{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,19]],"date-time":"2025-11-19T17:23:21Z","timestamp":1763573001679,"version":"3.45.0"},"reference-count":87,"publisher":"Informa UK Limited","issue":"4","content-domain":{"domain":["www.tandfonline.com"],"crossmark-restriction":true},"short-container-title":["Journal of Management Information Systems"],"published-print":{"date-parts":[[2025,10,2]]},"DOI":"10.1080\/07421222.2025.2561385","type":"journal-article","created":{"date-parts":[[2025,11,19]],"date-time":"2025-11-19T17:12:57Z","timestamp":1763572377000},"page":"1149-1176","update-policy":"https:\/\/doi.org\/10.1080\/tandf_crossmark_01","source":"Crossref","is-referenced-by-count":0,"title":["Dependency Network Structure and Security Vulnerabilities in Software Supply Chains"],"prefix":"10.1080","volume":"42","author":[{"given":"Eunae","family":"Yoo","sequence":"first","affiliation":[{"name":"Kelley School of Business, Indiana University","place":["USA"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Christopher W.","family":"Craighead","sequence":"additional","affiliation":[{"name":"Haslam College of Business, University of Tennessee","place":["Knoxville, USA"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sagar","family":"Samtani","sequence":"additional","affiliation":[{"name":"Kelley School of Business, Indiana University","place":["Bloomington, USA"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"301","published-online":{"date-parts":[[2025,11,19]]},"reference":[{"key":"e_1_3_4_2_1","doi-asserted-by":"publisher","DOI":"10.1080\/07421222.2023.2301178"},{"key":"e_1_3_4_3_1","doi-asserted-by":"publisher","DOI":"10.1287\/isre.2014.0527"},{"key":"e_1_3_4_4_1","doi-asserted-by":"publisher","DOI":"10.7551\/mitpress\/2366.001.0001"},{"key":"e_1_3_4_5_1","doi-asserted-by":"publisher","DOI":"10.1287\/mnsc.44.4.433"},{"key":"e_1_3_4_6_1","doi-asserted-by":"publisher","DOI":"10.1287\/isre.11.3.219.12209"},{"key":"e_1_3_4_7_1","doi-asserted-by":"publisher","DOI":"10.1080\/07421222.2024.2376385"},{"key":"e_1_3_4_8_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jom.2014.12.004"},{"key":"e_1_3_4_9_1","doi-asserted-by":"publisher","DOI":"10.1111\/j.1745-493X.2009.03166.x"},{"key":"e_1_3_4_10_1","doi-asserted-by":"publisher","DOI":"10.2307\/23044049"},{"key":"e_1_3_4_11_1","doi-asserted-by":"publisher","DOI":"10.1287\/isre.2021.1014"},{"key":"e_1_3_4_12_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-021-09951-x"},{"key":"e_1_3_4_13_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0272-6963(02)00025-6"},{"key":"e_1_3_4_14_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jom.2005.07.002"},{"key":"e_1_3_4_15_1","unstructured":"Collins K. The hackers who broke into Equifax exploited a flaw in open-source server software. 2017. https:\/\/qz.com\/1073221\/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw\/ (accessed on November 11 2019."},{"key":"e_1_3_4_16_1","doi-asserted-by":"publisher","DOI":"10.1111\/j.1540-5915.2007.00151.x"},{"key":"e_1_3_4_17_1","unstructured":"CVE. Terminology. 2016. http:\/\/cve.mitre.org\/about\/terminology.html (accessed on November 9 2022)."},{"key":"e_1_3_4_18_1","volume-title":"Organization Theory and Design","author":"Daft R.L.","year":"1989","unstructured":"Daft, R.L. Organization Theory and Design. New York:West Publishing, 1989."