I-SCRAM: A Framework for IoT Supply Chain Risk Analysis and Mitigation Decisions

Timothy Kieras, Junaid Farooq, Quanyan Zhu

Research output: Contribution to journal › Article › peer-review


Supply chain security is becoming an important factor in security risk analysis for modern information and communication technology (ICT) systems. As Internet of Things (IoT) devices proliferate and get adopted into critical infrastructure, the role of suppliers in risk assessment becomes all the more significant. IoT security risks are affected by supplier trust since suppliers possess the capacity to modify black box systems without detection. The risks posed by potentially malicious or compromised suppliers are compounded by interdependence among suppliers. In this paper, we propose I-SCRAM, a framework to analyze supply chain risks in IoT systems and to support risk mitigating decisions. After defining an expanded system model that consists of interconnected components and a hierarchy of component vendors, we develop and propose metrics to quantify systemic risks. Finally, we present a decision framework that helps in selection of vendors to mitigate supply chain risk. Through a case study and simulation, we show that I-SCRAM successfully minimizes system risk as higher budget and more reliable component sources become available, while allowing flexibility in prioritizing sources of risk.

Original language: English (US)
Article number: 9350583
Pages (from-to): 29827-29840
Number of pages: 14
Journal: IEEE Access
State: Published - 2021


  • Attack tree
  • Birnbaum structural importance
  • Internet of things
  • component importance
  • risk mitigation
  • supply chain risk management

ASJC Scopus subject areas

  • General Computer Science
  • General Materials Science
  • General Engineering

