{"id":"https://openalex.org/W4416364859","doi":"https://doi.org/10.1080/07421222.2025.2561385","title":"Dependency Network Structure and Security Vulnerabilities in Software Supply Chains","display_name":"Dependency Network Structure and Security Vulnerabilities in Software Supply Chains","publication_year":2025,"publication_date":"2025-10-02","ids":{"openalex":"https://openalex.org/W4416364859","doi":"https://doi.org/10.1080/07421222.2025.2561385"},"language":"en","primary_location":{"id":"doi:10.1080/07421222.2025.2561385","is_oa":false,"landing_page_url":"https://doi.org/10.1080/07421222.2025.2561385","pdf_url":null,"source":{"id":"https://openalex.org/S9954729","display_name":"Journal of Management Information Systems","issn_l":"0742-1222","issn":["0742-1222","1557-928X"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320547","host_organization_name":"Taylor & Francis","host_organization_lineage":["https://openalex.org/P4310320547"],"host_organization_lineage_names":["Taylor & Francis"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Management Information Systems","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5103196170","display_name":"Eunae Yoo","orcid":"https://orcid.org/0000-0002-4667-927X"},"institutions":[{"id":"https://openalex.org/I592451","display_name":"Indiana University","ror":"https://ror.org/01kg8sb98","country_code":"US","type":"education","lineage":["https://openalex.org/I592451"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Eunae Yoo","raw_affiliation_strings":["Kelley School of Business, Indiana University"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Kelley School of Business, Indiana University","institution_ids":["https://openalex.org/I592451"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5001862274","display_name":"Christopher W. Craighead","orcid":"https://orcid.org/0000-0003-2081-8216"},"institutions":[{"id":"https://openalex.org/I75027704","display_name":"University of Tennessee at Knoxville","ror":"https://ror.org/020f3ap87","country_code":"US","type":"education","lineage":["https://openalex.org/I75027704"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Christopher W. Craighead","raw_affiliation_strings":["Haslam College of Business, University of Tennessee"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Haslam College of Business, University of Tennessee","institution_ids":["https://openalex.org/I75027704"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5038811607","display_name":"Sagar Samtani","orcid":"https://orcid.org/0000-0002-4513-805X"},"institutions":[{"id":"https://openalex.org/I592451","display_name":"Indiana University","ror":"https://ror.org/01kg8sb98","country_code":"US","type":"education","lineage":["https://openalex.org/I592451"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Sagar Samtani","raw_affiliation_strings":["Kelley School of Business, Indiana University"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Kelley School of Business, Indiana University","institution_ids":["https://openalex.org/I592451"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5103196170"],"corresponding_institution_ids":["https://openalex.org/I592451"],"apc_list":null,"apc_paid":null,"fwci":2.0267,"has_fulltext":false,"cited_by_count":1,"citation_normalized_percentile":{"value":0.90965726,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":91,"max":95},"biblio":{"volume":"42","issue":"4","first_page":"1149","last_page":"1176"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.24729999899864197,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.24729999899864197,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11864","display_name":"Supply Chain Resilience and Risk Management","score":0.12639999389648438,"subfield":{"id":"https://openalex.org/subfields/1408","display_name":"Strategy and Management"},"field":{"id":"https://openalex.org/fields/14","display_name":"Business, Management and Accounting"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.026100000366568565,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/dependency","display_name":"Dependency (UML)","score":0.539900004863739},{"id":"https://openalex.org/keywords/supply-chain","display_name":"Supply chain","score":0.5210999846458435},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.5182999968528748},{"id":"https://openalex.org/keywords/network-security","display_name":"Network security","score":0.4851999878883362},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.35030001401901245},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.3407000005245209},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.32100000977516174},{"id":"https://openalex.org/keywords/network-security-policy","display_name":"Network security policy","score":0.3176000118255615}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6427000164985657},{"id":"https://openalex.org/C19768560","wikidata":"https://www.wikidata.org/wiki/Q320727","display_name":"Dependency (UML)","level":2,"score":0.539900004863739},{"id":"https://openalex.org/C108713360","wikidata":"https://www.wikidata.org/wiki/Q1824206","display_name":"Supply chain","level":2,"score":0.5210999846458435},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.5182999968528748},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5067999958992004},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.4851999878883362},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.42320001125335693},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.35030001401901245},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.3407000005245209},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.32100000977516174},{"id":"https://openalex.org/C117110713","wikidata":"https://www.wikidata.org/wiki/Q3394676","display_name":"Network security policy","level":4,"score":0.3176000118255615},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.29899999499320984},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.29100000858306885},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.29019999504089355},{"id":"https://openalex.org/C40700","wikidata":"https://www.wikidata.org/wiki/Q1411783","display_name":"Industrial