METHODOLOGY BASED ON THE NIST CYBERSECURITY FRAMEWORK AS A PROPOSAL FOR CYBERSECURITY MANAGEMENT IN GOVERNMENT ORGANIZATIONS

This research aims to propose the use of a methodology based on the NIST Framework for adequate management of cybersecurity in government organizations within the framework of the delivery of digital services. Many government organizations have been managing cybersecurity without a defined process; as a result, management is deficient and lacks indicators. The variable concerning whether they are implementing “the methodology based on the NIST cybersecurity framework” shows that 36.8% of respondents present a level in disagreement, 31.6% (6) an undecided level, 15.8% (3) a level of agreement, 10.5% (2) a level totally in disagreement and 5.3% (1) a level totally in agreement. Meanwhile, the variable “The management of cybersecurity” shows that 36.8% (7) of the Ministries surveyed present a level in disagreement, 36.8% (7) an undecided level, 15.8% (3) a level of agreement, and 10.5% (2) a level totally in disagreement. In conclusion, it has been shown that the use of the methodology based on the NIST cybersecurity framework influences cybersecurity management in government organizations, and it is clear that they are currently not using it, which causes a relatively poor level of leadership in the implementation of security measures concerning cybersecurity management.


INTRODUCTION
New information technologies have been developing more and more, giving rise to greater interaction between the internet and the person, which produces a large volume of information within cyberspace. This has led to the emergence of digital threats, which cause adverse effects on the lives of people and many institutions that fall victim to information theft. Often cybercriminals cannot be identified by the authorities, so States have to adapt their structures and use regulatory frameworks, strategies, or cybersecurity policies (Nagurney & Shukla, 2017). In the region, it is possible to highlight that there are already ten countries with a national cybersecurity policy or strategy. Recently, the Dominican Republic and Guatemala joined the list made up of Colombia, Trinidad and Tobago, Jamaica, Panama, Chile, Costa Rica, Mexico, and Paraguay (Alvarez, 2018). In the case of Peru, it could be said that it is a country with insufficient awareness in terms of digital security, risks, and protection, being one of the countries that have legislated the least in terms of cyber defense and cybersecurity, i.e., there are no national security strategies. Therefore, there is a need to take protective measures against malicious attacks within both the public and private sectors (Montes, 2020).
In a comparison made in the Cybersecurity Report 2020, it can be observed that in Peru, there  To date, after the increase of digital processes due to the state of health emergency, the amount of sensitive information that is handled online is worrying, as is the fact that many institutions, both public and private, do not have a policy or strategy to help neutralize the loss or deterioration of information or unauthorized access by cybercriminals, who steal the essential knowledge of the institutions (León, 2021). It is worth mentioning that, in these times, all organizations require and demand the use of technologies, but many of them do not know how to handle them; as far as cybersecurity is concerned, this means that they do not have a methodology for the detection of incidents. This is the reason for the great concern about the risks to which government institutions and citizens are exposed (Santos, 2020).
Cybersecurity has a value; today, we express it in the concept of digital trust, an approach that allows citizens, in general, to feel confident to use digital technologies and services (Presidency of the Council of Ministers. Government of Peru, 2018).
When the standards or methodologies that exist for adequate protection of technology are not respected or are mismanaged, a weak point appears, which creates cybersecurity breaches that compromise the confidentiality, integrity, or availability of technological assets.

NIST framework methodology
The Framework provides a common language for understanding, managing, and expressing cybersecurity risk for internal and external stakeholders. It can help identify and prioritize actions to reduce cybersecurity risk and align policy, business, and technology approaches to manage cybersecurity risk. It can also be used to manage cybersecurity risk across all parts of an organization or can be focused on the delivery of critical services within one part of the organization. Different types of entities, including sector coordination structures, associations, and organizations, can use the Framework for other purposes, including the creation of Common Profiles. The NIST framework, a set of activities and deliverables for a guide to assess organizational IT security, consists of 3 parts:
-05 High-level functions.
-23 Categories, which cover technical aspects, people and processes, with a focus on results.
It is worth mentioning that it is a tool for cybersecurity risk management, which fits any type of organization. In addition, it can be used as a key part of an organization's systematic process, and it does not replace existing processes. Rather, it determines gaps and improves them, optimizing costs and results (National Institute of Standards and Technology, 2018; Wallis, 2018; Almagro, 2019). The NIST Framework has five functions: Identify, Protect, Detect, Respond, and Recover; in each of these functions, you can see the framework categories that group strategies for managing cybersecurity in an organization (Gomez, 2019).