},{"key":"e_1_3_4_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196401"},{"key":"e_1_3_4_20_1","unstructured":"Devo. The Evolution Toward an Alertless SOC: A Smarter Approach to Security Operations. 2025. https:\/\/www.devo.com\/resources\/ebook\/evolution-toward-an-alertless-soc (accessed on May 1 2025)."},{"key":"e_1_3_4_21_1","doi-asserted-by":"publisher","DOI":"10.1080\/07421222.2021.1962599"},{"key":"e_1_3_4_22_1","article-title":"Common vulnerability scoring system version 3.1","author":"FIRST","year":"2019","unstructured":"FIRST. Common vulnerability scoring system version 3.1: Specification document. 2019. https:\/\/www.first.org\/cvss\/specification-document (accessed on May 5, 2023).","journal-title":"Specification document"},{"key":"e_1_3_4_23_1","doi-asserted-by":"publisher","DOI":"10.2307\/25750693"},{"key":"e_1_3_4_24_1","unstructured":"GitHub. The 2020 state of the Octoverse - Securing the world\u2019s software. 2020. https:\/\/octoverse.github.com\/static\/github-octoverse-2020-security-report.pdf (accessed on May 5 2023)."},{"key":"e_1_3_4_25_1","doi-asserted-by":"publisher","DOI":"10.1287\/mnsc.1070.0748"},{"key":"e_1_3_4_26_1","doi-asserted-by":"publisher","DOI":"10.1287\/mnsc.46.4.451.12056"},{"key":"e_1_3_4_27_1","doi-asserted-by":"publisher","DOI":"10.1111\/j.1540-5915.2012.00361.x"},{"key":"e_1_3_4_28_1","article-title":"Secure at every step: What is software supply chain security and why does it matter?","author":"Kaczorowski M.","year":"2020","unstructured":"Kaczorowski, M. Secure at every step: What is software supply chain security and why does it matter? The GitHub Blog, 2020. https:\/\/github.blog\/2020-09-02-secure-your-software-supply-chain-and-protect-against-supply-chain-threats-github-blog\/ (accessed on May 3, 2022).","journal-title":"The GitHub Blog"},{"key":"e_1_3_4_29_1","doi-asserted-by":"publisher","DOI":"10.1287\/mnsc.1040.0357"},{"key":"e_1_3_4_30_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jom.2014.10.006"},{"key":"e_1_3_4_31_1","doi-asserted-by":"publisher","DOI":"10.1080\/07421222.1998.11518188"},{"key":"e_1_3_4_32_1","doi-asserted-by":"publisher","DOI":"10.2307\/41703471"},{"key":"e_1_3_4_33_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0048-7333(03)00050-7"},{"key":"e_1_3_4_34_1","doi-asserted-by":"publisher","DOI":"10.1287\/isre.2018.0814"},{"key":"e_1_3_4_35_1","doi-asserted-by":"publisher","DOI":"10.1080\/07421222.2023.2301177"},{"key":"e_1_3_4_36_1","doi-asserted-by":"publisher","DOI":"10.1080\/07421222.2021.1870390"},{"key":"e_1_3_4_37_1","doi-asserted-by":"publisher","DOI":"10.2307\/20650279"},{"key":"e_1_3_4_38_1","doi-asserted-by":"publisher","DOI":"10.1080\/07421222.2020.1790190"},{"key":"e_1_3_4_39_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jom.2017.10.001"},{"key":"e_1_3_4_40_1","doi-asserted-by":"publisher","DOI":"10.1287\/mnsc.1060.0552"},{"key":"e_1_3_4_41_1","doi-asserted-by":"publisher","DOI":"10.1111\/poms.12879"},{"key":"e_1_3_4_42_1","doi-asserted-by":"publisher","DOI":"10.25300\/MISQ\/2018\/13853"},{"key":"e_1_3_4_43_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infoandorg.2023.100499"},{"key":"e_1_3_4_44_1","doi-asserted-by":"publisher","DOI":"10.1080\/07421222.2018.1523605"},{"key":"e_1_3_4_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2850755"},{"key":"e_1_3_4_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/1853919.1853923"},{"key":"e_1_3_4_47_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"e_1_3_4_48_1","unstructured":"OpenSSF. OpenSSF Scorecard. 