key: cord-1004064-h7udwz8y authors: Durowoju, Olatunde A.; Chan, Hing Kai; Wang, Xiaojun; Akenroye, Temidayo title: Supply chain redesign implications to information disruption impact date: 2020-09-28 journal: Int J Prod Econ DOI: 10.1016/j.ijpe.2020.107939 sha: 3239f93e2389eb85a37aa339c60364767865a17a doc_id: 1004064 cord_uid: h7udwz8y Over the years, supply chain reconfiguration decisions have been solely based on operational risk. Simplification strategies, such as horizontal mergers, and networking strategies, such as risk pooling, are conflicting paradigms that have been shown to improve financial performance of supply partners. The implication of this to disruption risk is not fully known, especially as it concerns information security breach (ISB). Analysts have rated ISB as a huge disruption risk, costing businesses millions of dollars. Using a credible and well-established agent-based simulation approach and statistical analysis, we examine the impact of ISB on the simplification and risk pooling strategies respectively under three different order replenishment systems. The effect of reconfiguring the supply chain is first examined in a non-security breach scenario and then in a breached scenario. We find that reconfiguration has no benefit to a supply chain using a parameter based replenishment policy (option I), in both breach and non-breach situations, but leads to significant advantage when batch ordering model (option II) or a combined batch-and-parameter based ordering policy (option III) is used. We also established that batch ordering system favours the risk pooling strategy whereas a combined batch-and-parameter ordering system favours the simplification counterpart especially when the simplification is at the wholesaler tier. This study has significant implications for supply chain design as well as information security priorities. This is one of the first papers to look at how ISB impacts supply chain configuration and the role of ordering decision context. According to Chen et al. (2013) there are two types of supply chain risks that affect supply chain performance, namely: operational risk and disruption risks. Operational risks are issues relating to people, systems and processes, which may result in failures in supply-demand coordination while disruption risks relate to less controllable issues that arise from man-made or natural disasters such as sabotage, strike, technology failure, tsunamis, earth quakes and severe weather (Chen et al., 2013 , Ho et al., 2015 . There is often a presumption in the literature that operational and disruption risks are disparate concepts with differing approaches for mitigating them. The focus of mitigating the former is on improving efficiency while that of the latter is on improving resilience. This appears to be in conflict as the former seeks to simplify by reducing entities in the supply chain while the other seeks to hedge against uncertainties by having more entities to serve as emergency reserves in the event of disruption. So far, most studies (Tang 2006 , Chen et al. 2013 , Ho et al. 2015 have considered their mitigation strategies separately and not many have explored how one can be used to reconcile the other. In this study, we aim to show how improvement strategies used to reduce operational risk can also have a positive effect on the impact of disruption risks. Specifically, we examined the effect of structural redesign or reconfiguration strategy used for mitigating operational risk on information disruption in the supply chain. On one hand, it has been suggested that supply chain configuration, also referred to as supply chain structure, is one of the most prominent performance levers that helps mitigate operational risk and improve supply chain performance (Hoole, 2005) . Supply chain configuration is mostly construed to mean the arrangement of physical asset and material flow in the supply chain (Ottemöller and Friedrich, 2019) . The more complex the supply chain configuration, the less efficient it will be and consequently, the lower the performance. Therefore, improving the complexity of the supply chain through reconfiguration is one of the most common methods for reducing supply chain operational risks and improving J o u r n a l P r e -p r o o f performance (Childerhouse and Towill, 2003 , Caniato et al., 2013 , Jahani et al., 2018 , Razm et al., 2019 . In addition to this, a previous survey of managers by Accenture have shown that operational risk is more predominant than disruption risk (Byrne, 2007 as cited in, Chen et al., 2013 . Consequently, over the years supply chain reconfiguration decisions have been based solely on operational risk (Li and Womer, 2012 , Caniato et al., 2013 , Carnovale and Yeniyurt, 2014 , Razm et al., 2019 , Seiler et al., 2020 . Therefore, as certain reconfiguration strategies have been shown to have greater operational benefits than others (Nagurney, 2009 , Yildiz et al., 2016 , it may be worthwhile for supply chains to reconfigure into more promising structure types, as long as operational benefits outweigh restructuring costs. These reconfiguration strategies are explained in more details under section 3.2. However, many of the existing configuration studies utilise single inventory replenishment policy which limits generalisability of findings as different replenishment policies behave differently under certain conditions leading to different outcome or conclusion (Son and Sheu, 2008, Lau et al., 2008) . There is, therefore, a need to evaluate the moderating effect of configuration under various ordering policies to gain a better understanding on the topic. Consequently, the following questions have been unanswered in existing literature: (1) What is the impact of reconfiguration on the ordering behaviour/pattern of the supply chain? (2) Which reconfiguration strategy would be most suitable under normal conditions? We examined this impact under three inventory replenishment policies; parameter based ordering policy (option I), batch ordering model (option II), and a combined batch-andparameter based policy (option III). These are discussed in more details under section 3.2. On the other hand, ISB has emerged as a huge disruption risk to supply chains temporarily, or permanently in many cases, causing system failures and denying supply agents of needed information to run a timely operation. As years go by, this has proved increasingly J o u r n a l P r e -p r o o f problematic owing to the higher level of sophistication with which breaches occur (Potter and Beard 2010) and the fact that security controls appear to be lagging behind new technology (Vaidya, 2019) . Exacerbating this problem further is the reality that appropriate security measures can be very expensive and supply chains are forced to prioritise which control measures to focus on whilst seeking additional means of protection against the impact of security breach. The need for this is quite evident as system failures result in the disruption of business