S. The impact of security awareness on information technology professionals’ behavior. Comput. Secur. 2018, 79, 68–79.
  81. Turel, O.; He, Q.; Wen, Y.; Trenz, M. Examining the neural basis of information security policy violations. MIS Q. 2021, 45, 1715–1744.
  82. Yoo, C.W.; Goo, J.; Rao, H.R. Is cybersecurity a team sport? MIS Q. 2020, 44, 907–931.
  83. Zhao, Y.; Huang, L.; Smidts, C.; Zhu, Q. Finite-horizon semi-Markov game for attack response and probabilistic risk assessment in nuclear power plants. Reliab. Eng. Syst. Saf. 2020, 201, 106878.
  84. Johnson, V.; Torres, R.; Mohit, H.; Chatterjee, S.; Maurer, C.; Guerra, K.; Srivastava, S. The 2023 SIM IT issues and trends study. MIS Q. Exec. 2024, 23, 7.
  85. Uddin, M.H.; Mollah, S.; Ali, M.H. Does cyber tech spending matter for bank stability? Int. Rev. Financ. Anal. 2020, 72, 101587.
  86. French, A.; Storey, V.C.; Wallace, L. A typology of disinformation intentionality and impact. Inf. Syst. J. 2024, 34, 1324–1354.
  87. Benaroch, M. Cyber failures and information technology capability reputation: Examining ex ante and ex post interplay effects. J. Manag. Inf. Syst. 2024, 41, 744–778.
  88. Hiller, J.; Kisska-Schulze, K.; Shackelford, S. Cybersecurity carrots and sticks. Am. Bus. Law J. 2024, 61, 5–29.
  89. Morrow, E. Scamming higher education: An analysis of phishing content and trends. Comput. Hum. Behav. 2024, 158, 108274.
  90. Alshabib, H.N.; Martins, J.T. Cybersecurity: Perceived threats and policy responses in the Gulf Cooperation Council. IEEE Trans. Eng. Manag. 2022, 69, 3664–3675.
  91. Arroyabe, M.F.; Arranz, C.F.A.; de Arroyabe, I.F.; de Arroyabe, J.C.F. The effect of IT security issues on the implementation of Industry 4.0 in SMEs: Barriers and challenges. Technol. Forecast. Soc. Change 2024, 199, 123051.
  92. Arroyabe, M.F.; Arranz, C.F.A.; Fernández de Arroyabe, I.; Fernández de Arroyabe, J.C. Exploring the economic role of cybersecurity in SMEs: A case study of the UK. Technol. Soc. 2024, 78, 102670.
  93. Carver, J. More bark than bite? European digital sovereignty discourse and changes to the European Union’s external relations policy. J. Eur. Public Policy 2024, 31, 2250–2286.
  94. Garcia-Perez, A.; Cegarra-Navarro, J.G.; Sallos, M.P.; Martinez-Caro, E.; Chinnaswamy, A. Resilience in healthcare systems: Cybersecurity and digital transformation. Technovation 2023, 121, 102583.
  95. Knight, R.; Nurse, J.R.C. A framework for effective corporate communication after cybersecurity incidents. Comput. Secur. 2020, 99, 102036.
  96. Morris, D.; Madzudzo, G.; Garcia-Perez, A. Cybersecurity threats in the auto industry: Tensions in the knowledge environment. Technol. Forecast. Soc. Change 2020, 157, 120102.
  97. Pescaroli, G.; Wicks, R.T.; Giacomello, G.; Alexander, D.E. Increasing resilience to cascading events: The M.OR.D.OR. scenario. Saf. Sci. 2018, 110, 131–140.
  98. Renaud, K.; Warkentin, M.; Pogrebna, G.; van der Schyff, K. VISTA: An inclusive insider threat taxonomy with mitigation strategies. Inf. Manag. 2024, 61, 103877.
  99. Sallos, M.P.; Garcia-Perez, A.; Bocanet, A. Organisational cyber resilience: A heuristic for bridging foundations and applications. J. Enterp. Inf. Manag. 2024, 37, 1926–1952.
  100. Uchendu, B.; Nurse, J.R.C.; Bada, M.; Furnell, S. Developing a cybersecurity culture: Current practices and future needs. Comput. Secur. 2021, 109, 102387.
  101. Cheng, S.; Li, J.; Luo, L.; Zhu, Y. Cybersecurity governance and digital finance: Evidence from sovereign states. Financ. Res. Lett. 2024, 65, 105533.
  102. Chen, W.; Li, X.; Wu, H.; Zhang, L. The impact of managerial myopia on cybersecurity: Evidence from data breaches. J. Bank. Financ. 2024, 166, 107254.
  103. Lee, J.K.; Chang, Y.; Kwon, H.Y.; Kim, B. Reconciliation of privacy with preventive cybersecurity: The bright internet approach. Inf. Syst. Front. 2020, 22, 45–57.
  104. Li, Y.; Xu, L. Cybersecurity investments in a two-echelon supply chain with third-party risk propagation. Int. J. Prod. Res. 2021, 59, 1216–1238.
  105. Li, Y.; Zhao, L. Collaborating with bounty hunters: Encouraging white-hat hackers’ participation in vulnerability crowdsourcing programs. Inf. Manag. 2022, 59, 103648.
  106. Wang, F.; Wang, H.; Li, J. The effect of cybersecurity legislation on firm cost behavior: Evidence from China. Pac. Basin Financ. J. 2024, 86, 102460.
