Journal of Cyber Security and Risk Auditing

Analyzing Cybersecurity Risks and Threats in IT Infrastructure based on NIST Framework

by Osama Aljumaiah; Weiwei Jiang; Santosh Reddy Addula; Mohammed Amin Almaiah

Published: 2025/04/04

Abstract

Due to the increasing frequency and complexity of cyberattacks in recent years, cybersecurity management has received significant attention, particularly concerning the critical infrastructure of targeted countries. Such infrastructure contains several vulnerabilities that may be readily exploited if not adequately managed. National cybersecurity regulators require critical infrastructure organizations to regularly monitor and report their cybersecurity activities. This study assesses whether the NIST framework can effectively address most threats facing critical infrastructure and identifies any notable gaps within the framework. In this literature review, most threats reported in critical infrastructure are discussed and mapped to the NIST cybersecurity functions, concluding with a discussion of the findings. The findings indicate that human vulnerabilities (12 instances) represent one of the leading threats to critical infrastructure, appearing prominently in the reviewed sources. Human errors, negligence, lack of awareness, insufficient training, and susceptibility to social engineering significantly increase the risk of successful cyberattacks.

Keywords

Cyberattacks; NIST framework; IT Infrastructure; Risk Analysis

How to Cite the Article

Aljumaiah, O., Jiang, W., Reddy Addula, S., & Amin Almaiah, M. (2025). Analyzing Cybersecurity Risks and Threats in IT Infrastructure based on NIST Framework. Journal of Cyber Security and Risk Auditing, 2025(2), 12–26. https://doi.org/10.63180/jcsra.thestap.2025.2.2
