Cybersecurity Information Sharing: a Framework for Sustainable Information Security Management in UK SME Supply Chains

UK small to medium sized enterprises (SMEs) are suffering increasing levels of cybersecurity breaches and are a major point of vulnerability in the supply chain networks in which they participate. A key factor for achieving optimal security levels within supply chains is the management and sharing of cybersecurity information associated with specific metrics. Such information sharing schemes amongst SMEs in a supply chain network, however, would give rise to a certain level of risk exposure. In response, the purpose of this paper is to assess the implications of adopting select cybersecurity metrics for information sharing in SME supply chain consortia. Thus, a set of commonly used metrics in a prototypical cybersecurity scenario were chosen and tested from a survey of 17 UK SMEs. The results were analysed in respect of two variables; namely, usefulness of implementation and willingness to share across supply chains. Consequently, we propose a Cybersecurity Information Sharing Taxonomy for identifying risk exposure categories for SMEs sharing cybersecurity information, which can be applied to developing Information Sharing Agreements (ISAs) within SME supply chain consortia.