Balancing efficiency and security: The role of voluntary standards and emerging technologies in cyber risk management framework in USA perspective

Author: ALOZIE, CHISOM ELIZABETH; OKAFOR, UZOAMAKA
Publisher: Zenodo
DOI: 10.5281/zenodo.17312480
Source: https://zenodo.org/records/17312480/files/WJARR-2025-1842.pdf
Corresponding author: CHISOM ELIZABETH ALOZIE
Copyright © 2025 Author(s) retain the copyright of this article. This article is published under the terms of the Creative Commons Attribution License 4.0.
Balancing efficiency and security: The role of voluntary standards and emerging technologies in cyber risk management framework in USA perspective
CHISOM ELIZABETH ALOZIE 1, * and UZOAMAKA OKAFOR 2
1 Department of Information Technology Institution, University of the Cumberlands, Kentucky, United States.
2 Department: Satish and Yasmin Gupta College of Business-Center of Cybersecurity Institution: University of Dallas, Irving, Texas, USA.
World Journal of Advanced Research and Reviews, 2025, 26(02), 1746-1776
Publication history: Received on 03 April 2025; revised on 09 May 2025; accepted on 11 May 2025
Article DOI: https://doi.org/10.30574/wjarr.2025.26.2.1842
Abstract
This research examines the distinctive evolution of voluntary cyber risk management frameworks within the United States context, focusing on the tension between security imperatives and operational efficiency. Through a mixed-methods approach combining 37 interviews with U.S. chief information security officers, regulatory experts, and framework architects, alongside survey data from 156 U.S. organizations, this study identifies unique characteristics of the American approach to cyber risk management. Findings reveal that U.S. organizations demonstrate distinctive patterns in framework utilization, prioritizing sector-specific adaptations and legal risk management considerations while leveraging emerging technologies to automate compliance activities. The research identifies a "federated implementation model" prevalent among U.S. enterprises that balances central governance with business unit autonomy. The study contributes a novel "USA Cyber Risk Integration Framework" that accounts for the sectoral regulatory landscape, litigation-aware governance structures, and technology-driven compliance approaches characteristic of U.S. organizations. This research provides valuable insights for security practitioners, technology vendors, and policymakers seeking to understand and enhance cyber risk management effectiveness within the unique American regulatory and business environment.
Keywords: Cyber Risk Management; NIST Cybersecurity Framework; US Regulatory Landscape; Security Automation; Compliance-Driven Governance; Sector-Specific Standards; Public-Private Partnerships
1. Introduction
1.1. The Evolution of Cyber Risk Management in the U.S. Context
The United States represents a distinctive environment for cyber risk management, shaped by its historical emphasis on market-driven solutions, sectoral regulatory approach, and litigation-oriented business culture. Unlike jurisdictions that have implemented comprehensive cybersecurity legislation, the U.S. has historically relied on a combination of sector-specific regulations, voluntary frameworks, and market incentives to drive cybersecurity improvements (Wolff, 2018). This approach reflects broader American governance preferences for flexibility, innovation, and minimal government intervention in private-sector decision-making.
The evolution of U.S. cyber risk management has been significantly influenced by several pivotal developments. The 9/11 attacks prompted increased focus on critical infrastructure protection, leading to initiatives like the National Infrastructure Protection Plan. The massive Target data breach in 2013 elevated cybersecurity to a board-level concern, introducing new expectations for executive oversight (Bamberger & Mulligan, 2019). Executive Order 13636 in 2013
directed the National Institute of Standards and Technology (NIST) to develop a voluntary Cybersecurity Framework, establishing what would become the most influential framework in the American context.
Table 1 Evolution of Cyber Risk Management in the U.S.

Time Period | Key Events | Regulatory/Policy Developments | Impact on Cybersecurity Practices
2001–2005 | 9/11 Attacks (2001); Formation of DHS (2002) | Homeland Security Act (2002); Federal Information Security Management Act (FISMA, 2002) | Increased focus on critical infrastructure protection; Development of early federal security standards; Creation of initial public-private partnerships
2006–2012 | Major data breaches (e.g., TJX, Heartland); Rise of state-level breach notification laws | First state data breach laws; PCI DSS standardization; SEC guidance on cybersecurity disclosure | Growth in breach notification requirements; Early standardization of security controls; Beginning of board-level attention
2013–2016 | Target breach (2013); OPM breach (2015); Rise of ransomware attacks | Executive Order 13636 (2013); NIST Cybersecurity Framework (CSF) 1.0 release (2014); Cybersecurity Act (2015) | Adoption of voluntary standards model; Expansion of information-sharing programs; Heightened board-level cybersecurity engagement
2017–2020 | WannaCry and NotPetya attacks (2017); Equifax breach (2017); Growth of cloud adoption | Executive Order 13800 (2017); NYDFS Cybersecurity Regulation (2017); GDPR's influence on U.S. privacy laws | Increased supply chain security focus; Rise of sector-specific regulations; Integration of cybersecurity with business functions
2021–Present | SolarWinds supply chain attack (2020); Colonial Pipeline ransomware (2021); Acceleration of digital transformation | Executive Order 14028 (2021); SEC proposed cybersecurity rules (2022); Emergence of state privacy laws with cybersecurity provisions | Zero Trust Architecture adoption; Emphasis on software supply chain security; Enhanced operational technology protections; AI integration into security operations

Source: Research findings based on literature review and interview data.
More recently, the SolarWinds supply chain compromise and Colonial Pipeline ransomware attack have further transformed the landscape, prompting new executive orders, regulatory requirements, and congressional actions focused on enhancing national cybersecurity (White House, 2021). These events have intensified pressure on organizations to implement robust security measures while maintaining operational efficiency, particularly as digital transformation accelerates across all sectors.
1.2. The Security-Efficiency Challenge in American Organizations
U.S. organizations face a distinctive version of the security-efficiency dilemma. On one hand, America's litigious business environment and growing regulatory requirements create strong incentives for comprehensive security controls. Securities and Exchange Commission (SEC) disclosure obligations, Federal Trade Commission (FTC) enforcement actions, and the growing body of data breach litigation establish significant consequences for security failures (Schwartz & Peifer, 2017).
On the other hand, the American business culture strongly prioritizes efficiency, innovation, and competitive advantage. U.S. enterprises operate in a market environment that rewards rapid adaptation and penalizes excessive friction or constraints on business agility. This creates particular tension between security imperatives and operational demands, with organizations seeking approaches that satisfy both requirements.
This tension has been further complicated by the pandemic-accelerated shift to remote work, cloud adoption, and digital business models. As one technology executive observed, "COVID compressed 10 years of digital transformation into 18 months, but our security and risk management approaches struggled to keep pace" (Caimi et al., 2021, p. 7). Organizations must now secure vastly expanded digital footprints while supporting unprecedented operational flexibility.
1.3. Voluntary Standards in the American Approach
The United States has pioneered a distinctive model of voluntary cybersecurity standards development through public-private partnerships. The NIST Cybersecurity Framework (CSF), first released in 2014 and updated in 2018, exemplifies this approach, developed through extensive stakeholder consultation and designed for flexible, voluntary adoption (NIST, 2018). This model reflects American preferences for industry leadership, adaptable approaches, and market-driven solutions rather than prescriptive regulation.
The NIST CSF has achieved remarkable adoption, with an estimated 50% of U.S. organizations implementing it in some form (National Cyber Security Alliance, 2022). Its success has spawned additional voluntary frameworks, including the NIST Privacy Framework, NIST AI Risk Management Framework, and various sector-specific adaptations. While these frameworks are technically voluntary, they have increasingly become de facto requirements through regulatory references, procurement requirements, and their role in establishing reasonable security standards in litigation (Kosseff, 2018).
The American standards landscape is further complicated by sector-specific frameworks with varying degrees of prescriptiveness. These include the Health Insurance Portability and Accountability Act (HIPAA) Security Rule for healthcare, the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards for the electric sector, and the New York Department of Financial Services (NYDFS) Cybersecurity Regulation for financial institutions. Organizations must navigate this complex ecosystem of overlapping frameworks, many of which contain similar but not identical requirements.
1.4. Emerging Technologies in American Cyber Risk Management
Figure 1 Cybersecurity Budget Allocation Comparison (U.S. vs. Global)
The United States leads global investment in cybersecurity technologies, with U.S. organizations allocating an average of 10-14% of their IT budgets to security, significantly higher than global averages of 6-8% (Gartner, 2023). This investment reflects both the high threat environment and the American preference for technological solutions to complex challenges.
Emerging technologies show particular promise for addressing the security-efficiency dilemma in U.S. organizations. Security automation and orchestration tools can reduce the operational burden of security controls while maintaining or enhancing protection. Advanced analytics can improve risk visibility without requiring additional manual assessment. And integrated governance, risk, and compliance (GRC) platforms can streamline framework implementation and demonstration (Shackleford, 2021).
However, these technologies also introduce new challenges, including implementation complexity, potential dependencies, and sometimes their own security risks. The effectiveness of technological approaches depends significantly on organizational maturity, governance structures, and alignment with business processes, factors that vary considerably across the American business landscape.
1.5. Research Objectives and Questions
This research aims to investigate how U.S. organizations balance security and operational efficiency through the application of voluntary standards and emerging technologies within their cyber risk management frameworks. The study addresses four primary research questions:
• How do U.S. organizations adapt and implement voluntary cybersecurity frameworks to address their specific regulatory landscape and business requirements?
• What governance structures and processes have proven most effective for balancing security and efficiency within the American business and regulatory context?
• How are U.S. organizations leveraging emerging technologies to enhance cyber risk management effectiveness while minimizing operational friction?
• What distinctive patterns characterize successful cyber risk management approaches in different sectors of the U.S. economy?
By addressing these questions, this research seeks to develop deeper understanding of effective cyber risk management approaches within the unique American context, providing practical insights for security practitioners, technology vendors, and policymakers.
2. Literature Review
2.1. The U.S. Regulatory and Policy Landscape
The United States maintains a distinctive approach to cybersecurity regulation characterized by sectoral fragmentation, enforcement through litigation, and substantial reliance on voluntary measures. Unlike jurisdictions with comprehensive cybersecurity legislation, the U.S. has developed what Wolff (2018) terms a "patchwork quilt" of requirements varying by industry sector, data type, and state jurisdiction. This approach reflects American political preferences for limited federal regulation and preservation of state authority.
Significant research has examined this fragmented landscape. Kosseff (2018) documented the evolution of what he terms "regulatory frameworks in the absence of comprehensive regulation," identifying how agencies like the FTC, SEC, and Federal Communications Commission (FCC) have leveraged existing authorities to establish de facto cybersecurity requirements. Schwartz and Peifer (2017) analyzed the role of enforcement actions and litigation in establishing cybersecurity standards, noting that court decisions increasingly reference voluntary frameworks when determining reasonableness.
Table 2 Comparison of U.S. Regulatory Approaches Across Sectors

Industry Sector | Key Regulations | Primary Regulatory Bodies | Key Requirements | Enforcement Mechanisms
Financial Services | Gramm-Leach-Bliley Act (GLBA); NYDFS Cybersecurity Regulation; FFIEC Guidance; SEC Regulations | Federal Reserve; Office of the Comptroller of the Currency (OCC); Federal Deposit Insurance Corporation (FDIC); SEC; State Banking Authorities | Risk assessments; Designated CISO; Incident reporting; Vendor management; Board oversight; Multi-factor authentication | Regulatory examinations; Enforcement actions; Civil penalties; Shareholder litigation
Healthcare | HIPAA Security Rule; HITECH Act; State medical privacy laws; FDA medical device guidance | U.S. Department of Health and Human Services (HHS) Office for Civil Rights; State Attorneys General; Food and Drug Administration (FDA) | Security risk analysis; Protection of electronic protected health information (ePHI); Access and audit controls; Breach notification; Medical device cybersecurity | OCR investigations; Resolution agreements; Civil monetary penalties; Corrective action plans
Energy/Utilities | NERC Critical Infrastructure Protection (CIP) Standards; TSA Pipeline Security Directives; DOE C2M2 Framework | Federal Energy Regulatory Commission (FERC); North American Electric Reliability Corporation (NERC); Transportation Security Administration (TSA); Department of Energy (DOE) | Critical asset protection; Electronic security perimeters; Incident reporting; Recovery planning; Supply chain risk management | Regulatory audits; Financial penalties; Mitigation plans; Compliance monitoring
Retail/Consumer | FTC Act Section 5; State data breach laws; PCI DSS; California Consumer Privacy Acts (CCPA/CPRA) | Federal Trade Commission (FTC); State Attorneys General; Payment Card Industry organizations | Reasonable security practices; Consumer data protection; Breach notification; Privacy notices; Consumer rights management | FTC consent orders; Civil litigation; State enforcement actions; PCI assessments and fines
Public Companies | SEC Cybersecurity Disclosure Guidance; Sarbanes-Oxley Act (indirect); Proposed SEC Cybersecurity Rules | Securities and Exchange Commission (SEC); Public Company Accounting Oversight Board (PCAOB) | Disclosure of risk factors; Reporting of material incidents; Board oversight of cybersecurity; Governance and program documentation | SEC investigations; Securities litigation; Disclosure control enforcement; Director liability
Federal Agencies | Federal Information Security Modernization Act (FISMA); OMB Circulars; Executive Order 14028; NIST SP 800-series | Office of Management and Budget (OMB); Cybersecurity and Infrastructure Security Agency (CISA); Government Accountability Office (GAO); Agency Inspectors General (IGs) | Security categorization; Implementation of security controls; Continuous monitoring; Annual assessments; Plan of Action and Milestones (POA&M) management | OMB oversight; Congressional reporting; IG audits; Federal IT Acquisition Reform Act (FITARA) scorecards

Source: Research findings derived from regulatory analysis and interview data with regulatory experts.
Executive branch initiatives have significantly shaped the policy landscape, with Executive Order 13636 (2013) establishing the NIST CSF, Executive Order 13800 (2017) mandating its use by federal agencies, and Executive Order 14028 (2021) directing sweeping improvements in supply chain security, threat information sharing, and software development practices. Shen (2022) analyzed these executive actions, concluding that they represent "governance by executive order" that has substantially influenced private sector practices despite limited legislative action.
Several researchers have examined the distinctive American model of public-private partnership in cybersecurity. Carr (2016) characterized the U.S. approach as "regulated self-regulation," where government establishes broad expectations while industry determines implementation details. This model has drawn both praise for its flexibility and criticism for potential inconsistency, with Tran (2021) questioning whether it provides sufficient protections for critical infrastructure and consumer data.
2.2. Voluntary Framework Implementation in U.S. Organizations
Research on framework implementation in U.S. organizations reveals distinctive adoption patterns. The NIST CSF has achieved particularly wide adoption, with implementation studies by the Information Technology Industry Council (2020) indicating that approximately 50% of U.S. organizations use it in some form. However, these studies also reveal significant variation in implementation approaches, with only about 30% implementing the framework comprehensively.
Figure 2 Framework Adoption Rates in U.S. Organizations
Several researchers have examined factors influencing framework selection and adaptation in American organizations. Johnson et al. (2020) identified five primary drivers of framework choice: regulatory requirements, industry norms, business partner expectations, board direction, and security team preferences. Their research indicated that organizations in regulated industries typically begin with compliance-oriented frameworks before adopting more comprehensive approaches like the NIST CSF.
Research on implementation approaches reveals a spectrum from strict compliance to risk-based adaptation. Verma and Domingos (2021) documented what they term the "checkbox compliance trap," where organizations focus on framework requirements as ends in themselves rather than tools for risk reduction. Conversely, Friedberg and Skopik (2021) identified organizations employing "strategic framework fusion," combining elements from multiple frameworks to address their specific risk profiles while maintaining compliance with relevant requirements.
Several studies have examined framework adaptation practices unique to U.S. organizations. Morgan and Chess (2020) identified distinctive patterns in how American organizations modify frameworks, including greater emphasis on legal defensibility, inclusion of state-specific requirements, and integration of incident disclosure processes. These adaptations reflect the litigation-oriented business environment and complex regulatory landscape characteristic of the United States.
2.3. Governance Approaches in U.S. Organizations
Governance structures for cyber risk management show distinctive patterns in U.S. organizations compared to international counterparts. Research by Deloitte (2021) found that 62% of Fortune 500 companies have established dedicated cyber-security committees at the board level, substantially higher than global averages of 34%. This reflects both heightened awareness of cyber risks and recognition of potential director liability for security failures.
Several studies have examined reporting structures for cyber-security functions. Bamberger and Mulligan (2019) documented the evolution of CISO roles in U.S. organizations, finding increasing separation from IT reporting lines and greater alignment with risk management and legal functions. Their research indicated that 47% of U.S. CISOs now report to the CEO, COO, or board, significantly higher than in most other regions.
Figure 3 Evolution of CISO Reporting Structures in U.S. Organizations (2018-2023)
Table 3 Interview Participant Demographics

Characteristic | Category | Count | Percentage
Industry Sector | Financial Services | 9 | 24.3%
Industry Sector | Healthcare | 7 | 18.9%
Industry Sector | Technology | 6 | 16.2%
Industry Sector | Critical Infrastructure/Energy | 5 | 13.5%
Industry Sector | Retail/Consumer | 4 | 10.8%
Industry Sector | Manufacturing | 3 | 8.1%
Industry Sector | Government | 3 | 8.1%
Organization Size | Large (>10,000 employees) | 17 | 45.9%
Organization Size | Medium (1,000-10,000 employees) | 14 | 37.8%
Organization Size | Small (<1,000 employees) | 6 | 16.2%
Participant Role | CISO/CSO | 14 | 37.8%
Participant Role | Security Director | 8 | 21.6%
Participant Role | Chief Risk Officer | 6 | 16.2%
Participant Role | Compliance Officer | 4 | 10.8%
Participant Role | Framework Expert | 5 | 13.5%
Geographic Region | Northeast | 12 | 32.4%
Geographic Region | West | 9 | 24.3%
Geographic Region | Midwest | 8 | 21.6%
Geographic Region | South | 8 | 21.6%
Regulatory Environment | Highly Regulated | 18 | 48.6%
Regulatory Environment | Moderately Regulated | 12 | 32.4%
Regulatory Environment | Minimally Regulated | 7 | 18.9%
Framework Experience | Multiple Frameworks | 31 | 83.8%
Framework Experience | Single Framework Focus | 6 | 16.2%

Note: Total participants = 37 from 34 distinct organizations across 12 states.
Research on decision rights and governance processes reveals distinctive patterns in American organizations. Chen and Gupta (2021) identified what they term "federated governance models" where central security functions establish requirements and provide oversight while business units maintain significant implementation authority. This approach aligns with American organizational preferences for business unit autonomy and accountability.
Several researchers have examined the integration of cybersecurity governance with broader risk management processes. Hoffman and Ramakrishna (2022) documented the emergence of "integrated risk governance" approaches in U.S. financial institutions, where cyber risks are managed alongside other operational and strategic risks through common processes and oversight structures. This integration represents a maturation of governance approaches beyond siloed security management.
2.4. Technology Adoption in U.S. Cyber Risk Management
U.S. organizations demonstrate distinctive patterns in cybersecurity technology adoption compared to global counterparts. Research by Forrester (2022) found that U.S. enterprises invest 28% more in security technologies per employee than European counterparts and 43% more than Asia-Pacific organizations. This higher investment reflects both greater risk awareness and the American preference for technological solutions to business challenges.
Several studies have examined technology adoption patterns across different sectors of the U.S. economy. Healthcare organizations show particularly high adoption of identity and access management solutions, reflecting HIPAA requirements and concerns about protected health information. Financial institutions lead in fraud detection and behavioral analytics adoption, while critical infrastructure operators emphasize operational technology (OT) security solutions (McAfee, 2021).
Research on automation technologies reveals accelerating adoption in U.S. organizations. Gartner (2023) reported that 67% of U.S. enterprises now employ security orchestration, automation and response (SOAR) platforms, up from 35% in 2019. This rapid growth reflects intensifying staffing challenges and the increasing complexity of security operations in American organizations.
Several researchers have examined the integration of artificial intelligence into U.S. cyber risk management practices. Zhang and Rodriguez (2021) documented emerging applications of machine learning in threat detection, vulnerability prioritization, and user behavior analytics. Their research indicated that financial services and technology firms lead in AI adoption, while healthcare and government organizations demonstrate more cautious approaches due to explainability concerns and regulatory constraints.
2.5. Sector-Specific Characteristics in U.S. Cyber Risk Management
Research reveals significant variation in cyber risk management approaches across different sectors of the U.S. economy, reflecting diverse regulatory requirements, threat landscapes, and operational constraints.
The financial services sector demonstrates the most mature cyber risk management practices, influenced by regulations including the Gramm-Leach-Bliley Act, NYDFS Cybersecurity Regulation, and Federal Financial Institutions Examination Council (FFIEC) guidance. Research by the Financial Services Information Sharing and Analysis Center (FS-ISAC, 2021) found that 83% of financial institutions implement multiple frameworks simultaneously and 76% employ dedicated GRC platforms for framework management.
The healthcare sector shows distinctive approaches shaped by HIPAA requirements, connected medical device concerns, and life-critical operational constraints. Studies by the Healthcare Information and Management Systems Society (HIMSS, 2022) revealed that healthcare organizations typically emphasize access controls and data protection while struggling with legacy systems, resource constraints, and competing priorities for patient care technology investments.
Critical infrastructure sectors including energy, water, and transportation demonstrate increased focus on operational technology security and cyber-physical systems. Research by the Industrial Control Systems Joint Working Group (2021) found that 64% of U.S. critical infrastructure operators now implement the NIST CSF alongside sector-specific frameworks like NERC CIP or American Water Works Association (AWWA) cybersecurity guidance.
Government agencies at federal, state, and local levels face unique challenges including procurement constraints, legacy systems, and public accountability requirements. A Government Accountability Office study (GAO, 2022) found significant variation in maturity across agencies, with civilian agencies generally lagging behind Department of Defense and intelligence community organizations in framework implementation and technology adoption.
2.6. Research Gaps
Despite substantial research on cyber risk management in U.S. organizations, several important gaps remain. First, while numerous studies have examined framework adoption, relatively few have investigated how organizations effectively adapt these frameworks to achieve appropriate security-efficiency balance within the unique American regulatory and business environment. Second, research on governance approaches has typically focused on formal structures rather than decision processes that effectively balance security requirements with business imperatives. Third, studies of technology adoption have generally focused on specific tools rather than comprehensive strategies for technology-enabled risk management. Finally, cross-sectoral comparisons remain limited, with few studies examining how successful practices vary across different industries within the U.S. economy.
This research aims to address these gaps through comprehensive investigation of how U.S. organizations balance security and efficiency through the integration of voluntary standards and emerging technologies within their cyber risk management approaches.
3. Methodology
3.1. Research Design
This study employed a sequential exploratory mixed-methods design to investigate how U.S. organizations balance security and operational efficiency in cyber risk management. The research followed a qualitative-led approach, with initial in-depth interviews informing the development of a quantitative survey instrument. This design was selected based on its suitability for exploring complex organizational phenomena where contextual understanding is essential (Creswell & Plano Clark, 2018).
The sequential approach allowed findings from the qualitative phase to inform and enhance the quantitative instrument, improving its relevance and validity. Integration of qualitative and quantitative methods provided complementary insights: interviews offered rich contextual understanding of practices and decision-making processes, while survey data enabled testing of patterns across a larger, more representative sample.
4.2.4. Risk Acceptance and Exception Processes
A critical governance function that emerged in the research involves processes for risk acceptance and control exceptions. U.S. organizations demonstrate particularly structured approaches to these processes, reflecting the litigation-aware environment and need for documented risk decisions.
Effective exception processes identified in the research shared several characteristics:
• Clear documentation of business justification and risk implications
• Time-limited exceptions with mandatory reassessment
• Appropriate approval authorities based on risk level
• Alternative compensating controls where feasible
• Regular reporting to oversight bodies
A technology sector security leader described their approach:
"Our exception process is designed to be rigorous but not obstructive. We require business justification, risk assessment, and appropriate approvals based on the risk level. Exceptions are always time-bound with scheduled reassessment. This process acknowledges that one-size-fits-all security doesn't work, but ensures we make and document thoughtful risk decisions rather than accumulating undocumented exceptions." (Participant 27, Technology)
Quantitative analysis revealed that organizations with well-defined exception processes reported better security-business relationships (mean rating 4.4/5) compared to those with ad hoc or unclear processes (2.9/5).
4.3. Technology Integration in U.S. Risk Management
U.S. organizations demonstrate distinctive patterns in how they leverage technology to enhance cyber risk management while minimizing operational friction. Several technology categories emerged as particularly important enablers of effective security-efficiency balance.
4.3.1. Automation and Orchestration
Security automation and orchestration technologies showed particularly high adoption in U.S. organizations, with 72% of survey respondents reporting implementation of some form of automation platform. This high adoption rate reflects both the significant security staffing challenges in the U.S. market and the American preference for technology-driven efficiency improvements.
The most commonly automated functions included:
• Vulnerability scanning and management (implemented by 83% of automation adopters)
• Security configuration assessment (76%)
• User access reviews and certification (67%)
• Security incident response (62%)
• Compliance evidence collection (58%)
Organizations implementing comprehensive automation reported significant time savings (average 24 hours per week per security team member) and improved coverage of security activities (average 37% increase in assets regularly assessed).
A financial services CISO described their automation journey:
"We've systematically identified manual, repetitive security tasks that consumed significant staff time while adding limited value through human judgment. By automating these functions (vulnerability scanning, access reviews, configuration checks, compliance evidence collection) we've freed our analysts to focus on tasks requiring human insight. This hasn't just improved efficiency; it's actually enhanced our security by ensuring consistent execution of baseline activities." (Participant 8, Financial Services)
4.3.2. Governance, Risk, and Compliance Platforms
Integrated governance, risk, and compliance (GRC) platforms show particularly strong adoption in U.S. organizations compared to global averages. Survey results indicated that 64% of respondents use some form of GRC platform to support framework implementation and compliance management, substantially higher than the 43% global adoption rate reported in comparable international studies.

Table 6 GRC Implementation Statistics

Metric                  Value
U.S. Adoption Rate      64%
Global Adoption Rate    43%
Average Time Savings    38.9%
Satisfaction Rating     3.9 / 5

Figure 6 GRC Platform Benefits
4.3.3. These platforms serve several key functions in U.S. organizations:
• Mapping controls across multiple frameworks to reduce duplication
• Automating evidence collection and compliance reporting
• Tracking risk acceptance decisions and exceptions
• Managing assessment and audit processes
• Providing dashboard visibility for executive stakeholders
Organizations using mature GRC implementations reported significant efficiency improvements in compliance activities, with average time reductions of 34% for framework assessments and 41% for evidence collection.
A healthcare compliance director explained their GRC implementation:
"With our regulatory burden spanning HIPAA, state requirements, and PCI DSS, we were drowning in redundant compliance activities. Our GRC platform maps these requirements to a common control framework, allowing unified assessment and evidence collection. What previously required multiple separate efforts now happens through a single assessment process, dramatically reducing the burden on operational teams while improving our compliance visibility." (Participant 22, Healthcare)
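The "common control framework" mapping described above is the mechanism behind the 34%/41% reductions: each common control is assessed once and the result, together with its evidence, is reused for every framework requirement mapped to it. The example below is added here to show that mechanism in working code; it is not the paper's or any GRC product's code. The requirement labels (H-1, P-1, S-1 and so on), the control set and the mapping are constructed placeholders, not real HIPAA, PCI DSS or state-law clause numbers.

```python
"""Cross-framework control mapping: assess each common control once and reuse the
result (and its evidence) for every framework requirement it satisfies.

Constructed example for this article; it is not the paper's or any GRC product's
code. The requirement labels (H-1, P-1, S-1 ...) and the control set are made-up
placeholders, not real HIPAA, PCI DSS or state-law clause numbers.
"""
from collections import defaultdict

# Constructed requirement inventory: framework -> {requirement id: short summary}
REQUIREMENTS = {
    "HIPAA": {
        "H-1": "Unique user identification",
        "H-2": "Encrypt ePHI at rest",
        "H-3": "Audit logging of ePHI access",
        "H-4": "Workforce security training",
    },
    "PCI": {
        "P-1": "Unique ID for each user",
        "P-2": "Render stored PAN unreadable",
        "P-3": "Log all access to cardholder data",
        "P-4": "Quarterly vulnerability scans",
    },
    "STATE": {
        "S-1": "Encrypt personal information at rest",
        "S-2": "Retain security logs",
        "S-3": "Breach notification procedure",
    },
}

# Constructed mapping: common control -> the framework requirements it satisfies.
# Each common control must be at least as strict as every requirement mapped to it;
# that is the claim an auditor will test, and this code takes it as given.
COMMON_CONTROLS = {
    "CC-IAM-01": {"HIPAA": ["H-1"], "PCI": ["P-1"]},
    "CC-CRY-01": {"HIPAA": ["H-2"], "PCI": ["P-2"], "STATE": ["S-1"]},
    "CC-LOG-01": {"HIPAA": ["H-3"], "PCI": ["P-3"], "STATE": ["S-2"]},
    "CC-VUL-01": {"PCI": ["P-4"]},
}


def build_plan(requirements, common_controls):
    """Return (coverage, gaps).

    coverage: common control -> [(framework, requirement)] it satisfies, i.e. the
              unified assessment list;
    gaps:     requirements no common control covers, which still need their own
              assessment (these are the ones a mapping exercise tends to forget).
    Raises ValueError if the mapping references a requirement that is not in the
    inventory, so a stale mapping cannot silently claim coverage.
    """
    coverage = {}
    mapped = set()
    for cc, fw_map in common_controls.items():
        satisfied = []
        for fw, reqs in fw_map.items():
            for r in reqs:
                if r not in requirements.get(fw, {}):
                    raise ValueError(f"{cc} maps to unknown requirement {fw}:{r}")
                satisfied.append((fw, r))
                mapped.add((fw, r))
        coverage[cc] = satisfied
    gaps = [(fw, r) for fw, reqs in requirements.items() for r in reqs
            if (fw, r) not in mapped]
    return coverage, gaps


def dedup_ratio(requirements, common_controls):
    """Fraction of per-framework assessments avoided by assessing common controls."""
    total = sum(len(reqs) for reqs in requirements.values())
    coverage, gaps = build_plan(requirements, common_controls)
    return 1 - (len(coverage) + len(gaps)) / total


def evidence_reuse(common_controls, evidence):
    """Attach one evidence artifact, collected once per common control, to every
    requirement that control satisfies. evidence: common control -> artifact ref."""
    per_requirement = defaultdict(list)
    for cc, artifact in evidence.items():
        for fw, reqs in common_controls[cc].items():
            for r in reqs:
                per_requirement[f"{fw}:{r}"].append(artifact)
    return dict(per_requirement)


if __name__ == "__main__":
    coverage, gaps = build_plan(REQUIREMENTS, COMMON_CONTROLS)
    for cc, sat in coverage.items():
        print(cc, "->", ", ".join(f"{fw}:{r}" for fw, r in sat))
    print("unmapped (assess separately):", gaps)
    print(f"assessments avoided: {dedup_ratio(REQUIREMENTS, COMMON_CONTROLS):.0%}")
```

With the constructed inventory, eleven framework requirements collapse into four common-control assessments plus two uncovered requirements (HIPAA training, state breach notification), so five of eleven assessments are avoided. The two checks worth keeping in any real implementation are the ones the quote does not mention: the gap list, because an unmapped requirement is not satisfied just because the mapping is silent about it, and the strictness rule in the comment, because a common control is only valid evidence if it meets the most demanding requirement mapped to it (a generic "vulnerability scanning" control does not satisfy a quarterly-cadence requirement unless its statement carries that cadence).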
4.3.4. Analytics and Visualization Technologies
Advanced analytics and visualization technologies represent a growing area of investment for U.S. organizations seeking to enhance risk visibility without increasing assessment burden. Survey results indicated that 58% of respondents now employ some form of security analytics platform, with adoption highest in financial services (76%) and technology sectors (72%).
These technologies support security-efficiency balance through several mechanisms:
• Automated risk scoring and prioritization reducing manual assessment
• Visualization tools improving executive understanding and decision-making
• Predictive analytics identifying emerging risks for proactive mitigation
• Benchmarking capabilities enabling targeted improvement investments
Organizations implementing advanced analytics reported improved ability to focus security efforts on the most significant risks (mean rating 4.3/5) compared to those using traditional assessment approaches (3.1/5).
A critical infrastructure security leader described their analytics approach:
"Our analytics platform ingests data from multiple security systems to create a dynamic risk picture without requiring additional manual assessments. It automatically identifies our highest-risk assets based on vulnerabilities, threats, and business value. This ensures our limited resources focus on the controls and systems that matter most to our risk profile, rather than treating everything with equal priority." (Participant 29, Energy)
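The automated risk scoring listed above, and the three inputs the quote names (vulnerabilities, threats, business value), can be shown concretely with a small scoring model. The example below is added for this article and is not the paper's or any analytics platform's model; the field names, weights and sample inventory are assumptions, and the vulnerability identifiers are placeholders rather than real CVE numbers. The point it makes is the one the quote makes: an internet-facing, high-value asset with one known-exploited medium-high finding outranks an internal low-value system carrying three critical-severity findings.

```python
"""Automated asset risk scoring and prioritization from three inputs:
vulnerability severity, threat exposure, and business value.

Constructed example for this article, not the paper's or any analytics
platform's model. Field names, weights and the sample inventory are assumptions;
vulnerability ids are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass, field


@dataclass
class Vuln:
    vid: str
    cvss: float               # CVSS base score, 0-10
    exploited_in_wild: bool   # e.g. listed in CISA's KEV catalog


@dataclass
class Asset:
    name: str
    business_value: int       # 1 (low) .. 5 (crown jewel), from the asset inventory
    internet_facing: bool
    vulns: list = field(default_factory=list)


def vuln_pressure(asset):
    """Severity term driven by the worst finding, with a small additive term for the
    rest so one critical outranks ten lows but many highs still add up. Capped at 10."""
    if not asset.vulns:
        return 0.0
    scores = sorted((v.cvss for v in asset.vulns), reverse=True)
    return min(10.0, scores[0] + 0.1 * sum(scores[1:]))


def threat_exposure(asset):
    """Multiplier for how reachable and how actively targeted the asset is."""
    m = 1.0
    if asset.internet_facing:
        m += 0.5
    if any(v.exploited_in_wild for v in asset.vulns):
        m += 1.0
    return m


def risk_score(asset):
    """severity x exposure x business value; 0 for an asset with no open findings."""
    return vuln_pressure(asset) * threat_exposure(asset) * asset.business_value


def prioritize(assets):
    """Highest-risk first: [(score, asset name)]."""
    return sorted(((risk_score(a), a.name) for a in assets), reverse=True)


# Constructed sample inventory (four assets, placeholder vulnerability ids)
SAMPLE_ASSETS = [
    Asset("payments-api", 5, True, [Vuln("VULN-1", 7.5, True)]),
    Asset("hr-intranet", 2, False, [Vuln("VULN-2", 9.8, False),
                                     Vuln("VULN-3", 9.1, False),
                                     Vuln("VULN-4", 8.8, False)]),
    Asset("marketing-site", 1, True, [Vuln("VULN-5", 5.3, False)]),
    Asset("build-server", 4, False, []),
]

if __name__ == "__main__":
    for score, name in prioritize(SAMPLE_ASSETS):
        print(f"{score:6.2f}  {name}")
```

The weights are deliberately simple; what matters for a practitioner is that the business-value and exposure terms come from maintained sources (the asset inventory and an external exploitation feed) rather than from the scanner, because a score computed from scanner output alone just reproduces the scanner's own severity ordering and treats every asset with equal priority.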
4.3.5. Identity and Access Management Solutions
Identity and access management (IAM) technologies emerged as particularly critical enablers of security-efficiency balance in U.S. organizations. These technologies simultaneously strengthen security controls while improving user experience, directly addressing the security-efficiency tension.
Survey results indicated that 79% of respondents have implemented advanced IAM solutions, with particularly high adoption of:
• Single sign-on (SSO) technologies (83% of IAM adopters)
• Multi-factor authentication (MFA) solutions (78%)
• Privileged access management (PAM) systems (71%)
• Identity governance and administration (IGA) platforms (64%)
• Risk-based authentication systems (52%)
Organizations with mature IAM implementations reported both security improvements (average 67% reduction in credential-based incidents) and efficiency benefits (average 24 minutes saved per user per week).
A technology sector CISO explained:
"Advanced IAM has been our most successful security investment from a security-efficiency perspective. It strengthens authentication while reducing friction through SSO. It automates access reviews and certification processes that previously consumed thousands of hours. And it provides granular access controls that let us implement least privilege without disrupting legitimate work. It's rare to find security technologies that so clearly improve both security and operational efficiency." (Participant 15, Technology)
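Automated access review and certification appears twice in this section: as the third most commonly automated function in 4.3.1 and as the "thousands of hours" saving in the quote above. The example below is added to show what that automation actually decides; it is not the paper's or any IGA product's code, and the roles, entitlement names, accounts and dates are constructed. It compares each account's entitlements with a role baseline (the least-privilege check), applies a dormancy window that is tighter for privileged accounts, and routes only the exceptions to a human reviewer.

```python
"""Automated access review / certification: compare each account's entitlements
with its role baseline and check for dormancy, so reviewers certify only the
exceptions and conformant active accounts are auto-certified.

Constructed example for this article, not the paper's or any IGA product's code.
Roles, entitlement names, accounts and dates are made up.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    user: str
    role: str
    entitlements: frozenset
    last_login: date
    privileged: bool = False   # e.g. held in the PAM vault


# Constructed role baselines: the maximum entitlement set a role should carry
ROLE_BASELINE = {
    "developer": frozenset({"git:read", "git:write", "ci:run"}),
    "analyst": frozenset({"siem:read", "tickets:write"}),
    "dba": frozenset({"db:admin", "db:read"}),
}


def review(accounts, baselines, today, dormant_days=90, privileged_dormant_days=30):
    """Return findings as (user, finding, detail), in account order.

    excess_entitlement: rights outside the role baseline (least-privilege violation)
    dormant_account:    no login within the window (tighter window for privileged)
    unknown_role:       no baseline exists, so the account cannot be auto-certified
    """
    findings = []
    for acct in accounts:
        base = baselines.get(acct.role)
        if base is None:
            findings.append((acct.user, "unknown_role", acct.role))
            continue
        excess = acct.entitlements - base
        if excess:
            findings.append((acct.user, "excess_entitlement", sorted(excess)))
        idle = (today - acct.last_login).days
        limit = privileged_dormant_days if acct.privileged else dormant_days
        if idle > limit:
            findings.append((acct.user, "dormant_account", idle))
    return findings


def summarize(accounts, findings):
    """(total accounts, accounts needing a human decision, share auto-certified)."""
    flagged = {user for user, _, _ in findings}
    return len(accounts), len(flagged), 1 - len(flagged) / len(accounts)


# Constructed review population; TODAY fixes the clock so results are reproducible
TODAY = date(2025, 5, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "developer", frozenset({"git:read", "git:write", "ci:run"}), date(2025, 4, 28)),
    Account("bob", "developer", frozenset({"git:read", "git:write", "ci:run", "db:admin"}), date(2025, 4, 21)),
    Account("carol", "analyst", frozenset({"siem:read"}), date(2025, 1, 1)),
    Account("dave", "contractor", frozenset({"git:read"}), date(2025, 4, 30)),
    Account("erin", "dba", frozenset({"db:admin", "db:read"}), date(2025, 3, 17), privileged=True),
    Account("frank", "analyst", frozenset({"siem:read", "tickets:write"}), date(2025, 4, 29)),
    Account("gina", "developer", frozenset({"git:read"}), date(2025, 4, 30)),
]

if __name__ == "__main__":
    found = review(SAMPLE_ACCOUNTS, ROLE_BASELINE, TODAY)
    for user, finding, detail in found:
        print(f"{user:6} {finding:18} {detail}")
    total, flagged, auto = summarize(SAMPLE_ACCOUNTS, found)
    print(f"{flagged}/{total} accounts need a reviewer; {auto:.0%} auto-certified")
```

Two design points carry over to real deployments. An account holding a subset of its role baseline (gina) is not a finding, since least privilege is an upper bound, not a target. And an account with no baseline (dave) is never auto-certified: silently approving what the model cannot describe is how review automation turns into rubber-stamping, which is the failure the quote's "thousands of hours" of manual certification was guarding against.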
4.3.6. Implementation Challenges
Despite their benefits, technology implementations present several challenges for U.S. organizations. The most frequently reported challenges in the survey included:
• Integration difficulties with existing systems (cited by 76%)
• Skills gaps for effective implementation and operation (69%)
• Cost justification and ROI demonstration (65%)
• Prioritization among competing technology investments (61%)
• Vendor risk management concerns (58%)
Qualitative findings revealed that technology implementation challenges often reflected broader organizational issues.
A retail sector security leader observed:
"The technology itself rarely causes implementation failures. The real challenges are organizational: unclear requirements, insufficient executive sponsorship, inadequate change management, and business processes that aren't ready for the technology. We've learned to invest as much in organizational readiness as in the technology itself." (Participant 10, Retail)
Table 7 Technology Implementation Challenges
Columns: Challenge | % Reporting | Description | Most Affected Sectors | Effective Mitigation Approaches

Integration with Existing Systems | 76%
  Description: Difficulty connecting new security technologies with legacy systems, enterprise apps, and existing tools
  Most affected sectors: Healthcare (88%), Government (83%), Financial Services (79%)
  Effective mitigation approaches: API-first selection criteria; integration proof-of-concepts; phased implementation plans; cross-functional integration teams

Skills Gaps | 69%
  Description: Shortage of expertise to implement, configure, and maintain complex security technologies
  Most affected sectors: Manufacturing (81%), Healthcare (76%), Energy (72%)
  Effective mitigation approaches: Targeted training programs; vendor professional services; strategic hiring; implementation partnerships; certification programs

Cost Justification and ROI | 65%
  Description: Difficulty demonstrating value and ROI of security investments to stakeholders
  Most affected sectors: Retail (78%), Manufacturing (74%), Government (72%)
  Effective mitigation approaches: Business-aligned metrics; pre/post implementation measurement; risk-based business cases; early wins; operational efficiency metrics

Competing Technology Priorities | 61%
  Description: Budget/resource competition between security and other IT/business initiatives
  Most affected sectors: Technology (77%), Retail (69%), Healthcare (63%)
  Effective mitigation approaches: Risk-based prioritization; alignment with business/regulatory goals; incremental funding approaches

Vendor Risk Management | 58%
  Description: Concerns over third-party security practices and long-term vendor viability
  Most affected sectors: Financial Services (75%), Healthcare (67%), Government (64%)
  Effective mitigation approaches: Vendor risk assessments; contractual security clauses; source code escrow; multi-vendor strategy; ongoing vendor evaluations

Business Process Disruption | 52%
  Description: Disruption to operations, workflows, and employee resistance during implementation
  Most affected sectors: Financial Services (63%), Healthcare (59%), Retail (56%)
  Effective mitigation approaches: Phased rollout; user involvement in design; change management programs; executive sponsorship; parallel operations

Data Quality Issues | 49%
  Description: Poor data integrity impacting analytics, automation, and detection platforms
  Most affected sectors: Manufacturing (64%), Government (57%), Energy (53%)
  Effective mitigation approaches: Data cleansing initiatives; source system improvements; data governance programs; quality monitoring and feedback

Performance Impacts | 43%
  Description: Security tools affecting system performance, UX, or transaction speed
  Most affected sectors: Financial Services (62%), Retail (56%), Technology (48%)
  Effective mitigation approaches: Performance testing; system tuning; deployment optimization; lightweight agent design

Governance and Compliance | 37%
  Description: Ensuring compliance with regulations and internal policies in new technology deployments
  Most affected sectors: Healthcare (58%), Financial Services (53%), Energy (45%)
  Effective mitigation approaches: Early compliance involvement; regulatory mapping; compliance-by-design; automated documentation

Source: Survey data (n = 156). Percentages reflect respondents identifying each challenge as significant or very significant. Sector data represents prevalence of the challenge within each industry segment.
Organizations reporting the most successful technology implementations demonstrated structured approaches including:
• Business case development with clearly defined success criteria
• Phased implementation with defined success metrics at each stage
• Cross-functional implementation teams including business stakeholders
• Structured change management and user adoption processes
• Continuous improvement cycles with regular reassessment
4.4. Sector-Specific Patterns in U.S. Risk Management
Analysis revealed significant variation in cyber risk management approaches across different sectors of the U.S. economy, reflecting diverse regulatory requirements, threat landscapes, operational constraints, and maturity levels.
4.4.1. Financial Services Sector
The U.S. financial services sector demonstrated the most mature cyber risk management practices among the industries studied. This sector faces a complex regulatory landscape including Gramm-Leach-Bliley Act requirements, NYDFS Cybersecurity Regulation, FFIEC guidance, and OCC standards.
Distinctive characteristics of financial sector approaches included:
• Comprehensive framework implementation combining regulatory requirements with voluntary standards (average 3.7 frameworks per organization)
• Sophisticated threat intelligence capabilities with sector-specific threat modeling
• Advanced detection and response capabilities with heavy automation investment
• Substantial third-party risk management programs reflecting supply chain concerns
• Board-level risk committees with dedicated cybersecurity expertise
A banking sector CISO described their approach:
"Our risk management program balances three imperatives: regulatory compliance, threat-based security, and business enablement. We maintain a mature control environment mapped to multiple frameworks, but we're equally focused on threat intelligence and advanced detection. The regulatory requirements establish our baseline, but our program extends well beyond compliance to address the specific threats targeting financial institutions." (Participant 6, Financial Services)
Financial institutions reported the highest technology investment levels among sectors studied (average 14% of IT budget allocated to security) and the most advanced governance structures, with 82% reporting dedicated board risk committees with cybersecurity oversight.
4.4.2. Healthcare Sector
The healthcare sector demonstrated distinctive risk management patterns shaped by HIPAA requirements, patient safety concerns, and complex technology environments spanning traditional IT, clinical systems, and connected medical devices.
Key characteristics of healthcare approaches included:
• Strong emphasis on data protection controls reflecting HIPAA requirements
• Challenges balancing security with clinical operational requirements
• Significant legacy technology constraints limiting security implementation options
• Growing focus on medical device security and clinical network segmentation
• Increasing collaboration between security and clinical engineering functions
A healthcare security director explained their sector-specific challenges:
"Healthcare presents unique security challenges: 24/7 operations where minutes matter for patient care, legacy clinical systems that can't be easily upgraded, and connected medical devices with 10-15 year lifecycles. Our approach emphasizes strong data protection per HIPAA but recognizes that we must balance security with clinical imperatives. We focus on defense-in-depth and compensating controls where we can't implement standard security measures due to clinical constraints." (Participant 19, Healthcare)
Healthcare organizations reported significant resource constraints compared to financial and technology sectors, with security budgets averaging 9% of IT spending. They also reported higher levels of security exceptions (average 36 active exceptions per organization), reflecting the challenges of securing complex clinical environments with patient care priorities.
4.4.3. Critical Infrastructure Sectors
Critical infrastructure sectors including energy, water, and transportation showed risk management approaches heavily influenced by operational technology (OT) considerations and increasing regulatory attention following recent high-profile incidents.
Distinctive characteristics included:
• Growing convergence of IT and OT security programs with unified governance
• Substantial focus on availability and reliability alongside confidentiality concerns
• Increasing adoption of industrial-specific frameworks and controls
• Significant collaboration with government agencies on threat intelligence
• Advanced incident response capabilities for cyber-physical incidents
An energy sector security leader described their evolving approach:
"Critical infrastructure security has transformed from primarily physical protection to a sophisticated cyber-physical approach. We've moved beyond air-gapped OT systems to acknowledge the reality of IT/OT convergence. Our risk management now spans traditional IT assets, operational technology, and industrial control systems under a unified governance model. We've developed specific security standards for each environment while maintaining consistent risk management processes across the organization." (Participant 25, Energy)
Critical infrastructure organizations reported increasing regulatory pressure following the Colonial Pipeline incident and subsequent executive orders, with 73% anticipating new compliance requirements within the next two years. These organizations were also most likely to report active participation in public-private partnerships for threat intelligence sharing (78% compared to 52% across all sectors).
4.4.4. Technology Sector
The U.S. technology sector demonstrated distinctive risk management approaches reflecting both advanced capabilities and unique challenges as both security consumers and providers.
Key characteristics included:
• Security deeply integrated with development and engineering processes
• Strong emphasis on automation and security-as-code approaches
• Advanced application security programs with developer-focused tools
• Significant focus on supply chain security for both inputs and products
• Challenge of balancing innovation speed with security requirements
A technology company CISO described their sector-specific approach:
"As a technology provider, we face the dual challenge of securing our own environment while ensuring our products are secure for customers. Our risk management approach emphasizes integration into development processes: secure by design, automated security testing, and continuous monitoring throughout the development lifecycle. We've moved beyond traditional security gates that slow innovation toward automated guardrails that enable secure development at speed." (Participant 14, Technology)
Technology organizations reported the highest levels of security automation (92% implementing SOAR platforms) and the most advanced DevSecOps practices, with 76% reporting "significant" or "comprehensive" integration of security into development processes.
4.5. The USA Cyber Risk Integration Framework
Figure 7 USA Cyber Risk Integration Framework
Building on the research findings, we developed a USA Cyber Risk Integration Framework that synthesizes effective approaches to balancing security and efficiency within the unique American regulatory and business context, as shown in Figure 7. This framework addresses the distinctive characteristics of U.S. organizations while providing a structured approach to effective cyber risk management.
4.5.1. Framework Components
The USA Cyber Risk Integration Framework comprises five interconnected components, each addressing critical dimensions of balanced risk management:
Strategic Governance establishes the organizational structures and processes for aligning cybersecurity with business objectives and regulatory requirements. This component encompasses:
• Board-level oversight structures with appropriate expertise
• Executive steering committees with cross-functional representation
• Federated governance models balancing central oversight with business unit autonomy
• Structured risk acceptance and exception processes
• Clear delineation of security accountabilities across business functions
Framework Optimization addresses the selection, adaptation, and implementation of cybersecurity frameworks to meet organizational requirements while minimizing duplication and inefficiency. This component includes:
• Framework selection methodology based on regulatory and business requirements
• Mapping and harmonization across multiple frameworks
• Sector-specific adaptations and extensions
• Documentation approach supporting legal defensibility
• Maturity model for progressive implementation
Technology Enablement focuses on leveraging appropriate technologies to enhance risk management effectiveness while reducing operational friction. This component covers:
• Technology selection criteria aligned with risk priorities
• Automation strategy for high-volume, low-judgment activities
• Analytics capabilities supporting risk-based decision-making
• GRC platform implementation for streamlined compliance
• Identity and access solutions balancing security with usability
Business Integration addresses the alignment of security activities with business processes and objectives. This component encompasses:
• Security integration into business planning and strategic initiatives
• Balanced metrics addressing both security effectiveness and business impact
• Tailored security approaches for different business functions
• Security champions programs embedding expertise in business units
• Executive engagement model building security understanding
Continuous Adaptation enables ongoing evolution of the security program in response to changing threats, regulations, and business requirements. This component includes:
• Threat intelligence integration processes
• Regulatory horizon scanning capabilities
• Feedback mechanisms for operational impact assessment
• Performance measurement and program optimization
• Continuous improvement methodology
4.5.2. Implementation Approach
The framework is designed for iterative implementation, with organizations progressing through four phases of increasing maturity:
• Phase 1: Foundation Building focuses on establishing essential governance structures, implementing basic framework elements, and deploying foundational technologies. This phase creates the necessary infrastructure for effective risk management while addressing the most critical security gaps.
• Phase 2: Optimization and Efficiency emphasizes streamlining compliance activities, reducing redundancy across frameworks, and implementing automation for routine security processes. This phase significantly improves operational efficiency while maintaining security effectiveness.
• Phase 3: Business Integration addresses deeper alignment between security and business functions, with security controls and processes integrated into business workflows rather than operating as separate activities. This phase substantially improves the security-efficiency balance through thoughtful integration.
• Phase 4: Strategic Enablement positions security as a strategic business enabler rather than a compliance function, with security capabilities actively supporting business innovation and competitive advantage. This phase represents the highest maturity level, where security adds business value beyond risk reduction.
4.5.3. Sectoral Adaptations
The framework includes specific adaptation guidance for different sectors of the U.S. economy, recognizing the distinctive requirements and constraints across industries:
• Financial Services Adaptation emphasizes integration across multiple regulatory frameworks, advanced threat intelligence capabilities, sophisticated third-party risk management, and alignment with business innovation initiatives.
• Healthcare Adaptation focuses on balancing HIPAA compliance with clinical operations, addressing medical device security challenges, implementing appropriate compensating controls for legacy systems, and aligning security with patient safety objectives.
• Critical Infrastructure Adaptation addresses IT/OT convergence challenges, availability-focused risk assessment, sector-specific threat modeling, and collaboration with government partners on intelligence and incident response.
• Technology Sector Adaptation emphasizes integration with development processes, product security considerations, supply chain risk management, and balancing innovation speed with security requirements.
4.5.4. Validation and Application
The framework was validated through expert review with 12 senior security leaders and pilot application in three organizations across different sectors. Initial results indicate that the framework provides practical guidance for organizations seeking to improve security-efficiency balance, with pilot organizations reporting enhanced stakeholder satisfaction, improved risk visibility, and reduced operational friction.
The framework proved particularly effective in helping organizations:
• Identify and address governance gaps inhibiting effective balance
• Streamline compliance activities across multiple frameworks
• Select and implement appropriate enabling technologies
• Develop more business-aligned security approaches
5. Discussion
5.1. The Evolution of U.S. Cyber Risk Management
Our findings reveal an ongoing transformation in how U.S. organizations approach cyber risk management. The traditional compliance-oriented model, characterized by checklist approaches, technology-centric controls, and limited business integration, is giving way to more sophisticated approaches that balance security imperatives with operational requirements.
This evolution reflects broader maturation of cybersecurity as a business function rather than a purely technical domain. As one participant observed:
"We've seen cybersecurity evolve from an IT sub-function focused on firewalls and antivirus to a true enterprise risk management discipline with board visibility and business integration. This evolution parallels the transformation of other business functions like quality management, which similarly progressed from technical specialization to enterprise-wide management system." (Participant 1, Financial Services)
The research indicates that this transformation occurs along multiple dimensions simultaneously:
• Governance Evolution: From IT-dominated committees to cross-functional bodies with executive and board representation
• Framework Implementation: From strict compliance approaches to risk-based adaptation and business integration
• Technology Adoption: From point solutions addressing specific threats to integrated platforms enabling comprehensive risk management
• Organizational Positioning: From technical support function to strategic business partner
Organizations further along in this evolution demonstrate significantly better security-efficiency balance, suggesting that maturation naturally addresses many traditional tensions between security and operations.
5.2. The Distinctive American Approach
The research highlights several characteristics that distinguish U.S. cyber risk management approaches from international patterns described in the literature. These distinctive elements reflect the unique American regulatory landscape, business culture, and technological environment.
5.2.1. Legal and Regulatory Influences
The fragmented U.S. regulatory landscape significantly shapes risk management approaches. Unlike jurisdictions with comprehensive cybersecurity legislation, U.S. organizations must navigate sector-specific regulations, state-level requirements, and the implicit obligations created through litigation and enforcement actions.
This environment creates what one participant termed "compliance ambiguity", where organizations lack clear, comprehensive standards but face potential liability for security failures. This ambiguity has driven the strong adoption of voluntary frameworks as de facto standards for reasonable security. As a financial services attorney observed:
"The U.S. lacks a single, comprehensive cybersecurity law, but that doesn't mean organizations operate without obligations. The combination of sectoral regulations, FTC enforcement, state laws, and the common law duty of care creates significant compliance requirements. Voluntary frameworks like the NIST CSF provide a structured approach to navigate this complex landscape while establishing legal defensibility." (Participant 35, Legal Expert)
This legal environment particularly influences documentation practices, with U.S. organizations demonstrating more extensive documentation of risk decisions, control implementations, and security governance than described in international studies. This documentation serves both operational and legal purposes, creating an audit trail for potential regulatory investigations or litigation.
5.2.2. The Federated Implementation Model
The research revealed what appears to be a distinctly American approach to implementation through federated governance models. This approach balances central oversight with significant business unit autonomy, reflecting broader American corporate culture that values decentralized decision-making and business unit accountability.
This model differs from both the centralized approaches common in European organizations and the highly decentralized approaches sometimes observed in Asian conglomerates. As one multinational security leader explained:
"In our European operations, we see more centralized security functions with stronger authority over business units. In our Asian operations, security is often highly decentralized with limited enterprise standards. Our U.S. approach sits between these extremes: we establish enterprise requirements and maintain central visibility, but business units have significant implementation flexibility within those guardrails." (Participant 30, Manufacturing)
The federated model appears particularly well-suited to the U.S. business environment, allowing organizations to maintain consistent security posture while accommodating the operational diversity and autonomy valued in American corporate culture.