Supply Chain Characteristics as Predictors of Cyber Risk: A Machine-Learning Assessment

TL;DR

This study demonstrates that incorporating supply chain network features significantly improves the prediction of enterprise cyber risk, highlighting the importance of third-party cyberattack considerations in cybersecurity assessments.

Contribution

It provides the first large-scale empirical evidence that supply chain attributes enhance cyber risk prediction models beyond internal enterprise features.

Findings

Supply chain features increase prediction accuracy by 2.3% AUC.

Supply chain attributes are significant predictors of cyber risk.

Insights into third-party attack mechanisms suggest targeted interventions.

Abstract

This paper provides the first large-scale data-driven analysis to evaluate the predictive power of different attributes for assessing risk of cyberattack data breaches. Furthermore, motivated by rapid increase in third party enabled cyberattacks, the paper provides the first quantitative empirical evidence that digital supply-chain attributes are significant predictors of enterprise cyber risk. The paper leverages outside-in cyber risk scores that aim to capture the quality of the enterprise internal cybersecurity management, but augment these with supply chain features that are inspired by observed third party cyberattack scenarios, as well as concepts from network science research. The main quantitative result of the paper is to show that supply chain network features add significant detection power to predicting enterprise cyber risk, relative to merely using enterprise-only attributes. Particularly, compared to a base model that relies only on internal enterprise features, the supply chain network features improve the out-of-sample AUC by 2.3\%. Given that each cyber data breach is a low probability high impact risk event, these improvements in the prediction power have significant value. Additionally, the model highlights several cybersecurity risk drivers related to third party cyberattack and breach mechanisms and provides important insights as to what interventions might be effective to mitigate these risks.