Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cybersecurity measurement

Overview

Performance Measurement Guide for Information Security: Annotated Outline Available for Comment
November 14, 2022

NIST has released a working draft of NIST Special Publication (SP) 800-55 Revision 2, Performance Measurement Guide for Information Security. The public is invited to provide input by February 13, 2023, for consideration in the update.


The NIST Cybersecurity Risk Analytics Team is hosting a virtual workshop to provide an overview of the proposed changes to the publication. The workshop will be held on December 13, 2022. Visit the workshop homepage at https://www.nist.gov/news-events/events/2022/12/cybersecurity-measurement-workshop for more details.

[The Measurement for Information Security program develops guidelines, tools, and resources to help organizations improve the quality and utility of information to support their technical and high-level decision making.]

Every organization wants to gain maximum value and effect for its finite cybersecurity-related investments. This includes managing risk to the enterprise and optimizing the potential reward of cybersecurity policies, programs, and actions. Organizations frequently make decisions by comparing scenarios that differ in projected cost with the associated likely benefits and risk reduction. Often these scenarios are based on a “best guess.” Senior executives are increasingly asking for more accurate and quantitative ways to portray and assess these factors, their effectiveness and efficiency, and how they might change risk exposure. Providing reliable answers to these questions requires organizations to employ a systematic approach to cybersecurity measurement that considers current knowledge limits.

Cybersecurity measurement efforts and tools should improve the quality and utility of information to support an organization’s technical and high-level decision making about cybersecurity risks and how to best manage them. Those decisions can affect the entire enterprise, and ideally should be made with broader management of risk in mind. NIST’s cybersecurity measurements program aims to better equip organizations to purposefully and effectively manage their cybersecurity risks.

Even as cybersecurity-based risks and costs are increasing, measuring cybersecurity remains an under-developed topic – one in which there is not even a standard taxonomy for terms such as “measurements” and “metrics.” Development of, and agreement on, reliable ways to measure risk and effectiveness would be a major advancement and contribution to the cybersecurity community and broader sectors of our economy and society. These measures would take into account not only the very specific performance of individual elements of a cybersecurity system, but also the system-wide implications and impact on the wider enterprise. Measuring individual component performance is important. However, measuring the system’s overall ability to identify, protect, detect, respond, and recover from cybersecurity risks and threats should be the real aim of a robust cybersecurity measurement program.

Building on its previous efforts, NIST is undertaking a more focused program on measurements related to cybersecurity.  NIST aims to support the development and alignment of technical measurements to determine the effect of cybersecurity risks and responses on an organization’s objectives. Doing that will support decision making by senior executives and oversight by boards of directors. The NIST initiative will involve and rely upon extensive collaboration with the research, business, and government sectors, including those already offering measurement tools and services.

Initiative scope and activities:

NIST plans to:

  • Create a compilation of tools, research, and standards and guidelines that address cybersecurity measurements.  These are referred to on this website. This portfolio of resources and activities will be expanded.
  • Participate actively in voluntary standards initiatives related to cybersecurity measurements.
  • Launch a collaboration space for the community to share views and resources relating to cybersecurity measurements.
  • Develop a roadmap to address and advance cybersecurity measurement challenges and solutions.

The near-term activities will focus on building consensus on definitions as well as developing common taxonomy and nomenclature.  With further research and collaboration to provide a more rounded perspective, the road map will address shared objectives and activities that could eventually provide much more practical assistance to those who make cybersecurity deployment decisions.