  107. Wang, W.; Cova, G.; Zio, E. A clustering-based framework for searching vulnerabilities in cyber-physical energy systems. Reliab. Eng. Syst. Saf. 2022, 222, 108400.
  108. Zeng, H.; Yunis, M.; Khalil, A.; Mirza, N. Toward a conceptual framework for AI-driven anomaly detection in smart city IoT networks. J. Innov. Knowl. 2024, 9, 100601.
  109. Dennis, A.R.; Minas, R.K. Security on autopilot: Why current security theories hijack our thinking and lead us astray. ACM SIGMIS Database DATABASE Adv. Inf. Syst. 2018, 49, 16–37.
  110. Mukhopadhyay, A.; Jain, S. A framework for cyber-risk insurance against ransomware: A mixed-method approach. Int. J. Inf. Manag. 2024, 74, 102724. [Google Scholar] [CrossRef]
  111. Rajan, R.; Rana, N.P.; Parameswar, N.; Dhir, S.; Dwivedi, Y.K. Developing a modified total interpretive structural model (M-TISM) for organizational strategic cybersecurity management. Technol. Forecast. Soc. Change 2021, 170, 120872. [Google Scholar] [CrossRef]
  112. Rajput, S. Analysis of Industry 4.0 technological enablers for sustainable supply chain transparency in a fuzzy environment. Bus. Strategy Environ. 2024, 33, 8616–8636. [Google Scholar] [CrossRef]
  113. Tripathi, M.; Mukhopadhyay, A. Does privacy breach affect firm performance? Inf. Manag. 2022, 59, 103707. [Google Scholar] [CrossRef]
  114. Cram, W.A.; D’Arcy, J.; Benlian, A. Time will tell: The case for an idiographic approach to behavioral cybersecurity research. MIS Q. 2024, 48, 95–136. [Google Scholar] [CrossRef]
  115. Hoong, Y.; Rezania, D.; Baker, R. When traditional SME managers encounter cybersecurity: Discourse analysis of opportunities and dilemmas in meeting the demands. Technol. Soc. 2024, 78, 102650. [Google Scholar] [CrossRef]
  116. Radu, C.; Smaili, N. Board gender diversity and corporate response to cyber risk: Evidence from cybersecurity-related disclosure. J. Bus. Ethics 2022, 177, 351–374. [Google Scholar] [CrossRef]
  117. Cram, W.A.; Proudfoot, J.G.; D’Arcy, J. Maximizing employee compliance with cybersecurity policies. MIS Q. Exec. 2020, 19, 183–198. [Google Scholar] [CrossRef]
  118. Armenia, S.; Angelini, M.; Nonino, F.; Palombi, G.; Schlitzer, M.F. A dynamic simulation approach to support the evaluation of cyber risks and security investments in SMEs. Decis. Support Syst. 2021, 147, 113580. [Google Scholar] [CrossRef]
  119. Calabrese, A.; Costa, R.; Tiburzi, L.; Brem, A. Merging two revolutions: A human–artificial intelligence method to study how sustainability and Industry 4.0 are intertwined. Technol. Forecast. Soc. Change 2023, 188, 122265. [Google Scholar] [CrossRef]
  120. Salvi, A.; Spagnoletti, P.; Noori, N.S. Cyber-resilience of critical cyber infrastructures: Integrating digital twins in the electric power ecosystem. Comput. Secur. 2022, 112, 102507. [Google Scholar] [CrossRef]
  121. De Nóbrega, K.M.; Rutkowski, A.F.; Saunders, C. The whole of cyber defense: Syncing practice and theory. J. Strateg. Inf. Syst. 2024, 33, 101861. [Google Scholar] [CrossRef]
  122. Dinkova, M.; El-Dardiry, R.; Overvest, B. Should firms invest more in cybersecurity? Small Bus. Econ. 2024, 63, 21–50. [Google Scholar] [CrossRef]
  123. Hassib, B.; Shires, J. Digital recognition: Cybersecurity and internet infrastructure in UAE–Israel diplomacy. Int. Aff. 2024, 100, 2399–2418. [Google Scholar] [CrossRef]
  124. Rone, J. The sovereign cloud in Europe: Diverging nation-state preferences and disputed institutional competences. J. Eur. Public Policy 2024, 31, 2343–2369. [Google Scholar] [CrossRef]
  125. Milevski, L. What makes a good strategic concept? Comp. Strategy 2023, 42, 718–728. [Google Scholar] [CrossRef]
  126. Fan, Y.; Stevenson, M. A review of supply chain risk management: Definition, theory, and research agenda. Int. J. Phys. Distrib. Logist. Manag. 2018, 48, 205–230. [Google Scholar] [CrossRef]
  127. Gani, A.B.D.; Fernando, Y. Cybersecurity governance in changing security psychology and security posture: Insights into e-procurement. Int. J. Procure. Manag. 2021, 14, 308–327. [Google Scholar] [CrossRef]
  128. Al-Momani, A.M.; Ramayah, T.; Al-Sharafi, M.A. Exploring the impact of cybersecurity on using electronic health records and their performance among healthcare professionals: A multi-analytical SEM-ANN approach. Technol. Soc. 2024, 77, 102592. [Google Scholar] [CrossRef]
  129. Cheraghali, H.; Molnár, P.; Storsveen, M.; Veliqi, F. The impact of cryptocurrency-related cyberattacks on return, volatility, and trading volume of cryptocurrencies and traditional financial assets. Int. Rev. Financ. Anal. 2024, 95, 103439. [Google Scholar] [CrossRef]
