This study uses analytical models to investigate whether requiring cybersecurity assurance or a particular maturity level for vendors or contractors will help them improve their cybersecurity management. Our findings suggest that, if a supplier decides on its preferred cybersecurity maturity level without knowing what level a contract requires, the supplier is more likely to exert more effort to improve its cybersecurity management. We also show that a buyer can incentivize the supplier to engage in improving cybersecurity risk management by imposing a reduced contractual price or a fine when a breach occurs. Our findings reveal the role played by cybersecurity maturity level assurance and we discuss practical implications.

中文翻译：

---

网络安全成熟度保证是否可以改善供应链中的网络安全风险管理？


本研究使用分析模型来调查供应商或承包商要求网络安全保证或特定成熟度级别是否有助于他们改进网络安全管理。我们的研究结果表明，如果供应商在不知道合同要求什么级别的情况下决定其首选的网络安全成熟度级别，则供应商更有可能付出更多努力来改进其网络安全管理。我们还表明，买方可以通过降低合同价格或在发生违规行为时处以罚款来激励供应商改善网络安全风险管理。我们的研究结果揭示了网络安全成熟度保证所发挥的作用，并讨论了实际影响。