A risk strategy, enterprise risk management, and security analytics models

Cheryl Ann Alexander; Lidong Wang

doi:10.55976/jdh.42025144088-95

Home /

Archives /

Journal of Digital Health, Volume 4 Issue 1, 2025 /

Perspective

A risk strategy, enterprise risk management, and security analytics models

Cheryl Ann Alexander ¹ ^* , Lidong Wang ²

1. Institute for IT Innovation and Smart Health, Mississippi, USA
2. Institute for Systems Engineering Research, Mississippi State University, Mississippi, USA

Correspondence: cannalexander68@gmail.com

DOI: https://doi.org/10.55976/jdh.42025144088-95

Received

30 July 2025
Revised

20 October 2025
Accepted

08 November 2025
Published

13 November 2025

Cybersecurity Risk metrics Healthcare Enterprise risk management (ERM) Artificial intelligence (AI) Digital health

Abstract

Risks and risk management are one of the significant aspects in cybersecurity. This paper presents a risk strategy and a strategic vision of cybersecurity and introduces enterprise risk management (ERM), ERM models, and risk management models in healthcare. A case study introducing ERM in healthcare is also presented. The case study includes the ERM framework, common approaches to measuring cyber risks, specific risk metrics and key performance indicators, and cyber threats and cybersecurity enhancement. A strategic vision of cybersecurity should be more oriented to advanced systems and cutting-edge technologies, including intrusion detection systems (IDS), intrusion prevention systems (IPS), big data analytics, blockchain, quantum computing, and artificial intelligence (AI)/machine learning (ML)/deep learning (DL). Risk metrics can use qualitative, quantitative, or hybrid methods. Developing, selecting, and implementing advanced risk metrics using quantitative methods is significant. The Health Insurance Portability and Accountability Act (HIPAA) provides a cybersecurity framework for healthcare.