  130. Backman, S.; Stevens, T. Cyber risk logics and their implications for cybersecurity. Int. Aff. 2024, 100, 2441–2460. [Google Scholar] [CrossRef]
  131. Abhari, K.; Safaei Pour, M.; Shirazi, H. How to design a better cybersecurity readiness program. MIS Q. Exec. 2024, 23, 8. [Google Scholar] [CrossRef]
  132. Afshari-Mofrad, M.; Amrollahi, A.; Abedin, B. Adopt agile cybersecurity policymaking to counter emerging digital risks. MIS Q. Exec. 2024, 23, 371–386. [Google Scholar] [CrossRef]
  133. Nico, A.; Brechbühl, H. Identifying and filling gaps in operational technology cybersecurity. MIS Q. Exec. 2024, 23, 413–428. [Google Scholar] [CrossRef]
  134. Huang, J.A.; Murthy, U. The impact of cybersecurity risk management strategy disclosure on investors’ judgments and decisions. Int. J. Account. Inf. Syst. 2024, 54, 100696. [Google Scholar] [CrossRef]
  135. Kabanda, S.; Tanner, M.; Kent, C. Exploring SME cybersecurity practices in developing countries. J. Organ. Comput. Electron. Commer. 2018, 28, 269–282. [Google Scholar] [CrossRef]
  136. Le, A.T.; Huang, H.H.; Do, T.K. Navigating through cyberattacks: The role of tax aggressiveness. J. Corp. Financ. 2024, 88, 102649. [Google Scholar] [CrossRef]
  137. Khan, S.K.; Shiwakoti, N.; Stasinopoulos, P.; Chen, Y.; Warren, M. The impact of perceived cyber-risks on automated vehicle acceptance. Transp. Policy 2024, 152, 87–101. [Google Scholar] [CrossRef]
  138. Slapničar, S.; Vuko, T.; Čular, M.; Drašček, M. Effectiveness of cybersecurity audit. Int. J. Account. Inf. Syst. 2022, 44, 100548. [Google Scholar] [CrossRef]
  139. Huang, S.Y.; Wang, T.; Huang, Y.T.; Yeh, T.N. Information security risk items and management practices for mobile payment using non-financial-institution service providers: An exploratory study. Int. J. Account. Inf. Syst. 2024, 53, 100684. [Google Scholar] [CrossRef]
  140. Brooks, R.R.; Williams, K.J.; Lee, S.Y. Personal and contextual predictors of information security policy compliance: Evidence from a low-fidelity simulation. J. Bus. Psychol. 2024, 39, 657–677. [Google Scholar] [CrossRef]
  141. Georgiadou, A.; Mouzakitis, S.; Bounas, K.; Askounis, D. A Cyber-Security Culture Framework for Assessing Organization Readiness. J. Comput. Inf. Syst. 2022, 62, 452–462. [Google Scholar] [CrossRef]
  142. Li, H.; Sun, Z.; Huang, F. The impact of audit office cybersecurity experience on non-breach clients’ audit fees and cybersecurity risks. J. Inf. Syst. 2024, 38, 177–206. [Google Scholar]
  143. Malatji, M.; Marnewick, A.; von Solms, S. Validation of a socio-technical management process for optimising cybersecurity practices. Comput. Secur. 2020, 95, 101846. [Google Scholar] [CrossRef]
  144. Al-Emran, M.; Deveci, M. Unlocking the potential of cybersecurity behavior in the metaverse: Overview, opportunities, challenges, and future research agendas. Technol. Soc. 2024, 77, 102498. [Google Scholar] [CrossRef]
  145. Al-Emran, M.; Al-Sharafi, M.A.; Foroughi, B.; Iranmanesh, M.; Alsharida, R.A.; Al-Qaysi, N.; Ali, N. Evaluating the barriers affecting cybersecurity behavior in the metaverse using PLS-SEM and fuzzy sets (fsQCA). Comput. Hum. Behav. 2024, 159, 108315. [Google Scholar] [CrossRef]
  146. Donalds, C.; Osei-Bryson, K.M. Cybersecurity compliance behavior: Exploring the influences of individual decision style and other antecedents. Int. J. Inf. Manag. 2020, 51, 102056. [Google Scholar] [CrossRef]
  147. Kweon, E.; Lee, H.; Chai, S.; Yoo, K. The utility of information security training and education on cybersecurity incidents. Inf. Syst. Front. 2021, 23, 361–373. [Google Scholar] [CrossRef]
  148. Wang, M.; Parker, J.; Zhang, F.; Roberts, S.C. Assessing training and warning systems on drivers’ response to vehicle cyberattacks. Accid. Anal. Prev. 2024, 203, 107644. [Google Scholar] [CrossRef] [PubMed]
  149. Wong, L.W.; Lee, V.H.; Tan, G.W.H.; Ooi, K.B.; Sohal, A. The role of cybersecurity and policy awareness in shifting employee compliance attitudes. Int. J. Inf. Manag. 2022, 66, 102520. [Google Scholar] [CrossRef]
  150. Alshaikh, M.; Maynard, S.B.; Ahmad, A. Applying social marketing to evaluate current security education training and awareness programs in organisations. Comput. Secur. 2021, 100, 102090. [Google Scholar] [CrossRef]
  151. Obaydin, I.; Xu, L.; Zurbruegg, R. The unintended cost of data breach notification laws: Evidence from managerial bad news hoarding. J. Bus. Financ. Account. 2024, 51, 2709–2736. [Google Scholar] [CrossRef]
