
The Paradox of Cyber Risk Controls: An Empirical Analysis of Readiness and Protection Inefficiencies in Thailand’s Financial Sector

by Artid Sringam * and Pongpisit Wuttidittachotti
Department of Digital Network and Information Security Management, Faculty of Information Technology and Digital Innovation, King Mongkut’s University of Technology North Bangkok, Bangkok 10800, Thailand
* Author to whom correspondence should be addressed.
Risks 2026, 14(1), 20; https://doi.org/10.3390/risks14010020
Submission received: 12 December 2025 / Revised: 9 January 2026 / Accepted: 13 January 2026 / Published: 19 January 2026
(This article belongs to the Special Issue Risk Management in Financial and Commodity Markets)

Abstract

As Thailand’s financial sector accelerates its digital transformation, cybersecurity has transitioned from a mere technical support function to a strategic imperative that governs operational risk and financial stability. This study empirically examines the efficacy of cyber risk controls and their correlation with perceived organizational readiness. Utilizing a quantitative survey of 53 specialized practitioners (N = 53), we assessed maturity across the six dimensions of the Bank of Thailand’s Cyber Resilience Assessment regulatory framework: Governance, Identification, Protection, Detection, Response, and Third-Party Risk Management. While descriptive statistics indicate high overall maturity (x̄ = 4.19, S.D. = 0.37), multiple regression analysis uncovers a critical “Protection Paradox”. Specifically, the “Protection” dimension exhibits a statistically significant negative impact on readiness (β = −0.432, p = 0.01), suggesting that over-engineered technical controls induce operational friction. In contrast, “Identification” emerged as the primary positive driver of readiness (β = 0.627, p < 0.01), highlighting visibility as a superior strategic lever. Furthermore, a structural disconnect was identified between strategic “Governance” and “Third-Party Risk Management” (r = 0.46), highlighting a “Silo Effect” where board-level policy fails to effectively mitigate supply chain risks. These findings suggest that financial institutions must pivot from volume-based compliance to risk-optimized integration to bridge these strategic and operational gaps.

1. Introduction

In the modern digital economy, cybersecurity is no longer a mere technical function but a primary determinant of financial stability and operational resilience. The Basel Committee on Banking Supervision (2011) explicitly integrates cyber risk within the operational risk management (ORM) framework, mandating rigorous capital allocation for systemic protection. This global concern is echoed in the World Economic Forum (2024), which consistently ranks cyber instability as a top-tier threat capable of disrupting global financial infrastructures. The Bangladesh Bank heist serves as a critical example of how systemic vulnerabilities can lead to massive financial losses (Wired Staff 2016). It is generally recognized in emerging market contexts that as financial systems become more interconnected, the systemic impact of localized breaches can destabilize national economic confidence. In Thailand, as banks accelerate their transition toward virtual and open banking architectures, the attack surface expands, creating a complex interplay between rigid regulatory compliance and actual risk exposure.
Despite the proliferation of robust regulatory frameworks, a critical question remains regarding the Security Investment Efficiency of these controls. Financial institutions invest heavily in “Protection” technologies (e.g., zero-trust architectures, encryption, and multi-factor authentication) to satisfy compliance checklists. However, economic theories of information security, such as the Gordon–Loeb model, suggest a phenomenon of “diminishing returns” in security investments, where optimal investment does not necessarily equate to maximum technical protection (Gordon and Loeb 2002). Driven by the potential for “Security Friction”, this study challenges the traditional assumption of a positive relationship between controls and readiness, suggesting that over-engineered systems can paradoxically induce negative outcomes. This also suggests that the direction of the relationship is not always linear, as excessive or poorly integrated controls may induce operational friction, “security fatigue” among personnel, and paradoxically, a reduction in overall organizational readiness (Chua et al. 2019). This tension between strict Governance mandates and the practical realities of Protection and Third-Party Risk Management creates structural vulnerabilities that purely compliance-based assessments often fail to detect (Vance et al. 2014).
Existing research on cybersecurity in the financial sector has largely focused on qualitative policy analysis or technical threat quantification. In Thailand, research has often centered on the regulatory role of the central bank and the implementation of specific security standards (Wairak 2019; Kaewsa-ard and Utakrit 2021). While these studies provide a foundational understanding of the regulatory landscape, empirical research investigating the internal structural relationships of these risk management programs is scarce. Specifically, few studies have quantitatively assessed whether “Governance” policies effectively translate into “Operational” readiness, or whether organizational silos create blind spots in supply chain (Third-Party) risk management. This gap is particularly pronounced in Thailand, a strategic case study for emerging economies where a heavily regulated environment might prioritize “auditable” compliance over operational efficiency, a dynamic that requires urgent empirical investigation.
To address this gap, this study empirically investigates the relationship between formal maturity dimensions (based on the Bank of Thailand’s framework) and perceived operational readiness (as a measure of execution confidence and resource sufficiency) within the Thai financial sector. We adopt the Bank of Thailand’s Cyber Resilience Assessment Framework as our theoretical lens. This framework, which aligns with international standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST 2018), categorizes risk management into six critical domains: Governance, Identification, Protection, Detection, Response, and Third-Party Risk Management (TPRM) (Bank of Thailand 2019). By analyzing data from 53 practitioners (N = 53), we aim to move beyond simple maturity scoring to reveal the structural dynamics and identify where these investments may reach a saturation point.
This paper makes a distinct contribution to the literature by identifying a “Protection Paradox”. Our findings reveal that while process-based Governance maturity is high, the operational implementation of Protection controls exhibits a statistically significant negative correlation with readiness, suggesting operational inefficiencies rather than enhanced resilience (Chua et al. 2019). Furthermore, we highlight a significant structural disconnect between strategic Governance and TPRM, pinpointing a systemic vulnerability in supply chain oversight. Unlike previous studies that seek universal parameter estimates, this research focuses on revealing the boundaries of structural relationships in a high-compliance, emerging market context. These insights provide critical implications for risk managers and regulators, arguing for a shift from volume-based security controls to risk-optimized, integrated strategies.

2. Literature Review

This section critically reviews the existing body of knowledge regarding quantitative cyber risk assessment, the regulatory landscape in emerging markets, and the theoretical underpinnings of operational friction and organizational silos.

2.1. From Compliance to Security Investment Efficiency

Historically, cybersecurity in the financial sector was treated as a qualitative “IT problem”, focusing on the deployment of technical controls. However, the paradigm has shifted towards Quantitative Risk Assessment (QRA) to align with financial risk models. Bouveret proposed a framework for quantifying cyber risk for financial groups, emphasizing the need to estimate potential losses (Value at Risk) rather than merely counting vulnerabilities (Bouveret 2018). This shift is critical for integrating cyber risk into broader Enterprise Risk Management (ERM) and capital planning as mandated by Basel III (Basel Committee on Banking Supervision 2011). Recent discourse (2021–2024) has caused a further evolution of this concept into “Security Investment Efficiency” or Return on Security Investment (ROSI). While models like Gordon–Loeb provide the economic justification for security investments, they also postulate a critical point of diminishing marginal returns, where additional spending on protection does not result in a proportional increase in security posture (Gordon and Loeb 2002).

2.2. The Regulatory Landscape and Emerging Market Context

In Thailand, the regulatory environment has evolved rapidly to address the digital transformation of the banking sector. Research by Wairak (2019) and Kaewsa-ard and Utakrit (2021) highlights the central role of the Bank of Thailand (BOT) in establishing mandatory security standards. These standards are heavily influenced by the NIST Cybersecurity Framework (CSF), which categorizes risk management into five core functions: Identify, Protect, Detect, Respond, and Recover (NIST 2018). However, the BOT framework specifically elevates “TPRM” to a sixth core domain (Bank of Thailand 2019). This localization is mirrored in other ASEAN nations; for instance, Indonesia’s central bank has similarly tightened regulations on digital service providers, reflecting a regional trend where regulatory pressure often drives the rapid adoption of technical controls. Tunyavikrom and Kulsawat (2021) noted that while legal compliance in the Thai financial sector is high, the practical application often struggles to keep pace with sophisticated threats.

2.3. The “Protection Paradox”: Security Friction and Fatigue

A critical theme emerging in the recent literature—and central to this study—is the concept of “Security Friction” or the unintended negative consequences of security controls. This study conceptualizes “perceived organizational readiness” as an operational outcome distinct from formal maturity. While the “Protection” domain is foundational, Chua et al. (2019) argue that adding complex security countermeasures can lead to “unintended harms”, where the operational burden of security tools degrades user performance and system resilience. This phenomenon is often described as “security fatigue”, defined as a state of weariness where users become overwhelmed by security requirements, leading to non-compliant shortcuts. Vance et al. (2014) utilized neuro-physiological measures to demonstrate that risk perception significantly influences security behavior. Similarly, Ng et al. (2009) applied the Health Belief Model to computer security, finding that if users perceive the “cost” (friction) of security behavior to outweigh the benefit, compliance drops. These theoretical underpinnings suggest a non-linear relationship: up to a certain point, protection increases readiness, but beyond that saturation point, the complexity and friction induce a “Protection Paradox”, where perceived organizational readiness actually declines as technical controls become more intrusive and poorly integrated.

2.4. Organizational Silos and Third-Party Risk Management

The management of Third-Party Risk represents a significant structural challenge. The World Economic Forum (2024) highlights that a substantial portion of systemic cyber incidents originates from supply chain vulnerabilities, a risk that has intensified with the adoption of cloud-based financial services. However, the organizational literature suggests a prevalent disconnect between strategic “Governance” (often managed by Risk/Audit committees) and operational “TPRM” (often delegated to procurement or IT). This “Silo Effect” creates a blind spot where high-level policy does not effectively permeate vendor management practices. In emerging markets like Thailand, where digital ecosystems are rapidly expanding through FinTech partnerships, this disconnect is exacerbated by the lack of standardized security metrics across the supply chain. Empirical data verifying this governance–operational disconnect in Thailand remains limited; this is a gap that this study aims to fill by examining the structural correlations between these maturity domains.

3. Results

This section presents the empirical findings of the study, which are structured into sample characteristics, descriptive maturity analysis, and inferential testing of risk efficiency and structural relationships.

3.1. Participant Demographics

The demographic profile of the 53 respondents indicates a high level of professional experience, reinforcing the reliability of the data. As detailed in Table 1, the majority of participants (73.6%) possess over 10 years of experience in the financial or technology sectors. Furthermore, 54.7% hold a Master’s degree or higher. This profile suggests that the responses reflect informed perspectives from seasoned practitioners rather than entry-level staff.

3.2. Descriptive Analysis of Risk Maturity Domains

Table 2 presents the mean scores and standard deviations for the six cyber resilience domains. The overall perceived maturity of the sector is high (x̄ = 4.19; S.D. = 0.37). Governance emerged as the highest-rated dimension (x̄ = 4.38), suggesting strong adherence to policy formulation. In contrast, while all dimensions remain in the high-maturity range, Third-Party Risk Management received the lowest mean score (x̄ = 4.01), followed closely by Response and Recovery (x̄ = 4.08) and Detection (x̄ = 4.09).

3.3. The Efficiency Paradox: Regression and Correlation Analysis

To isolate the determinants of perceived organizational readiness (Y), a multiple regression analysis was conducted across the six domains of the Bank of Thailand’s framework. The model yielded a robust fit (R² = 0.817; adjusted R² = 0.793), indicating that the model explains approximately 79.3% of the variance in readiness. The predictive equation is as follows:
Y = 1.167 − 0.010X1 + 0.627X2 − 0.432X3 + 0.187X4 + 0.293X5 + 0.050X6 + ε
where
  • X1: Governance;
  • X2: Identification;
  • X3: Protection;
  • X4: Detection;
  • X5: Response and Recovery;
  • X6: Third-Party Risk Management.

3.3.1. Key Structural Dynamics

As summarized in Table 3, the regression analysis reveals three critical structural dynamics that define the current state of cyber resilience in the Thai financial sector:
  • The Dominant Driver: Identification (X2, β = 0.627, p < 0.01): Identification emerged as the most powerful positive predictor of perceived organizational readiness. This suggests that the ability to accurately identify assets, systems, and risks is the primary factor driving operational confidence among practitioners. The high coefficient underscores that “visibility” and “risk awareness” are more effective strategic levers for readiness than the mere accumulation of protective tools.
  • The Validated “Protection Paradox” (X3, β = −0.432, p = 0.01): The statistically significant negative impact of the Protection dimension provides robust empirical evidence for the “Protection Paradox”. This finding indicates that as technical controls (e.g., access management and patch protocols) become more complex or over-engineered, they induce substantial “operational friction” and “security fatigue”. In the Thai financial context, excessive or poorly integrated protective measures appear to diminish overall organizational readiness rather than enhance it, likely due to the increased burden placed on personnel and systems.
  • The Compliance–Performance Gap (Governance and TPRM): Interestingly, while Governance (X1, β = −0.010) and Third-Party Risk Management (X6, β = 0.050) often receive high maturity scores in descriptive assessments, their direct predictive power on perceived readiness is negligible in this model. This highlights a persistent “Compliance–Performance Gap”, where high scores in policy formulation and vendor management do not necessarily translate into real-world operational confidence or execution capability.

3.3.2. Correlation Analysis and the “Silo Effect”

Beyond individual predictors, the structural analysis reveals a critical disconnect within the risk management framework. Pearson’s Correlation Matrix (Table 4) was utilized to examine the interrelationships between the six domains and the dependent variable.
While most domains exhibit strong intercorrelations (with several coefficients exceeding r = 0.80), a notable anomaly was observed regarding the relationship between Governance (X1) and Third-Party Risk Management (X6). The correlation between these two domains is the weakest in the entire matrix (r = 0.46, p < 0.01).
This statistical gap provides evidence of a “Silo Effect” within Thai financial institutions, suggesting that strategic board-level policies (Governance) are not effectively integrated with the operational complexities of managing external vendors and supply chain risks (TPRM). This disconnect indicates that high-level security mandates may fail to permeate down to the practical management of Third-Party Ecosystems, leaving a structural vulnerability that purely compliance-based audits might overlook.

3.4. Summary of Research Findings

In summary, the empirical analysis of the Thai financial sector’s cyber resilience reveals a complex structural landscape characterized by both high compliance and operational friction. The results from the multiple regression analysis confirm that Identification (X2) is the most significant positive driver of organizational readiness, emphasizing the critical importance of asset visibility and risk awareness.
However, this study provides compelling evidence for the “Protection Paradox”, as the Protection (X3) domain exhibited a statistically significant negative relationship with perceived readiness. This suggests that the current implementation of technical controls may reach a point of diminishing returns, where added complexity induces “security fatigue” rather than enhanced capability. Furthermore, the correlation analysis identified a persistent “Silo Effect” between strategic Governance and Third-Party Risk Management, pointing to a disconnect between high-level policy and supply chain oversight. These findings are the foundation for the subsequent discussion on optimizing security investments and bridging the gap between compliance and operational reality.

4. Discussion

This study set out to empirically assess the cyber resilience of the Thai financial sector. While the descriptive results indicate a high level of overall maturity (x̄ = 4.19), the inferential analysis uncovers critical structural inefficiencies that challenge the traditional “defense-in-depth” paradigm.

4.1. The Risk–Efficiency Paradox: When More Protection Means Less Readiness

Our findings support the Gordon–Loeb economic model of information security, which postulates that security investments eventually reach a point of diminishing marginal returns (Gordon and Loeb 2002). The significant negative correlation observed in Protection (X3, β = −0.432; p = 0.01) strongly suggests that financial institutions in Thailand may have reached a saturation point where the complexity of security controls generates “Operational Friction”. As argued by Chua et al. (2019), excessive countermeasures can create “unintended harms”, such as user fatigue and workflow bottlenecks. When security mechanisms become too cumbersome, staff may bypass protocols to maintain productivity, paradoxically increasing the organization’s vulnerability. This aligns with the concept of “security fatigue”, where users actively circumvent controls to avoid operational friction. These findings suggest a potential “Compliance-over-Function” mindset, where tools may be deployed primarily to satisfy regulatory checklists rather than enhancing operational resilience.
Furthermore, while Identification (X2, β = 0.627) emerged as the strongest positive driver, the results for Response (X5, β = 0.293) were not statistically significant. This suggests that the mere existence of response protocols does not necessarily translate into operational confidence. Without regular, realistic drills and active testing, these protocols remain as theoretical constructs rather than actionable capabilities.

4.2. The Strategic Disconnect: Governance vs. Third-Party Risk

Our analysis revealed a structural “silo” between Governance (X1) and Third-Party Risk Management (X6), evidenced by their relatively weak correlation (r = 0.46). While “Governance” received the highest maturity score (x̄ = 4.38), reflecting strong board-level policy formulation, this strategic intent does not effectively permeate the supply chain management processes.
In the context of ORM, this disconnect represents a classic Principal–Agent problem. The Board (Principal) sets the risk appetite, but the operational units managing vendors (Agents) may lack the integrated tools or authority to enforce these standards externally. Given that the World Economic Forum (2024) identifies supply chain attacks as a leading systemic threat, this gap implies that while Thai banks are “policy-rich”, they remain “implementation-poor” regarding external dependencies.

4.3. Implications for Risk Management and Insurance

For risk managers, these findings argue for a strategic pivot from “Volume-based Security” (adding more tools) to “Risk-Optimized Integration” (reducing friction). Future investments should focus on Identification and Detection—which showed strong positive associations with readiness—rather than adding more layers of intrusive protection.
For Cyber Insurance underwriters, this study suggests that premium pricing models should not rely solely on the number of protective controls installed. Instead, assessment criteria should heavily weigh the integration level of these controls and the specific connectivity between governance bodies and Third-Party Vendors.

5. Materials and Methods

This section details the methodological framework employed to empirically investigate the cybersecurity maturity and operational efficiency of Thailand’s financial sector. It outlines the research design, participant demographics, the data collection instrument derived from the Bank of Thailand’s regulatory standards, and the statistical procedures utilized to analyze the structural relationships between governance and operational resilience.
To ensure the methodological rigor and reproducibility of the findings, this study adopted a systematic quantitative research design structured into three sequential phases, which are comprehensively detailed in Figure 1.
Phase 1: Instrument Development. The questionnaire, derived from the Bank of Thailand’s Cyber Resilience Assessment Framework, underwent rigorous validation. Content validity was verified by five subject matter experts, retaining only items with an Item–Objective Congruence (IOC) index ≥ 0.8. Reliability was subsequently confirmed via pilot testing, achieving a Cronbach alpha coefficient of α = 0.8, indicating high internal consistency.
Phase 2: Data Collection. A purposive sampling approach was employed to gather perspectives from qualified practitioners within the Thai financial sector. To ensure data quality, participants were selected based on specific inclusion criteria, focusing on specialized industry expertise. A total of 53 valid responses (N = 53) were collected via an anonymized online platform.
Phase 3: Data Analysis and Robustness. The final phase involved a multi-stage analytical approach. Descriptive statistics established perceived maturity levels, while Pearson correlation diagnosed structural relationships (e.g., the “Silo Effect” between Governance and TPRM). Crucially, to address the specialized sample size, multiple regression analysis was supplemented by influential outlier screening (Cook’s Distance) and a bootstrapping procedure (5000 resamples) to ensure the stability of the parameter estimates.

5.1. Research Design and Population

This study employed a quantitative, cross-sectional survey design to empirically assess the structural dynamics of cyber resilience within Thailand’s financial sector. Given the highly specialized and technical nature of cybersecurity oversight in regulated industries, a purposive sampling method was adopted. This approach ensured that the data reflected the insights of “expert informants” who possess a deep understanding of both regulatory mandates and operational realities.
The target population was defined as practitioners currently holding roles in cybersecurity, information security, IT audit, or operational risk management within Thai financial institutions—including commercial banks, insurance companies, and non-bank financial service providers. To ensure the integrity of the findings, participants were required to meet specific inclusion criteria:
  • Direct involvement in the implementation or oversight of the BOT’s Cyber Resilience Assessment Framework;
  • Employment within a financial institution currently operating under BOT or related financial regulations in Thailand.
The final validated sample consisted of 53 qualified practitioners (N = 53). While the sample size is numerically modest, it represents a high-density concentration of expertise within a niche professional community. The demographic profile of the respondents underscores this expertise; the vast majority (88.7%, n = 47) are senior professionals with five or more years of direct experience in cybersecurity or risk management, while the remaining participants (11.3%, n = 6) are active practitioners in specialized technical roles, ensuring a balanced perspective between strategic oversight and operational execution.
Data collection was conducted through an anonymized online structured survey. To mitigate potential social desirability bias and ensure candid reporting of maturity levels, respondents were guaranteed full confidentiality, with no identifiable institutional data collected. This ethical safeguard was critical for obtaining an accurate reflection of the “Compliance–Performance Gap” inherent in highly regulated environments.

5.2. Measurement Instrument and Operational Definitions

The research instrument was a structured questionnaire designed to evaluate the cybersecurity posture of Thai financial institutions. The instrument was divided into three sections, utilizing a 5-point Likert scale for all self-assessment items (1 = Strongly Disagree to 5 = Strongly Agree). The complete survey instrument, including all measurement items for maturity and readiness constructs, is provided in Appendix A.

5.2.1. Independent Variables: Cyber Resilience Maturity (X)

The maturity of the organization’s cybersecurity processes was assessed using 18 items (Section 3 of the survey) based on the BOT’s Cyber Resilience Assessment Framework (Bank of Thailand 2019). This construct measures the formal existence and quality of security policies and processes across six critical domains (3 items per domain):
  • Governance (X1): Strategic alignment and risk oversight.
  • Identification (X2): Asset management and risk identification.
  • Protection (X3): Technical controls, patch management, and access security.
  • Detection (X4): Continuous monitoring and threat intelligence sharing.
  • Response and Recovery (X5): Incident response plans and escalation procedures.
  • Third-Party Risk Management (X6): Oversight of external vendors and supply chain security.

5.2.2. Dependent Variable: Perceived Organizational Readiness (Y)

To provide a distinct measure of operational effectiveness, perceived organizational readiness (Y) was operationalized as the mean score of 10 items located in Section 2 of the questionnaire. While the maturity domains (X) focus on regulatory compliance and process design, this scale captures the operational reality and resource sufficiency as perceived by practitioners. The measurement items for readiness include the following:
  • Human and Technical Resources: Perceived adequacy of cybersecurity staff and monitoring personnel.
  • Infrastructure and Endpoint Security: Confidence in the safety of data centers, servers, and endpoint devices.
  • Execution Capability: Practical application of emergency plans, BYOD (Bring Your Own Device) security, and network protection protocols.
By separating “Process Maturity” (the formal framework) from “Perceived Readiness” (the operational confidence), this study effectively isolates the perceived state of security readiness from formal compliance scores. This distinction is critical for identifying potential “Security Friction”, where high technical maturity may not necessarily translate into enhanced operational readiness.

5.3. Validity and Reliability

To ensure the methodological rigor of the study, the research instrument underwent a two-stage validation process focusing on content validity and internal consistency.

5.3.1. Content Validity

The initial draft of the questionnaire was subjected to a rigorous review by a panel of five subject matter experts (SMEs). To ensure a multi-dimensional perspective, the panel included senior cybersecurity regulators from the financial sector, academic experts in information security management, and professional risk auditors. Content validity was quantified using the IOC index. Each item was evaluated for its relevance to the Bank of Thailand’s Cyber Resilience Assessment Framework and its clarity for the target respondents. After receiving feedback from these experts, minor linguistic adjustments were made, and only items achieving an IOC score of 0.80 or higher were retained, ensuring high alignment between the theoretical constructs and the measurement items.

5.3.2. Reliability Analysis

Following the validity check, a pilot test was conducted with a representative group of practitioners to evaluate the instrument’s reliability. Internal consistency was measured using Cronbach’s alpha coefficient (α). The analysis demonstrated strong reliability across all scales, exceeding the widely accepted threshold of 0.70 (Cronbach 1990):
  • Cyber resilience maturity scale (18 items): α = 0.80.
  • Perceived organizational readiness scale (10 items): α = 0.82.
These results indicate that the instrument is a stable and reliable tool for assessing the structural relationships between regulatory maturity and operational readiness within the Thai financial context.

5.4. Data Analysis and Robustness Procedures

The data analysis was conducted using a multi-staged statistical approach to investigate the structural relationships between the six maturity domains and perceived organizational readiness. The analysis was performed using the procedures outlined below.

5.4.1. Descriptive and Correlation Analysis

Initially, descriptive statistics, including mean scores and standard deviations (S.D.), were calculated to establish the baseline maturity levels of the participating institutions. To identify the preliminary associations between variables and to diagnose the “Silo Effect” (specifically the disconnect between strategic Governance and operational TPRM), a Pearson Correlation Analysis was conducted. This step provided foundational evidence for the structural inconsistencies within the risk management programs.

5.4.2. Multiple Regression Analysis

To test the primary research objectives, a Multiple Linear Regression model was employed. This model assessed how the six maturity domains (X1 to X6) collectively and individually predict perceived organizational readiness (Y). The regression equation is defined as follows:
Y = β0 + β1X1 + β2X2 + β3X3 + β4X4 + β5X5 + β6X6 + ε
where
  • Y = perceived organizational readiness (mean of 10 items)
  • X1 … X6 = maturity domains (Governance, Identification, Protection, Detection, Response, and TPRM)
  • β0 = constant term, with β1 … β6 = standardized regression coefficients
  • ε = error term

5.4.3. Robustness Check via Bootstrapping

To address the methodological challenges associated with a specialized and niche sample size (N = 53), this study implemented a bootstrapping procedure with 5000 resamples. This non-parametric approach was utilized to estimate the stability of the parameter estimates and to generate robust 95% confidence intervals. By employing bootstrapping, the study ensures that the identified “Protection Paradox” (the negative coefficient of the Protection domain) is statistically significant and not a result of sampling fluctuations or distribution assumptions, thereby providing a higher level of inferential confidence.

5.5. Data Screening and Outlier Treatment

Prior to formal hypothesis testing, the dataset underwent a rigorous screening process to ensure the robustness of the regression model. Influential outliers were assessed using Cook’s Distance.
One specific observation (Case ID 17) was identified as a significant influential outlier, with a Cook’s Distance value exceeding the recommended threshold of 4/n (where n is the sample size). This indicated that the responses from Case ID 17 were not representative of the broader institutional trend and would have potentially distorted the standardized β estimates.
To enhance the precision, stability, and normality of the results, this case was excluded from the analysis, resulting in a final validated analytical sample of N = 53. Subsequent diagnostic tests confirmed that the exclusion of this influential case significantly improved the model’s homoscedasticity, reduced the standard error, and enhanced the overall reliability of the parameter estimates. This meticulous screening ensures that the identified “Protection Paradox” reflects a genuine structural phenomenon within the sector rather than an anomaly from a single respondent.
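The analysis pipeline of Sections 5.4.2, 5.4.3 and 5.5 (an OLS fit, Cook’s Distance screening against the 4/n rule, then percentile bootstrap confidence intervals for the coefficients) as an added pure-Python example. It is not the study’s own code and does not use the survey data: it runs on a constructed sample with three predictors, a known generating equation and one planted influential case, so the reader can see the screening catch the planted row and the bootstrap interval exclude zero for the coefficients that matter. The D_i formula, the 4/n threshold and resampling whole rows are the standard forms of these methods; everything numeric is constructed.

```python
"""OLS regression, Cook's distance screening and bootstrap confidence intervals
in pure Python (added example; not the paper's own analysis code)."""
import random
from typing import List, Sequence, Tuple

Matrix = List[List[float]]


def invert(a: Matrix) -> Matrix:
    """Gauss-Jordan inverse with partial pivoting (fine for small, well-conditioned X'X)."""
    n = len(a)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        if abs(p) < 1e-12:
            raise ValueError("singular design matrix (perfectly collinear predictors)")
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def ols(X: Sequence[Sequence[float]], y: Sequence[float]) -> Tuple[List[float], List[float], Matrix]:
    """Fit y = b0 + b1*x1 + ... + bk*xk + e. Returns (coefficients, residuals, (X'X)^-1)."""
    D = [[1.0] + list(row) for row in X]          # design matrix with intercept column
    p = len(D[0])
    xtx = [[sum(r[i] * r[j] for r in D) for j in range(p)] for i in range(p)]
    xty = [sum(r[i] * yi for r, yi in zip(D, y)) for i in range(p)]
    inv = invert(xtx)
    beta = [sum(inv[i][j] * xty[j] for j in range(p)) for i in range(p)]
    resid = [yi - sum(b * v for b, v in zip(beta, r)) for r, yi in zip(D, y)]
    return beta, resid, inv


def cooks_distance(X: Sequence[Sequence[float]], y: Sequence[float]) -> List[float]:
    """Cook's distance D_i = e_i^2 / (p * MSE) * h_ii / (1 - h_ii)^2 for every row."""
    _, resid, inv = ols(X, y)
    D = [[1.0] + list(row) for row in X]
    n, p = len(D), len(D[0])
    mse = sum(e * e for e in resid) / (n - p)
    out = []
    for r, e in zip(D, resid):
        h = sum(r[i] * inv[i][j] * r[j] for i in range(p) for j in range(p))  # leverage h_ii
        out.append(e * e / (p * mse) * h / (1 - h) ** 2)
    return out


def influential_rows(X: Sequence[Sequence[float]], y: Sequence[float]) -> List[int]:
    """Row indices whose Cook's distance exceeds the 4/n rule of thumb used in the paper."""
    d = cooks_distance(X, y)
    return [i for i, v in enumerate(d) if v > 4 / len(d)]


def bootstrap_ci(X, y, resamples: int = 1000, seed: int = 1, alpha: float = 0.05) -> List[Tuple[float, float]]:
    """Percentile bootstrap CI per coefficient: resample rows with replacement and refit.
    The paper used 5000 resamples; the default here is smaller only to keep the demo quick."""
    rng = random.Random(seed)
    n = len(y)
    draws = []
    for _ in range(resamples):
        idx = [rng.randrange(n) for _ in range(n)]
        b, _, _ = ols([X[i] for i in idx], [y[i] for i in idx])
        draws.append(b)
    cis = []
    for j in range(len(draws[0])):
        s = sorted(d[j] for d in draws)
        cis.append((s[int(alpha / 2 * resamples)], s[int((1 - alpha / 2) * resamples) - 1]))
    return cis


def constructed_sample(n: int = 40, seed: int = 7):
    """Constructed data (not survey data): y = 1 + 0.6*x1 - 0.4*x2 + 0.2*x3 + noise,
    plus one planted influential case (last row) reported far above the trend."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n):
        x = [rng.uniform(1, 5) for _ in range(3)]
        X.append(x)
        y.append(1 + 0.6 * x[0] - 0.4 * x[1] + 0.2 * x[2] + rng.gauss(0, 0.3))
    X.append([3.0, 3.0, 3.0])
    y.append(1 + 0.6 * 3 - 0.4 * 3 + 0.2 * 3 + 4.0)   # true value 2.2, reported 6.2
    return X, y


if __name__ == "__main__":
    X, y = constructed_sample()
    flagged = influential_rows(X, y)
    print("rows above 4/n:", flagged)
    keep = [i for i in range(len(y)) if i not in flagged]
    Xc, yc = [X[i] for i in keep], [y[i] for i in keep]
    beta, _, _ = ols(Xc, yc)
    for name, b, (lo, hi) in zip(["const", "x1", "x2", "x3"], beta, bootstrap_ci(Xc, yc)):
        print(f"{name}: {b:.3f}  95% CI [{lo:.3f}, {hi:.3f}]")
```

Two design points carry over to the paper’s setting. Screening runs on the full sample first, because an influential case inflates the mean squared error and masks everything else; and the bootstrap is run on the cleaned rows, since resampling a retained outlier would simply reproduce its distortion in some fraction of the draws.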

6. Conclusions

This study provides an empirical analysis of cyber risk resilience in Thailand’s financial sector, utilizing the Bank of Thailand’s regulatory framework as a theoretical lens. By surveying experienced practitioners (N = 53), this research moves beyond traditional compliance checklists to diagnose the structural efficiency of risk management practices. While the sector demonstrates a high overall level of perceived maturity (x̄ = 4.19), this aggregate score masks a critical “Risk–Efficiency Paradox” that has significant implications for financial stability and operational risk management.

6.1. Synthesis of Findings: The Efficiency Paradox

The quantitative analysis identified two systemic vulnerabilities that challenge the efficacy of current “defense-in-depth” strategies:
  • The Implementation Paradox: The “Protection” domain, despite being the focus of heavy capital investment, yielded a statistically significant negative impact on overall readiness (β = −0.432). This counterintuitive finding supports the economic theory of diminishing marginal returns in information security. This theory suggests that financial institutions have reached a saturation point where excessive, poorly integrated technical controls create “operational friction” and “security fatigue”, thereby degrading rather than enhancing the actual risk posture.
  • The Power of Visibility: Conversely, Identification (X2, β = 0.627) emerged as the strongest positive driver of readiness. This highlights that “knowing the environment” is a more effective strategic lever than simply “building higher walls”, which often leads to the aforementioned paradox.
  • The Strategic Silo: A significant structural disconnect exists between strategic “Governance” and operational “Third-Party Risk Management” (r = 0.46). This implies a Principal–Agent failure where high-level board policies do not effectively permeate the supply chain management process. In an era where supply chain attacks are a primary vector for systemic risk, this silo represents a latent vulnerability that standard governance audits may overlook.

6.2. Policy Implications for Regulators

Based on these findings, we propose that regulatory bodies, such as the Bank of Thailand and the Office of Insurance Commission, shift their supervisory focus from “compliance-based” to “risk-based” integration:
  • Transition to Performance-Based Regulation: Regulators should evolve audit frameworks from purely compliance-based checklists to a performance-based model. This involves explicitly assessing the correlation between internal governance protocols and external vendor controls. A high governance score should be flagged for review if not accompanied by equally robust Third-Party Oversight Mechanisms.
  • Incentivize “Frictionless” Security: Given the negative regression of the “Protection” domain, regulatory standards should encourage the adoption of user-centric security designs (e.g., zero-trust architectures that are transparent to the user) rather than simply mandating an increasing volume of complex, intrusive controls.
  • Cyber Insurance Standardization: For the insurance sector, this study suggests that underwriting models should not rely solely on the quantity of security tools installed. Instead, premium pricing should heavily weigh the Identification capabilities and the specific connectivity between the Board of Directors and Third-Party Vendors.

6.3. Managerial Implications for Financial Institutions

For practitioners (CISOs and CROs), the findings dictate a strategic pivot as follows:
  • Bridge the Governance–Operational Silo: Institutions must elevate Third-Party Risk Management to a core strategic discipline, reporting directly to the Risk Management Committee to close the gap between policy intent and reality.
  • Recalibrate Investment Strategies: Decelerate spending on over-engineered Protection (X3) and reallocate budgets toward Identification (X2) and Detection (X4), which demonstrate a higher Return on Investment (ROI).
  • Dynamic Capability Testing: Regarding Response (X5), organizations must move from static documentation to regular Tabletop Exercises to bridge the confidence gap and convert this dimension into a positive driver of resilience.

6.4. Limitations

The findings of this study should be interpreted with several limitations in mind. First, the sample size (N = 53), while representative of the specialized practitioner community, limits statistical generalizability to other sectors. However, this sample represents a significant portion of the qualified experts in this niche, regulated environment. Second, the study relies on perceived maturity, which may be subject to social desirability bias. Finally, the cross-sectional design captures a snapshot in time and identifies predictive relationships rather than absolute causality.

6.5. Directions for Future Research

Future research should validate the “Protection Paradox” through mixed-methods approaches, such as in-depth interviews, to deconstruct the specific mechanisms of “security fatigue”. Additionally, longitudinal studies could track maturity scores against actual incident data over time to provide concrete economic evidence of the cost of operational friction.

Author Contributions

Conceptualization, A.S. and P.W.; methodology, A.S.; validation, A.S. and P.W.; formal analysis, A.S.; investigation, A.S.; resources, A.S.; data curation, A.S.; writing—original draft preparation, A.S.; writing—review and editing, A.S. and P.W.; visualization, A.S.; supervision, P.W.; project administration, P.W. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The data presented in this study are available upon request from the corresponding author. The data are not publicly available due to privacy and confidentiality restrictions related to the participating financial institutions and personnel.

Acknowledgments

The authors would like to thank the Department of Digital Network and Information Security Management, Faculty of Information Technology and Digital Innovation, King Mongkut’s University of Technology North Bangkok, and the anonymous reviewers for their valuable suggestions.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

TPRM: Third-Party Risk Management
QRA: Quantitative Risk Assessment
ERM: Enterprise Risk Management
BOT: Bank of Thailand
NIST CSF: National Institute of Standards and Technology Cybersecurity Framework
RTOs: Recovery Time Objectives
IOC: Item–Objective Congruence
ORM: Operational Risk Management
CISOs: Chief Information Security Officers
CROs: Chief Risk Officers

Appendix A. Survey Instrument

Research Title: The Paradox of Cyber Risk Controls: An Empirical Analysis of Readiness and Protection Inefficiencies in Thailand’s Financial Sector.
Part 1: General Information.
Instructions: Please mark (✓) in the box that corresponds to your information.
1. Gender: [ ] Male [ ] Female
2. Age: [ ] Below 25 years [ ] 25–35 years [ ] 36–45 years [ ] 46–55 years [ ] Over 55 years
3. Education Level: [ ] Bachelor’s Degree [ ] Master’s Degree [ ] Doctoral Degree
4. Occupation: [ ] Government Official [ ] Private Sector Employee
[ ] Others (Please specify: ________)
5. Work Experience: [ ] Less than 5 years [ ] 5–10 years [ ] More than 10 years
6. Current Position: [ ] CISO [ ] Cyber Operations [ ] DPO [ ] Data Processor
[ ] Others (Please specify: ________)
Part 2: Organizational Cybersecurity Readiness.
Instructions: Please rate your level of agreement/practice (5 = Strongly Agree/Always, 1 = Strongly Disagree/Never).
Table A1. Measurement items for organizational cybersecurity readiness.
Assessment Items (Level of Practice/Agreement) | 5 | 4 | 3 | 2 | 1
--- | --- | --- | --- | --- | ---
Organizational Cybersecurity Readiness | | | | |
1. The organization has sufficient personnel responsible for IT security and cybersecurity incident monitoring. | [ ] | [ ] | [ ] | [ ] | [ ]
2. Information assets within the organization are systematically classified. | [ ] | [ ] | [ ] | [ ] | [ ]
3. Information security measures for data transmission and storage are strictly aligned with classification levels. | [ ] | [ ] | [ ] | [ ] | [ ]
4. Physical security controls are implemented for Data Centers and critical IT operational areas. | [ ] | [ ] | [ ] | [ ] | [ ]
5. IT emergency plans and manuals are documented, communicated, and regularly practiced by relevant personnel. | [ ] | [ ] | [ ] | [ ] | [ ]
6. The organization has established processes to control personal devices connected to the corporate network (BYOD). | [ ] | [ ] | [ ] | [ ] | [ ]
7. Clear guidelines are in place for managing Third-Party Providers and Outsourced IT Services. | [ ] | [ ] | [ ] | [ ] | [ ]
8. Human resource security management is effectively implemented throughout the employment lifecycle. | [ ] | [ ] | [ ] | [ ] | [ ]
9. Network security controls are capable of preventing unauthorized intrusions and cyber threats. | [ ] | [ ] | [ ] | [ ] | [ ]
10. Organizational servers are subject to regular security hardening and maintenance. | [ ] | [ ] | [ ] | [ ] | [ ]
Part 3: Cybersecurity Maturity Levels (Based on BOT Framework).
Instructions: Please rate the maturity level (5 = Optimized, 1 = Initial).
Table A2. Measurement items for cybersecurity risk management and essential security controls: Bank of Thailand (BOT) maturity levels.
Assessment Items (Level of Practice/Agreement) | 5 | 4 | 3 | 2 | 1
--- | --- | --- | --- | --- | ---
Governance | | | | |
1. Cybersecurity strategy is integrated into the organization’s overall enterprise risk management strategy. | [ ] | [ ] | [ ] | [ ] | [ ]
2. There is a process for timely review and alignment of all cyber risk policies across the financial institution to ensure consistency. | [ ] | [ ] | [ ] | [ ] | [ ]
3. Processes or tools are implemented for the continuous monitoring of security-sensitive personnel behaviors based on their roles and responsibilities. | [ ] | [ ] | [ ] | [ ] | [ ]
Identification | | | | |
4. Tools and processes are in place for the timely detection of unauthorized changes to IT asset inventory (including hardware, software, applications, and data). | [ ] | [ ] | [ ] | [ ] | [ ]
5. Automated detection tools are used to identify unauthorized configuration changes in systems and applications to enable prompt prevention or mitigation. | [ ] | [ ] | [ ] | [ ] | [ ]
6. Comprehensive cybersecurity risk assessments of vendors, developers, and service providers are conducted during the procurement and maintenance of critical IT assets. | [ ] | [ ] | [ ] | [ ] | [ ]
Protection | | | | |
7. Processes and tools are implemented to prevent network access from unpatched devices by both employees and authorized Third Parties. | [ ] | [ ] | [ ] | [ ] | [ ]
8. Regular File Integrity Checks (FIC) are performed on servers connected to public networks to mitigate threat risks. | [ ] | [ ] | [ ] | [ ] | [ ]
9. Access to critical systems and sensitive data via authorized personal devices (BYOD) is strictly controlled within secure environments (e.g., Isolated Sandbox or Secure Container). | [ ] | [ ] | [ ] | [ ] | [ ]
Detection | | | | |
10. Advanced penetration testing (Red Teaming) is conducted using threat intelligence-based simulations (Silent Mode) to evaluate prevention, detection, response, and recovery capabilities. | [ ] | [ ] | [ ] | [ ] | [ ]
11. Detection tools are utilized to correlate anomalous activities and system alerts to identify multi-faceted attacks (e.g., Simultaneous Account Takeover and DDoS). | [ ] | [ ] | [ ] | [ ] | [ ]
12. Cyber Threat Intelligence is proactively shared with other financial institutions, regulators, or law enforcement agencies upon discovery of potential threats. | [ ] | [ ] | [ ] | [ ] | [ ]
Response and Recovery | | | | |
13. Threat intelligence, network management logs, and incident data are integrated and analyzed for proactive response to potential anomalies. | [ ] | [ ] | [ ] | [ ] | [ ]
14. There is an established communication plan for notifying relevant external organizations or affected parties during a cybersecurity incident. | [ ] | [ ] | [ ] | [ ] | [ ]
15. A clearly defined escalation process is in place for reporting incidents to responsible parties for further analysis and response. | [ ] | [ ] | [ ] | [ ] | [ ]
Third Party Risk Management | | | | |
16. Dedicated units or personnel are responsible for coordinating with third-party providers to continuously improve security controls, connectivity, and data access. | [ ] | [ ] | [ ] | [ ] | [ ]
17. External audit reports (e.g., SSAE 18 Type II SOC 2) are regularly reviewed to assess the adequacy of cybersecurity controls of critical Third-Party Service Providers. | [ ] | [ ] | [ ] | [ ] | [ ]
18. Access to sensitive data by Third-Party Entities is continuously monitored and tracked. | [ ] | [ ] | [ ] | [ ] | [ ]
Part 4: Open-ended Suggestions.
Instructions: Please provide any additional recommendations or comments in the spaces below.
  • Cybersecurity and Risk Management: Suggestions regarding general cybersecurity practices and cyber risk management.
  • Internal Management: Suggestions for improving internal cyber risk management processes within the organization.
  • Additional Comments: Any other comments or suggestions related to this study.

References

  1. Bank of Thailand. 2019. Bank of Thailand Notification No. SorNorSor. 21/2562 Re: Rules on Information Technology Risk Management of Financial Institutions. Bangkok: Bank of Thailand. Available online: https://services.google.com/fh/files/misc/bot_announcement_sornorsor_21_2562_re_it_risk_gcp.pdf (accessed on 24 October 2025).
  2. Basel Committee on Banking Supervision. 2011. Principles for the Sound Management of Operational Risk. Basel: Bank for International Settlements. Available online: https://www.bis.org/publ/bcbs195.pdf (accessed on 24 October 2025).
  3. Bouveret, Antoine. 2018. Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment. IMF Working Paper No. 18/143. Washington: International Monetary Fund.
  4. Chua, Yi Ting, Hyoungshick Park, Weiqing Chang, and David Eargle. 2019. Identifying Unintended Harms of Cybersecurity Countermeasures. Paper presented at APWG Symposium on Electronic Crime Research (eCrime), Pittsburgh, PA, USA, November 13–15; pp. 1–13.
  5. Cronbach, Lee J. 1990. Essentials of Psychological Testing, 5th ed. New York: Harper & Row.
  6. Gordon, Lawrence A., and Martin P. Loeb. 2002. The economics of information security investment. ACM Transactions on Information and System Security 5: 438–57.
  7. Kaewsa-ard, Anawin, and Nattavee Utakrit. 2021. Cyber Security Risk Management Guidance for Enterprise. National Defence Studies Institute Journal 12: 6–20. Available online: https://so04.tci-thaijo.org/index.php/ndsijournal/article/view/245941 (accessed on 24 October 2025).
  8. National Institute of Standards and Technology (NIST). 2018. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. Gaithersburg: U.S. Department of Commerce.
  9. Ng, Byung-Yeol, Atreyi Kankanhalli, and Yunjie Xu. 2009. Studying Users’ Computer Security Behavior: A Health Belief Perspective. Decision Support Systems 46: 815–25.
  10. Tunyavikrom, Karin, and Teera Kulsawat. 2021. Information technology security management: A case study of personal data protection in electronic transaction of Thai commercial banks. Journal of Buddhist Social Sciences and Anthropology 6: 371–86.
  11. Vance, Anthony, Bonnie Brinton Anderson, C. Brock Kirwan, and David Eargle. 2014. Using Measures of Risk Perception to Predict Information Security Behavior: Insights from Electroencephalography (EEG). Journal of the Association for Information Systems 15: 679–722.
  12. Wairak, Pitchaya. 2019. A Study of Cybersecurity Measures for Financial Institutions. Master’s thesis, Faculty of Political Science, Chulalongkorn University, Bangkok, Thailand.
  13. Wired Staff. 2016. The Insane $81M Bangladesh Bank Heist: Here’s What We Know. Wired. May 17. Available online: https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/ (accessed on 24 October 2025).
  14. World Economic Forum. 2024. The Global Risks Report 2024, 19th ed. Geneva: World Economic Forum. Available online: https://www.weforum.org/reports/global-risks-report-2024/ (accessed on 24 October 2025).
Figure 1. Research methodology flowchart. This three-phase process is designed to empirically assess the six dimensions of the Bank of Thailand’s Cyber Resilience Assessment Framework and their impact on organizational readiness.
Table 1. Demographic profile of survey respondents (N = 53).

Characteristic | Category | Frequency (n) | Percentage (%)
--- | --- | --- | ---
Gender | Male | 40 | 75.5
 | Female | 13 | 24.5
 | Total | 53 | 100.0
Age Group | Below 25 years | 2 | 3.8
 | 25–35 years | 16 | 30.2
 | 36–45 years | 33 | 62.2
 | 46–55 years | 2 | 3.8
 | Total | 53 | 100.0
Education Level | Bachelor’s Degree | 24 | 45.3
 | Master’s Degree | 29 | 54.7
 | Total | 53 | 100.0
Years of Service | Below 5 years | 6 | 11.3
 | 5–10 years | 8 | 15.1
 | 10+ years | 39 | 73.6
 | Total | 53 | 100.0
Current Position | C-Level/Head of Security | 1 | 1.9
 | Cyber Operations Specialist | 16 | 30.2
 | Data Protection Officer (DPO) | 2 | 3.8
 | Data Processor | 1 | 1.9
 | Others | 33 | 62.2
 | Total | 53 | 100.0
Table 2. Mean and standard deviation of perceived cybersecurity maturity levels (N = 53).

Cybersecurity Domain | Mean (x̄) | Std. Deviation (S.D.) | Interpretation
--- | --- | --- | ---
Governance | 4.38 | 0.50 | High
Identification | 4.28 | 0.51 | High
Protection | 4.11 | 0.58 | High
Detection | 4.09 | 0.57 | High
Response and Recovery | 4.08 | 0.55 | High
Third-Party Risk Management | 4.01 | 0.56 | High
Overall | 4.19 | 0.37 | High
Table 3. Multiple regression results (N = 53).

Predictor Variables | Coef. (β) | t-Value | p-Value | VIF
--- | --- | --- | --- | ---
(Constant) | 1.167 | 5.203 | <0.001 *** | -
X1: Governance | −0.010 | −0.075 | 0.940 | 8.82
X2: Identification | 0.627 | 2.751 | 0.008 ** | 25.02
X3: Protection | −0.432 | −2.698 | 0.010 * | 15.85
X4: Detection | 0.187 | 1.365 | 0.179 | 11.22
X5: Response and Recovery | 0.293 | 1.728 | 0.091 | 15.96
X6: Third-Party Risk Management | 0.050 | 0.496 | 0.623 | 5.99

R² = 0.817, Adjusted R² = 0.793, and F = 34.15 (p < 0.001); * p < 0.05, ** p < 0.01, and *** p < 0.001. Robustness Check: Given the high VIF values inherent in interrelated maturity frameworks, 5000-resample bootstrapping was applied to ensure the stability of the parameter estimates and the reliability of the confidence intervals.
Table 4. Pearson’s Correlation Matrix (N = 53).

Domains | (1) | (2) | (3) | (4) | (5) | (6) | (7)
--- | --- | --- | --- | --- | --- | --- | ---
(1) Governance (X1) | 1 | | | | | |
(2) Identification (X2) | 0.87 ** | 1 | | | | |
(3) Protection (X3) | 0.68 ** | 0.91 ** | 1 | | | |
(4) Detection (X4) | 0.53 ** | 0.76 ** | 0.89 ** | 1 | | |
(5) Response (X5) | 0.57 ** | 0.68 ** | 0.78 ** | 0.89 ** | 1 | |
(6) Third-Party (X6) | 0.46 ** | 0.57 ** | 0.62 ** | 0.74 ** | 0.89 ** | 1 |
(7) Readiness (Y) | 0.72 ** | 0.80 ** | 0.75 ** | 0.79 ** | 0.81 ** | 0.74 ** | 1

** Correlation is significant at the 0.01 level (2-tailed). The correlation between Governance (1) and Third-Party (6) at 0.46 represents the weakest structural link in the framework.