Performance Measurement Guide for Information Security: Annotated Outline Available for Comment
November 14, 2022
NIST has released a working draft of NIST Special Publication (SP) 800-55 Revision 2, Performance Measurement Guide for Information Security. The public is invited to provide input by February 13, 2023, for consideration in the update.
The NIST Cybersecurity Risk Analytics Team is hosting a virtual workshop to provide an overview of the proposed changes to the publication. The workshop will be held on December 13, 2022. Visit the workshop homepage at https://www.nist.gov/news-events/events/2022/12/cybersecurity-measurement-workshop for more details.
The Measurement for Information Security program develops guidelines, tools, and resources to help organizations improve the quality and utility of information to support their technical and high-level decision making.
Every organization wants to gain maximum value and effect for its finite cybersecurity-related investments. This includes managing risk to the enterprise and optimizing the potential reward of cybersecurity policies, programs, and actions. Organizations frequently make decisions by comparing scenarios that differ in projected cost with the associated likely benefits and risk reduction. Often these scenarios are based on a “best guess.” Senior executives are increasingly asking for more accurate and quantitative ways to portray and assess these factors, their effectiveness and efficiency, and how they might change risk exposure. Providing reliable answers to these questions requires organizations to employ a systematic approach to cybersecurity measurement that considers current knowledge limits.
Cybersecurity measurement efforts and tools should improve the quality and utility of information to support an organization’s technical and high-level decision making about cybersecurity risks and how to best manage them. Those decisions can affect the entire enterprise, and ideally should be made with broader management of risk in mind. NIST’s cybersecurity measurements program aims to better equip organizations to purposefully and effectively manage their cybersecurity risks.
Even as cybersecurity-based risks and costs are increasing, measuring cybersecurity remains an under-developed topic – one in which there is not even a standard taxonomy for terms such as “measurements” and “metrics.” Development of, and agreement on, reliable ways to measure risk and effectiveness would be a major advancement and contribution to the cybersecurity community and broader sectors of our economy and society. These measures would take into account not only the very specific performance of individual elements of a cybersecurity system, but also the system-wide implications and impact on the wider enterprise. Measuring individual component performance is important. However, measuring the system’s overall ability to identify, protect, detect, respond, and recover from cybersecurity risks and threats should be the real aim of a robust cybersecurity measurement program.
Building on its previous efforts, NIST is undertaking a more focused program on measurements related to cybersecurity. NIST aims to support the development and alignment of technical measurements to determine the effect of cybersecurity risks and responses on an organization’s objectives. Doing that will support decision making by senior executives and oversight by boards of directors. The NIST initiative will involve and rely upon extensive collaboration with the research, business, and government sectors, including those already offering measurement tools and services.
NIST plans to:
The near-term activities will focus on building consensus on definitions as well as developing common taxonomy and nomenclature. With further research and collaboration to provide a more rounded perspective, the road map will address shared objectives and activities that could eventually provide much more practical assistance to those who make cybersecurity deployment decisions.