operations leveraged by the Information systems (IS), and this has cost implications. For example, analysts estimated the cost of data breach experienced by eBay in 2014 to be a loss of around $200 million in revenue (Drinkwater, 2014) . Also, a Zogby Analytics survey of 1006 small business decision makers revealed that 10% of SMEs die after experiencing a data breach (Small Business Cybercriminal Target Survey Data, 2019) . Therefore, there have been calls for supply chains to re-assess supply chain designs not only based on financial risk or operational risk (Tang, 2006) but also on supply chain disruption risks (Bode and Wagner, 2015) . Despite the significance of ISB impact on supply operations (Deane et al., 2009, Durowoju and Chan, 2012) , there has been no single study, to the authors' knowledge, examining how supply chain reconfiguration affects the level of impact ISB has on supply chain inventory performance. This is a key step in reconciling operational risks with disruption risks and ensuring that the objectives of both concepts align for the betterment of the supply chain. We aim to show that reconfiguration strategies meant to improve efficiency can also be used to reduce ISB impact. Since each ISB has a profile, which is defined as a combination of two elements: the rate of occurrence (RoC) and disruption duration (DD), and Durowoju (2014) have shown that the ISB profile determines the scale of impact on supply chain performance, therefore, the effect of reconfiguration will also depend on the breach profile. Consequently, two research questions emerge: J o u r n a l P r e -p r o o f (3) What is the magnitude and direction of the effect of reconfiguration on the impact of ISB profile? (4) What role does ordering policy play on this effect? The authors agree with Marley et al. (2014) that reducing supply chain complexity can also be used as an additional measure (not an alternative measure in itself) to mitigate disruption impact, and therefore understanding how supply chain reconfiguration can help mitigate the impact of ISB is important. Therefore, those supply chains considering reconfiguration strategy such as horizontal mergers (Nagurney, 2009 , Cho, 2014 should understand how the landscape of their inventory management performance would change in the face of ISB incidences. This paper contributes to the literature on reconciling conflicting paradigms in operations and supply chain management by unifying and advancing three streams of research in literature: i. Implication of simplification through horizontal mergers for supply chain performance (Nagurney, 2009 , Cho, 2014 , Ottemöller and Friedrich, 2019 ii. Implication of operational risk such as supply chain complexity for supply chain disruption risk (Craighead et al., 2007 , Marley et al., 2014 , Bode and Wagner, 2015 iii. Implication of ordering policy context for supply chain decisions (Baganha and Cohen, 1998 , Chen and Disney, 2007 , Wadhwa et al., 2009 Using agent-based simulation, we examine the performance of a supply chain under various supply chain structures in a breach and non-breach scenario. Agent based simulation has been described as an effective and practical tool in evaluating and analysing supply chain design and management alternatives (Swaminathan et al., 1998 , Fahimnia et al., 2015 . J o u r n a l P r e -p r o o f Supply chain structure has been defined by many researchers based on several parameters. Randall and Ulrich (2001) defined structure as a function of distance of production facility to target market and the extent of production to reach minimum efficiency. Stock et al. (2000) conceptualized structure as a function of geographic dispersion and channel governance. Xu et al. (2010) defined structure in the context of how the manufacturer directs its capabilities. They defined three structures; (i) a component supplier structure is one where the manufacturer produces component for the original equipment manufacturer (OEM); (ii) a monopoly structure is where the manufacturer assembles the product under own brand; and the dual distributor structure is a combination of both. Beamon and Chen (2001) described four supply chain structures based on a single manufacturer present in the chain, namely, convergent (assembly type), divergent (Arborescent type), conjoined (combination of convergent and divergent) and general (called network). According to them, the conjoined structure is typically used in web-based retail, which is the supply chain type that is examined in this study. Ottemöller and Friedrich (2019) described supply chain structure as having two dimensions, the vertical and horizontal dimensions. The vertical dimension prescribes how many stages there are in the supply chain and the horizontal prescribes how many agents are in each stage. The concept of simplification strategy used in our study stems from the horizontal dimension of the supply chain structure described in (Ottemöller and Friedrich, 2019) . The objective of improving the structure of the supply chain is usually to increase efficiency by simplifying the supply chain through pooling of resources and capacity (Chopra and Sodhi, 2014) . On the other hand, the objective of reducing disruption risk is usually to increase inventory and add capacity in the supply chain in order to reduce the impact of disruption and J o u r n a l P r e -p r o o f become more resilient to future disruptions (Kamalahmadi and Parast, 2017) . Whilst both objectives appear conflicting, our study aims to show that strategies used for reducing operational risk can be useful in reducing the impact of information disruption risk, reconciling both objectives in a single study. Some studies have looked at the effect of supply chain structure alone on the performance of supply chains (Beamon and Chen, 2001 , Mills, 2004 , Xu et al., 2010 , Ottemöller and Friedrich, 2019 . Beamon and Chen (2001) , using simulation modelling, examined the performance of a conjoined supply chain structure, while Lau et al. (2002) included a linear structure (also called serial) in addition to what was described by Beamon and Chen (2001) and considered the impact of information sharing on a divergent supply chain using simulation approach. Others have examined the impact of specific disruption types on supply chain performance (Ivanov and Rozhkov, 2017 , Kamalahmadi and Parast, 2017 , Shekarian et al., 2019 . For most of these studies, the disruption usually occur at the upstream and the impact on the downstream sector is investigated. Kamalahmadi and Parast (2017) utilised mixed-integer programming to investigate two disruption types in the upstream part of the supply chain, supply and environmental risks, and the effectiveness of three redundancy practices in mitigating these disruption types. Shekarian et al. (2019) considered supply and demand risk and they evaluated how flexibility and agility mitigated these risks using mixed-integer programming. Ivanov and Rozhkov (2017) studied production capacity disruptions