[The Measurement for Information Security program develops guidelines, tools, and resources to improve the quality and utility of information to support technical and high-level decision making.]
Every organization wants to gain maximum value and effect for its finite cybersecurity-related investments. This includes managing risk to the enterprise and optimizing the potential reward of cybersecurity policies, programs, and actions. Organizations frequently make go-ahead decisions by comparing scenarios that differ in projected cost against their likely benefits and risk reduction. However, these scenarios are often based on a “best guess.” Increasingly, senior executives are asking for a more accurate and quantitative portrayal of these factors, their effectiveness and efficiency, and how they might change risk exposure. Providing reliable answers to these questions requires a systematic approach to cybersecurity measurement, one that takes into account the limits of current knowledge. The goal of cybersecurity measurement efforts and tools is to enable and improve the quality and utility of information to support technical and high-level decision making. Decisions made at the higher level can affect the entire enterprise and ideally should be made with broader and more purposeful risk management in mind.
Even as cybersecurity-based risks and the costs of dealing with those risks are increasing, measuring cybersecurity remains an under-developed topic – one in which there is not even a standard taxonomy for terms such as “measurements” and “metrics.” Development of, and agreement on, reliable ways to measure risk and effectiveness would be a major advancement and contribution not only to the cybersecurity community but much more broadly. These measures would take into account not only the very specific performance of individual elements of a cybersecurity system but also the system-wide implications and impact on the wider enterprise. Measuring individual component performance is important. However, measuring the system’s overall ability to identify, protect, detect, respond, and recover from cybersecurity threats is the real aim of a robust cybersecurity measurement program in any enterprise.
Building on its previous efforts, NIST is undertaking a more focused program on measurements related to cybersecurity. The goal is to support the development and alignment of technical measurements to determine the effect of cybersecurity initiatives and responses on high-level organizational objectives that will support decision making by senior executives and oversight by boards of directors. The initiative will involve and rely upon extensive collaboration with the research, business, and government sectors, including those already offering measurement tools and services.
NIST plans to:
The near-term activities will focus on building consensus on definitions as well as developing common taxonomy and nomenclature. With further research and collaboration to provide a more rounded perspective, the road map will address shared objectives and activities that could eventually provide much more practical assistance to those who make cybersecurity deployment decisions.
The National Institute of Standards and Technology (NIST) is planning to update NIST Special Publication (SP) 800-55 Revision 1, Performance Measurement Guide for Information Security. For more details on the opportunity to provide input, please visit https://csrc.nist.gov/publications/detail/sp/800-55/rev-2/draft