Abstract: This study examined the relationship between the National Institute of Standards and Technology (NIST) risk management framework (RMF) and cybersecurity effectiveness (CSE). Since the advent of the first piece of malware or the interconnection of systems across the internet, there has been a need for cybersecurity. As cyber-attacks continue to advance, the need for effective cybersecurity becomes more prevalent across public and private sector businesses, industries, and organizations. Most cybersecurity professionals face the question of how to measure their effectiveness when it comes to preventing cyber-attacks. Using Enterprise Risk Management, in this case, NIST RMF, cybersecurity professionals know how to predict cybersecurity effectiveness. This analysis took the variables within the NIST RMF, namely preparation of use of RMF (POR), categorization of risk (COR), selection of risk controls (SOR), implementation of risk controls (IOR), assessment of risk controls (AOR), authorization of risk controls (AUOR), and monitoring of risk controls (MOR), and analyzed them against CSE. The omnibus research question was: To what extent does the preparation of use of risk management framework, categorization of risk, selection of risk controls, implementation of risk controls, assessment of risk controls, authorization of risk controls, and monitoring of risk controls correlate to cybersecurity effectiveness in the private sector? This quantitative nonexperimental correlation study identified the relationship between the RMF and CSE using a target population comprised of business management or IT and cybersecurity management within the private sector industry from the United States of America. SurveyMonkey collected respondent data for 81 participants who met the inclusion criteria of this study. Using Pearson correlation and multiple linear regression models, the data was analyzed to identify the NIST RMF and CSE's statistical significance.
This analysis shows that each variable of the NIST RMF correlates to CSE, but that the correlation was not statistically significant. When combining each of the variables within the RMF (RMF Average) and analyzing the entire framework against CSE, there was a statistically significant correlation. This study shows that by using the NIST RMF in its entirety, there is a correlation with cybersecurity effectiveness that allows management within the private sector industry to allocate and align resources to combat cyber-attack threats and risks.
Keywords: Cyber-attack, Cybersecurity effectiveness, Enterprise risk management, National Institute of Standards and Technology (NIST), Malware, Risk controls, IT professionals, Cyber-threats