Development and Validation of a Cybersecurity Model for Ransomware Mitigation Based on NIST CSF 2.0: The Case Study of a Peruvian Micro-Small Enterprise

  • Lorenzo Biggi
  • Jorge Rioja
  • Pedro Castaneda
  • Juan Mansilla-Lopez
  • Alberto Daniel Garcia-Nunez

Research output: Contribution to journal › Article › peer-review

Abstract

This study proposes a pragmatic cybersecurity model grounded in the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 2.0 to mitigate ransomware in Peruvian Micro and Small Enterprises (MSEs). Through a single-case study of a transportation-sector MSE and a case study methodology proposed in a previous study, the research advances in three stages: (1) cybersecurity posture diagnosis, (2) model design, and (3) expert validation. The model’s five-phase structure, Organizational Profile Scope Definition, Critical Assets Identification, Risk Analysis, Cybersecurity Control Selection, and Action Plan Development, addresses MSEs’ resource constraints while aligning with NIST CSF 2.0 functions. Expert evaluation yielded an average score of 3.74 out of 5 across nine assessment categories, with a Standard Deviation (SD) of 0.21, and with categories such as "Risk Assessment" and "Sustainability and Adaptability" achieving the highest given scores of 4 out of 5. This modular, cost-free approach bridges the framework adoption gap in resource-constrained enterprises and presents a feasible alternative to existing cybersecurity standards. Although validated through a single case, the proposed framework provides practical guidance for MSEs and establishes a foundation for future research across diverse sectors and geographic locations.

Original language: English
Pages (from-to): 30015-30025
Number of pages: 11
Journal: Engineering, Technology and Applied Science Research
Volume: 15
Issue number: 6
DOI
Status: Published - 2025
Externally published
