{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,7]],"date-time":"2026-04-07T05:07:23Z","timestamp":1775538443892,"version":"3.50.1"},"reference-count":20,"publisher":"MDPI AG","issue":"7","license":[{"start":{"date-parts":[[2025,3,28]],"date-time":"2025-03-28T00:00:00Z","timestamp":1743120000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Electronics"],"abstract":"<jats:p>Cybersecurity is critical for mitigating the economic and reputational impacts of cyberattacks. To address these risks, frameworks like the NIST Cybersecurity Framework (NIST CSF) provide standardized guidelines for managing and reducing cybersecurity threats. This paper presents a maturity assessment approach aligned with the NIST CSF, incorporating a dual-survey methodology. The first survey engages cybersecurity experts to calibrate question importance, while the second targets organizations across management, IT staff, and other roles. The approach employs algorithms to deliver consistent evaluations and facilitate cross-organization comparisons. Results from case studies illustrate cybersecurity maturity levels for each NIST CSF function and highlight priority controls for enhancing organizational cybersecurity.<\/jats:p>","DOI":"10.3390\/electronics14071364","type":"journal-article","created":{"date-parts":[[2025,3,28]],"date-time":"2025-03-28T13:36:49Z","timestamp":1743169009000},"page":"1364","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":9,"title":["An Evaluation Framework for Cybersecurity Maturity Aligned with the NIST CSF"],"prefix":"10.3390","volume":"14","author":[{"given":"Lu\u00eds","family":"Bernardo","sequence":"first","affiliation":[{"name":"ADiT-Lab, ESTG, Instituto Polit\u00e9cnico de Viana do Castelo, 4900-348 Viana do Castelo, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5274-3733","authenticated-orcid":false,"given":"Silvestre","family":"Malta","sequence":"additional","affiliation":[{"name":"ADiT-Lab, ESTG, Instituto Polit\u00e9cnico de Viana do Castelo, 4900-348 Viana do Castelo, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6755-8901","authenticated-orcid":false,"given":"Jo\u00e3o","family":"Magalh\u00e3es","sequence":"additional","affiliation":[{"name":"CIICESI, ESTG, Instituto Polit\u00e9cnico do Porto, Rua do Curral, 4610-156 Felgueiras, Portugal"}]}],"member":"1968","published-online":{"date-parts":[[2025,3,28]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Malaivongs, S., Kiattisin, S., and Chatjuthamard, P. (2022). Cyber Trust Index: A Framework for Rating and Improving Cybersecurity Performance. Appl. Sci., 12.","DOI":"10.3390\/app122111174"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"47","DOI":"10.1109\/MSP.2017.3681063","article-title":"Cybersecurity Framework Adoption: Using Capability Levels for Implementation Tiers and Profiles","volume":"15","author":"Dedeke","year":"2017","journal-title":"IEEE Secur. Priv."},{"key":"ref_3","first-page":"267","article-title":"Analysis and evaluation of academic information system security using NIST SP 800-26 framework","volume":"7","author":"Poningsih","year":"2022","journal-title":"Sink. J. Dan Penelit. Tek. Inform."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"123","DOI":"10.17993\/3ctic.2021.102.123-141","article-title":"Methodology based on the NIST cybersecurity framework as a proposal for cybersecurity management in government organizations","volume":"10","author":"Esenarro","year":"2021","journal-title":"Cuad. Desarro. Apl. Las Tic"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Drivas, G., Chatzopoulou, A., Maglaras, L., Lambrinoudakis, C., Cook, A., and Janicke, H. (2020, January 13\u201317). A NIS Directive Compliant Cybersecurity Maturity Assessment Framework. Proceedings of the 2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC), Madrid, Spain.","DOI":"10.1109\/COMPSAC48688.2020.00-20"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Almuhammadi, S., and Alsaleh, M. (2017, January 25\u201326). Information Security Maturity Model for Nist Cyber Security Framework. Proceedings of the Sixth International Conference on Information Technology Convergence and Services, Sydney, Australia.","DOI":"10.5121\/csit.2017.70305"},{"key":"ref_7","unstructured":"(2012). A Business Framework for the Governance and Management of Enterprise IT (Standard No. COBIT 5)."