Cybersecurity strategy, not compliance, drives investment across ASEAN
A new multi-country study has identified cybersecurity strategy as the strongest determinant of cybersecurity investment decisions across ASEAN organizations, revealing that how firms conceptualize their approach to digital threats matters more than regulatory mandates or budget size. The study, titled “Determinants of Cybersecurity Investment in ASEAN Organizations: An Integrated Structural Equation Modeling Approach,” was published in Frontiers in Communications and Networks.
Based on data from 317 cybersecurity and IT executives in six ASEAN nations, the study used structural equation modeling (SEM) to examine how risk management practices, financial considerations, and regulatory compliance influence investment decisions, both directly and indirectly via cybersecurity strategy. The results showed that while all three external factors play roles, it is the internal, strategic orientation that ultimately shapes where and how cybersecurity dollars are spent.
What factors influence cybersecurity investment most in ASEAN firms?
The study’s authors identified six hypotheses linking investment behavior to risk management (CRM), financial considerations (FIC), governance and compliance (CGC), and organizational cybersecurity strategy (OCS). Among these, the strongest direct effect on cybersecurity investment was cybersecurity strategy (β = 0.63), far outpacing direct contributions from risk management (β = 0.29) or governance and compliance (β = 0.19).
Risk management was found to significantly influence both investment (directly) and strategy formation (β = 0.54), suggesting that as organizations improve their threat assessment processes, their strategic planning and spending align more closely with actual risk exposure. Similarly, governance and compliance had a moderate impact on strategy (β = 0.42) and only a marginal direct effect on investment.
Financial considerations, while important, were found to impact investment exclusively through their effect on strategy, indicating a full mediation. This suggests that even when organizations are financially constrained, they do not reduce cybersecurity spending arbitrarily. Instead, financial pressures reshape their strategies, which in turn drive smarter, more aligned investment decisions.
How does cybersecurity strategy mediate these effects?
Mediation analysis revealed that strategy plays a crucial role in translating external pressures into internal decision-making. For instance, the indirect effect of financial considerations on investment (0.36) was significant despite its lack of direct influence. In contrast, risk management and compliance both displayed partial mediation patterns, meaning they affect investment both directly and through strategy.
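As an added worked decomposition (not part of the article or the study), the reported standardized path coefficients can be combined to show what partial and full mediation mean here. In a mediation model the indirect effect of a factor X on investment (INV) is the product of its path to strategy (OCS) and the strategy-to-investment path, and the total effect adds the direct path. The derived totals and the implied financial-to-strategy path below are computed from the article's figures, not reported by the study.

$$
\text{Total}(X \to \text{INV}) \;=\; \underbrace{\beta_{X \to \text{INV}}}_{\text{direct}} \;+\; \underbrace{\beta_{X \to \text{OCS}} \cdot \beta_{\text{OCS} \to \text{INV}}}_{\text{indirect}}, \qquad \beta_{\text{OCS} \to \text{INV}} = 0.63
$$

$$
\text{CRM (partial mediation):}\quad 0.29 + 0.54 \cdot 0.63 \;=\; 0.29 + 0.34 \;\approx\; 0.63
$$

$$
\text{CGC (partial mediation):}\quad 0.19 + 0.42 \cdot 0.63 \;=\; 0.19 + 0.26 \;\approx\; 0.45
$$

$$
\text{FIC (full mediation):}\quad 0 + \beta_{\text{FIC} \to \text{OCS}} \cdot 0.63 \;=\; 0.36 \;\;\Rightarrow\;\; \beta_{\text{FIC} \to \text{OCS}} \approx \frac{0.36}{0.63} \approx 0.57 \;\text{(implied, not reported)}
$$

The decomposition makes the article's point concrete: for risk management roughly half of its total effect on investment flows through strategy, for compliance more than half does, and for financial considerations all of it does.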
This finding reinforces the strategic function of cybersecurity planning within organizations. Strategy acts as a central hub through which risk assessments, budget pressures, and compliance requirements are synthesized into actionable decisions.
The study also observed that in critical infrastructure sectors, such as energy, telecommunications, and finance, the influence of governance and compliance was stronger. Here, compliance frameworks are more developed, and investments tend to follow clearer regulatory guidance, especially in jurisdictions like Singapore. In contrast, organizations in countries with emerging digital economies, such as Vietnam and Indonesia, showed stronger links between financial constraints and strategy formation.
How should organizations and regulators respond to these insights?
For businesses operating across ASEAN, the study’s implications are both operational and strategic. Organizations are advised to embed security deeply into their overall strategy, ensuring that risk assessments, financial reviews, and regulatory mandates are all integrated into a unified planning process. The absence of such a strategic framework was found to be linked to inefficient or misaligned investment decisions.
Practically, this means establishing formal strategic documents, scenario-based risk modeling, and performance-linked budgeting mechanisms. For example, critical infrastructure organizations should ensure that regulatory compliance is not just a checkbox process but is embedded within strategic goals to justify budget allocations. Conversely, firms in non-critical sectors may benefit from clearer prioritization of investment based on cost-benefit assessments driven by strategic planning.
For regulators and policymakers, the study offers a sobering reminder: compliance mandates alone are not sufficient to drive meaningful investment in cybersecurity. While governance frameworks do influence strategy, especially in regulated sectors, it is strategic planning, not regulatory pressure, that ultimately leads to increased investment.
The study recommends regionally harmonized regulations that encourage strategic planning rather than prescriptive controls. Additionally, sector-specific guidance for critical infrastructure and financial support mechanisms for smaller firms could improve both compliance and resilience.
First published in: Devdiscourse