Development of the Risk-Weighted Cybersecurity Maturity Index (RWCMI) Based on the NIST Cybersecurity Framework 2.0 for Multi-Entity Organizations

cybersecurity maturity risk-weighted maturity index NIST Cybersecurity Framework cybersecurity risk multi-entity organization

Authors

July 16, 2026

Downloads

The rapid growth of digital transformation has increased organizational dependence on interconnected technologies while simultaneously expanding cybersecurity risks, particularly in multi-entity organizations with diverse operational characteristics and information system environments. Conventional cybersecurity maturity assessments often provide general capability measurements but have limitations in representing variations in risk exposure across security domains. This study aims to develop the Risk-Weighted Cybersecurity Maturity Index (RWCMI) based on the NIST Cybersecurity Framework (CSF) 2.0 to provide a more contextual measurement of cybersecurity maturity by integrating risk weighting into the maturity assessment process. This research employed a quantitative, model-based evaluation approach using a case study of PTPN Group, consisting of one holding company and ten subsidiaries. Data were collected through cybersecurity maturity questionnaires, expert-based risk assessments, and supporting organizational documents. The RWCMI model integrates maturity scores from 22 NIST CSF 2.0 categories with normalized risk weights derived from expert judgments. The results indicate variations in cybersecurity maturity levels among entities, with several organizations achieving targeted maturity levels while others requiring fundamental improvements. The RWCMI approach successfully identified priority improvement areas, particularly in asset management, data security, identity management, and cybersecurity governance. In conclusion, RWCMI provides a more risk-sensitive cybersecurity maturity measurement framework that supports strategic decision-making, investment prioritization, and continuous improvement of cybersecurity governance in multi-entity organizations.