on supply chain performance by means of simulation modelling. Failure risks were studied by (Pariazar and Sir, 2018) using multi-objective stochastic programming to determine the best mitigation strategies for disruption due to failure in availability and quality of products. However, only a handful studies have investigated the effect of structure on supply chain disruption. To the author's knowledge, three studies have examined the effect of structure on J o u r n a l P r e -p r o o f supply chain disruption. Craighead et al. (2007) examined the role of supply chain design characteristics-supply density, complexity and node criticality, on the severity of supply chain disruption using semi-structured interviews and focus group. They found that there is an interaction between supply chain mitigation capability (recovery and warning systems) and design characteristics, which determines how severe a disruption is on supply chain. They defined severity as the number of supply chain members whose activities have been hampered to downstream, which makes sense that Bode and Wagner (2015) and Marley et al. (2014) studied the impact of disruption to this flow on downstream customers. However, information typically flows in the opposite direction in the supply chain from downstream to upstream, and since information delays play a bigger role to lost sales revenue than material delay (Munoz and Clements, 2008) , this study considered it important to focus on disruption to information flow and how this affects upstream members (the reverberating effect). In addition, our study also adds to this field by examining how structural configuration affects the impact of downstream information flow disruption due to ISB. Garvey et al. (2015) examined the propagation of several supply chain disruption risks using Bayesian network approach. Although this study was useful in understanding how risky a location is within a supply network, it is not clear how the actual cost impact of disruption transmits to upstream J o u r n a l P r e -p r o o f members. The current study will examine cost implication to upstream members using discrete event simulation. Supply chain structure and the benefit of supply chain redesign has been studied in the past. This has been either construed as a strategy where a merger occurs in a specific tier (Cho, 2014) or in multiple tiers (Nagurney, 2009 ). Cho (2014) , using mathematical modelling, studied the impact on consumer price of mergers between two supply agents in the same tier and found that benefit only comes when the merger occurs at the tier that acts as the leader in the supply chain. Since this merger occurs in a single tier (either upstream or downstream only), the authors have termed this a simplification strategy for the purpose of this study. While Cho (2014)'s concern was on how horizontal merger affects the profits of the supply chain and consumer price, the current study focuses specifically on the implication for inventory performance before and after supply chain disruption due to ISB. In addition, this study also offers the ordering policy context, as it is intuitive that different ordering policies behave differently in a breach scenario. On the other hand, Nagurney (2009) examined three cases where the merger only involved the manufacturing tier, the distribution tier and both manufacturing and distribution tiers respectively using system-optimisation modelling. However, they examined two separate supply chains headed by two different firms. It appears each firm own or control all the supply chain tiers. In the current study, the authors examine the case of autonomous players within each tier and the supply chain is not owned by any one firm. To examine the effect of structure on supply chain performance, this study evaluates the relative performance of distribution type, manufacturing type and network type structures to a serial counterpart in disrupted and non-disrupted supply chain scenarios. These structures have been studied separately in the past under various subjects. However, the effect of J o u r n a l P r e -p r o o f structure on the impact of supply chain disruption has not been studied in the literature. The structures considered in this study represent a strategic decision which supply chains can make to improve operational performance and reduce the risk of ISB. There are two strategies examined here: a simplification strategy (or merger at a specific tier) and a form of risk sharing strategy called networking strategy. They are illustrated in Figure 1 . is defined as a single wholesaler serving and being served by more than one downstream and upstream agent. A manufacturer supply chain (MF) is defined as a supply chain with a single manufacturer serving more than one supply stream. These two structures are synonymous with the downstream and upstream merger structures described in Cho (Cho, 2014) . The wholesaler and manufacturer typically cater to either SMEs or large operators meaning they prioritise economies of scale. This makes simplification strategy a desirable objective where they are able to pool resources to take advantage of economies of scale and consequently improve performance. We have not considered simplification at the retailer because unlike the wholesale or manufacturer, the priority of the retailer is to reach as many customers as possible and this requires having several outlets, in many cases. Moreover, reduction in the number of retail outlets is usually a loss reduction strategy rather than a performance improvement strategy which is the focus in this research. The last structure shown in Figure 1 (d) is a network structure (N) which is a risk sharing strategy (referred to in this study as networking strategy). The network structure in this study is synonymous with the third merger case described in Nagurney (Nagurney, 2009) . Instead of reducing the number of agents in each tier (simplification strategy), a network is formed where multiple agents in each tier divide all the orders coming from different demand streams equally between themselves. In other words, they share the risk associated with each demand stream equally. The reality however is that in some cases, equal sharing might not be possible as some supply chain agents have higher level of participation in the supply chain than others do. The point being made here is that risk sharing can still take place as long as the division of responsibility to each member in the tier is commensurate with their level of participation. For simplicity, the number of agents in each tier has been limited to two. J o u r n a l P r e -p r o o f 3. METHODOLOGY This study uses secondary data on three typical ISB profiles. The profile of a breach is defined as the rate of occurrence (RoC) of the breach and the severity/disruption duration (DD) of the breach when it occurs. A 2017 cyber security survey (Klahr et al., 2017) revealed that 1 in 5 organisations experience a security breach which results in temporary loss of