SIMULATION EXPERIMENT

This study first examines the performance of the supply chain with no security breach under the various scenarios of the three strategic factors: ordering options; supply chain structures; and information sharing levels. Each strategic factor is evaluated by comparing the performance of the other alternatives to the base factor. In this study, ordering option I is considered to be the base factor for evaluating ordering option decisions. For supply chain structure, the serial structure (S) is the base factor and the non-integrated mode (NI) is the base factor for comparing information sharing alternatives. Therefore the base model for comparing all three strategic factors is the non-integrated serial supply chain structure with ordering option I. All supply chain scenarios considered in this study would have an ordering option being used, a supply chain structure and a level of information sharing. The combination of these three factors is also referred to as the supply chain condition. In other words the supply chain condition refers to the type of ordering option, supply chain structure and information sharing level present in any particular supply chain. Therefore 48 distinct supply chain conditions are considered in this study and the impact of four distinct information security breaches on these scenarios are evaluated. Therefore a total of 240 different scenarios are created and evaluated altogether as shown in Table 3.3.

62

Level

Factor 1 2 3 4 5

Information Security Breach

No Breach SFDD AOW PT IBMS

Ordering Options I II III

Supply chain structure S WH MF NT

Level of Information Sharing

NI RW WM RWM

Table 3.3 Design of Experimental Scenarios

The values of the simulation parameters for the experiment are shown in Table 3.4. These values are derived from Lau et al. (2002 and 2004). The market demand is observed at the end of the day and is normally distributed with mean of 10 and a standard deviation of 2. The capacity of the manufacturer is 80 and the production lead time is 3 days. The assumption is that manufacturer capacity is in use for the duration of the production lead time after which it becomes available again, an assumption also used in Lau et al. (2004). For instance if the manufacturer is committed to producing 80 items at once, then 80 units of capacity is unavailable for 3 days and any more production orders will have to wait until the production lead time is completed.

Each experiment was run for a total of 800 simulation days and, using time series inspection method, the warm up period was determined to be 100 days leaving an effective simulation period of 701 days. Using the confidence interval method described in Law (2007), the number of replication was determined to be 45 at 98% confidence level and the same random number streams were used for each experiment to ensure consistency and variance reduction (i.e. reduce randomness effect) (Kelton et al., 2010).

63

Parameter Value

Demand (units) NORM(10,2)

Demand Arrival End of day

Production Lead Time 3 days

Manufacturer Capacity 80

Transportation Lead time from Wholesaler to Retailer 2 days Transportation Lead time from Manufacturer to

Wholesaler 5 days

Retailer Unit Holding cost, Backlog cost, Ordering cost £5, 10, 5 Wholesaler Unit Holding cost, Backlog cost, Ordering

cost £3, 10, 5

Manufacturer Unit Holding cost, Backlog cost,

Production cost £3, 10, 5

Table 3.4 Simulation parameters

3.6.1 Performance Measures and Test of Significance

The cost performance measures used in this study include the holding, backlog and ordering cost (similar to Lau et al. 2002), while the service performance measure used is the fill rate (commonly used in many studies). The performance measures are averaged over the effective simulation period and this is computed for each supply agent (the retailer, wholesaler and manufacturer) and the sum of the three cost is referred to as the daily average operating cost. The sum of the daily average operating cost of all three agents is called the supply chain daily average operating cost. The fill rate is only considered at the operating level of each supply chain agent but not considered as a performance measure for the supply chain as a whole. The average performance under security breach in each scenario is noted and the difference in performance level to that of the corresponding non-breach scenario is called the breach impact. This impact is expressed as a percentage of the non-breach scenario performance.

To test for significance during result comparison, we employed the Paired-t Confidence Intervals for Mean Differences with Bonferroni Correction and standard- t Confidence Intervals for Mean Differences with Bonferroni Correction at 95% confidence level (Law, 2007, Robinson, 2004). It is important to note that while the difference between two values may be statistically significant, it does not mean the

64

magnitude of the difference is a huge concern. To help understand the impact of information security breach on supply chain performance, the effect of each breach on the ordering pattern of the agents in the supply chain is examined. The ordering pattern is defined by the frequency of placing an order to the upstream agent and the effective average order quantity computed over the ordering days only. In addition the singular effect of both element of the breach profile (i.e. disruption duration and recurrence rate) is studied to understand how increasing one element affect the magnitude and direction (whether positive or negative) of breach impact. Then the effect of changing the strategic factors from the base model to the other alternatives is examined to determine if any improvement can be obtained. An improvement in performance (which should also be statistically significant at p<0.05) would show that the alternative strategic factor also holds benefit in a breach scenario.

3.6.2 Sensitivity Analysis

Sensitivity analysis, also known as what-if analysis, is a systematic investigation of the reaction of the model output to changes in model input and or model structure (Kleijnen, 1995). The demand input constitute the only random input in this model and since a breach is modelled as a delay and not loss of demand information, the demand stream used represents the single most important source of uncertainty. The question asked here is; if the variability of the demand stream is increased by two fold, what happens to the findings? Does the impact of information security breach increase or decrease? And is this change consistent or inconsistent for all supply chain scenarios. The assumption in this study is that demand follows a normal distribution with mean of 10 and a standard deviation of 2. Therefore to accept that the findings in this study are true for any stream of demand, the standard deviation of the demand distribution was increased from 2 (low) to 4 (high) to perform a sensitivity assessment of the main model (base model) in this study. The result of the effect of increasing the standard deviation of the demand distribution from 2 to 4 is shown in Table 3.5.

65

Option I Option II Option III

NB -6% -17% -17%

AOW -15% -14% -15%

IBMS -8% -16% -18%

PT -9% -16% -18%

SFDD -12% -5% -12%

Table 3.5 Effect of increased variability in the demand distribution The values were obtained by computing the difference between the cost performance under low demand variance (2 standard deviation) and high demand variance (standard deviation of 4), expressed as a percentage of the former. A negative sign indicates the supply chain daily average operating cost in the high demand variance scenario is higher than the low demand variance scenario. Although one would expect that a change in the variability of the demand distribution would affect the performance of the supply chain as the result reveals, however the consistency in the result is of concern here. It can be seen from the result in Table 3.5 that increasing the demand variance consistently increases the magnitude of the impact but not the direction of the impact for both breach and non-breach scenarios. The consistency in the direction of the effect implies that for all 15 scenarios, the observed effect is an increase in cost performance and not an increase in some and then a decrease in others. Hence the inference drawn from the output of this study using low demand variance (standard deviation of 2) is expected to be consistent for any demand stream following a normal distribution regardless of the demand variance.

In a broader sense, the effect of changing the different aspects of the supply chain (ordering option, structure and information sharing level) from one alternative to another using the design of experiment described in section 3.6 is also a sensitivity analysis in itself.