Cybersecurity
In essence, cybersecurity is dedicated to protecting everything that is safeguarded in the intangible medium of cyberspace: sensitive information concerning operating systems, media, national plans, innovations, and strategic infrastructure. For example, for criminals and terrorists, the connectivity of industrial control systems presents windows of opportunity for attack at points where the impact on a nation's power is most significant, highlighting the dangers posed by cyber-attacks on critical infrastructure for public welfare and economic development. Therefore, achieving cybersecurity is a joint work between government, private initiative, and citizens.
Cybersecurity is effective when cyberspace is considered reliable, secure, and flexible. Its primary objective was to prevent an attack from being carried out successfully. Currently, its goals are to prevent, detect, respond and recover. Most security professionals consider that it is impossible to avoid all attacks; that is why there must be planning and preparation that involves methods of detection and prevention of attacks (Leiva, 2015; ITU, 2018; Watson, 2019). Cybersecurity must contemplate three components for its proper management: the people, who must be trained; the processes, which must be written, defined, and implemented; and finally, the technology necessary to implement the technical controls. All three are interrelated and must be managed (Fadrell Grupo Tecnológico, 2020; Vilcarromero & Vilchez, 2018).
It is necessary to define a digital security strategy that identifies vulnerabilities and protects against cyberattacks. To do so, the following actions are defined:
-Perform backups of information and confirm the restoration process.
-Update information technology systems.
-Raise employee awareness of the importance of cybersecurity.
-Control the information environment.

Management
Management is generally defined as a social process and by the actors that embody it (Clegg, 2005; Déry, 2010). As a social process, management brings together the set of management devices that are implemented to make an organization effective and efficient. While effectiveness refers to achieving the objectives set, efficiency refers to optimizing the means in relation to the aim. As many management specialists have shown, this distinction is not neutral in implementing management practices, with some managers favoring effectiveness and others essentially favoring efficiency.

METHOD
The Experimental Research design has been selected since it handles variables of the cause-effect type.
The independent variable is of interest to the researcher because the hypothesized variable (X) is one of the causes that produce the supposed effect. Level 4= Strongly agree.
The following results were obtained:
In the NIST Framework Phases dimension, 31.58% of the respondents were undecided, 21.05% agreed, and 10.53% disagreed. In Table 3, the procedures have been implemented for intrusion detection in the organization. From Figure 3, it can be deduced that procedures for intrusion detection have been implemented in the organization.
According to Table 3 and Figure 3, 36.84% of the government organizations present an undecided level about implementing procedures for intrusion detection in the organizations. In the NIST Framework Phases dimension, 21.05% disagreed and agreed; 15.79% disagreed, and 5.26% agreed. In Table 4, a plan for incident management has been implemented. In Figure 4, a plan for incident management has been implemented.
According to Table 4 and Figure 4, 42.11% of the government organizations present a level of Disagree on implementing a plan for incident management in the organizations. Incident Level Dimension, 36.84% an undecided level; 10.53% an agreed level and 5.26% a disagree level; decide on the deck. In Table 5, a plan has been implemented for communication between areas involved in an incident. In Figure 5, the implementation of a plan for communication between areas involved in an incident.
According to Table 5 and Figure 5, 42.11% of the government organizations present an undecided level on implementing a plan for communication between areas involved before an incident in the organizations. 21.05% disagreed and disagreed; 10.53% agreed, and 5.26% agreed. Table 6 shows that all personnel are trained and informed. Figure 6 shows that all personnel are informed.
According to Table 6 and Figure 6, 36.84% of the government organizations present an undecided level about the training and education of all personnel in the organizations. In the Capabilities dimension, 26.32% disagree; 21.05% disagree; 10.53% totally agree, and 5.26% agree. Table 7 shows that there is training in cybersecurity issues.
Concerning the general statistical hypothesis, we have the following results:
Hi: using the methodology based on the NIST framework does influence cybersecurity management in government organizations.
Ho: using the methodology based on the NIST framework does not influence cybersecurity management in government organizations.
According to Table 6, when the chi-square statistic was applied, a correlation coefficient value (p) of 0.433 was obtained. As the (p) value is less than the significance level (α = 0.5), it allows us to have sufficient evidence to accept the alternative research hypothesis and reject the null hypothesis. Therefore, the use of the methodology based on the NIST framework influences cybersecurity management in government organizations.

DISCUSSION
According to Alvarez, in the region, there are already ten countries with a national cybersecurity policy or strategy; however, Peru is not among them; this can be evidenced in the lack of proper cybersecurity management that is evident in this study. Santos (2020) also speaks of the great concern for the risks to which government institutions and citizens are exposed; in this sense, I reaffirm that it is only a concern, but it has not yet been transferred to the implementation of effective measures to manage cybersecurity.

CONCLUSIONS
It was observed that most government organizations do not have formalized cybersecurity, since they do not have incident statistics; this is due to poor management by untrained personnel. It has been shown that there is an influence between the use of the methodology based on the NIST framework and cybersecurity management in government organizations, obtaining as a result Pearson's chi-square = 0.433.
It is recommended that government organizations adopt the NIST cybersecurity Framework methodology to measure cybersecurity improvement and management.