Strange Dance Partners: Supply Chain Cyberattacks and Chained Vulnerability

ABSTRACT The concept of “chained vulnerability” addresses the cyberattack risks for organizations through interconnected internal and external actors (e.g., employees and suppliers). As organizational defenses and tactics of antagonistic actors (e.g., hackers) adapt to emerging conditions, certain actors of organizations become compromised as entry points into the targeted organizations. A disruption (i.e., COVID‐19) induces operational changes (i.e., digital transformation), and we study the co‐evolution of attacks and defenses as if the antagonistic actors, organizations, and their internal and external actors are engaged in a dance together. Building on routine activity theory, our study theorizes the adaptive target suitability where the properties of actors, the types of actors involved, and the consequential phases co‐evolve following the disruption. We leverage the COVID‐19 pandemic as the empirical context and use a novel dataset of 3497 publicly reported cyber breaches. Analyses reveal that cyberattacks initially focused on internal actors (i.e., deception‐based attacks on employees) and then shifted to external actors (i.e., system vulnerability‐based attacks on digital infrastructure providers and product suppliers). Semi‐structured interviews with experts (e.g., hackers and cybersecurity managers) and subsequent econometric analyses elucidate how strategic interactions between dance partners lead to disruptions that dynamically reshape the landscape of chained vulnerability.