Enhancing a NIST SP 800-53-Based Cybersecurity Risk Metamodel with COBIT 2019: A Governance-Centric Perspective

Authors

  • Youssef El Marzak M2S2I Laboratory, ENSET Mohammedia, Hassan II University of Casablanca, Mohammedia, Morocco
  • Abdelilah Chahid M2S2I Laboratory, ENSET Mohammedia, Hassan II University of Casablanca, Mohammedia, Morocco
  • Sophia Faris M2S2I Laboratory, ENSET Mohammedia, Hassan II University of Casablanca, Mohammedia, Morocco
  • Khalifa Mansouri M2S2I Laboratory, ENSET Mohammedia, Hassan II University of Casablanca, Mohammedia, Morocco
Volume: 16 | Issue: 2 | Pages: 33689-33695 | April 2026 | https://doi.org/10.48084/etasr.17097

Abstract

As cybersecurity threats continue to increase in complexity and impact, organizations face challenges in aligning technical security controls with enterprise governance objectives. This paper represents a continuation of prior work on cybersecurity metamodeling and ontological integration. An enhanced hybrid cybersecurity risk metamodel is proposed, which integrates the Control Objectives for Information and Related Technologies (COBIT) 2019 governance framework into an existing National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53–based structure. The proposed model combines governance objectives, organizational design factors, and performance indicators with technical security controls using Unified Modeling Language (UML) class diagrams, the Resource Description Framework (RDF), and Web Ontology Language (OWL) ontologies to ensure semantic consistency and end-to-end traceability. Design factors enable contextual adaptability by influencing the selection and prioritization of governance objectives and security controls according to organizational and regulatory environments. In addition, performance indicators establish monitoring and feedback loops that support continuous performance evaluation and dynamic risk management. Future work will focus on empirical validation and the integration of quantitative risk assessment approaches such as Factor Analysis of Information Risk (FAIR).

Keywords:

cybersecurity, risk management, governance, NIST SP 800-53, COBIT 2019, UML, RDF/OWL, metamodel

How to Cite

Y. El Marzak, A. Chahid, S. Faris, and K. Mansouri, "Enhancing a NIST SP 800-53-Based Cybersecurity Risk Metamodel with COBIT 2019: A Governance-Centric Perspective," Eng. Technol. Appl. Sci. Res., vol. 16, no. 2, pp. 33689–33695, Apr. 2026.