<h5>1. Introduction</h5>
A risk strategy, enterprise risk management, and security analytics models are significant for the cybersecurity of enterprises, especially in healthcare systems. Risk assessment and risk metrics can use qualitative, quantitative, or hybrid methods <a href="#reference_list_0">[1]</a>. How the development of a risk-averse cybersecurity ecosystem brings value to an organization was discussed. Evidence-based (scientific) methods in cybersecurity risk management should be promoted. Seeking improvements with more quantitative and scientifically sound methods in risk management and decision-making should be encouraged <a href="#reference_list_1">[2]</a>.
Many efforts for improvements have been made, and researchers have presented a dynamic systemic approach for cyber risk management of enterprise networks using a principal-agent framework to deal with the relationships between the principal (asset owner) and the agent (cyber risk manager). The principal delegates risk management tasks, such as network monitoring and software patching, to the agent, as illustrated in Figure 1 <a href="#reference_list_2">[3]</a>.
<img src="https://file.luminescience.cn/69153fad40e011763000237" alt="" width="504" height="300" />
Figure 1. Cyber risk management for an enterprise network <a href="#reference_list_2">[3]</a>
Some quantitative and scientifically sound methods in risk management have been developed. For example, a deep reinforcement learning-assisted network awareness, risk perception, and prevention model (DRL-NARPP) has been developed to detect malicious activities in IoT networks. The DRL-NARPP model is shown in Figure 2 <a href="#reference_list_3">[4]</a>. Data pre-processing involves converting raw data into a comprehensible format, including normalizing, standardizing, and scaling data. Cyber data encoding enables feature mapping of a dataset. Researchers have explored the application of reinforcement learning (RL) in network awareness, risk perception, and prevention <a href="#reference_list_3">[4]</a>.
<img src="https://file.luminescience.cn/6915400e4dca11763000334" alt="" width="750" height="298" />
Figure 2. A proposed DRL-NARPP model <a href="#reference_list_3">[4]</a>
The primary purpose of the research in this paper is to deal with risk strategy and a strategic vision of cybersecurity, ERM, ERM models, and risk management models in healthcare. The remainder of this paper is organized as follows: the second section presents a risk strategy and a strategic vision of cybersecurity; the third section introduces ERM and ERM models; the fourth section presents risk management models in healthcare; the fifth section is a case study of ERM in healthcare, including the ERM framework, common approaches to measuring cyber risks, specific risk metrics and key performance indicators, and cyber threats and cybersecurity enhancement in the Emerald Healthcare System in Texas, USA; the sixth section is the conclusion.
<h5>2. A risk strategy and a strategic vision of cybersecurity</h5>
A security intelligence model can be implemented as part of a cybersecurity strategy. The Open Systems Interconnect Model is shown in Figure 3 <a href="#reference_list_4">[5]</a>. The security intelligence model is the same as the Open Systems Interconnect Model. It is designed to be operated completely each time it is employed to achieve optimal effectiveness. A user of this model starts in the upper left, goes down to the bottom left, proceeds to the bottom right through the physical medium for interconnection, and then goes up, ending in the upper right of the security intelligence model <a href="#reference_list_4">[5]</a>. A strategic vision of cybersecurity lies in adopting or utilizing advanced systems and technologies, including IDS/IPS, big data analytics, blockchain, AI/ML/DL, and quantum computing.
<img src="https://file.luminescience.cn/691541f74fe991763000823" />
Figure 3. The open systems interconnect model (used as a security intelligence model) <a href="#reference_list_4">[5]</a>
<h5>3. ERM and ERM models</h5>
ERM is an integrated and holistic approach to risk management that enables an organization to be more strategic. Table 1 <a href="#reference_list_5">[6]</a> shows a comparison between ERM and traditional risk management. The bow tie is a risk analysis and management tool utilized in ERM. It is a visual risk assessment tool that features the concepts of fault and event trees employed in quantitative risk assessment and has been used in various industries. However, it has not been applied widely in healthcare <a href="#reference_list_5">[6]</a>.
<img src="https://file.luminescience.cn/691542f34a3d01763001075" alt="" width="600" height="326" />
Many professionals consider risk management (RM) a holistic method. The holistic approach to RM, developed from a comprehensive perspective and employed by companies, is called enterprise risk management (ERM). ERM is presented as a cutting-edge method for controlling the risks of organizations. Data mining has been a very practical technology in ERM. ERM is categorized into four levels, as shown in Table 2 <a href="#reference_list_6">[7]</a>.
<img src="https://file.luminescience.cn/691545a46d7661763001764" alt="" width="700" height="675" />
Various maturity models for cybersecurity risk management in an organization are described, as illustrated in Figure 4 <a href="#reference_list_1">[2]</a>. The details are listed as follows <a href="#reference_list_1">[2]</a>:
<ul>
<li>The operational security metrics maturity model: a matrix of standard questions and data sources.</li>
<li>Sparse data analytics (SDA): Quantitative methods are used to model risks based on limited data at the earliest metrics stage for new security investments.</li>
<li>Functional security metrics: Aimto optimize the effectiveness of vital operational security areas.</li>
<li>Security data marts: Measure across security domains usinglarge datasets.</li>
<li>Prescriptive security analytics: Provide optimized security recommendations for decision-making.</li>
</ul>
<img src="https://file.luminescience.cn/691545ee70abb1763001838" alt="" width="450" height="346" />
Figure 4. Security analytics maturity models <a href="#reference_list_1">[2]</a>
Proactively recognizing and dealing with risks is urgent. A model that significantly contributes to risk resilience throughout the enterprise security risk management cycle is illustrated in Figure 5 <a href="#reference_list_7">[8, 9]</a>.
<img src="https://file.luminescience.cn/6915461042d8a1763001872" alt="" width="300" height="302" />
Figure 5. An enterprise security risk management cycle <a href="#reference_list_7">[8, 9]</a>
<h5>4. Risk management models in healthcare</h5>
An AI model was proposed to manage risks in healthcare institutions. A trendy data source, social media, and user interactions are utilized in the model to identify or assess potential risks. Natural language processing (NLP) was applied to analyze users’ tweets. Big data analytics (BDA) was employed for the dimensional reduction of data and effective data management. A framework linking risk management, healthcare, and BDA of social media was presented, including risk monitoring, identification, assessment, and control in the framework <a href="#reference_list_9">[10]</a>. The effectiveness of ERM models in healthcare can be measured using qualitative, quantitative, or hybrid methods.
