Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Security Metrics Guide for Information Technology Systems

Published

Author(s)

Marianne M. Swanson, N Bartol, J Sabato, Joan Hash, L Graffo

Abstract

[Superseded by SP 800-55 Rev. 1 (July 2008): http://www.nist.gov/manuscript-publication-search.cfm?pub_id=152183] This document provides guidance on how an organization, through the use of metrics, identifies the adequacy of in-place security controls, policies, and procedures. It provides an approach to help management decide where to invest in additional security protection resources or when to research the causes of nonproductive controls. It explains the metric development and implementation process and how it can also be used to adequately justify security control investments. The results of an effective metric program can provide useful data for directing the allocation of information security resources and should simplify the preparation of performance-related reports.
Citation
Special Publication (NIST SP) - 800-55
Report Number
800-55

Keywords

metrics, performance measures, security controls

Citation

Swanson, M. , Bartol, N. , Sabato, J. , Hash, J. and Graffo, L. (2003), Security Metrics Guide for Information Technology Systems, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD (Accessed June 18, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created August 1, 2003, Updated February 19, 2017