Risk Management and Insider Threats Mitigation in a Digital Environment: An Empirical Study

Authors

Olukayode Sorunke

Principal Consultant / Senior Researcher, International CyberAnalytics Consulting Group, United States of America (USA)

Article Information

DOI: 10.47772/IJRISS.2026.10100502

Subject Category: Technology

Volume/Issue: 10/1 | Page No: 6454-6464

Publication Timeline

Submitted: 2026-01-26

Accepted: 2026-02-03

Published: 2026-02-14

Abstract

Insider threats remain one of the most persistent and damaging risks to organizational information security, largely because trusted access, human behavior, and governance weaknesses allow them to bypass traditional perimeter-based controls. As organizations increasingly adopt digital transformation, cloud computing, and remote work arrangements, the scale and complexity of insider threats continue to grow. This study empirically examines the role of enterprise risk management (ERM) in enhancing the effectiveness of insider threat mitigation by integrating governance, technical, and human-centric controls.
Using a quantitative, cross-sectional research design, data were collected from 210 cybersecurity, risk management, audit, and compliance professionals across multiple industries in North America and Europe. The study employs descriptive statistics, correlation analysis, hierarchical multiple regression, and moderation analysis to evaluate the relationships among ERM maturity, access control enforcement, monitoring and analytics capability, security awareness training, and insider threat mitigation effectiveness.
The results indicate that ERM maturity is a significant predictor of insider threat mitigation effectiveness, accounting for a substantial proportion of the variance in organizational outcomes. Furthermore, access controls, continuous monitoring, and security awareness training each contribute independently to improved mitigation effectiveness. Importantly, the interaction effects reveal that security awareness training positively moderates the effectiveness of technical controls, demonstrating a complementary relationship between human-centric and technical measures.
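The abstract names hierarchical multiple regression followed by a moderation step as the analytic method, but does not show what that step looks like. The block below is an added example, not code or data from the study: a dependency-free Python implementation run over a constructed synthetic survey (fixed seed, 1 to 5 Likert-style scores), showing how the predictors are entered in blocks, how the mean-centred technical-controls x awareness product is added as the final step, and how the interaction coefficient and the incremental R² are read. The variable names, the true coefficients used to generate the data, the sample size of 210 and the composite "technical controls" score (mean of access control and monitoring) are all assumptions for illustration.

```python
"""Hierarchical regression with a moderation (interaction) step, pure Python.

Added example: the survey rows are synthetic (constructed with a fixed seed),
not the study's data. All coefficients below are assumed for illustration."""
import random


def solve(A, b):
    """Solve A x = b by Gaussian elimination with partial pivoting."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[pivot] = M[pivot], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for c in range(col, n + 1):
                M[r][c] -= f * M[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][c] * x[c] for c in range(r + 1, n))) / M[r][r]
    return x


def ols(X, y):
    """Ordinary least squares via the normal equations (intercept added here).
    Returns (coefficients, R^2); coefficients[0] is the intercept."""
    Xi = [[1.0] + row for row in X]
    k = len(Xi[0])
    XtX = [[sum(r[i] * r[j] for r in Xi) for j in range(k)] for i in range(k)]
    Xty = [sum(r[i] * yi for r, yi in zip(Xi, y)) for i in range(k)]
    beta = solve(XtX, Xty)
    ybar = sum(y) / len(y)
    ss_tot = sum((yi - ybar) ** 2 for yi in y)
    ss_res = sum((yi - sum(b * xj for b, xj in zip(beta, r))) ** 2
                 for r, yi in zip(Xi, y))
    return beta, 1.0 - ss_res / ss_tot


def make_survey(n=210, seed=7):
    """Constructed respondents. Mitigation effectiveness is generated from ERM
    maturity, technical controls, awareness, and an assumed positive
    technical-controls x awareness interaction (0.2), plus Gaussian noise."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        erm, access, monitor, aware = (rng.randint(1, 5) for _ in range(4))
        tech = (access + monitor) / 2.0
        mitigation = (1.0 + 0.4 * erm + 0.3 * tech + 0.25 * aware
                      + 0.2 * (tech - 3.0) * (aware - 3.0)
                      + rng.gauss(0, 0.5))
        rows.append({"erm": erm, "access": access, "monitor": monitor,
                     "aware": aware, "mitigation": mitigation})
    return rows


def hierarchical_regression(rows):
    """Step 1: ERM maturity only. Step 2: add access control, monitoring and
    awareness. Step 3: add the mean-centred technical x awareness product.
    Returns R^2 per step, the R^2 gained by the interaction, and its coefficient."""
    y = [r["mitigation"] for r in rows]
    mean = lambda key: sum(r[key] for r in rows) / len(rows)
    m_acc, m_mon, m_aw = mean("access"), mean("monitor"), mean("aware")
    step1 = [[r["erm"]] for r in rows]
    step2 = [[r["erm"], r["access"], r["monitor"], r["aware"]] for r in rows]
    # Centring both factors before multiplying keeps the main effects interpretable.
    step3 = [row + [((r["access"] - m_acc) + (r["monitor"] - m_mon)) / 2.0
                    * (r["aware"] - m_aw)]
             for row, r in zip(step2, rows)]
    r2 = {}
    _, r2["step1_erm"] = ols(step1, y)
    _, r2["step2_controls"] = ols(step2, y)
    beta3, r2["step3_interaction"] = ols(step3, y)
    return {"r2": r2,
            "delta_r2_interaction": r2["step3_interaction"] - r2["step2_controls"],
            "interaction_coef": beta3[-1]}


if __name__ == "__main__":
    result = hierarchical_regression(make_survey())
    for step, value in result["r2"].items():
        print(f"{step:>18}: R^2 = {value:.3f}")
    print(f"interaction coefficient = {result['interaction_coef']:.3f}, "
          f"delta R^2 = {result['delta_r2_interaction']:.3f}")
```

A positive interaction coefficient with a non-trivial R² gain in step 3 is what "awareness training positively moderates the effectiveness of technical controls" means operationally: the slope of mitigation on technical controls grows with awareness. Because the generating model here is known, the recovered coefficient should land near the assumed 0.2; on real survey data one would also report the standard error or a bootstrap interval for that term before claiming moderation.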

Keywords

Insider threats; Enterprise Risk Management