  152. Bartlett, B. Why do states engage in cybersecurity capacity-building assistance? Evidence from Japan. Pac. Rev. 2024, 37, 475–503. [Google Scholar] [CrossRef]
  153. Smith, K.; Gupta, M.; Prakash, P.; Rangan, N. Wealth effects of firms’ strategic technology investments: Evidence from the Ethereum blockchain. Internet Res. 2024, 34, 1775–1799. [Google Scholar] [CrossRef]
  154. Haag, S.; Eckhardt, A. Dealing effectively with shadow IT by managing both cybersecurity and user needs. MIS Q. Exec. 2024, 23, 399–412. [Google Scholar] [CrossRef]
  155. Kim, B.J.; Kim, M.J. The influence of work overload on cybersecurity behavior: A moderated mediation model of psychological contract breach, burnout, and self-efficacy in AI learning such as ChatGPT. Technol. Soc. 2024, 77, 102543. [Google Scholar] [CrossRef]
  156. Vrhovec, S.; Mihelič, A. Redefining threat appraisals of organizational insiders and the moderating role of fear. Comput. Secur. 2021, 106, 102309. [Google Scholar] [CrossRef]
  157. Wynn, D.; Salisbury, W.D.; Winemiller, M. Experiences and lessons learned at SMEs following ransomware attacks. MIS Q. Exec. 2024, 23, 429–446. [Google Scholar] [CrossRef]
  158. Saxena, A.; Sun, H.M. Tokendoc: Source authentication with a hybrid approach of smart contract and rnn-based models with aes encryption. IEEE Trans. Eng. Manag. 2023, 71, 12418–12432. [Google Scholar] [CrossRef]
  159. Zkik, K.; Sebbar, A.; Fadi, O.; Kamble, S.; Belhadi, A. Securing blockchain-based crowdfunding platforms. Electron. Commer. Res. 2024, 24, 497–533. [Google Scholar] [CrossRef]
  160. Gomez, Y.; Rios, J.; Insua, D.R.; Vila, J. Forecasting adversarial actions using judgment decomposition–recomposition. Int. J. Forecast. 2025, 41, 76–91. [Google Scholar] [CrossRef]
  161. Yalcin, H.; Daim, T.; Moughari, M.M.; Mermoud, A. Supercomputers and quantum computing on the axis of cybersecurity. Technol. Soc. 2024, 77, 102556. [Google Scholar] [CrossRef]
  162. Seaton Kelton, A.; Yang, Y.-W. Understanding cybersecurity breach contagion effects: The role of the loss heuristic and internal controls. Int. J. Account. Inf. Syst. 2024, 55, 100714. [Google Scholar] [CrossRef]
  163. Naseer, H.; Maynard, S.B.; Desouza, K.C. Demystifying analytical information processing capability: The case of cybersecurity incident response. Decis. Support Syst. 2021, 143, 113476. [Google Scholar] [CrossRef]
  164. Zhou, F.; Huang, J. Cybersecurity data breaches and internal control. Int. Rev. Financ. Anal. 2024, 93, 103174. [Google Scholar] [CrossRef]
  165. Cheung, K.F.; Bell, M.G.H. Improving connectivity of compromised digital networks via algebraic connectivity maximisation. Eur. J. Oper. Res. 2021, 294, 353–364. [Google Scholar] [CrossRef]
  166. Gilad, A.; Tishler, A. Measuring and mitigating the risk of advanced cyber attackers. Decis. Anal. 2024, 21, 215–234. [Google Scholar] [CrossRef]
  167. Hayat, R.F.; Aurangzeb, S.; Aleem, M.; Srivastava, G.; Lin, J.C.W. ML-DDoS: A blockchain-based multilevel DDoS mitigation mechanism for IoT environments. IEEE Trans. Eng. Manag. 2022, 71, 12605–12618. [Google Scholar] [CrossRef]
  168. Ampel, B.M.; Samtani, S.; Zhu, H.; Chen, H. Creating proactive cyber threat intelligence with hacker exploit labels: A deep transfer learning approach. MIS Q. 2024, 48, 137–166. [Google Scholar] [CrossRef]
  169. Ampel, B.M.; Samtani, S.; Zhu, H.; Chen, H.; Nunamaker, J.F., Jr. Improving threat mitigation through a cybersecurity risk management framework: A computational design science approach. J. Manag. Inf. Syst. 2024, 41, 236–265. [Google Scholar] [CrossRef]
  170. Le, T.D.; Le-Dinh, T.; Uwizeyemungu, S. Search engine optimization poisoning: A cybersecurity threat analysis and mitigation strategies for SMEs. Technol. Soc. 2024, 76, 102470. [Google Scholar] [CrossRef]
  171. Urrea, N.T.; Vishkaei, B.M.; De Giovanni, P. Operational risk management in e-commerce: A platform perspective. IEEE Trans. Eng. Manag. 2024, 71, 3807–3819. [Google Scholar] [CrossRef]
  172. Ullman, S.; Samtani, S.; Zhu, H.; Lazarine, B.; Chen, H.; Nunamaker, J.F. Enhancing vulnerability prioritization in cloud computing using multi-view representation learning. J. Manag. Inf. Syst. 2024, 41, 708–743. [Google Scholar] [CrossRef]
  173. Kotsias, J.; Ahmad, A.; Scheepers, R. Adopting and integrating cyber-threat intelligence in a commercial organisation. Eur. J. Inf. Syst. 2023, 32, 35–51. [Google Scholar] [CrossRef]
  174. Kahyaoglu, B.; Caliyurt, K. Cyber security assurance process from the internal audit perspective. Manag. Audit. J. 2018, 33, 360–376. [Google Scholar] [CrossRef]
