
Measurements for Information Security


Overview

Every organization wants to gain maximum value and effect for its finite cybersecurity-related investments. This includes managing risk to the enterprise and optimizing the potential reward of cybersecurity policies, programs, and actions. Organizations frequently make go-ahead decisions by comparing scenarios that differ in projected cost with associated likely benefits and risk reduction. However, these scenarios are often based on a “best guess.” Increasingly, senior executives are asking for a more accurate and quantitative portrayal of these factors, their effectiveness and efficiency, and how they might change risk exposure. Providing reliable answers to these questions requires a systematic approach to cybersecurity measurement. That includes taking into account the limits of current knowledge. The goal of cybersecurity measurement efforts and tools is to enable and improve the quality and utility of information to support technical and high-level decision making. Those decisions made at the higher level can affect the entire enterprise and ideally should be made with broader and more purposeful management of risk in mind. 

Even as cybersecurity-based risks and the costs of dealing with those risks are increasing, measuring cybersecurity remains an under-developed topic – one in which there is not even a standard taxonomy for terms such as “measurements” and “metrics.” Development of, and agreement on, reliable ways to measure risk and effectiveness would be a major advancement and contribution not only to the cybersecurity community but much more broadly. These measures would take into account not only the very specific performance of individual elements of a cybersecurity system but also the system-wide implications and impact on the wider enterprise. Measuring individual component performance is important. However, measuring the system’s overall ability to identify, protect against, detect, respond to, and recover from cybersecurity threats is the real aim of a robust cybersecurity measurement program established by any enterprise.

Building on its previous efforts, NIST is undertaking a more focused program on measurements related to cybersecurity. The goal is to support the development and alignment of technical measurements to determine the effect of cybersecurity initiatives and responses on high-level organizational objectives that will support decision making by senior executives and oversight by boards of directors. The initiative will involve and rely upon extensive collaboration with the research, business, and government sectors, including those already offering measurement tools and services.

Initiative scope and activities:

NIST plans to:

  • Create a compilation of tools, research, and standards and guidelines at NIST that address cybersecurity measurements. These are referred to on this website. This portfolio of resources and activities will be expanded.
  • Participate actively in voluntary standards initiatives related to cybersecurity measurements.
  • Launch a collaboration space for the community to share views and resources relating to cybersecurity measurements.
  • Develop a roadmap to address and advance cybersecurity measurement challenges and solutions.

The near-term activities will focus on building consensus on definitions as well as developing a common taxonomy and nomenclature. With further research and collaboration to provide a more rounded perspective, the roadmap will address shared objectives and activities that could eventually provide much more practical assistance to those who make cybersecurity deployment decisions.

The National Institute of Standards and Technology (NIST) is planning to update NIST Special Publication (SP) 800-55 Revision 1, Performance Measurement Guide for Information Security. For more details on the opportunity to provide input, please visit https://csrc.nist.gov/publications/detail/sp/800-55/rev-2/draft

Created September 15, 2020, Updated September 24, 2020