Exploring Critical Success Factors in Compliance-Driven Cyber Insurance within Malaysian Organizations: A COBIT 5 enabler approach

Authors

  • Nor Hasnul Azirah Abdul Hamid, College of Computing, Informatics and Mathematics, UiTM Cawangan Terengganu Kampus Kuala Terengganu, Malaysia
  • Mazita Mokhtar, Faculty of Industrial Management, Universiti Malaysia Pahang Al-Sultan Abdullah, Malaysia
  • Wan Khairul Anuar Wan Abd Manan, Faculty of Industrial Management, Universiti Malaysia Pahang Al-Sultan Abdullah, Malaysia
  • Husna Hashim, Faculty of Industrial Management, Universiti Malaysia Pahang Al-Sultan Abdullah, Malaysia

DOI:

https://doi.org/10.21834/e-bpj.v10iSI31.6936

Keywords:

Cyber Insurance, Compliance-Driven, Critical Success Factors, COBIT 5 enablers

Abstract

In today's cybersecurity landscape, simply acquiring cyber insurance is insufficient; its effectiveness relies on adherence to cybersecurity standards. This study explores critical success factors (CSFs) for compliance-driven cyber insurance in Malaysian organizations using the COBIT 5 enablers. The research identifies key factors essential for effective compliance-driven cyber insurance implementation through semi-structured interviews with industry experts. The findings align ten themes and seventeen sub-themes from qualitative analysis with the seven COBIT 5 enablers, emphasizing a holistic approach to enhance governance, risk management, and organizational resilience. This research offers valuable insights for organizations aiming to strengthen cyber resilience through compliance-aligned insurance strategies.

Published

2025-05-31

How to Cite

Abdul Hamid, N. H. A., Mokhtar, M., Wan Abd Manan, W. K. A., & Hashim, H. (2025). Exploring Critical Success Factors in Compliance-Driven Cyber Insurance within Malaysian Organizations: A COBIT 5 enabler approach. Environment-Behaviour Proceedings Journal, 10(SI31), 77–84. https://doi.org/10.21834/e-bpj.v10iSI31.6936