access to files/network or have their software/systems corrupted or damaged. This is a major concern, as many organisations rely on access to these files/networks in order to store and retrieve real time demand and/or inventory information. Various breach surveys have reported typical frequencies of ISBs to be a few times per day, one per day, one per week, one per month, less than one per month, and one per year (Miller et al., 2015 , Vaidya, 2019 . However, having studied data from these surveys and based on our investigation, we have only considered frequencies of one per quarter (low frequency)-BP1, and one per week (high frequency)-BP2, in order to show the effect of increased frequency of ISBs on supply chain performance. According to the SANS Institute survey of 591 respondents in 2016, DD is determined by how long it takes to complete remedial actions. These actions are largely manual and can include activities such as rebuilding a server or replacing a workstation (Bromiley, 2016) . The survey further revealed that remedial action can typically take less than one day (29% of respondents) or between 2 to 7 days (33% of respondents). Therefore, in our study, we examined the impact of an average of 1-day (low) and 5-day (high) remediation length as they are typical figures in the industry and can help show the effect of increased DD on supply chain performance. Combining the RoC and DD helps us create a breach profile which is summarised in Table 1 classified as less disruptive breaches because of the low DD (but BP2 is typically a highly recurring breach), and BP3 is classified as a highly disruptive breach. These three profiles would affect the supply chain in different ways, but this has not been established in past literature. This information was incorporated into the simulation model as a deterministic model. The supply chain structures were studied under three different ordering policies, where magnitude of order quantity could either be the difference between two specific decision parameters, a predetermined batch size, or a combination of both. These three alternatives have been used in different forms and studied separately in literature. They have been used in periodic review models as well as continuous review models. Each of these three alternatives is considered in this study: (i) The first alternative, parameter based ordering, is exemplified in this study with Option I-the order-up-to base stock policy (Chen et al., 2000, Beamon and Chen, J o u r n a l P r e -p r o o f 2001, Bensoussan et al., 2007 , Agrawal et al., 2009 ). The order size (Q t ) in any particular period, t, is determined by computing the difference between two decision parameters (inventory position (IP) and order-up-to level (OUT)) when IP is less than the re-order point (ROP). This is shown in equation (1) and the OUT is assumed to be equal re-order point (ROP). (ii) the second alternative, predetermined batch size is represented in this study as Option II-the optimal economic order quantity (EOQ*) (Axsäter, 1996) . The order size at any particular period, t, is obtained by multiplying the normal EOQ computation in equation (2) by a predetermined optimal value, 2.2361, as shown in equation (3). where μ is the average demand from downstream; f is the fixed ordering cost; b is the unit backlog cost; and h is the unit holding cost. (iii) the last alternative which combines the previous two alternatives in determining its order quantity is represented as Option III-the combined batch-and-parameter based policy with an EOQ component (Arrow et al., 1951 , Chen and Disney, 2007 , Lau et al., 2004 . OUT in option III is the sum of the re-order point and the simple EOQ in equation (2), unlike option I, where OUT is the same as the re-order point. This model can be viewed as a combination of options I and II and is shown in equation (4). = max ( + − , 0), < 0, ≥(4) In the WH structure, there is a single wholesaler serving two downstream retailers and two upstream manufacturers. The retailers and manufacturers in this model make their decisions independently but the wholesaler acts like a consolidation centre. After receiving the shipment from both manufacturers, the wholesaler adjusts its inventory position by deducting the shortage quantity from the on-hand inventory and on-order inventory, and an ordering decision is made depending on the ordering policy of choice. In determining its re-order point, the mean order (µ) and standard deviation (σ) used is determined from the moving average of the aggregate orders from both retailers. The order size is then split into two and sent to both manufacturers separately. To fulfil the sum of the retailers' order (eq. 5), the wholesaler checks if its on-hand inventory is greater than the sum of the retailers' order and fulfils the entire order when the inventory level is greater (eq. 6). However, when the inventory level is less than the sum of the orders from both retailers, the wholesaler fulfils part of each retailer's order by sending half of the on-hand inventory to each retailer. where # $, represents the order placed by downstream agent, x, at period t. '' is the quantity of order shipped to downstream agents and ( is the on-hand inventory of the active agent. Whatever is not fulfilled is backordered and the wholesaler maintains a record of the backlog for each retailer separately. In this model, there exists a single manufacturer serving two separate serial demand streams. Here, the manufacturer computes the moving average of its orders over the sum of orders J o u r n a l P r e -p r o o f from both wholesalers as in equation (5). The order fulfilled by the manufacturer is determined in a similar way to the wholesaler in the wholesaler structure using equation (6) and whatever is not fulfilled is backordered. The manufacturer also maintains a separate backlog record for each wholesaler when the entire order is not fulfilled. In the network structure each member splits its order into two and sends an order to the two upstream members. In other words, retailer1 divides its determined order quantity into two and sends the information to wholesaler-1 and wholesaler-2 separately. Retailer-2 does the same and sends the orders to wholesaler-1 and wholesaler-2. Each wholesaler also splits its order quantity into two and sends to manufacturer-1 and manufacturer-2 separately. Each agent combines the order placed by downstream members in determining its moving average information and the requested orders are fulfilled in the same way as described in wholesaler and manufacturer models. The authors employ an agent-based simulation approach and parameters similar to that used in (Lau et al., 2004, Durowoju and Chan, 2012) to investigate the impact of the mentioned breach types. The supply chain consists of the retailer, wholesaler, and manufacturer. Each of these supply chain members is modelled as an agent in the simulation study. Three performance measures are considered in the simulation: backlog cost, holding cost