Supply Chain Dynamics: security dynamics introduce game theory aspects in the structure
Sander Zeijlemaker, PhD student, Radboud University, IMR Faculty, Postbus 9108, 6500 HK Nijmegen
Elvir Jasarevic, master student BAM, IMR Faculty Nijmegen, Postbus 9108, 6500 HK Nijmegen
The beer game provides a lot of knowledge about the drivers of the bullwhip effect: human behaviour, the structure of the value chain, and ordering and production strategies. Various levers to reduce this effect are also known. Besides strategies for ordering, production, service and pricing, information sharing and lead time reduction are useful levers. The use of information technology reduces the time needed for information sharing and improves its quality. Yet the introduction of information technology makes value chain participants susceptible to cyber attacks by threat actors. We believe this introduction to cyberspace evokes new game theory-like dilemmas with their own dynamic structure that may have an impact on the bullwhip effect. First notions of the structure suggest better-before-worse and worse-before-
1. Problem articulation
We learn from the beer game (Sterman 1992 and 1989) that a value chain is susceptible to the bullwhip effect. This is the oscillating effect of alternating large surpluses and shortages of supplies within the value chain, caused by changing demands in the
This effect depends on the structure of the value chain (Dominguez, Cannella and Framinan 2015; Sterman 1992; Sterman 1989), human behaviour (Coppini, Rossignoli, Rossi and Strozzi 2010; Nienhaus, Ziegenbein and Schoensleben 2006; Sterman 1992; Sterman 1989) and ordering and production strategies (Hussain and Drake 2011).
Figure 1 shows a stabilising increase in outsourcing activities around the world. This means that more and more organisations depend on other organisations in their value chain and might be subject to the bullwhip effect. Concepts like Data Centre as a Service (DAAS), IT Platform as a Service (PAAS) and Software as a Service (SAAS) suggest that the service sector may be susceptible to this effect as well. However, instead of supplies, the service sector has to cope with (service) capacity.
Figure 1. Global market size of outsourced services from 2000 to 2018 in billions of U.S. dollars
Simultaneously, means to limit the bullwhip effect have been found. Possible solutions are lead time reduction (De Treville, Shapiro and Hameri 2004), specific ordering, production, quality and pricing strategies (Giard and Sali 2013; Hussain and Drake 2011; Davidsson and Wernstedt 2002) and information sharing (Giard and Sali 2013; Hussain and Drake 2011; Croson and Donohue 2005).
DAAS = Datacentre capacity as a service
PAAS = IT Platform capacity as a service
SAAS = Software as a service. SAAS is software that is made available through the internet
In this day and age most information sharing and order processing depends on information systems. Maranon (2013) argues that the Internet of Things can be used for information sharing and supply chain monitoring to reduce the bullwhip effect. This indicates that the dependence on information technology may increase further. That dependence also introduces other risks (Boyens, Paulsen, Moorthy and Bartol 2015), for example the abuse of these information systems by threat actors: persons or entities that can potentially harm the security of a targeted entity.
Recently we have observed non-linear, exponential growth in threat actors' activities. Figure 2 shows this growth over time for hacking, malware attacks and social engineering attacks. Protecting the value chain from the impact of such activities requires a certain level of protection, which in turn requires investment. Zeijlemaker (2016) argues that cyber security investment decision making is a dynamically complex problem, shaped by the interaction between the threat actor and the targeted organisation and by the response of that organisation; in short, security dynamics. Security investment decision making can be subject to:
• The Detection trap: underinvestment results in a lower level of observed threat actor activity, which leads to a false perception of being secure (Martinez-Moyano, Conrad and Anderson 2011, but adjusted in the context of this paper).
• The Capability trap: a decision to reduce security capabilities or staff may lower cost, but also erodes capabilities, because more of the remaining time goes into resolving security incidents and less is available to prepare staff and capabilities for future cyber-attacks (based on Repenning and Sterman 2002, but adjusted in the context of this paper).
• The Adaptation trap: local, well-intended workload optimisation may overload the whole eco-system and cause capabilities to erode (based on Rahmandad and Repenning 2015, but adjusted in the context of this paper). When the focus on efficiency is too strong, the defending organisation is less able to handle multiple cyber-attacks (based on Rudolph and Repenning 2002).
Figure 2. Verizon Data Breach Report 2016 (figure 4): number of breaches per threat action category over time
As a consequence of these traps, future investments in security are hindered, which makes the problem of escalating threat actor behaviour endemic and therefore extremely difficult to identify and avoid (based on Martinez-Moyano et al. 2011, but adjusted in the context of this paper).
In the context of a supply chain, multiple organisations depend on each other and each of them has to cope with its own security dynamics. This raises the following questions:
• Does information system dependency and the risk of threat actor behaviour change the structure of behaviour of supply chain dynamics?
• To what extent is the bullwhip effect impacted by the increasing threat actor
• What policies are effective in supply chain dynamics when the aspects of cyber security are taken into account?
• Do these policies change when deep uncertainty analysis is applied?
2. Supply chain dynamics: the specifics of cyber security
The Report of the European Foresight Cyber Security Meeting (2016) states about duty of care and diligence in the context of cyber security: “The responsibilities of governments, industry and end-users should be clear in order to take adequate cyber security measures and show how they are accountable when incidents occur”. Currently, European countries have different laws and regulations on this topic. Also, the professional certifications in the field of security, like CISSP, CISM and CISA, carry their own professional standards about duty of care and diligence. These differences may result in uncertainty within the business domain (Report European Foresight Cyber Security Meeting 2016), and harmonisation is recommended.
Within the value chain the relations between parties are governed by contracts between adjacent organisations. The value chain itself, however, consists of more organisations. For instance, the beer game assumes a factory, a distributor, a wholesaler and a retailer. In terms of automated processes one might think of a data centre provider, a platform supplier, a software supplier, a supplier of operations and the marketing & sales department that has not been outsourced. As a result it becomes less clear what all the parties in the chain, taken together, have agreed in order to keep the value chain secure. The longer the distance between organisations in the value chain, the more uncertainty is perceived. This increasing uncertainty is caused by less visibility, less understanding and less control further along the chain. This problem is demonstrated in Figure 3.
Figure 3. Reduction of Visibility, Understanding and Control caused by distance in the supply chain (Boyens, Paulsen, Moorthy and Bartol 2015).
As a result the whole value chain has to rely more on trust and cooperation, since the effect of formal control deteriorates with distance in the supply or value chain. In this situation there is a social dilemma. All participants in the supply or value chain can decide whether to cooperate and follow the norm of the value chain (be reasonably secure and deliver as promised) or to defect and follow some competing norm, and each individual participant weighs the costs and benefits of each option (based on Schneier 2012, but adjusted in the context of this paper). However, the cost of being reasonably secure against threat actor activities can be huge for an organisation; Dreyer et al. (2018) estimate the global cost of cyber risk at 1.1% up to 32.7% of GDP. Limiting security investment may therefore improve financial results. This social dilemma is shown in Figure 4 and is related to the attacker-defender interaction.
Social Dilemma: participants keeping the value chain secure
Society: businesses working together in a supply or value chain
Group interest: maintain a secure value chain that continues to deliver
Group norm: deliver as promised, thanks to secure processes at each participant
Competing interest: minimise investments in cyber security
Corresponding defection: without any (severe) cyber-attack the lack of investment will not be noticed
To encourage people to act in the group interest, society implements a variety of pressures (Schneier 2012):
• Moral: people feel bad when they let members of their group down
• Reputational: some cyber-attacks will be, or have to be, reported (responsible disclosure and mandatory breach reporting respectively)
• Institutional: governments and professional bodies have defined a duty of care
• Security (preventive): agreements between peers that include a right to audit, audit statements, information sharing, minimum security requirements before participation, security rating agencies and mandatory response times or efforts
• Security (responsive): suing participants that neglect their duty of care for the damages incurred; replacing non-performing participants in the value chain
Figure 4. Social Dilemma on value chain participation in the context of security dynamics (structure derived from Schneier 2012)
A second social dilemma is related to the response of the resilient organisation. The resilient organisation maintains positive adjustment (it aims to improve current and future business performance) under challenging conditions (incidents, disruptions, crises, etc.), so that it emerges from these conditions strengthened and more resourceful (Vogus and Sutcliffe 2007). Within the cyber-security domain, learning from the attacker via threat intelligence, sharing knowledge and learning from security incidents are important means of learning.
In the context of a value or supply chain, organisations may observe threat actor behaviour that is relevant to other participants as well. For instance, certain cyber-attacks target one participant of the chain; once such an attack is successful, the threat actor can act as if it were this participant and inherit the trust the other participants place in it. The objective of such an attack may be to obtain data, money or goods from one of the other participants in the chain, and those participants can only react if they know something is happening. Another example is that certain participants are not fully equipped to respond to certain threat actor activities and need help from other supply chain participants, which means they have to reach out and ask for it. The problem with sharing this knowledge or asking for help is that other participants may observe weaknesses in the security state of the sharing organisation. A more negative scenario is that they perceive a decline of trust or, worse, negligence of contract terms. This dilemma is shown in Figure 5.
Threat intelligence represents the synthesis of information detailing potential threats with a solid understanding of network structure, operations, and activities (Chismon & Ruks, 2015).
Social Dilemma: sharing security information in the value chain
Society: businesses working together in a supply or value chain
Group interest: sharing information enhances learning and improves responsiveness
Group norm: share security-relevant information
Competing interest: shared information reveals weaknesses in the security state of the sharing organisation
Corresponding defection: decline of trust, negligence of contract terms
To encourage people to act in the group interest, society implements a variety of pressures (Schneier 2012):
• Moral: people feel good about helping each other
• Reputational: organisations are willing to help each other, off-set by the perception of being a weak organisation
• Institutional: duty of care may include sharing of security-relevant information
• Security: an active network of Cyber Emergency Response Teams, off-set by contractual
Figure 5. Social Dilemma on sharing information in the value chain (structure derived from Schneier 2012)
3. Security supply chain dynamics: the eco system
We have held group model building sessions with an ethical hacker, an information security consultant, a cyber-crime emergency response specialist, a procurement specialist and a business consultant. Based on these sessions we have created a model for security supplier management. Figure 6 is a hybrid model for security supplier management: an aggregated, simple model for the purpose of explaining the structure of behaviour. In this picture three parties in the supply chain can be recognised: Party A, Party B and Party C. Party A is the factory and orders raw material. Party B is the wholesaler, which obtains its goods from A and delivers them to Party C. Party C delivers to the customers. If there is a gap between the demand and supply of any participant, additional ordering takes place, and over time the orders are delivered. This is represented by the black arrows.
The red arrows represent the behaviour of the attacker. Threat actor activities increase after a successful attack due to word-of-mouth effects (Zeijlemaker 2016, Zeijlemaker 2017). Unsuccessful attacks have a short-term effect, threat actors looking for other targets, and a long-term effect, threat actors improving their way of working (Zeijlemaker 2016, Zeijlemaker 2017). For the defender there is the opposite dynamic, shown as blue arrows. Successful defences will likely result in a feeling of being secure and in overspending on cyber defence capabilities (called the security level). Unsuccessful defences result in the need to improve, yet these improvements take time. This interaction between red and blue is called the attacker-defender interaction: an ongoing dialogue between attacker and defender, both searching for the weakest link (to attack or to defend respectively) and both anticipating and learning from each other's actions (Clayton, Moore and Christin 2015; Libicki, Ablon and Webb 2015; Su 2006; Böhme and Moore 2016; Barth et al. 2012; Martinez-Moyano, Morrison and Sallach 2015). The strength of the threat actors and of the defender (red versus blue) is tested in the warzone, with the success of attacks and defences as the outcome.
Figure 6. Aggregated hybrid model on security supplier management
A threat actor can disrupt the processes of a party, steal goods, steal money, steal data or alter data. In the end this results in a delay of delivery to the customers, because the targeted organisation needs to be brought back into a state in which it can continue its business, which takes time. This is represented in Figure 6 by connecting unsuccessful defence to delivery time. A threat actor can perform different forms of attacks: attacks that impact one participant, attacks that impact all participants, and attacks on one participant that actually affect another participant of the value chain.
If the participants share information about threat actor activities and their own capabilities, they may be able to cooperate and respond faster and more strongly to threat actor activities, so that the threat actor is less successful. This is represented by the purple arrows. Sharing information also affects the level of trust, as explained by the social dilemmas.
Our elaboration of the social dilemmas introduces two group norms: duty of care (few unsuccessful defences, since organisations should be reasonably defended) and delivering as promised (delivery as ordered and therefore small gaps between supply and demand). These are represented by the yellow arrows.
The gross margin of each participant in the supply chain is the revenue of the delivery minus the cost of the delivery, minus the cost of security, minus the impact of unsuccessful defences. On the one hand, the gross margin available to a participant caps its investment in security capabilities; on the other hand, the social dilemma gives it an incentive not to invest.
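The structure described for Figure 6 can be made concrete in a small simulation. The block below is an added example written for this edition; it is not the authors' model or code. It runs a three-party chain (C the retailer, B the wholesaler, A the factory) with a simplified Sterman-style anchoring-and-adjustment ordering rule (black arrows), an attacker whose attacks succeed when its integer "capability points" exceed the target's security level (red versus blue), a breached party that holds its deliveries while it recovers (the link from unsuccessful defence to delivery time), follow-up attacks on the breached party's peers through the trust relation, and optional sharing of threat intelligence that raises the peers' security at once (purple arrows). The demand series (the classic beer game step from 4 to 8), the ordering equations, the point values and all parameters are constructed assumptions for illustration only.

```python
# Added example: toy simulation of the Figure 6 structure (three-party chain,
# attacker-defender interaction, intelligence sharing). Equations, parameter
# values and the demand series are constructed assumptions, not the paper's model.
from dataclasses import dataclass, field

LEAD_TIME, S_STAR = 2, 12.0          # shipment delay; desired inventory
ALPHA, BETA, THETA = 0.3, 0.3, 0.25  # stock adjustment, supply-line weight, smoothing
RECOVERY_PERIODS = 4    # a breached party holds its deliveries while it recovers
IMPROVE_DELAY = 4       # periods until the breached party's own defences improve
FOLLOW_UP_LAG = 3       # word of mouth: a success draws attacks on the peers
ATTACKER_LEARNING = 5   # points the attacker gains from an unsuccessful attack
OWN_IMPROVEMENT = 30    # points a breached party adds after IMPROVE_DELAY
SHARED_INTEL_GAIN = 20  # points the peers add at once when intelligence is shared


@dataclass
class Party:
    security: int   # defender strength in capability points
    delay: int      # order-to-arrival delay of its own replenishment
    inventory: float = 0.0
    backlog: float = 0.0
    forecast: float = 0.0
    supply_line: float = 0.0
    pipeline: dict = field(default_factory=dict)  # arrival period -> quantity
    recovering_until: int = -1
    orders: list = field(default_factory=list)

    def start(self, d0):
        """Steady state: d0 arrives every period and the rule reorders exactly d0."""
        self.forecast, self.supply_line = d0, self.delay * d0
        self.pipeline = {t: d0 for t in range(self.delay)}
        self.inventory = S_STAR - BETA * (self.delay - 1) * d0

    def ship(self, incoming, t):
        """Ship what inventory allows; a recovering party ships nothing."""
        want = incoming + self.backlog
        shipped = 0.0 if t < self.recovering_until else min(self.inventory, want)
        self.inventory -= shipped
        self.backlog = want - shipped
        return shipped

    def place_order(self, incoming):
        """Anchoring-and-adjustment: forecast plus a fraction of the stock gap."""
        self.forecast += THETA * (incoming - self.forecast)
        gap = S_STAR - self.inventory + self.backlog - BETA * self.supply_line
        order = max(0.0, self.forecast + ALPHA * gap)
        self.orders.append(order)
        self.supply_line += order
        return order


def simulate(demand, first_attacks, share_intel, attacker=45):
    """Return (breaches, cumulative customer backlog, orders placed by A)."""
    chain = [Party(40, 1 + LEAD_TIME), Party(40, 1 + LEAD_TIME), Party(40, LEAD_TIME)]
    for p in chain:                        # index 0 = C (retailer) ... 2 = A (factory)
        p.start(demand[0])
    prev_orders = [demand[0]] * 3          # orders take one period to reach upstream
    queue, improvements = list(first_attacks), []   # (period, party index)
    breaches, customer_backlog = 0, 0.0
    for t in range(len(demand)):
        # Red versus blue: resolve every attack due this period.
        for _, i in [a for a in queue if a[0] == t]:
            if attacker > chain[i].security:           # unsuccessful defence
                breaches += 1
                chain[i].recovering_until = t + RECOVERY_PERIODS
                improvements.append((t + IMPROVE_DELAY, i))
                for j in range(3):
                    if j != i:
                        queue.append((t + FOLLOW_UP_LAG, j))  # pivot via the trusted link
                        if share_intel:                        # purple arrows
                            chain[j].security += SHARED_INTEL_GAIN
            else:
                attacker += ATTACKER_LEARNING
        for _, i in [m for m in improvements if m[0] == t]:
            chain[i].security += OWN_IMPROVEMENT
        # Black arrows: receive, ship downstream, forecast and reorder.
        for p in chain:
            qty = p.pipeline.pop(t, 0.0)
            p.inventory, p.supply_line = p.inventory + qty, p.supply_line - qty
        new_orders = []
        for i, p in enumerate(chain):
            incoming = demand[t] if i == 0 else prev_orders[i - 1]
            shipped = p.ship(incoming, t)
            if i == 0:
                customer_backlog += p.backlog
            else:
                dst = chain[i - 1].pipeline
                dst[t + LEAD_TIME] = dst.get(t + LEAD_TIME, 0.0) + shipped
            order = p.place_order(incoming)
            new_orders.append(order)
            if i == 2:  # the factory draws raw material from an unlimited source
                p.pipeline[t + LEAD_TIME] = p.pipeline.get(t + LEAD_TIME, 0.0) + order
        prev_orders = new_orders
    return breaches, customer_backlog, chain[2].orders


DEMAND = [4.0] * 5 + [8.0] * 35   # constructed: the classic beer game demand step


def scenarios():
    """Baseline, one attack on B without sharing, and the same attack with sharing."""
    return {"no attack": simulate(DEMAND, [], False),
            "attack, no sharing": simulate(DEMAND, [(6, 1)], False),
            "attack, sharing": simulate(DEMAND, [(6, 1)], True)}
```

Calling `scenarios()` gives three comparable runs: in the baseline the factory's peak order exceeds the peak customer demand (the bullwhip effect); a single breach of B without sharing spreads to C and A, repeatedly halts deliveries and inflates the customer backlog; with sharing the peers raise their security before the follow-up attacks land, so only the first breach succeeds and the backlog stays far smaller. The numbers depend entirely on the assumed parameters and should be read as a demonstration of the structure, not as an estimate.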
4. Summary and discussion
We believe this structure may evoke a better-before-worse scenario, which may occur in the following way. A supply chain participant claims to have sufficient security in place, but in reality this is not the case. In this situation the participant has lower costs and better results. However, when a cyber-attack occurs it is likely that this participant cannot respond properly, and the attack has an impact on it. Short-term feedback evokes a word-of-mouth effect in the world of the attacker, resulting in more (successful) attacks. Besides the impact of these attacks, the defender incurs additional cost for improving its defences, and it needs time to do so: time for hiring staff, selecting suppliers and implementing the improved defences. In addition, it is very likely that these staff and suppliers know the defender is in need of security capability improvements, which lowers the defender's purchasing power and raises supplier and hiring costs. The defender can only remain in the chain as long as the other participants trust that it is able to improve its defences and maintain service.
On the other hand, the same structure may produce a worse-before-better scenario, which is basically the opposite: early investment in sufficient security defences results in higher cost but avoids the impact of successful cyber-attacks.
5. Questions to the colloquium angel advisors
We have the following questions for the angel advisors:
• Any feedback on the introduction of these new structures of behaviour?
• To what extent does the structure of behaviour change if service industry is
Barth A, Rubinstein B I P, Sundararajan M, Mitchell J C, Song D, Bartlett P L, 2012. A Learning-Based Approach to Reactive Security, IEEE Transactions on Dependable and Secure Computing, Vol 9, No 4, Jul/Aug 2012.
Boyens J M, Paulsen C, Moorthy R, Bartol R N, 2015. Supply Chain Risk Management
Practices for Federal Information Systems and Organizations, Special Publication (NIST
SP) - 800-161
Böhme R, Moore T, 2016. The Iterated Weakest Link, a Model of Adaptive Security Investment, Journal of Information Security, Vol 7, No 2, March 2016.
Clayton R, Moore T, Christin N, 2015. Concentrating Correctly on Cybercrime
Concentration, Workshop on Economics in Information Security, 2015 conference
Coppini M, Rossignoli C, Rossi T & Strozzi F, (2010). Bullwhip effect and inventory
oscillations analysis using the beer game model, International Journal of
Production Research, 48:13, 3943-3956, DOI: 10.1080/00207540902896204
Croson R & Donohue K, 2005. Upstream versus downstream information and its impact on the bullwhip effect, System Dynamics Review, Vol. 21, No. 3, (Fall 2005): 249–
Davidsson P, Wernstedt F, 2002. A Multi-Agent System Architecture for Coordination of Just-in-time Production and Distribution, The Knowledge Engineering Review.
Dominguez R, Cannella S, Framinan J M, 2015. The impact of the supply chain structure on bullwhip effect, Applied Mathematical Modelling, Volume 39, Issues 23–24, December 2015, Pages 7309-7325
Dreyer P, Jones T, Klima K, Oberholtzer J, Strong A, Welburn J W, Winkelman Z, 2018.
Estimating the global costs of cyber risk: Methodology and examples. RAND
Corporation, Santa Monica, Calif, 2018
Giard V & Sali M, (2013). The bullwhip effect in supply chains: a study of contingent and
incomplete literature, International Journal of Production Research, 51:13, 3880-
3893, DOI: 10.1080/00207543.2012.754552
Hussain M, Drake P R, 2011. Analysis of the bullwhip effect with order batching in multi-echelon supply chains. International Journal of Physical Distribution & Logistics Management, Vol. 41 No. 8, 2011, pp. 797-814
Libicki M C, Ablon L, Webb T, 2015. The Defender’s Dilemma, Charting a Course
Towards Cybersecurity, Rand Corporation, Santa Monica, California, 2015.
Martinez-Moyano I J, Morrison D, Sallach D, 2015. Modeling Adversarial Dynamics,
Proceedings of the 2015 Winter Simulation Conference, P2412-2423.
Martinez-Moyano I J, Conrad S H, Anderson D F, 2011. Modeling behavioural
considerations related to information security, computers & security 30, 2011, 397-
Nienhaus J, Ziegenbein A & Schoensleben P, (2006). How human behaviour amplifies the bullwhip effect. A study based on the beer distribution game online, Production Planning & Control, 17:6, 547-557, DOI: 10.1080/09537280600866587
Rahmandad, H, Repenning, N, 2015. Capability Erosion Dynamics, Strategic Management
Repenning N P, Sterman J D, 2002. Capability Traps and Self Confirming Attribution
Errors in the Dynamics of Process Improvement, Administrative Science Quarterly,
Rudolph J W, Repenning N P, 2002. Disaster dynamics: understanding the role of quantity in organizational collapse, Administrative Science Quarterly, Vol 47, 2002, pp 517–
Schneier B, 2012. Liars and Outliers: Enabling the Trust That Society Needs to Thrive.
John Wiley & Sons, Inc., Indianapolis, Indiana
Sterman J 1992. Teaching Takes Off: flight simulators for management education “the
Beer Game”, October 1992, website MIT, available at:
Sterman J, 1989. "Modeling Managerial Behavior: Misperceptions of Feedback in a
Dynamic Decision Making Experiment", Management Science, 35(3), 321-339.
Su X, 2006. An overview of Economic Approaches to Information Security Management,
University of Twente, Information System Group, Enschede, The Netherlands.
De Treville S, Shapiro R D, Hameri A, 2004. From supply chain to demand chain: the role of lead time reduction in improving demand chain performance, Journal of Operations Management, 21 (2004), 613–627
Verizon DBIR 2015, 2015 data breach investigations report, Verizon
Vogus J T, Sutcliffe K M, 2007. Organizational resilience: Towards a theory and research
agenda, conference paper, 2007.
Zeijlemaker S, 2016. Exploring the dynamic complexity of the cyber-security economic
equilibrium, PhD colloquium of the 34th International Conference of the System
Dynamics Society, Delft, Netherlands, July 17–July 21.
Zeijlemaker S, 2017. Cyber-security quantification: founding a structural understanding of
its dynamic complexity, PhD research proposal, Radboud University, 2017.
Maranon R, 2013. Winning the Beer Game with The Internet of Things (IoT),
www.statistica.com, Global market size of outsourced services from 2000 to 2018 (in
billion U.S. dollars), https://www.statista.com/statistics/189788/global-outsourcing-
Report European Foresight Cyber Security Meeting 2016,