  175. Rezaee, Z.; Zhou, G.; Bu, L.L. Corporate social irresponsibility and the occurrence of data breaches: A stakeholder management perspective. Int. J. Account. Inf. Syst. 2024, 53, 100677. [Google Scholar] [CrossRef]
  176. Alghamdi, S.; Daim, T.; Alzahrani, S. Technology assessment for cybersecurity organizational readiness: Case of airlines sector and electronic payment. IEEE Trans. Eng. Manag. 2024, 71, 7701–7718. [Google Scholar] [CrossRef]
  177. Gupta, S.; Modgil, S.; Meissonier, R.; Dwivedi, Y.K. Artificial intelligence and information system resilience to cope with supply chain disruption. IEEE Trans. Eng. Manag. 2021, 71, 10496–10506. [Google Scholar] [CrossRef]
  178. Arpaci, I. A multi-analytical SEM-ANN approach to investigate the social sustainability of AI chatbots based on cybersecurity and protection motivation theory. IEEE Trans. Eng. Manag. 2024, 71, 1714–1725. [Google Scholar] [CrossRef]
  179. Ma, W.; Li, W. Blockchain technology and internal control effectiveness. Financ. Res. Lett. 2024, 64, 105442. [Google Scholar] [CrossRef]
  180. Munim, Z.H.; Notteboom, T.; Haralambides, H.; Schøyen, H. Key determinants for the commercial feasibility of maritime autonomous surface ships (MASS). Mar. Policy 2025, 172, 106482. [Google Scholar] [CrossRef]
  181. Orero-Blat, M.; Palacios-Marqués, D.; Garzón, D. Knowledge assets for internationalization strategy proposal. J. Innov. Knowl. 2021, 6, 214–221. [Google Scholar] [CrossRef]
  182. Dunn Cavelty, M.; Pulver, T. The evolution of cyberconflict studies. Int. Aff. 2024, 100, 2317–2339. [Google Scholar] [CrossRef]
  183. Liebetrau, T.; Monsees, L. Cybersecurity and international relations: Developing thinking tools for digital world politics. Int. Aff. 2024, 100, 2303–2315. [Google Scholar] [CrossRef]
  184. Mishra, N.; Kugler, K. International community in the global digital economy: A case study on the African digital trade framework. Int. Comp. Law Q. 2024, 73, 853–889. [Google Scholar] [CrossRef]
  185. Formosa, P.; Wilson, M.; Richards, D. A principlist framework for cybersecurity ethics. Comput. Secur. 2021, 109, 102382. [Google Scholar] [CrossRef]
  186. Wang, Q.H.; Geng, R.; Kim, S.H. Chilling effects of computer misuse act enforcement. Inf. Syst. Res. 2024, 35, 1195–1215. [Google Scholar] [CrossRef]
  187. Ylönen, M.; Tugnoli, A.; Oliva, G.; Heikkilä, J.; Nissilä, M.; Iaiani, M.; Del Prete, E. Integrated management of safety and security in Seveso sites. Saf. Sci. 2022, 151, 105741. [Google Scholar] [CrossRef]
  188. Naseer, H.; Desouza, K.; Maynard, S.B.; Ahmad, A. Enabling cybersecurity incident response agility through dynamic capabilities: The role of real-time analytics. Eur. J. Inf. Syst. 2024, 33, 200–220. [Google Scholar]
  189. Agarwal, S.; Ghosh, P.; Ruan, T.; Zhang, Y. Transient customer response to data breaches of their information. Manag. Sci. 2024, 70, 4105–4114. [Google Scholar] [CrossRef]
  190. Donnelly, S.; Ríos Camacho, E.; Heidebrecht, S. Digital sovereignty as control: The regulation of digital finance in the European Union. J. Eur. Public Policy 2024, 31, 2226–2249. [Google Scholar] [CrossRef]
  191. Farrand, B.; Carrapico, H.; Turobov, A. The new geopolitics of EU cybersecurity: Security, economy and sovereignty. Int. Aff. 2024, 100, 2379–2397. [Google Scholar] [CrossRef]
  192. Vuko, T.; Slapničar, S.; Čular, M.; Drašček, M. Key drivers of cybersecurity audit effectiveness: A neo-institutional perspective. Int. J. Audit. 2025, 29, 188–206. [Google Scholar] [CrossRef]
  193. Baskerville, R.; Rowe, F.; Wolff, F.C. Integration of information systems and cybersecurity countermeasures: An exposure to risk perspective. ACM SIGMIS Database DATABASE Adv. Inf. Syst. 2018, 49, 33–52. [Google Scholar] [CrossRef]
  194. Datta, P.M.; Krancher, O. Cybersecurity end-user compliance: Password management versus update compliance. Inf. Manag. 2024, 61, 104060. [Google Scholar] [CrossRef]
  195. Audrin, B.; Audrin, C.; Salamin, X. Digital skills at work: Conceptual development and empirical validation of a measurement scale. Technol. Forecast. Soc. Change 2024, 202, 123279. [Google Scholar] [CrossRef]
  196. Bauldry, S.; Bollen, K.A. tetrad: A set of Stata commands for confirmatory tetrad analysis. Struct. Equ. Model. A Multidiscip. J. 2016, 23, 921–930. [Google Scholar] [CrossRef] [PubMed]
  197. Sarstedt, M.; Hair, J.F.; Cheah, J.H.; Becker, J.M.; Ringle, C.M. How to specify, estimate, and validate higher-order constructs in PLS-SEM. Australas. Mark. J. 2019, 27, 197–211. [Google Scholar] [CrossRef]
Figure 1. PRISMA flow chart of the SLR. Source: Authors’ own elaboration.