and ordering cost. These are added up for each supply agent to give the total supply chain operating cost used in this comparative study. The values of the simulation parameters for the experiment are shown in Table 2 . The values used here have been adopted from (Lau et al., 2002 , Lau et al., 2004 , Durowoju and Chan, 2012 , therefore, we would refer the reader to these articles for justification of the parameter values. The market demand is observed at the end of the day and is normally distributed with mean of 10 and a standard deviation of 2. The J o u r n a l P r e -p r o o f capacity of the manufacturer is 80 and the production lead time is 3 days. The assumption is that manufacturer capacity is in use for the duration of the production lead time, after which it becomes available again. Demand ( Altogether, 48 different scenarios (4 supply chain structures X 3 ordering policies X 4 breach and non-breach scenarios) were examined. Each experiment was run for a total of 800 simulation days. Using time series inspection method, the warmup period was determined to be 100 days, leaving an effective simulation period of 700 days. Using the confidence interval method described in (Law, 2007) , the number of replication was determined to be 45 at 98% confidence level. The same random number streams were used for each experiment to ensure consistency and variance reduction (i.e. reducing randomness effect) (Kelton et al., 2010) . Altogether 2160 experiments were conducted. The Paired-t Confidence Intervals for Mean Differences with Bonferroni Correction at 95% confidence level were used to test for significance during result comparison (Robinson, 2004 , Law, 2007 . The other assumptions include: • All members of the supply chain use the same ordering policy • If on-order quantity cannot be met with current on hand inventory, then the on-hand inventory is shipped, and the rest is back ordered leaving the agent with zero inventories. • Each unfulfilled order is backordered, and a shortage or back log cost is incurred per unit item including a fixed shortage cost once an order is unfilled or partly filled • The performance of each tier is seen as an average of the performance of all the agents within that tier. • The total production capacity at the manufacturer tier is equal to 80, equally split between all manufacturers. • The manufacturer has an unlimited and unfettered supply of raw materials. The models were coded using Java Development Kit (JDK). The programming code was verified to ensure the implementation of the codes is correct. A very useful and widely used verification method is structured walkthrough or traces. According to Sargent (2013) traces is defined as the behaviours of different types of specific entities through the model to determine if the model's logic is correct and if the necessary accuracy is obtained. In this study, each of the 48 scenarios is run for a simulation time of 10 days and the predicted result (obtained by manual calculation) is compared with the simulation output. This confirmed that the computerised model was properly implemented using the java programming language. According to Kleijnen (1995) sensitivity analysis is a systematic investigation of the reaction of the model output to changes in model input and/or model structure. The demand input constitutes the only random input in this model. Since a breach is modelled as a delay and not loss of demand information, the demand stream used represents the single most important source of uncertainty. The question being asked here is: if the variability of the demand stream is increased by two-fold, what happens to the findings? Does the impact of ISB increase or decrease? And is this change consistent or inconsistent for all supply chain scenarios? The assumption in this study is that demand follows a normal distribution with J o u r n a l P r e -p r o o f mean of 10 and a standard deviation of 2. Therefore to accept that the findings in this study are true for any stream of demand, the standard deviation of the demand distribution was increased from 2 (low) to 4 (high) to perform a sensitivity assessment of the serial structure model (base model). The result of the effect of increasing the standard deviation of the demand distribution from 2 to 4 is shown in Table 3 . The values were obtained by computing the difference between the cost performance under low demand variance (2 standard deviation) and high demand variance (standard deviation of 4), expressed as a percentage of the former. A negative sign indicates the supply chain daily average operating cost in the high demand variance scenario is higher than the low demand variance scenario. Although one would expect that a change in the variability of the demand distribution would affect the performance of the supply chain as the result reveals, the consistency in the result is of concern here. It can be seen from the result in Table 3 that increasing the demand variance consistently increases the magnitude of the impact but not the direction of the impact for both breach and non-breach scenarios. The consistency in the direction of the effect implies that for all 12 scenarios, the observed effect is an increase in cost performance and not an increase in some and a decrease in others. Hence the, inference drawn from the output of this study using low demand variance (standard deviation of 2) is expected to be consistent for any demand stream following a normal distribution regardless of the demand variance. In a broader sense, the effect of changing the different aspects of the supply chain (ordering option and structure) from one alternative to another is also a sensitivity analysis in itself. This section extends the work of (Nagurney, 2009 ) and Cho (2014) by offering an ordering policy context to demonstrate that their findings would depend on the ordering policy being used in the supply chain and also to reveal the effect of horizontal mergers to non-merging tiers in the supply chain. To understand how reconfiguration affects supply chain performance, the performance under the three supply structures (WH, MF and NT) are compared to the serial structure (which is also termed the 'base model') performance. The first line of inquisition is to see how the ordering pattern changes because of the reconfiguration. The second step of examination is to assess the implication of this change to supply chain inventory cost performance. This section helps to answer question (1) from the introduction section. Ordering systems have implications for findings in supply chain studies (Baganha and Cohen, 1998, Chen and Disney, 2007) . This study lends credence to that fact by investigating how the ordering pattern changes under various reconfiguration strategies. The change in ordering pattern is conceptualised as the change in ordering frequency and effective daily average order quantity. The change brought about by restructuring in ordering frequency/rate is calculated by taking the difference between the