CYBER SECURITY METRICS AND MEASURES

PAUL E. BLACK, KAREN SCARFONE, AND MURUGIAH SOUPPAYA

National Institute of Standards and Technology, Gaithersburg, Maryland

1 INTRODUCTION

Cyber security metrics and measures can help organizations (i) verify that their security controls are in compliance with a policy, process, or procedure; (ii) identify their security strengths and weaknesses; and (iii) identify security trends, both within and outside the organization's control. Studying trends allows an organization to monitor its security performance over time and to identify changes that necessitate adjustments in the organization's security posture. At a higher level, these benefits can be combined to help an organization achieve its mission by (i) evaluating its compliance with legislation and regulations, (ii) improving the performance of its implemented security controls, and (iii) answering high-level business questions regarding security, which facilitate strategic decision making by the organization's highest levels of management. This article defines some terms, and then discusses the current state of security metrics, focusing on the measurement of operational security using existing data collected at the information system level. This article explains the importance of selecting measures that support particular metrics and then examines several problems with current practices related to the accuracy, selection, and use of measures and metrics. The article also presents an overview ...