Figure 2. Annual distribution of publications and citations before taking the exclusion criteria into consideration. Source: WoS, 2025.
Figure 3. Life-cycle analysis of C-SCRM annual publications. Blue dots represent the observed number of publications per year, the solid blue line represents the life cycle curve, and the red dashed line indicates the predicted peak year of publication activity (2022.2). Source: Biblioshiny, 2025.
Figure 4. Cumulative growth curve of C-SCRM publications. Green dots represent the observed number of publications per year, and the solid line represents the growth curve. Source: Biblioshiny, 2025.
Figure 5. The evolution of C-SCRM concept. Source: Authors’ own elaboration.
Figure 6. Network Diagram to Co-Occurrence of Terms in Abstracts and Titles in C-SCRM Research. Source: Authors’ computation using VOS viewer.
Figure 7. Overlay Visualization to Co-Occurrence of Terms in Abstracts and Titles in C-SCRM Research. Source: Authors’ computation using VOS viewer.
Figure 8. Conceptual structure. Source: Authors’ computation using Biblioshiny (Bibliometrix package in R).
Figure 9. Thematic map. Source: Authors’ computation using Biblioshiny (Bibliometrix package in R).
Figure 10. The shift toward the interdisciplinary nature of C-SCRM. Source: Authors’ own elaboration.
Figure 11. C-SCRM conceptual diagram. Source: Authors’ own elaboration.
Table 1. The most influential prior systematic literature review articles.

| Authors (Year) | N | Time Span | Review Type | Search Strategy | Selection Criteria | Quality Assessment | Key Research Area | AC |
|---|---|---|---|---|---|---|---|---|
| [29] | NS | 2003–2018 | Framework-based (2W+1H: Who, What, How) | Limited | NS | NR | Information-sharing and public–private partnerships | 13.5 |
| [24] | 39 | 1990–2017 | Structured Review (no framework) | Comprehensive | ES | Basic | Cyber risk taxonomy and propagation mechanisms | 45.6 |
| [28] | NS | NS | Framework-based (ADO: Antecedents–Decisions–Outcomes) | NR | NS | NR | Employee cybersecurity behavior and organizational interests | 8.5 |
| [12] | 160 | 2010–2019 | Structured Review (no framework) | Adequate | ES | Basic | Cybersecurity countermeasures across supply chain | 55.5 |
| [18] | 61 | NS | Structured Review (no framework) | NR | NS | NR | Critical infrastructure supply chain security | 9.5 |
| [8] | 137 | 2013–2022 | Structured Review (no framework) | Comprehensive | ES | Basic | Collaborative cybersecurity management capabilities between firms | 2.0 |
| [5] | 14 | 2012–2022 | Framework-based (ADO) | Very Limited | NS | NR | Supply chain visibility and cybersecurity framework alignment | 0.0 |

Note: N = total articles; NR = not reported; NS = not specified; ES = explicitly specified; AC = total citations based on 2025.
Table 2. Temporal distribution of C-SCRM publications.

| Phase | Years | N | % | CAGR | Key Characteristics | Research Orientations | Key Incidents |
|---|---|---|---|---|---|---|---|
| Foundational | 2014–2016 | 2 | 1% | NA | Nascent | Special issue | |
| Emerging Phase | 2017–2019 | 20 | 11% | 115.4% | Early expansion | Case studies | NotPetya |
| Expansion Phase | 2020–2022 | 60 | 34% | 44.2% | Methodological diversification | Practical frameworks | SolarWinds, Colonial Pipeline, Kaseya attack |
| Maturation Phase | +2023 | 93 | 53% | 24.5% | Theoretical framework development | Cross-disciplinary integration | CrowdStrike |
| Total | | 175 | 100% | - | - | | |

Note: CAGR = Compound Annual Growth Rate calculated as percentage change from the previous period. Source: Authors’ own elaboration.
Table 3. C-SCRM Classification by Functional Domain.

| Domain | N | % | Primary Focus Areas | Representative Journals |
|---|---|---|---|---|
| Cyber/Information Security - information systems | 115 | 65.71% | Technical vulnerabilities, security frameworks, threat management, information protection | Computers and Security, MIS Quarterly, Information Systems Research |
| Supply Chain Management | 17 | 9.71% | Network relationships, operational continuity, multi-tier supply chain management, supply chain security, robustness, and resilience | Supply Chain Management: An International Journal, Production and Operations Management |
| Risk Management | 22 | 12.57% | Risk assessment methodologies, financial impacts, governance frameworks, strategic risk management | International Review of Financial Analysis, Decision Support Systems |
| Others | 21 | 12.00% | Integrated approaches, policy implications, organizational perspectives | Technology in Society, International Affairs |
| Total | 175 | 100% | - | - |

Source: Authors’ own elaboration.
