Method for Evaluating Cyber Risk Management Frameworks
摘要
The increasing sophistication of cyber threats has guided organizations to adopt cybersecurity risk management frameworks as a key strategy to address these challenges. However, effectively evaluating these frameworks remains a significant challenge. This study introduces the Evaluating Cyber Risk Frameworks (e-CRF) method, a systematic approach for assessing cybersecurity risk management frameworks based on criteria such as comprehensiveness, adaptability, effectiveness, and regulatory compliance. Although e-CRF has been tested with frameworks such as the NIST Cybersecurity Framework and CIS Controls, it is designed to apply to any framework, free or commercial. The e-CRF was validated by information security experts who used a software prototype to assign weights and scores to the evaluation criteria. The results show that e-CRF eases the standardization of the evaluation process, highlighting significant performance differences and providing valuable insights for selecting and continuously improving cybersecurity frameworks.