Despite implementing a risk-avoidance strategy of purchasing semiconductor chips directly from a semiconductor manufacturer's authorized sources, the electronics industry continues to discover counterfeit chips within the semiconductor supply chain and demand chain (i.e., the semiconductor ecosystem). This article presents a mathematical model of supply chain risk developed based on an analysis of how vulnerabilities, if exploited, increase the risk of the supply chain integrity being compromised. The model is developed based on a case study of an actual supply chain that was compromised and is tested for validity. A critical finding of this work is that the most important vulnerability of a supply chain is a malicious insider. This finding is important because prior research assumes that any breakdown in supply chain integrity originates outside of the trusted partners of the semiconductor ecosystem. Another finding is that the semiconductor industry's recommended counterfeit-avoidance strategy may have the unintended consequence of increasing, rather than reducing, the risk of counterfeit chips entering the supply chain. Based on the results, we propose a framework for counterfeit-risk management to complement existing counterfeit-risk programs.