Information Security in the Extended Enterprise: A Research Agenda

Today most companies are closely knit together with and thus dependent on suppliers, allies, customers, and public authorities. Member companies in such an extended enterprise or “business network ” are either forced or volunteer to meet certain security objectives as a whole. As a consequence, the business network needs to agree on a common strategy, joint processes and technical interfaces to meet regulatory or voluntary requirements from industry standards. Reality shows that – even if standards exist – they are not harmonized and access and reconciliation between partners is sometimes legally, if not technically impossible, or simply too expensive. The serious and economic assessment of risks, already tough on the internal scale, becomes almost an insurmountable obstacle when considering the entire business network. This paper’s objective is to emphasize the importance of security in business networks for research and practice. Since there is little research available, it raises major questions to be answered by a future research agenda. A basic research framework is derived based on related research, an observation of the interdependencies of firms and a series of cases from different industry sectors. Finally, the paper discusses which factors and incentives might be catalysts for the adoption of such a framework by a single firm, business network, or even public welfare