Using Performance Measurements to Evaluate and Strengthen Information System Security



Shirley M. Radack


This bulletin summarizes information disseminated in NIST Special Publication (SP) 800-55, Revision 1, Performance Measurement Guide for Information Security, by Elizabeth Chew, Marianne Swanson, Kevin Stine, Nadya Bartol, Anthony Brown, and Will Robinson. The guide provides specific advice on developing, selecting, and implementing information system-level and program-level performance measures, and then using the performance measures to evaluate the adequacy of existing security controls, policies, and procedures. The bulletin covers performance measurement processes that help managers decide which security controls are non-productive and where to invest in additional information security resources. It also addresses the performance measurement development and implementation processes and how measures can be used to adequately justify information security investments and support risk-based decisions.
ITL Bulletin -


Data collection, FISMA, information systems security, information technology, performance data, performance measurement, risk management, security controls, security management, security measurements.


Radack, S. (2008), Using Performance Measurements to Evaluate and Strengthen Information System Security, ITL Bulletin, National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed April 22, 2024)
Created September 18, 2008, Updated October 15, 2008