HOW DO RISK MANAGEMENT PRACTICES MEDIATE THE RELATIONSHIP BETWEEN CYBERSECURITY STRATEGY IMPLEMENTATION AND ORGANIZATIONAL PERFORMANCE?

Abstract

In the era of rapid digital transformation and increasing interconnectivity, healthcare organizations face an alarming rise in sophisticated cyber threats. Despite considerable global investment in cybersecurity, healthcare institutions continue to experience costly ransomware attacks, exposing persistent vulnerabilities in cyber risk governance. This study empirically examines how risk management practices mediate the relationship between cybersecurity strategy implementation and organizational performance. Grounded in General Deterrence Theory, the research utilizes a quantitative methodology to analyze data collected from 269 senior cybersecurity professionals in Saudi Arabia. Findings reveal that risk management practices significantly enhance the effectiveness of cybersecurity strategies. Organizations with fully integrated risk management frameworks reported higher perceived effectiveness and better alignment with business outcomes. Mediation analysis confirmed that integration, not the frequency of risk assessments, plays a critical role in translating cybersecurity initiatives into improved organizational performance. Furthermore, respondents overwhelmingly affirmed the financial and strategic benefits of cybersecurity investments, particularly through mechanisms such as multi-factor authentication, continuous employee training, and cultivating a cybersecurity-aware culture. Widely used frameworks like the NIST Cybersecurity Framework and HIPAA were associated with stronger organizational resilience. This research fills a critical gap in the existing literature by providing empirical insights into how strategic risk management influences the impact of cybersecurity on performance. The findings underscore the importance of embedding cybersecurity into broader risk governance structures and offer practical guidance to healthcare organizations seeking to strengthen their cybersecurity posture.