2025. https:\/\/scorecard.dev\/ (accessed on June 17 2025)."},{"key":"e_1_3_4_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.3025443"},{"key":"e_1_3_4_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417232"},{"key":"e_1_3_4_51_1","volume-title":"Normal Accidents: Living with High-Risk Technologies","author":"Perrow C.","year":"1984","unstructured":"Perrow, C. Normal Accidents: Living with High-Risk Technologies. New York: Basic Books, 1984."},{"key":"e_1_3_4_52_1","doi-asserted-by":"publisher","DOI":"10.1111\/1468-5973.00108"},{"key":"e_1_3_4_53_1","doi-asserted-by":"publisher","DOI":"10.1509\/jmkr.47.1.3"},{"key":"e_1_3_4_54_1","doi-asserted-by":"publisher","DOI":"10.1080\/07421222.2015.1138374"},{"key":"e_1_3_4_55_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-021-09959-3"},{"key":"e_1_3_4_56_1","doi-asserted-by":"publisher","DOI":"10.1287\/mnsc.2015.2196"},{"key":"e_1_3_4_57_1","doi-asserted-by":"publisher","DOI":"10.2307\/41410405"},{"key":"e_1_3_4_58_1","doi-asserted-by":"publisher","DOI":"10.1007\/s12130-999-1026-0"},{"key":"e_1_3_4_59_1","doi-asserted-by":"publisher","DOI":"10.25300\/MISQ\/2019\/14577"},{"key":"e_1_3_4_60_1","doi-asserted-by":"publisher","DOI":"10.25300\/MISQ\/2022\/15392"},{"key":"e_1_3_4_61_1","article-title":"How to defend against software supply chain attacks","author":"Schwartz M.","year":"2021","unstructured":"Schwartz, M. How to defend against software supply chain attacks. FOSSA, 2021. https:\/\/fossa.com\/blog\/defend-against-software-supply-chain-attacks\/ (accessed on December 6, 2022).","journal-title":"FOSSA"},{"key":"e_1_3_4_62_1","doi-asserted-by":"publisher","DOI":"10.1080\/07421222.2015.1063315"},{"key":"e_1_3_4_63_1","doi-asserted-by":"publisher","DOI":"10.1080\/07421222.2019.1705511"},{"key":"e_1_3_4_64_1","doi-asserted-by":"publisher","DOI":"10.1287\/isre.1100.0311"},{"key":"e_1_3_4_65_1","doi-asserted-by":"publisher","DOI":"10.2307\/25148716"},{"key":"e_1_3_4_66_1","doi-asserted-by":"publisher","DOI":"10.1002\/joom.1067"},{"key":"e_1_3_4_67_1","doi-asserted-by":"publisher","DOI":"10.2307\/25148734"},{"key":"e_1_3_4_68_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2010.81"},{"key":"e_1_3_4_69_1","doi-asserted-by":"publisher","DOI":"10.1145\/1456362.1456372"},{"issue":"1","key":"e_1_3_4_70_1","first-page":"161","article-title":"Theories of bounded rationality","volume":"1","author":"Simon H.","year":"1972","unstructured":"Simon, H. Theories of bounded rationality. Decision and Organization, 1, 1 (1972), 161\u2013176.","journal-title":"Decision and Organization"},{"key":"e_1_3_4_71_1","doi-asserted-by":"publisher","DOI":"10.1287\/isre.1100.0308"},{"key":"e_1_3_4_72_1","unstructured":"SlashData. State of the developer nation 16th edition. 2019. https:\/\/www.slashdata.co\/free-resources\/developer-economics-state-of-the-developer-nation-16th-edition? (accessed on October 30 2019)."},{"key":"e_1_3_4_73_1","unstructured":"Sonatype. 2020 state of the software supply chain. 2020. https:\/\/www.sonatype.com\/hubfs\/Corporate\/Software%20Supply%20Chain\/2020\/SON_SSSC-Report-2020_final_aug11.pdf (accessed on June 9 2023)."