CYBERSECURITY RISK MANAGEMENT USING NIST CSF 2.0

DOI: 10.31673/2409-7292.2025.030936

Authors

  • Т. А. Іваночко (Ivanochko T. A.), Information Security Department, Lviv Polytechnic National University
  • С. А. Семенюк (Semenyuk S. A.), Information Security Department, Lviv Polytechnic National University


Abstract

The article examines cybersecurity risk management using the NIST Cybersecurity Framework (CSF), one of the most widely adopted and flexible tools in the field. The relevance of the study stems from the rapid growth in the complexity and frequency of cyberattacks that threaten business continuity, personal data security and national security. Organizations today must adapt to new types of threats, such as attacks on supply chains and the abuse of artificial intelligence technologies, while also facing a chronic shortage of qualified personnel. A systemic approach to risk management is proposed, based on NIST CSF version 2.0, which covers six functional domains, from asset and vulnerability identification to strategic cybersecurity management. A method for building a cybersecurity profile is presented that draws on the criteria of organizational maturity and the criticality of control measures, making it possible to identify gaps and set priorities for improvement. The study emphasizes the advantages of NIST CSF as an adaptive, universal and scalable tool suitable for companies of different types and sizes. The practical significance of the results lies in their applicability to Ukrainian companies with limited resources that need an effective mechanism for identifying vulnerabilities, building cyber protection policies and achieving compliance with international standards. The proposed recommendations aim to increase resilience to cyber threats and reduce the impact of digital threats on the organization's critical processes.
Keywords: information security, risk management system, standard, NIST CSF, security measures.


Published

2025-10-25

Section

Articles