Table 4. The five top-cited articles in C-SCRM Literature.

| R | Authors (Year) | Title of Article | Focus Area | TC | AC | Journal | ABDC |
|---|---|---|---|---|---|---|---|
| 1 | [49] | Cyber Security Awareness, Knowledge, and Behavior: A Comparative Study | Internal behavioral area | 528 | 176.0 | Journal of Computer Information Systems | A |
| 2 | [50] | Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior | Internal behavioral area | 479 | 79.8 | International Journal of Information Management | A* |
| 3 | [24] | Managing cyber risk in supply chains: a review and research agenda | Supply chain perspective | 229 | 45.8 | Supply Chain Management: An International Journal | A |
| 4 | [10] | Cyber supply chain risk management: Revolutionizing the strategic control of critical IT systems | Strategic integrated management framework | 225 | 20.5 | Technovation | A |
| 5 | [51] | The rise of crypto ransomware in a changing cybercrime landscape: Taxonomizing countermeasures | Technical ransomware countermeasures | 189 | 47.3 | Computers & Security | A |

Note: TC = total citations; AC = Weighted Average no of citations = Total citations ÷ Current year (2025) minus year of publishing based on Google Scholar’s citations (January 2025). Source: Authors’ own elaboration.
Table 5. The five most frequently cited countries in C-SCRM research.

| R | Country | N | % | Research Characteristics | Representative References |
|---|---|---|---|---|---|
| 1 | United States | 74 | 42.3% | Policy-driven leadership, extensive funding | [10,21,26,28,29,30,37,42,47,50,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88] |
| 2 | United Kingdom | 18 | 10.3% | Strong academic-industry collaboration | [18,23,24,43,44,48,51,89,90,91,92,93,94,95,96,97,98,99] |
| 3 | China | 9 | 5.1% | Rapid growth, technical focus | [22,100,101,102,103,104,105,106,107] |
| 4 | India | 6 | 3.4% | Emerging expertise, behavioral studies | [46,108,109,110,111,112] |
| 5 | Canada | 4 | 2.3% | Risk management specialization | [113,114,115,116] |
| 5 | Italy | 4 | 2.3% | Cross-disciplinary approaches | [19,117,118,119] |
| 5 | Netherlands | 4 | 2.3% | Policy and governance focus | [120,121,122,123] |

Source: Authors’ own elaboration. Note. Countries ranked by publication count among top-cited papers.
Table 6. Representative C-SCRM Definitions and Citation Impact.

| Authors | Term Used | Definition | Journal | TC | Classification |
|---|---|---|---|---|---|
| [10] | Cyber supply chain risk management (C-SCRM) | Organizational strategies and programmatic activities across the entire IT system life cycle. | Technovation | 239 | Widely Cited |
| [37] | Cyber supply chain risk management (C-SCRM) | Systematic process to manage exposures to cybersecurity risks and develop appropriate response strategies, policies, and procedures. | Technovation | 50 | Moderately Cited |
| [19] | Cyber supply chain risk management (C-SCRM) | A process of extending control over cyber risks across the entire supply chain to foster continuous adaptive capacity and enhance overall resilience | Supply Chain Management: An International Journal | 128 | Widely Cited |
| [20] | Cyber supply chain risk management (C-SCRM) | A strategic approach to identify, evaluate, and mitigate potential cyber and information risks across the entire supply chain network. | Industrial Management & Data Systems | 20 | Moderately Cited |
| Others | | | | | |
| [25] | cybersecurity within digital supply chains | Systematically mitigate cybersecurity risks in the digital supply chain | Information & Computer Security | 7 | Emerging |
| [7] | Managing cyber risks in digital supply chains | understanding and addressing supply chain cyber threats and risks by developing supply chain dynamic capabilities of how supply chains proactively sense, seize, and transform their operations to build resilience. | Supply Chain Management: An International Journal | 13 | Emerging |
| [15] | Supply Chain Cyber Risk Management (SC-CRM) | Strategies used to establish outward-oriented capabilities in an attempt to deal with supply chain cyber risks. | International Journal of Physical Distribution & Logistics Management | 11 | Emerging |
| [26] | Cybersecurity across the supply chain | A holistic approach that integrates measures related to technology, process, and people to protect the entire network from damage, attack, or unauthorized access. | International Journal of Production Research | 146 | Widely cited |
| [3] | Cybersecurity supply chain risk management (C-SCRM) | The development of internal and external practices in managing cybersecurity risks throughout supply chains. | Supply Chain Management: An International Journal | 0 | Emerging |

Note: Classification based on citation thresholds: Widely cited (≥50 citations), Moderately cited (15–49 citations), Emerging (<15 citations). Source: Authors’ own elaboration.
Table 7. Core Attributes of C-SCRM definitions.

| Aspect | Attribute | Explanation | Examples from References |
|---|---|---|---|
| Nature | Strategic approach/Programmatic activities Process | A strategic approach that aligns with broader enterprise goals. | [10,15,17] |
| Scope | End-to-End Supply Chain | Extends beyond internal IT systems to include the full range of supply chain partners (Tier 1, Tier 2, etc.), vendors, and service providers. | [3,20,23] |
| | Cyber risk management process | Identify, assess risks, and develop mitigation strategies. | [20,37] |
| Means | Resources/Capabilities | Adapt, respond, and recover from cyber disruptions across the supply chain. | [15,23] |
| Expected outcomes | Visibility, internal security, external security, resilience, robustness, financial performance | Aligns firm’s internal cybersecurity policies and external supplier or partner practices to create secure and resilient supply chain. | [3,17] |

Source: Authors’ analysis based on previous definitions.
