University of Southampton Institutional Repository

Supply chain security: threats, defences and risk assessment methodology

Gokkaya, Betul (2025) Supply chain security: threats, defences and risk assessment methodology. University of Southampton, Doctoral Thesis, 241pp.

Record type: Thesis (Doctoral)

Abstract

Global supply chains have become increasingly complex, with a large number of companies spanning multiple tiers. This complexity makes it difficult for enterprises to have full visibility into their supplier networks, leaving them vulnerable to cyberattacks. To target a specific company, attackers often exploit the weaker cybersecurity measures of its suppliers, using a compromised supplier as a stepping stone to reach the intended target. This cyberattack strategy, known as a supply chain attack, has seen a significant rise in recent years. To protect entire supply chains, each organisation needs to understand the threats, assess the interconnected supply chain risk, and implement appropriate mitigation strategies.

This thesis directly addresses this need by developing and validating a simplified risk assessment approach tailored to organisations with limited resources, specifically focusing on the unique challenges of supply chain security. We first analyse supply chain security threats, providing a comprehensive overview of threats and attacks for various types of supply chains, including digital, food, and pharmaceutical. Our analysis reveals that current cybersecurity solutions often lack broad security analysis and fail to provide extensive protection against cyberattacks. Therefore, we develop a novel cybersecurity risk assessment methodology tailored for companies with limited cybersecurity expertise and resources. The methodology involves a questionnaire-based approach to capture the perceived likelihood and impact of supplier-related cyber vulnerabilities and threats targeting specific organisational assets. It then utilises a systematic method to compute cybersecurity risk scores for each identified threat, enabling prioritisation of mitigation efforts. The methodology was then implemented in a free web-based software application called Securechains to enhance its accessibility for organisations with limited resources. Additionally, recognising the heightened vulnerability of software supply chains, we extended our research to conduct a thorough analysis of attacks targeting this specific domain, encompassing common attack methods, recent trends, and the specific risks associated with open-source and third-party software components. This thesis aims to provide organisations with the knowledge and tools needed to better understand, assess, and mitigate the evolving cybersecurity risks to supply chain security, ultimately strengthening the resilience of global supply chains.

Text: Betul_Gokkaya_Thesis_Final_Version_ (restricted to repository staff only until 31 December 2025; available under the University of Southampton Thesis Licence)
Text: Final-thesis-submission-Examination-Ms-Betul-Gokkaya (restricted to repository staff only)

More information

Published date: 2025

Identifiers

Local EPrints ID: 502578
URI: http://eprints.soton.ac.uk/id/eprint/502578
PURE UUID: b0d59069-35af-4dcf-8735-0cb7242b5ee1
ORCID for Betul Gokkaya: orcid.org/0009-0009-3632-9768
ORCID for Basel Halak: orcid.org/0000-0003-3470-7226
ORCID for Erisa Karafili: orcid.org/0000-0002-8250-4389
ORCID for Leonardo Aniello: orcid.org/0000-0003-2886-8445

Catalogue record

Date deposited: 01 Jul 2025 16:38
Last modified: 11 Sep 2025 03:12

Contributors

Author: Betul Gokkaya
Thesis advisor: Basel Halak
Thesis advisor: Erisa Karafili
Thesis advisor: Leonardo Aniello