Blockchain for healthcare risk management was studied in a conceptual model of information management for managing healthcare risks, and how blockchain can solve concurrent problems in the management of healthcare risks was also explored. Figure 6 <a href="#reference_list_10">[11]</a> presents a proposed risk management process.
<img src="https://file.luminescience.cn/691546632b59c1763001955" alt="" width="300" height="250" />
Figure 6. A risk management process <a href="#reference_list_10">[11]</a>
The clinical risk management (CRM) model was proposed based on root cause analysis (RCA), failure mode and effects analysis (FMEA), and the systems engineering initiative for patient safety (SEIPS) model. The cumulative burden of healthcare-related adverse events (HAEs) reflects both the severity and the rate of each HAE and has been proven to be a useful output parameter of the CRM model. The elements of the CRM model are shown in Table 3 <a href="#reference_list_11">[12]</a>.
<img src="https://file.luminescience.cn/6915472172c8f1763002145" alt="" width="700" height="738" />
<h5>5. A case study of ERM in healthcare</h5>
Emerald Healthcare System is a not-for-profit corporation dedicated to developing medical programs, healthcare services, and research. The system’s three hospital campuses, plus several outpatient facilities, provide a broad spectrum of care. Services provided by over 1,550 medical staff members and more than 10,300 employed professionals make Emerald Healthcare System one of the largest healthcare providers in Texas, USA.
The ERM framework in the Emerald healthcare system
ERM offers many benefits. In the Emerald Healthcare System, ERM provides 1)  a complete framework intended for making risk management decisions; 2) superior efficiency; and 3) improved risk management, providing an all-inclusive and interconnected visibility into risks and efficient allocation of resources for managing risks. To help entities assess, identify, and prepare for probable cyber risks, the ERM model provides a substantial framework in the Emerald Healthcare System that lays out procedures, processes, and instruments for governing risks at the enterprise level. It functions in the following manner:
<ul>
<li>Tailored risk assessment: ensures customizedrisk management practices for different units.</li>
<li>Holistic risk management: providesinclusive visibility, which is crucial for successfully and steadily managing risk across the healthcare system.</li>
</ul>
HIPAA implements controls to secure and protect the privacy of electronic health information and provides a cybersecurity framework that requires healthcare organizations to establish controls for safeguarding and protecting the privacy of electronic health information. HIPAA is implemented in the Emerald Healthcare System.
Common approaches to measuring cyber risks in the Emerald healthcare system
<ul>
<li>Perform comprehensive assessments on risk and vulnerability. Risk assessment includes risk analysis and risk prioritization. Risk analysis can involve qualitative and quantitative risk models to analyze the impact and likelihood of cyber threats.</li>
<li>Both quantitative and qualitative risk models are used. Qualitative analysis maps specific risks depending on their probability of occurrence (very low to very high) as opposed to their impacts (very low to very high). A risk with "high impact, high probability"indicates a severe risk that needs immediate Quantitative risk assessment measures a cyber risk (from a statistical perspective) to quantify a precise cost or likelihood of the incidence of the risk.</li>
</ul>
Specific risk metrics and key performance indicators in the Emerald healthcare system
To guarantee the security of data and the safety of the healthcare system, the Emerald Healthcare System uses metrics and key performance indicators (KPIs). Metrics can be used to track quantitative data to ensure the protection of data and other technological assets. Popular cybersecurity metrics and KPIs in the Emerald Healthcare System include the number of security incidents, phishing attacks, intrusion attempts, mean-time metrics and KPIs, such as mean-time to detect, mean-time to respond, and mean-time to resolve.
Cyber threats and cybersecurity enhancement in the Emerald healthcare system
The top cybersecurity threats in 2024 are ransomware, social engineering, third-party exposure, and artificial intelligence cyber threats. Instances of healthcare cyber threats include ransomware, social engineering attacks, third-party data breaches, phishing, and hacking of IoMT (Internet of Medical Things) devices. For example, insulin pumps, pacemakers, or other IoMT devices can be hacked to dangerously alter their functions. Such IoMT devices can be fatally hacked or hijacked. Phishing is one of the most predominant cybersecurity threats in healthcare.     
The protection of patient data is one of the primary and crucial roles of cybersecurity in healthcare. The Emerald Healthcare System uses strong passwords, changes them regularly, employs firewalls, installs and maintains anti-virus software, controls access to protected health information and protects mobile devices to improve cybersecurity in healthcare.
<h5>6. Conclusion</h5>
Because cybercriminals also use advanced technologies such as AI, a strategic vision for cybersecurity should be more oriented to advanced systems and cutting-edge technologies, including IDS/IPS, big data analytics, blockchain, AI/ML/DL, and quantum computing. The benefits of ERM and maturity models should be explored for specific cyber risk environments. Risk metrics can be qualitative, quantitative, or in hybrid methods. Developing, selecting, and implementing advanced risk metrics using quantitative methods is significant and should be encouraged in many situations. Protecting patient data is one of the primary and crucial roles of cybersecurity in healthcare. HIPAA implements controls to secure and protect the privacy of electronic health information, providing a cybersecurity framework for healthcare. There is much work to do on how to achieve the strategic objective and what additional methodologies or tools should be developed. Although part of the strategic objective has been achieved or is being achieved, some methods or tools are still under development to complete the fulfillment of the strategic objective, which is a limitation of this study. 
<h5>Acknowledgement</h5>
The authors would like to express their thanks to Technology and Healthcare Solutions, USA, for its help and support.
<h5>Conflict of interest</h5>
The authors declare that there is no conflict of interest.
<h5>Funding</h5>
No external funding was received for this research.
<h5>Authors' contributions</h5>
Conceptualization: CAA, LW; writing the original draft: CAA; manuscript editing, reviewing, and revisions: CAA, LW.
<h5>Availability of data and materials</h5>
Not applicable.

