Development and Validation of a Cybersecurity Model for Ransomware Mitigation Based on NIST CSF 2.0: The Case Study of a Peruvian Micro-Small Enterprise
Received: 26 June 2025 | Revised: 23 August 2025 | Accepted: 2 September 2025 | Online: 8 December 2025
Corresponding author: Juan Mansilla-Lopez
Abstract
This study proposes a pragmatic cybersecurity model grounded in the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 2.0 to mitigate ransomware in Peruvian Micro and Small Enterprises (MSEs). Through a single-case study of a transportation-sector MSE, following a case study methodology proposed in a previous study, the research proceeds in three stages: (1) cybersecurity posture diagnosis, (2) model design, and (3) expert validation. The model's five-phase structure (Organizational Profile Scope Definition, Critical Assets Identification, Risk Analysis, Cybersecurity Control Selection, and Action Plan Development) addresses MSEs' resource constraints while aligning with the NIST CSF 2.0 functions. Expert evaluation yielded an average score of 3.74 out of 5 across nine assessment categories, with a Standard Deviation (SD) of 0.21; categories such as "Risk Assessment" and "Sustainability and Adaptability" received the highest score of 4 out of 5. This modular, cost-free approach bridges the framework adoption gap in resource-constrained enterprises and presents a feasible alternative to existing cybersecurity standards. Although validated through a single case, the proposed framework provides practical guidance for MSEs and establishes a foundation for future research across diverse sectors and geographic locations.
Keywords:
cybersecurity, National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), ransomware, risk management, Micro and Small Enterprises (MSEs)
License
Copyright (c) 2025 Lorenzo Biggi, Jorge Rioja, Pedro Castaneda, Juan Mansilla-Lopez, Alberto Daniel Garcia-Nunez

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain the copyright and grant the journal the right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) after its publication in ETASR with an acknowledgement of its initial publication in this journal.