Table 8. Critical Evaluation of C-SCRM.
Table 8. Critical Evaluation of C-SCRM.
| Dimension | Brief Explanation | Assessment | Assessment Rationale |
|---|---|---|---|
| Familiarity | The concept’s terms and ideas should be familiar to the target audience. | Medium | C-SCRM has become a well-known concept to scholars and practitioners in cybersecurity and IT fields, but it is still unfamiliar among audiences in management fields, particularly supply chain management. |
| Differentiation | The concept should have clear conceptual boundaries that distinguish it from similar concepts. | Low | C-SCRM blurs considerably with general supply chain risk management and cybersecurity risk management. |
| Field Utility | The concept should provide practical relevance for research, measurement, policy, and managerial application. | Strong | C-SCRM is relevant, applicable, and valuable within the broader fields of supply chain, risk, and cybersecurity management. It helps scholars and practitioners identify, analyze, and mitigate cyber risks across the entire supply chain. It also helps them generate explanations, insights, and/or hypotheses related to governance, visibility, systems integration, operation management, resilience, robustness, and digital integration. |
| Resonance | The concept should align with important issues, debates, or concerns, ensuring both scholarly and practical relevance. | Strong | C-SCRM aligns with cyber supply chain incidents that have occurred, such as SolarWinds, the CrowdStrike disruption, and other attacks, which highlighted the severity of cyber supply chain risks. |
| Parsimony | The concept should remain concise and avoid unnecessary complexity or redundancy. | Low | C-SCRM includes organizational processes, governance, operations, and inter-organizational relationships across multiple tiers. |
| Coherence | The internal elements of the concept should logically fit together without contradictions. | Low | The dimensions of C-SCRM, including technical, operational, and strategic, remain fragmented. |
| Theoretical Utility | The concept should refine theory building, generate hypotheses, or explain relationships. | Strong | C-SCRM integrates practices from supply chain, risk, and cybersecurity management. C-SCRM links well to existing management theories such as contingency theory, stakeholder theory, resource-based theory, and dynamic capability theory. Finally, existing studies have empirically associated it with security, resilience, trust, visibility, and power dynamics in supply chains. |
| Depth | The concept should support multi-level and in-depth investigation of its attributes. | Medium | C-SCRM builds upon or extends other fields, such as supply chain management or risk management. It is often seen as cyber risk management or supply chain risk management. |
Source: Authors’ analysis based on ref. [36]’s conceptual evaluation framework.
Table 9. Comparative Conceptualizations of C-SCRM Across Academic Disciplines.
| Criteria | Supply Chain Management | Cybersecurity/Information Systems | Risk Management |
|---|---|---|---|
| Focus | Strategic end-to-end control of the entire supply chain | Protection of systems, data, and digital infrastructure against internal and external cyber threats | Identification, assessment, mitigation, and monitoring of enterprise-level risks. |
| Risk approach | A strategic network-based risk management capability | A technical and operational approach | A governance-oriented, cross-organization functional approach |
| Unit of Analysis | The extended supply chain systems | The internal IT systems | The enterprise systems |
| Key Concepts Used | Security, resilience, agility, adaptability, visibility, third-party management | Threats, vulnerabilities, exploits, access control, threat intelligence | Risk identification, risk appetite, controls, residual risk, compliance |
| Operationalization of C-SCRM | Supplier assessments, third-party cyber scorecards, supply chain resilience indices | Firewalls, penetration testing, endpoint protection, threat monitoring | Risk matrices, KRIs (key risk indicators), control frameworks (e.g., COSO, ISO), enterprise risk dashboards |
| Orientation | Strategic & relational: | Technical and defensive: | compliance-driven |
| Outcome Measures | build trust and joint resilience; Supply chain security, resilience, robustness | Attack mitigation, system uptime, threat reduction | Risk exposure reduction, compliance, residual risk improvement, audit readiness |
Source: Authors’ own elaboration.
Table 10. Thematic Clusters in C-SCRM Research.
| Cluster | Items (n) | % | Research Stream Focus | Theoretical Foundation | Temporal Evolution | Key Characteristics |
|---|---|---|---|---|---|---|
| Red Cluster | 523 | 38.9% | Strategic-Organizational | Social Resource-Based View, Institutional Theory | Exponential growth (2020+) | Strategic governance, human factors, organizational behavior |
| Green Cluster | 490 | 36.6% | Operational-Analytical | Internal Technical Operations Management, Capability Theory | Consistent growth | Detection systems, threat analysis, performance metrics |
| Blue Cluster | 313 | 23.4% | Technical-Infrastructure | Systems Theory, Socio-Technical Systems | Foundational (2014–2019) | Infrastructure, system integration, data management |
| Yellow Cluster | 13 | 1.0% | Emerging Technologies and Innovation | Environmental Dynamic capability, Technology Acceptance | Recent emergence (2022+) | AI, dynamic systems, rapid development |
| Purple Cluster | 1 | 0.1% | Cross-Domain Integration | | Nascent | Interdisciplinary approaches |
| Total | 1340 | 100% | - | | - | - |
Source: Authors’ own elaboration.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