References

[1]He L. Assessing the smart city: A review of metrics for performance assessment, risk assessment and construction ability assessment. Cogent Economics & Finance. 2023; 11(2):2273651. doi: 10.1080/23322039.2023.2273651.

[2]Hubbard DW, Seiersen R. How to measure anything in cybersecurity risk. John Wiley & Sons; 2023.

[3]Chen J, Zhu Q, Başar T. Dynamic contract design for systemic cyber risk management of interdependent enterprise networks. Dynamic Games and Applications. 2021;11(2):294-325. doi: 10.1007/s13235-020-00363-y.

[4]Xie J. Application study on the reinforcement learning strategies in the network awareness risk perception and prevention. International Journal of Computational Intelligence Systems. 2024;17(1):112. doi: 10.1007/s44196-024-00492-x.

[5]Wittkop J. Building a comprehensive IT security program: practical guidelines and best practices. Apress Berkeley, CA; 2016.

[6]Elamir H. Enterprise risk management and bow ties: going beyond patient safety. Business Process Management Journal. 2020;26(3):770-85. doi: 10.1108/BPMJ-03-2019-0102.

[7]Akbaş MÇ. Measuring the impact of enterprise risk management on performance, value, and risk indicators of Borsa Istanbul XBANK companies with data mining prediction models. Humanities and Social Sciences Communications. 2024;11(1):1-9. doi:10.1057/s41599-024-03871-z.

[8]Allen B, Loyear R, Enterprise security risk management: concepts and applications. Rothstein Associates, Incorporated, Brookfield, Connecticut, USA, 2017.

[9]Marquez-Tejon J, Jimenez-Partearroyo M, Benito-Osorio D. Security as a key contributor to organisational resilience: a bibliometric analysis of enterprise security risk management. Security Journal. 2021;35(2):600. doi:10.1057/s41284-021-00292-4.

[10]Darwiesh A, El-Baz AH, Abualkishik AZ, Elhoseny M. Artificial intelligence model for risk management in healthcare institutions: towards sustainable development. Sustainability. 2022;15(1):420. doi: 10.3390/su15010420.

[11]Chung IB, Caldas C. Applicability of blockchain-based implementation for risk management in healthcare projects. Blockchain in Healthcare Today. 2022;5:10-30953. doi: 10.30953/bhty.v5.191.

[12]Kleymenova E, Matrosova E, Yashina L, Nazarenko G, Gerasimova N. Systemic approach to the clinical risks management in a healthcare organization. Procedia Computer Science. 2022;213:385-90. doi: 10.1016/j.procs.2022.11.082.

Download PDF

Download XML

How to Cite

Alexander, C. A., and L. Wang. “A Risk Strategy, Enterprise Risk Management, and Security Analytics Models”. Journal of Digital Health, vol. 4, no. 1, Nov. 2025, pp. 88-95, doi:10.55976/jdh.42025144088-95.

Download Citation

Issue

Journal of Digital Health, Volume 4 Issue 1, 2025

Section

Perspective

License

This work is licensed under a Creative Commons Attribution 4.0 International License.

Copyright licenses detail the rights for publication, distribution, and use of research. Open Access articles published by Luminescience do not require transfer of copyright, as the copyright remains with the author. In opting for open access, the author(s) should agree to publish the article under the CC BY license (Creative Commons Attribution 4.0 International License). The CC BY license allows for maximum dissemination and re-use of open access materials and is preferred by many research funding bodies. Under this license, users are free to share (copy, distribute and transmit) and remix (adapt) the contribution, including for commercial purposes, providing they attribute the contribution in the manner specified by the author or licensor.

Home /

Archives /

Journal of Digital Health, Volume 4 Issue 1, 2025 /

Perspective

A risk strategy, enterprise risk management, and security analytics models

Abstract

How to Cite

Issue

Section

License

Follow Luminescience

Further Information

Home / Archives / Journal of Digital Health, Volume 4 Issue 1, 2025 / Perspective

A risk strategy, enterprise risk management, and security analytics models

Abstract

How to Cite

Issue

Section

License

Follow Luminescience

Further Information

Home /

Archives /

Journal of Digital Health, Volume 4 Issue 1, 2025 /

Perspective