organization","level":1,"score":0.28949999809265137},{"id":"https://openalex.org/C44104985","wikidata":"https://www.wikidata.org/wiki/Q492886","display_name":"Supply chain management","level":3,"score":0.2815999984741211},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.27900001406669617},{"id":"https://openalex.org/C77270119","wikidata":"https://www.wikidata.org/wiki/Q1655198","display_name":"Software-defined networking","level":2,"score":0.2768999934196472},{"id":"https://openalex.org/C34947359","wikidata":"https://www.wikidata.org/wiki/Q665189","display_name":"Complex network","level":2,"score":0.2700999975204468},{"id":"https://openalex.org/C2988224531","wikidata":"https://www.wikidata.org/wiki/Q20830730","display_name":"Network structure","level":2,"score":0.2700999975204468},{"id":"https://openalex.org/C25343380","wikidata":"https://www.wikidata.org/wiki/Q277521","display_name":"Relation (database)","level":2,"score":0.2630000114440918},{"id":"https://openalex.org/C78597825","wikidata":"https://www.wikidata.org/wiki/Q484847","display_name":"E-commerce","level":2,"score":0.2540000081062317}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1080/07421222.2025.2561385","is_oa":false,"landing_page_url":"https://doi.org/10.1080/07421222.2025.2561385","pdf_url":null,"source":{"id":"https://openalex.org/S9954729","display_name":"Journal of Management Information Systems","issn_l":"0742-1222","issn":["0742-1222","1557-928X"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320547","host_organization_name":"Taylor & Francis","host_organization_lineage":["https://openalex.org/P4310320547"],"host_organization_lineage_names":["Taylor & Francis"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Management Information Systems","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":70,"referenced_works":["https://openalex.org/W65801920","https://openalex.org/W1482734477","https://openalex.org/W1533444565","https://openalex.org/W1540343830","https://openalex.org/W1903013269","https://openalex.org/W1944810960","https://openalex.org/W1969287756","https://openalex.org/W1976362794","https://openalex.org/W1980224781","https://openalex.org/W1988395163","https://openalex.org/W1997890676","https://openalex.org/W2007834894","https://openalex.org/W2022695357","https://openalex.org/W2040420981","https://openalex.org/W2043837581","https://openalex.org/W2049004543","https://openalex.org/W2055397528","https://openalex.org/W2069205948","https://openalex.org/W2070527651","https://openalex.org/W2098569569","https://openalex.org/W2098783227","https://openalex.org/W2101179869","https://openalex.org/W2102234277","https://openalex.org/W2116805092","https://openalex.org/W2117405938","https://openalex.org/W2129318028","https://openalex.org/W2133026349","https://openalex.org/W2138211899","https://openalex.org/W2144604715","https://openalex.org/W2154398797","https://openalex.org/W2167423126","https://openalex.org/W2204032447","https://openalex.org/W2560808744","https://openalex.org/W2752025338","https://openalex.org/W2765805884","https://openalex.org/W2786705330","https://openalex.org/W2789570312","https://openalex.org/W2795288464","https://openalex.org/W2809901382","https://openalex.org/W2911874551","https://openalex.org/W2947010043","https://openalex.org/W2995526978","https://openalex.org/W3006733680","https://openalex.org/W3022734214","https://openalex.org/W3036270494","https://openalex.org/W3046453918","https://openalex.org/W3088691441","https://openalex.org/W3106855263","https://openalex.org/W3122189568","https://openalex.org/W3122230074","https://openalex.org/W3123292146","https://openalex.org/W3123792077","https://openalex.org/W3124560715","https://openalex.org/W3125265168","https://openalex.org/W3139650183","https://openalex.org/W3141119712","https://openalex.org/W3141789851","https://openalex.org/W3159300567","https://openalex.org/W3165300127","https://openalex.org/W3215879207","https://openalex.org/W4206727796","https://openalex.org/W4284680133","https://openalex.org/W4322627891","https://openalex.org/W4362698237","https://openalex.org/W4389549408","https://openalex.org/W4390804134","https://openalex.org/W4391934842","https://openalex.org/W4391942833","https://openalex.org/W4402236233","https://openalex.org/W4402236512"],"related_works":[],"abstract_inverted_index":{"Software":[0],"packages":[1],"can":[2],"be":[3,123],"susceptible":[4],"to":[5],"attack":[6],"whenever":[7],"they":[8],"utilize":[9],"dependencies":[10,25,139],"containing":[11],"security":[12,137,144],"vulnerabilities":[13],"(vulnerable":[14],"dependencies).":[15],"We":[16],"theorize":[17],"that":[18,47,56,84],"the":[19,76,98,104,136,143],"likelihood":[20,54,77],"of":[21,32,78,100,107,130,138,145],"relying":[22],"on":[23],"vulnerable":[24,79],"is":[26,49,72],"heightened":[27],"by":[28],"two":[29],"structural":[30],"dimensions":[31],"dependency":[33,110,132],"networks:":[34],"complexity":[35,48,58,67,91],"(dependency":[36],"count)":[37],"and":[38,55,103,125],"tight":[39,70,120],"coupling":[40,71,121],"(interdependence).":[41],"Analyzing":[42],"40,049":[43],"packages,":[44],"we":[45],"find":[46],"positively":[50],"associated":[51,74],"with":[52,75,89],"this":[53,85],"vertical":[57],"(depth)":[59],"plays":[60],"a":[61,127],"more":[62,94,141],"prominent":[63],"role":[64],"than":[65],"horizontal":[66],"(breadth).":[68],"However,":[69],"negatively":[73],"dependencies.":[80],"Further":[81],"analyses":[82],"reveal":[83],"relationship":[86],"turns":[87],"positive":[88],"greater":[90],"but":[92],"becomes":[93],"strongly":[95],"negative":[96],"as":[97],"number":[99,106],"package":[101],"developers":[102,108],"average":[105],"per":[109],"increase.":[111],"Our":[112],"findings":[113],"identify":[114],"key":[115],"boundary":[116],"conditions":[117],"under":[118],"which":[119],"may":[122],"beneficial":[124],"offer":[126],"nuanced":[128],"understanding":[129],"how":[131],"network":[133],"structure":[134],"influences":[135],"and,":[140],"broadly,":[142],"software":[146],"supply":[147],"chains.":[148]},"counts_by_year":[{"year":2025,"cited_by_count":1}],"updated_date":"2026-06-14T06:11:07.267592","created_date":"2025-11-19T00:00:00"}
