A Technology-Centric Cyber Resilience Evaluation Framework Using MITRE D3FEND for Bridging the Policy Technology Gap in Financial and Enterprise Environments

Existing Cyber Resilience Assessment Guidelines, including those of the Bank of Korea (BoK), focus on governance-oriented compliance and lack quantitative criteria for measuring the operational effectiveness of security technologies—a Policy–Technology Gap also common in general enterprise settings. To address this gap, this study proposes D3-CREF, a technology-centric cyber resilience evaluation framework that maps the MITRE D3FEND taxonomy to financial security domains and introduces a Normalized Resilience Index (NRI) aggregating four dimensions—Coverage, Maturity, Automation, and Timeliness—via a closed-form weighted geometric mean with AHP-elicited weights (consistency ratio CR = 0.04). All NRI indicators are anchored to MITRE ATT&CK techniques and exemplar CVE entries, enabling threat-informed measurement. The framework was validated through a three-round Delphi study with 50 experts (Kendall’s W = 0.78, p < 0.001; Cronbach’s α = 0.89; CVR 0.68–0.92) and a Cyber Range-based simulation. For three institutions with identical BoK scores (92/100), NRI yielded discriminative values of 0.83, 0.44, and 0.09 (CV = 0.68 vs. 0.00 for the baseline), confirming a shift from compliance-based to performance-driven assessment.