Measurements for Information Security

Overview

The Measurements for Information Security Program aims to better equip organizations to purposefully and effectively manage their information security risk through the development of flexible approaches to the selection, assessment, and management of measures and metrics. 

Four steps showing how the development of an information security program defines the types of measurement an organization can take. First, an organization can only set goals; as it develops, implementation can begin, followed by assessment results. A fully developed program can assess business/mission impact.

Information Security Measurement Guide 

SP 800-55v1 Measurement Guide for Information Security – Volume 1, Identifying and Selecting Measures, provides a flexible approach to the development, selection, and prioritization of information security measures.  

SP 800-55v2 Measurement Guide for Information Security – Volume 2, Developing an Information Security Measurement Program, provides a flexible methodology and workflow for developing and implementing an information security measurement program. 

Cybersecurity Metrics and Measures Community of Interest 

In 2025, the NIST Cybersecurity Risk Analytics and Measurement Team will host a virtual round table to introduce NIST's Cybersecurity Metrics and Measures Community of Interest. The round table will feature a panel of experts to discuss the current state of information security performance metrics and measures. For more information, contact cyber-measures@list.nist.gov.

 
Created July 01, 2020, Updated December 04, 2024