},{"key":"ref_8","unstructured":"(2022). Information Security, Cybersecurity and Privacy Protection\u2014Information Security Management Systems\u2014Requirements (Standard No. ISO\/IEC 27001:2022)."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Saritac, U., Liu, X., and Wang, R. (2022, January 11\u201313). Assessment of Cybersecurity Framework in Critical Infrastructures. Proceedings of the 2022 IEEE Delhi Section Conference (DELCON), New Delhi, India.","DOI":"10.1109\/DELCON54057.2022.9753250"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"531","DOI":"10.1016\/j.bushor.2020.03.010","article-title":"Calculated risk? A cybersecurity evaluation tool for SMEs","volume":"63","author":"Benz","year":"2020","journal-title":"Bus. Horizons"},{"key":"ref_11","unstructured":"Bougaardt, G., and Kyobe, M. (2011, January 27\u201328). Investigating the factors inhibiting SMEs from recognizing and measuring losses from cybercrime in South Africa. Proceedings of the ICIME 2011-Proceedings of the 2nd International Conference on Information Management and Evaluation: ICIME 2011 Ryerson University, Toronto, ON, Canada."},{"key":"ref_12","unstructured":"Stasiak, K. (2024, July 15). Middle Market Companies Underestimate Cybersecurity Risks, 2018. Available online: https:\/\/www.industryweek.com\/leadership\/article\/22026028\/middle-market-companies-underestimate-cybersecurity-risks."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"410","DOI":"10.1016\/j.future.2019.12.018","article-title":"Cybersecurity vulnerability mitigation framework through empirical paradigm: Enhanced prioritized gap analysis","volume":"105","author":"Gourisetti","year":"2020","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_14","first-page":"225","article-title":"Comparative Analysis and Design of Cybersecurity Maturity Assessment Methodology Using NIST CSF, COBIT, ISO\/IEC 27002 and PCI DSS","volume":"4","author":"Sulistyowati","year":"2020","journal-title":"JOIV Int. J. Inform. Vis."},{"key":"ref_15","unstructured":"(2022). Information Security, Cybersecurity and Privacy Protection\u2014Information Security Controls (Standard No. ISO\/IEC 27002:2022)."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Arenas, E., Palomino, J., and Mansilla, J.P. (2023, January 2\u20134). Cybersecurity Maturity Model to Prevent Cyberattacks on Web Applications Based on ISO 27032 and NIST. Proceedings of the 2023 IEEE XXX International Conference on Electronics, Electrical Engineering and Computing (INTERCON), Lima, Peru.","DOI":"10.1109\/INTERCON59652.2023.10326028"},{"key":"ref_17","unstructured":"(2012). Information Technology\u2014Security Techniques\u2014Guidelines for Cybersecurity (Standard No. ISO\/IEC 27032:2012)."},{"key":"ref_18","first-page":"1","article-title":"Conceptual Design of a Cybersecurity Resilience Maturity Measurement (CRMM) Framework","volume":"23","author":"Mbanaso","year":"2019","journal-title":"Afr. J. Inf. Commun."},{"key":"ref_19","unstructured":"L.Bernardo (2025, March 18). Proposta de uma metodologia de avalia\u00e7\u00e3o da maturidade da ciberseguran\u00e7a com base no NIST CSF. Mestrado em engenharia inform\u00e1tica, Escola Superior de Tecnologia e Gest\u00e3o, Instituto Polit\u00e9cnico de Viana do Castelo, 2023. Available online: http:\/\/hdl.handle.net\/20.500.11960\/3989."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"102164","DOI":"10.1016\/j.jksuci.2024.102164","article-title":"Systematic review of deep learning solutions for malware detection and forensic analysis in IoT","volume":"36","author":"Qureshi","year":"2024","journal-title":"J. King Saud Univ.\u2014Comput. Inf. Sci."}],"container-title":["Electronics"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2079-9292\/14\/7\/1364\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T17:04:40Z","timestamp":1760029480000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2079-9292\/14\/7\/1364"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,3,28]]},"references-count":20,"journal-issue":{"issue":"7","published-online":{"date-parts":[[2025,4]]}},"alternative-id":["electronics14071364"],"URL":"https:\/\/doi.org\/10.3390\/electronics14071364","relation":{},"ISSN":["2079-9292"],"issn-type":[{"value":"2079-9292","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,3,28]]}}}