Audit to Assurance: Evaluating the Impact of Regulatory Cybersecurity Audits on Organisational Cyber Resilience and Strategic Decision-Making

Authors

  • Yasir Majeed, The University of Lahore
  • Anas Majeed, Victoria University

DOI:

https://doi.org/10.54536/ajise.v5i1.7223

Keywords:

Audit assurance, Board governance, Cyber resilience, Cybersecurity audit, Enterprise risk management, Information security, Regulatory compliance, Strategic decision-making, Structural equation modelling

Abstract

As digital threats proliferate in scope and sophistication, regulatory bodies worldwide have expanded mandatory cybersecurity audit frameworks to compel organisational accountability. Despite widespread regulatory adoption, evidence on whether compliance translates into genuine cyber resilience remains contested. This study investigates the multidimensional impact of regulatory cybersecurity audits on cyber resilience and strategic decision-making, and introduces the Audit-to-Assurance (A2A) Framework. A mixed-methods design integrates quantitative survey data from 347 enterprise organisations across 12 sectors (hierarchical regression; structural equation modelling) with 24 executive interviews (thematic analysis). Audit intensity (β = 0.42, p < .001) and audit quality (β = 0.61, p < .001) are significant predictors of cyber resilience and strategic outcomes, respectively. Remediation depth mediates the audit quality–resilience relationship (indirect effect β = 0.31, 95% CI [0.24, 0.39]). Board cybersecurity literacy significantly moderates the audit–strategy pathway (β = 0.29, p = .002). All ten hypotheses are supported. Regulatory audits generate substantial resilience and strategic value, but only under conditions of high audit quality, rigorous gap analysis, and deep remediation. The A2A Framework provides a structured roadmap for practitioners and regulators.



Published

2026-04-06

How to Cite

Majeed, Y., & Majeed, A. (2026). Audit to Assurance: Evaluating the Impact of Regulatory Cybersecurity Audits on Organisational Cyber Resilience and Strategic Decision-Making. American Journal of Innovation in Science and Engineering, 5(1), 86-101. https://doi.org/10.54536/ajise.v5i1.7223
