Risk assessment in software supply chains using the Bayesian method

In recent years, the software production industry has experienced significant changes largely caused by extensive growth of globalisation, outsourcing, and competitive pressure. With these changes, risks in the software supply chain (SSC) have become a growing concern. Such risks include product tampering during development or delivery, potential compromises in quality and assurance due to software defects, production delays, and increased production costs. In this context, this study is aimed at evaluating the primary risks in the software supply chain using Bayesian belief networks combined with the analytic hierarchy process and noisy-OR (a generalisation of the logical OR) techniques to reduce the number of queries required of a given decision maker. A numerical example was presented to illustrate the application in which software suppliers were ranked according to their level of risk. The results indicated that, by using the proposed model, decision makers would be able to select a low-risk supplier by evaluating the probability of system failure caused by tampering or the introduction of defective code in the software. In addition, the proposed approach contributes to a better understanding of the risk main factors in an SSC and could be used to support managerial decision-making related to software products.