Imagine you’re the new head of cybersecurity at your company. Your team has made a solid start at mounting defenses to ward off hackers and ransomware attacks. As cybersecurity threats continue to mount, you need to show improvements over time to your CEO and customers. How do you measure your progress and present it using meaningful, numerical details?
You might want a road map for creating a practical information security measurement program, and you’ll find it in newly revised draft guidance from the National Institute of Standards and Technology (NIST). The two-volume document, whose overall title is NIST Special Publication (SP) 800-55 Revision 2: Measurement Guide for Information Security, offers guidance on developing an effective program, and a flexible approach for developing information security measures to meet your organization’s performance goals. NIST is calling for public comments on this initial public draft by March 18, 2024.
The publication is designed to be used together with any risk management framework, such as NIST’s Cybersecurity Framework or Risk Management Framework. It is intended to help organizations move from general statements about risk level toward a more coherent picture founded on hard data.
“Everyone manages risk, but many organizations tend to use qualitative descriptions of their risk level, using ideas like stoplight colors or five-point scales,” said NIST’s Katherine Schroeder, one of the publication’s authors. “Our goal is to help people communicate with data instead of vague concepts.”
Achieving this goal, according to the authors, involves moving from qualitative descriptions of risk — perhaps using broad categories such as high, medium or low risk level — to quantitative ones that carry less ambiguity and subjectivity. An example of the latter would be a statement that 98% of authorized system user accounts belong to current employees and 2% belong to former employees.
The team developed the new draft guidance partly in response to public requests and feedback from a pre-draft call for comment. Much of that feedback cited the increased availability of security-related data together with uncertainty over how to put this data to effective use. While the resulting guidance is not prescriptive, Schroeder said its tailorable approach means it can help a variety of organizations create and then improve an information security measurement program that is right for them.
“We want people to be able to figure out the process of what to measure. You don’t necessarily need to crunch every number,” she said. “For example, you might want to figure out whether your organization is responding to incidents appropriately, and you might consider factors such as your response time and impact to the mission or business such as additional staff hours, resources needed, or impact to the bottom line. Then you can present that information in a way that makes sense, even if you’re not a statistician — so that you can figure out how to do better.”
The two volumes are aimed at different audiences within an organization. The first, written mainly for information security specialists, provides guidance on how an organization can prioritize, select and evaluate specific measures to determine the adequacy of security that is already in place. The second, aimed primarily at the C-suite, outlines how an organization can develop an information security measurement program and offers a multistep workflow for implementing it over time.
The authors point out that qualitative descriptions are appropriate in certain circumstances, and that some organizations might want to use a mixture of qualitative and quantitative approaches. But focusing on measurement can aid communication within an organization, potentially helping to improve both security and resource allocation.
“When technical teams communicate with management about information security, metrics provide a common language, using trends and numbers to bridge gaps in understanding,” the authors write. “Organizations want to be able to assess if controls, policies, and procedures are working effectively, efficiently, and how the organization is impacted. Metrics can be used to help prioritize areas for growth, improvement, or re-focusing resources.”
In the Notes to Reviewers, NIST is proposing the establishment of a Community of Interest (CoI) for those interested in information security measurement to work together to share expertise, refine the body of knowledge and resources, and identify opportunities for growth and improvement.
Individuals and organizations interested in joining the Information Security Measurement CoI or submitting comments on the two-volume draft should email cyber-measures [at] list.nist.gov (cyber-measures[at]list[dot]nist[dot]gov).