Table 2

Representative quotes underlying second-order sensing themes

Second-order theme
First-order concepts
Representative quotes
Sensing
Creating SC cyber risk knowledge
“Audit accordingly beforehand and see what measures he has, what plans he has prepared for just such an eventuality. Does he have the appropriate safeguards, does he have the know-how or the personnel, or perhaps also a service provider who can help him if something like this should happen, so that he can get back on his feet more quickly?” CriCo-IT-Security
“And that is what you can find out during the audit because at least you know what you have, how you are positioned, how the supplier is positioned.” CriCo-IT-Security
“In our environment, I mainly use service A to take suppliers into such a monitoring system.” CriSC1-IT-Security-2
“You need a special monitoring system to find out, but I am convinced that you will find out about blatant issues.” ComCo-Logistics
“There are also penetration tests. The customer organizes these, or we organize them for the customer.” Supplier-SteSC3-CEO
“Our customers drive us in the first place. So, we decided very early on that we would like to be certified.” CriCo-IT-Security
“Our [computer emergency response team] CERT is also looking at the whole issue of situation awareness.” Customer-CriSC1-IT-Security-2
Increasing cyber risk-related SC visibility
“Well, these are at the end of the day, we see everything we also have, if it is larger customers corresponding network couplings, the most diverse categories, there is a corresponding network intrusion detection and so on. There is everything you need to implement appropriate visibility and protection.” Supplier-ComSC2-IT-Security-2
“Of course, it would be desirable to have end-to-end visibility. But this is hardly possible in terms of effort alone, with the currently available possibilities.” Customer-CriSC1-IT-Security-2
“Everything you need to implement is visibility for protection. If you have not implemented anything, you have to react somehow.” Supplier-ComSC2-IT-Security-1
Creating SC cyber threat intelligence
“Of course, we also tap into various channels for this. Of course, we have our entire landscape permanently in place for vulnerability management. We scan them, and that is how we get the picture. And another channel is, of course, at least with the large suppliers with whom we have regular exchanges, where the topic is, of course, always whether there are still many risks to be reported from their point of view.” Customer-CriSC1-IT-Security-2
“Our colleagues from CERT have outsourced some security services, such as vulnerability scanning, to a partner.” Customer-CriSC1-IT-Security-2
“Specialist knowledge or on general data that some market researchers provide.” ComCo-Logistics
“Our industry CERT and other CERTs also give us the information regularly. It is really almost like the threat intelligence feeds, even if they are almost a light version, but still.” Customer-CriSC2-IT-Security

Source: Authors’ own work
