Managing cyber risk in organizations and supply chains

In the Industry 4.0, modern organizations are characterized by an extensive digitalization and use of Information Technology (IT). Even though there are significant advantages in such a technological progress, a noteworthy drawback is represented by cyber risks, whose occurrence dramatically increased over the last years. The information technology literature has shown great interested toward the topic, identifying mainly technical solutions to face these emerging risks. Nonetheless, cyber risks cause business disruption and damages to tangible and intangible corporate assets and require a major integration between technical solutions and a strategic management. Recently, the risk management domain and the supply chain literature have provided studies about how an effective cyber risk management process should be planned, to improve organizational resilience and to prevent financial drawbacks. However, the aforementioned studies are mainly theoretical and there is still a significant lack of empirical studies in the management literature, measuring the potential effects of cyber threats within single companies, and along networks of relationships, in a wider supply chain perspective. The present thesis aims at filling some of these gaps through three empirical essays. The first study has implemented a Grounded Theory approach to develop an interview targeting 15 European organizations. Afterwards, the fuzzy set Qualitative Comparative Analysis (fsQCA) has been performed, in order to ascertain how managers perceive cyber risks. Results contradict studies that focus merely on technical solution, and con\ufb01rm the dynamic capability literature, which highlights the relevance of a major integration among relational, organizational, and technical capabilities when dealing with technological issues. Moreover, the study proposes a managerial framework that draws on the dynamic capabilities view, in order to consider the complexity and dynamism of IT and cyber risks. The framework proposes to implement both technical (e.g. software, insurance, investments in IT assets) and organizational (e.g. team work, human IT resources) capabilities to protect the capability of the company to create value. The second essay extends the investigation of the drawbacks of cyber risks to supply chains. The study conducts a Grounded Theory empirical investigation toward several European organizations that rely on security and risk management standards in order to choose the drivers of systematic IT and cyber risk management (risk assessment, risk prevention, risk mitigation, risk compliance, and risk governance). The evidence gleaned from the interviews have highlighted that investments in supply chain mitigation strategies are scant, resulting in supply chains that perform like they had much higher risk appetite than managers declared. Moreover, it has emerged a general lack of awareness regarding the effects that IT and cyber risks may have on supply operations and relationships. Thus, a framework drawing on the supply chain risk management is proposed, offering a holistic risk management process, in which strategies, processes, technologies, and human resources should be aligned in coherence with the governance of each organization and of the supply chain as a whole. The \ufb01nal result should be a supply chain where the actors share more information throughout the whole process, which guarantees strategic bene\ufb01ts, reputation protection, and business continuity. The third essay draws on the Situational Crisis Communication Theory (SCCT) to ascertain whether and how different types of cyber breaches differently affect the corporate reputation, defined as a multidimensional construct in which perceptions of customers, suppliers, (potential) employees, investors and local communities converge. Data breaches have been categorized into three groups by the literature, meaning intentional and internal to the organization (e.g., malicious employees stealing customers\u2019 data), unintentional and internal to the organization (e.g., incorrect security settings that expose private information), and intentional and external to the organization (e.g., ransomware infecting companies\u2019 software). However, this is among the first study to analyse the different reputational drawbacks these types may cause. Moreover, the study considers that, in the industry 4.0 era, social media analysis may be of paramount importance for organizations to understand the market. In fact, user-generated content (UGC), meaning the content created by users, might help in understanding which dimensions of the corporate have been more attacked after a data breach. In this context, the study implements the Latent Dirichlet Allocation (LDA) automated method, a base model in the family of \u201ctopic models\u201d, to extract the reputational dimensions expressed in UGC of a sample of 35 organizations in nine industries that had a data breach incident between 2013 and 2016. The results reveal that in general, after a data breach, three dimensions\u2014perceived quality, customer orientation and corporate performance\u2014 are a subject of debate for users. However, if the data breach was intentional ad malicious, users focused more on the role of firms\u2019 human resources management, whereas if users did not identify a responsible, users focused more on privacy drawbacks. The study complements crisis communication research by categorizing, in a data breach context, stakeholders\u2019 perceptions of a crisis. In addition, the research is informative for risk management literature and reputation research, analysing corporate reputation dimensions in a data breach crisis setting

Latecomers’ science-based catch-up in transition: the case of the Korean pharmaceutical industry

This thesis investigates the 25-year transitional process of the Korean pharmaceutical industry from its initial focus on the imitative production of generic drugs to the development of new drugs. The catch-up dynamics of latecomer countries in science-intensive industries, such as the pharmaceutical industry, is an overlooked research topic in existing literature on innovation studies. This thesis provides an in-depth analysis of Korea’s science-intensive catch-up and applies an ‘exploration and exploitation’ framework to a latecomer setting and in a novel institutional and market context of the transitional phase. This thesis argues that the rate of change in the transition from imitating drugs to developing new drugs depends on the institutional and organisational mechanisms that enable a new form of technological learning, termed ‘exploratory learning’. This form of learning is often unfamiliar to firms in latecomer countries, whereas it is necessary for producing innovative drugs. That is, latecomers’ institutional and organisational promotion of exploratory learning is related to a ‘pattern change’ in the previously established institutional and organisational routines associated with imitative learning. The findings show that the rate of industrial transition in this sector was constrained by the problematic operation of S&T policies promoting key characteristics of exploratory learning, such as high-risk long-term learning as well as dense interactions between a diverse number of innovation actors. The findings also illuminate some latecomer firms’ initial difficulties in managing the new mode of technological learning, and in strategically applying that mode of learning to overcome the barriers to moving through the transitional phase towards producing competitive innovation. The thesis also suggests that the nature of drugs as integral products, deeply grounded in science, makes it difficult to effectively promote institutional and organisational transformations in favour of exploratory learning

The Anesthesia Continuing Education Market and the Value Creation From a Sustainable Unified Platform

Practicing anesthesia professionals in the United States are all governed by various profession-specific regulatory bodies that mandate continuing education (CE) requirements. To date, no unified resource exists for anesthesia professionals (i.e., Anesthesiologists, Certified Registered Nurse Anesthetists, and Anesthesiologist Assistants) to explore the CE offerings available within the marketplace. This study endeavored to convey the potential value of a unified anesthesia CE resource. It investigated how to cultivate a sustainable platform to potentially improve how anesthesia professionals search available CE offerings and to potentially enhance how anesthesia CE providers reach anesthesia professionals. This qualitative study was conducted utilizing an integrative review of the literature. The key concepts identified and investigated were network effect, segmentation, first to market, best of breed, search costs, transaction costs, minimally viable product, evolutionary phases of platforms, platform theory, platform business model, platform economy, and types of platforms. Inductive content analysis was chosen as the organizational method for the resultant qualitative data. The goal of the analysis was to create a conceptual, practical, and strategically applicable platform paradigm for the anesthesia CE marketplace driven by the insights and amalgamations from the literature. The analyzed concepts, dimensions, and indicators of platform successes and their applications potentially facilitate anesthesia professionals’ CE explorations and CE providers’ marketing efforts, as well as contextualize the overarching impacts and implications onto the anesthesia CE industry and beyond. The conclusion portrays these impacts and implications