},{"key":"e_1_3_4_74_1","unstructured":"Sonatype. 2021 state of the software supply chain. 2021. https:\/\/www.sonatype.com\/hubfs\/Q3%202021-State%20of%20the%20Software%20Supply%20Chain-Report\/SSSC-Report-2021_0913_PM_2.pdf?hsLang=en-us (accessed on June 9 2023)."},{"key":"e_1_3_4_75_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jom.2011.06.003"},{"key":"e_1_3_4_76_1","doi-asserted-by":"publisher","DOI":"10.1287\/isre.1110.0392"},{"key":"e_1_3_4_77_1","unstructured":"Synopsys. 2022 open source security and risk analysis report. 2022. https:\/\/www.synopsys.com\/content\/dam\/synopsys\/sig-assets\/reports\/rep-ossra-2022.pdf (accessed on May 3 2022)."},{"key":"e_1_3_4_78_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510199"},{"key":"e_1_3_4_79_1","doi-asserted-by":"publisher","DOI":"10.2753\/MIS0742-1222280411"},{"key":"e_1_3_4_80_1","doi-asserted-by":"publisher","DOI":"10.1287\/isre.2017.0722"},{"key":"e_1_3_4_81_1","unstructured":"The White House. Executive Order on improving the nation\u2019s cybersecurity. 2021. https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/ (accessed on June 9 2023)."},{"key":"e_1_3_4_82_1","doi-asserted-by":"publisher","DOI":"10.1287\/isre.2023.1218"},{"key":"e_1_3_4_83_1","doi-asserted-by":"publisher","DOI":"10.1080\/07421222.2024.2376384"},{"key":"e_1_3_4_84_1","doi-asserted-by":"publisher","DOI":"10.1287\/isre.2023.1200"},{"key":"e_1_3_4_85_1","doi-asserted-by":"publisher","DOI":"10.1080\/07421222.2023.2267319"},{"key":"e_1_3_4_86_1","doi-asserted-by":"publisher","DOI":"10.1287\/mnsc.2020.3645"},{"key":"e_1_3_4_87_1","volume-title":"Econometric Analysis of Cross Section and Panel Data","author":"Wooldridge J.M.","year":"2010","unstructured":"Wooldridge, J.M. Econometric Analysis of Cross Section and Panel Data. Cambridge, MA: The MIT Press, 2010."},{"key":"e_1_3_4_88_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2010.32"}],"container-title":["Journal of Management Information Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.tandfonline.com\/doi\/pdf\/10.1080\/07421222.2025.2561385","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,19]],"date-time":"2025-11-19T17:18:38Z","timestamp":1763572718000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.tandfonline.com\/doi\/full\/10.1080\/07421222.2025.2561385"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,2]]},"references-count":87,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2025,10,2]]}},"alternative-id":["10.1080\/07421222.2025.2561385"],"URL":"https:\/\/doi.org\/10.1080\/07421222.2025.2561385","relation":{},"ISSN":["0742-1222","1557-928X"],"issn-type":[{"type":"print","value":"0742-1222"},{"type":"electronic","value":"1557-928X"}],"subject":[],"published":{"date-parts":[[2025,10,2]]},"assertion":[{"value":"The publishing and review policy for this title is described in its Aims & Scope.","order":1,"name":"peerreview_statement","label":"Peer Review Statement"},{"value":"http:\/\/www.tandfonline.com\/action\/journalInformation?show=aimsScope&journalCode=mmis20","URL":"http:\/\/www.tandfonline.com\/action\/journalInformation?show=aimsScope&journalCode=mmis20","order":2,"name":"aims_and_scope_url","label":"Aim & Scope"},{"value":"2025-11-19","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}