Abstract
Software supply chains have emerged as a critical battleground in cyberspace security, with their compromise posing direct threats to critical infrastructure and information systems. The inherent multi-level structures and complex interdependencies among supply chain entities have introduced novel challenges in network and information security. This study investigates the contagion mechanisms of information security risks in software supply chains, aiming to identify key factors influencing risk propagation and evaluate effective defense strategies under multi-layer network conditions. We employ system dynamics (SD) modeling to construct a risk contagion framework for software supply chains, incorporating multi-layer network structures. Dynamic simulations are conducted to analyze risk transmission patterns under different attack and defense scenarios. The simulation results show that the risk transmission rate of software supply chain information security is influenced by the attack path. As compared to random attacks, selective attacks result in a faster risk transmission. In terms of defense strategy, increasing information security investment and improving the level of software quality are more effective for defense against random attacks. In terms of governance measures, increasing technological progress is more effective as compared to reducing the vulnerability rate. The results show that the marginal benefits of the technological progress rate show a decreasing trend. The study quantitatively validates the cascading effects of security risks in multi-layer supply chain networks and provides actionable insights and establishes a system dynamics foundation for predictive risk assessment in complex software supply chain ecosystems.