ordering rate (expressed in %) in the base model and the corresponding ordering rate in the WH, MF and NT structures. On the other hand, the change in average effective order quantity is calculated as the difference between the values in the base model and the corresponding structure but is expressed as a percentage of the base model. The result for this computation for each ordering policy under each structure type is shown in The general observation from this table is that restructuring the supply chain from the serial structure to any of the WH, MF and NT structures has no impact on the ordering pattern of option I. However, this has an effect on option II and option III, with the magnitude of change generally higher in option II than in option III. The direction of the change, for the most part, is that the ordering frequency is higher while the EAOQ is lower than in the serial structure. The only exception here is with the manufacturer using Option II in the MF structure where OR is slightly lower (at 0.01%) and EAOQ is higher (at 0.03%). This can be attributed to the reported stabilising effect of the wholesaler where variability of the manufacturer's shipment is reduced in the MF structure (Baganha and Cohen, 1998) . Changes to ordering pattern have practical implications for supply chain shipping strategy. For example, the best shipping option may be selected based on the frequency of delivery and the capacity of the shipping mode. If the frequency of ordering then increases as the order quantity is reduced, the initial shipping strategy may no longer be the optimal option. It may then be worthwhile to change the shipping strategy to best suit the current ordering pattern. This section answers the question (2) in the introduction section. The magnitude of the difference between the cost performances of each structure to that of the base model (serial structure) is expressed as a percentage of the base model performance and this result is shown in Table 5 . This relative comparison to that of the serial structure is termed 'reconfiguration effect'. For example, the WH-effect would be the difference between the performance of the Wholesaler supply chain structure and the base model expressed as a percentage of the base model performance. The direction of the structure effect can be positive or negative. A positive value reveals that the cost in the base model is higher than that of the corresponding structure, indicating a beneficial structure effect. A negative value indicates a detrimental structure effect. Values with '*' superscript indicate that the percentage difference is not statistically significant at p<0.05 and therefore no effect is said to occur regardless of the magnitude of the effect. From Table 5 , it is apparent that the inventory performance under parameter-based policy (base stock-option I) does not benefit from horizontal merger or networking. This is like the findings in Nagurney (2009) where they reported no difference in total cost between case 1-merger at the manufacturing plant alone and case 2-merger at the distribution centre only. However, our study further reveals that performance is improved under the other two ordering policy types, thereby confirming that ordering policy context is important in any supply chain comparative analysis (Wadhwa et al., 2009) . While Cho (2014) J o u r n a l P r e -p r o o f focused on impact of merger on profit, we focused on the impact of merger on the inventory management cost. Contrary to Cho (2014) , we have shown that upstream mergers (WH and MF structures) do not hold benefit for downstream members as the retailer in WH structure and the wholesaler and retailer in the MF structure did not experience any significant improvement regardless of the ordering policy used. This also lends credence to the argument that better supply chain wide benefits can be achieved when collaboration exist between tiers rather than within tiers of the supply chain. It is also clear that supply agents are affected in different ways, depending on where the merger is taking place. It is therefore of practical importance for non-merging members of the supply chain to understand how such mergers occurring elsewhere in the supply chain affect their performance and where incentives may be required. If adopting any of the three proposed structures yields benefit to the supply chain, then that structure could be a beneficial strategy which should only be adopted when all supply members are benefiting. If some are not benefited, the decision framework shown in Figure 2 can be followed to arrive at an 'acceptance', 'rejection' or 'acceptance after incentivisation' decision. Incentivisation can include contractual agreement that facilitates the entire supply system efficiency such as sharing inventory and backlog cost or adjusting pricing between supply partners (Tsay et al., 1999 *Signifies this is not statistically significant at p≤0.05 Table 5 : Structure effect on cost performance in a no-breach-scenario Strategy acceptance decision framework in a non-breach scenario From Table 5 , the authors summarise the effect of structural reconfiguration on individual cost performance of supply agents and the supply chain without security breach consideration and this is shown in Table 6 . The symbol '>' indicates that the supply chain agent or the aggregate supply chain experience a beneficial effect when reconfiguration takes place, while the '<' indicate a detrimental effect and as such there is no inclination to adopt that specific structure. The '-'symbol indicates that the effect is not significant and hence the supply agent Is the aggregate supply chain performance improved by the reconfiguration strategy? Effect on supply chain agent? Is the agent directly involved in the strategy change? Table 6 also indicate whether incentives can be provided for non-benefiting supply chain agents as long as the overall effect of restructuring is positive. A beneficial effect or one where incentives can be provided is a good motivator for structural reconfiguration. The agent to whom incentive is to be provided is also included in the last row of the under option I and no incentive can be provided to non-benefiting members since the overall effect is nil. Therefore, there is no motivation for reconfiguration under option I, at least for the retailer and wholesaler. There is overall benefit to the supply chain under options II and III for all types of structural reconfiguration. However, incentives need to be provided to the retailer/wholesaler/both depending on which reconfiguration strategy is adopted. J o u r n a l P r e -p r o o f This section answers question (3) and (4) from the introduction section. It extends the work of Bode and Wagner (2015) and Marley et al. (2014) an overall negative influence on breach cost impact (except under BP3) and therefore restructuring to any of the structure types may not be beneficial under option I scenario. This is because BP3 has a comparatively higher negative