Development of the Risk-Weighted Cybersecurity Maturity Index (RWCMI) Based on the NIST Cybersecurity Framework 2.0 for Multi-Entity Organizations
Downloads
The rapid growth of digital transformation has increased organizational dependence on interconnected technologies while simultaneously expanding cybersecurity risks, particularly in multi-entity organizations with diverse operational characteristics and information system environments. Conventional cybersecurity maturity assessments often provide general capability measurements but have limitations in representing variations in risk exposure across security domains. This study aims to develop the Risk-Weighted Cybersecurity Maturity Index (RWCMI) based on the NIST Cybersecurity Framework (CSF) 2.0 to provide a more contextual measurement of cybersecurity maturity by integrating risk weighting into the maturity assessment process. This research employed a quantitative, model-based evaluation approach using a case study of PTPN Group, consisting of one holding company and ten subsidiaries. Data were collected through cybersecurity maturity questionnaires, expert-based risk assessments, and supporting organizational documents. The RWCMI model integrates maturity scores from 22 NIST CSF 2.0 categories with normalized risk weights derived from expert judgments. The results indicate variations in cybersecurity maturity levels among entities, with several organizations achieving targeted maturity levels while others requiring fundamental improvements. The RWCMI approach successfully identified priority improvement areas, particularly in asset management, data security, identity management, and cybersecurity governance. In conclusion, RWCMI provides a more risk-sensitive cybersecurity maturity measurement framework that supports strategic decision-making, investment prioritization, and continuous improvement of cybersecurity governance in multi-entity organizations.
Aguilera, R. V., Judge, W. Q., & Terjesen, S. A. (2015). Corporate governance and multinational enterprises. Academy of Management Annals, 9(1), 483–531. https://doi.org/10.1080/19416520.2015.1024505
Aven, T. (2016). Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1), 1–13. https://doi.org/10.1016/j.ejor.2015.12.023
Bromiley, P., McShane, M., Nair, A., & Rustambekov, E. (2015). Enterprise risk management: Review, critique, and research directions. Long Range Planning, 48(4), 265–276. https://doi.org/10.1016/j.lrp.2014.07.005
Büyüközkan, G., & Güler, M. (2025). Cybersecurity maturity model: Systematic literature review and a proposed model. Technological Forecasting and Social Change, 213, Article 123996. https://doi.org/10.1016/j.techfore.2025.123996
Cortez, E. (2022). Cybersecurity governance: Aligning cybersecurity with corporate governance frameworks. Journal of Cyber Policy, 7(2), 249–266. https://doi.org/10.1080/23738871.2022.2032464
Culot, G., Nassimbeni, G., Podrecca, M., & Sartor, M. (2021). The ISO/IEC 27001 information security management standard: Literature review and theory-based research agenda. The TQM Journal, 33(7), 76–105. https://doi.org/10.1108/TQM-09-2020-0202
European Union Agency for Cybersecurity. (2023). ENISA threat landscape 2023. https://www.enisa.europa.eu/publications/enisa-threat-landscape-2023
Hubbard, D. W., & Seiersen, R. (2016). How to measure anything in cybersecurity risk. John Wiley & Sons.
ISACA. (2019). COBIT 2019 framework: Governance and management objectives. ISACA.
International Organization for Standardization. (2018). ISO 31000:2018 risk management—Guidelines.
International Organization for Standardization. (2022). ISO/IEC 27001:2022 information security, cybersecurity and privacy protection—Information security management systems—Requirements.
Modi, C., Kuzminykh, I., & Ghita, B. (2023). Cybersecurity governance: A systematic literature review of governance mechanisms and organizational capabilities. Computers & Security, 124, Article 102992. https://doi.org/10.1016/j.cose.2022.102992
Modi, R., Kuzminykh, A., & Ghita, B. (2023). Cybersecurity metrics for governance decision-making: A systematic perspective. Computers & Security, 129, Article 103221. https://doi.org/10.1016/j.cose.2023.103221
National Institute of Standards and Technology. (2018). Risk management framework for information systems and organizations: A system life cycle approach for security and privacy (SP 800-37 Rev. 2). https://doi.org/10.6028/NIST.SP.800-37r2
National Institute of Standards and Technology. (2024). The NIST cybersecurity framework (CSF) 2.0. https://doi.org/10.6028/NIST.CSWP.29
Power, M. (2007). Organized uncertainty: Designing a world of risk management. Oxford University Press.
Rabii, A., Assoul, S., Touhami, O., & Roudies, O. (2020). Information and cyber security maturity models: A systematic literature review. Information & Computer Security, 28(4), 627–644. https://doi.org/10.1108/ICS-03-2019-0039
Romanosky, S. (2016). Examining the costs and causes of cyber incidents. Journal of Cybersecurity, 2(2), 121–135. https://doi.org/10.1093/cybsec/tyw001
Teece, D. J. (2007). Explicating dynamic capabilities: The nature and microfoundations of (sustainable) enterprise performance. Strategic Management Journal, 28(13), 1319–1350. https://doi.org/10.1002/smj.640
Turel, O., Liu, P., & Bart, C. (2019). Board-level information technology governance effects on organizational performance. European Journal of Information Systems, 28(3), 321–337. https://doi.org/10.1080/0960085X.2019.1567025
Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97–102. https://doi.org/10.1016/j.cose.2013.04.004
Weill, P., & Ross, J. W. (2004). IT governance: How top performers manage IT decision rights for superior results. Harvard Business School Press.
Wiley, J. (2024). Adaptive cybersecurity maturity models for organizations with resource constraints. Journal of Cybersecurity and Privacy, 4(1), 45–62. https://doi.org/10.1002/isd2.12350
World Economic Forum. (2023). Global cybersecurity outlook 2023. https://www.weforum.org/publications/global-cybersecurity-outlook-2023
Yeoh, W., Liu, M., Shore, M., & Jiang, F. (2023). Zero trust cybersecurity: Critical success factors and a maturity assessment framework. Computers & Security, 132, Article 103412. https://doi.org/10.1016/j.cose.2023.103412
Yeoh, W., Wang, S., Popovič, A., & Chowdhury, N. H. (2022). A systematic synthesis of critical success factors for cybersecurity. Computers & Security, 118, Article 102724. https://doi.org/10.1016/j.cose.2022.102724
Copyright (c) 2026 Ekky Cahya Dhitia

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.



