An inductive analysis of collaborative cybersecurity management capabilities, relational antecedents and supply chain cybersecurity parameters

PurposeThe vulnerability of customers to malware attacks through weak supplier links has prompted a need for collaboration as a strategic alternative in improving supply chain cybersecurity (SCC). Current studies overlook the fact that the effectiveness of cybersecurity strategies is dependent on the form of interfirm relationship mechanisms within which supply chain digital assets are embedded. This paper analyses the association between interfirm collaborative cybersecurity management capabilities (ICCMC) and cybersecurity parameters across a supply chain and proposes an agenda for future research.Design/methodology/approachA systematic literature review (SLR) is conducted, employing text mining software to analyse content extracted from 137 scholarly articles on SCC from January 2013 to January 2022.FindingsThe co-occurrence analysis strongly confirms the potential of ICCMC to reinforce SCC. Furthermore, we establish that relational factors could have multiple roles: as antecedents for ICCMC, and as factors that directly affect SCC parameters. The analysis reveals knowledge gaps in SCC theory grounding, including a fragmented and sparse representation of SCC parameters and the potential presence of an omitted variable - SCC - that could improve subsequent testing of causal relationships for theory development.Originality/valueThe paper's contribution is at the intersection of interfirm collaboration and mandating cybersecurity requirements across a supply chain. Our paper contributes to closing a social-technical gap by introducing social aspects such as the Relational View and the importance of developing ICCMC to reinforce SCC. We offer a method for testing co-occurrences in SLRs, a comprehensive definition of SCC, and a framework with propositions for future research on increasing the effectiveness of collaborative cybersecurity management. We position collaboration as a necessary condition for the transition from cybersecurity of a firm to cybersecurity across a supply chain, and its ecosystem.