impact on supply chain performance owing to its a high DD compared to BP1 and BP2. Therefore, the benefit of reconfiguration is made more apparent in this scenario than in the other less disruptive scenarios. This study agrees with Marley 2014 that reducing supply chain complexity can help mitigate against disruptions. However, we have shown that this is not always applicable under certain inventory policies and low disruption profiles. In addition, we have also shown that the benefit of reducing complexity is even more apparent in highly disruptive scenarios. Since businesses are increasingly reliant on information technology to run their daily operation, they are more prone to longer disruption durations. Therefore, such businesses may find it worthwhile to use reconfiguration strategies in conjunction with ISB countermeasures. At face value, based on the performance ranking, a network structure would be ideal for an option II supply chain, while a wholesaler structure would be ideal for an option III supply chain. As they both have the highest cost benefit, the question now is: what would be the supply chain management priority and Information security management priorities based on J o u r n a l P r e -p r o o f the ideal reconfiguration and ideal ISB countermeasure? The subsequent sections help to answer this question. The decision model of whether to accept the reconfiguration strategy as breach cost impact mitigation strategy and the supply chain priority is shown in Figure 3 . The transmission of impact is called the reverberating effect of the breach. This is defined as the condition where the breach occurring at the downstream negatively impacts the performance of supply agents upstream. If the reverberating effect decreases but is still significantly affecting upstream members, then perhaps the retailer should immediately notify the upstream partners of any breach so they can quickly respond. This is known as ISB sharing. The ISM priorities considered here are those that either prevent the breach from re-occurring (prevention & deterrence) or the ones that makes it easier to detect the incidence of breach J o u r n a l P r e -p r o o f and recover the system quickly (detection & recovery) (Ouyang, 2012) . DD is a function of the level of security breach detection and recovery (D&R) and the RoC is indicative of the required level of prevention & deterrence measures (P&D). While the ultimate goal for supply chains is to stop disruption from occurring altogether through the use of appropriate countermeasures, the inevitability of disruptions and the costly nature of countermeasures mean supply chains need to prioritise which countermeasures to use. To understand the implication of reconfiguration to ISM priorities, first we determined the effect of increasing either of the two elements of the breach profile, namely: the DD and the RoC. In other words, we looked at the effect of high DD and the effect of a high rate of occurrence (RoC) separately. Then, we examined how the reconfiguration strategy mitigates the impact of increasing each element of the breach profile. Finally, we considered the consequence of reconfiguration to ISM priorities. A summary of this analysis is shown in Table 8 . A '>' symbol indicates that reconfiguration holds significant benefit (ameliorating effect) by reducing the cost impact under higher magnitude of the profile element and '<' indicates the reconfiguration does not hold any benefit (exacerbating effect) where the cost impact of the increased profile element is made worse than in a non-reconfigured scenario. From the third column in table 8, we see the new ISM priority based on the effect reconfiguration has on the breach profile. The general observation here is that the effect of reconfiguration is always positive under increasing DD of any breach. This is perhaps because DD has a higher impact on a serial supply chain than RoC and the higher the impact the more reconfiguration helps absorb some of this impact. From table 8, we can see that, under Option I, the impact of increased RoC is exacerbated by reconfiguration but that of increased DD is ameliorated by reconfiguration. Therefore, in this scenario, ISM priority would be to reduce RoC by increasing P&D spend. On the other hand, under Option II and Option III, the reconfiguration strategies yielded an ameliorating effect on the impact of J o u r n a l P r e -p r o o f increased RoC and DD, making D&R the priority since the impact of DD, from Overall, the serial structure is preferred when the ordering policy in use is the parameterbased policy while for batch ordering policy and combined batch-and-parameter based policy, the structure of choice would be NT and WH, respectively. This study has established that reconfiguring the supply chain from the serial structure to any of the other structures prescribed can provide benefit both in an ISB disruption scenario and in a no-disruption scenario. This benefit depends on the ordering policy of choice and the profile of the breach. This study have given strong supportive evidence to claims by Baganha and Cohen (1998) and Wadhwa et al. (2009) that ordering policy context is an important element in supply chain analysis. This study examined the effect of reconfiguring the supply, through simplification and networking strategies, on the impact of ISB on supply chain performance. The simplification strategy entailed a horizontal merger at the wholesaler tier (WH structure) and at the manufacturer tier (MF structure) while the networking strategy involved risk pooling at both wholesaler and manufacturer tiers. This effect was studied under three replenishment policies, namely: the parameter-based; batch; combined batch-and-parameter based policies. Our study extends the work of (Nagurney, 2009) and Cho (2014) by offering an ordering policy context to demonstrate that their findings would depend on the ordering policy being used in the supply chain and also to reveal the effect of horizontal mergers to non-merging tiers in the supply chain. This study answered question (1) and (2) by showing that re-J o u r n a l P r e -p r o o f configuration, under non-disruptive scenarios, improves the performance of supply chains using batch or combined batch-and-parameter replenishment policies but not those using parameter based replenishment policy. However, managers may need to reconsider their current shipping strategy as a result of the change in ordering pattern to maximise the cost reduction benefit and incentives should be provided to downstream members who are not directly involved in the merger, as they are negatively impacted by the merger. Through this study, we have reconciled what was often perceived as conflict between the need for efficiency and drive for resilience. We have answered questions (3) and (4) by showing that reconfiguration, a strategy for improving efficiency, can be a worthwhile strategy that can help the supply chain improve cost performance and reduce the impact of ISB at the same time. We have shown that the benefit of reducing operational complexity is even more apparent in highly disruptive scenarios. The significant supply chain disruptions brought by the COVID-19 pandemic have exposed the vulnerabilities and risks of the long and sophisticated global supply chains. When the world recovers from the COVID-19 pandemic, the motives of pursuing minimum overall costs and maximum efficiency behind the global value chain have to be re-examined. The long and sophisticated supply chains will have to be structurally reconfigured and possibly shortened from such a re-examination. Other values such as transparency, responsiveness, and governance might play a more prominent role in preventing future supply bottlenecks and enhancing supply chain resilience to future disruptions. We agree with Marley et al. (2014) that reducing supply chain complexity can help mitigate against disruption. However, we have shown that this is not always beneficial under certain inventory policies and low disruption profiles, which provides context for when redesigning strategies can be helpful to disruption impact. This study has useful managerial implications not only to supply chain managers but also to information security management. We have J o u r n a l P r e -p r o o f shown where incentives should be provided to supply chain members where the cost benefit derived from reconfiguration can be used to alleviate the burden of prioritisation of security control measures and further strengthen the security of information systems used in such supply chains, thereby improving IS effectiveness. One of the main limitations of this study is that simulation approach is employed. The findings may be contingent on the input parameters. However, the parameters used are similar to those used in previous literature and the simulation models have been verified and validated and a sensitivity analysis was conducted to ensure the study is robust. In addition, the structure models were simplified for ease of illustration. However, the scope of structure in this study can be extended to include other defining elements such as supply density, complexity, node criticality etc. To gain better insight on the issue, future work should discuss the framework and findings with a few practitioners that have been impacted by ISB. Again, this work focused on mergers within tiers, but future work could focus on mergers across tiers such vertical mergers or collaboration across multiple tiers to examine how the landscape of the purported benefit changes under specific disruption types. This would significantly increase our understanding of the impact of mergers and collaborative practices on disruption impact. Small Business Cybercriminal Target Survey Data Impact of information sharing and lead time on bullwhip effect and on-hand inventory Using the Deterministic EOQ Formula in Stochastic Inventory Control The Stabilizing Effect of Inventory in Supply Chains Performance analysis of conjoined supply chains Optimal Ordering Policies for Inventory Problems with Dynamic Information Delays Structural drivers of upstream supply chain complexity and the frequency of supply chain disruptions Incident Response Capabilities in 2016: The 2016 SANS Incident Response Survey. SANS Incident Response Survey Impact and ubiquity: Two reasons to proactively manage risk The effect of global supply chain configuration on the relationship between supply chain improvement programs and performance The Role of Ego Networks in Manufacturing Joint Venture Formations Quantifying the Bullwhip Effect in a Simple Supply Chain: The Impact of Forecasting Supply chain operational risk mitigation: a collaborative approach The myopic order-up-to policy with proportional feedback controller Simplified material flow holds the key to supply chain integration Horizontal Mergers in Multitier Decentralized Supply Chains Reducing the Risk of Supply Chain Disruptions The Severity of Supply Chain Disruptions: Design Characteristics and Mitigation Capabilities Managing supply chain risk and disruption from IT security incidents Rationalising the Security Concern of Cloud Enabled E-commerce in the Supply Chain Context The Role of Integration in Information Security Breach Incidents Quantitative models for managing supply chain risks: A review An analytical framework for supply network risk propagation: A Bayesian network approach Supply chain risk management: a literature review Five ways to simplify your supply chain Coordination of production and ordering policies under capacity disruption and product write-off risk: an analytical study with real-data based simulations of a fast moving consumer goods company Supply chain network redesign with demand and price uncertainty An assessment of supply chain disruption mitigation strategies Simulation with Arena Cyber Security Breaches Survey Verification and validation of simulation models Web-based simulation portal for investigating impacts of sharing production information on supply chain dynamics from the perspective of inventory allocation Impact of information sharing on inventory replenishment in divergent supply chains Effects of inventory policy on supply chain performance: A simulation study of critical decision parameters Simulation Modelling and Analysis Optimizing the supply chain configuration for make-to-order manufacturing Mitigating supply chain disruptions -a normal accident perspective INFORMATION SECURITY BREACHES SURVEY 2015 PWC and InfoSecurity Europe A strategic review of supply networks Disruptions in information flow: a revenue costing supply chain dilemma A system-optimization perspective for supply chain network integration: The horizontal merger case Modelling change in supply-chain-structures and its effect on freight transport demand Information Security & Risk Management Domain. CISSP® Common Body of Knowledge Review A multi-objective approach for supply chain design considering disruptions impacting supply availability and quality Product Variety, Supply Chain Structure, and Firm Performance: Analysis of the U.S. Bicycle Industry A global bioenergy supply network redesign through integrating transfer pricing under uncertain condition The Practice of Model Development and Use Verification and validation of simulation models On the relationship between financial performance and position of businesses in supply chain networks An examination of the impact of flexibility and agility on mitigating supply chain disruptions The impact of replenishment policy deviations in a decentralized supply chain Enterprise logistics and supply chain structure: the role of fit Modeling Supply Chain Dynamics: A Multiagent Approach Perspectives in supply chain risk management Quantitative Models for Supply Chain Management Cyber Security Breach Survey Inventory performance of some supply chain inventory policies under impulse demands Strategic Supply Chain Structure Design for a Proprietary Component Manufacturer Reliable Supply Chain Network Design