The Cyber Risk Analytics and Measurement program aims to develop cybersecurity risk analytics methods, tools, and guides to improve the understanding of cybersecurity risks, inform management practices, and facilitate information sharing among risk owners. Below are the internal and external collaborative activities of the program:
NIST is prototyping a survey tool to serve as an educational resource for cybersecurity supply chain risk management. The tool gives organizations insight into how to evaluate and manage their processes so as to minimize cyber supply chain risks. This effort includes developing capabilities to create a trusted and anonymized environment for risk owners, and a reference capability that directs users to relevant guidance and standards.
An evidence-based approach to validating the effectiveness of cybersecurity guidelines and practices can provide valuable insights for mitigating cyber-related risks. With empirical evidence and better information on cybersecurity performance profiles, organizations can target, prioritize, and strengthen their cyber defenses. This project focuses on the methods and tools needed to create a sandbox that enriches data from multiple sources, in order to facilitate collaborative research on patterns and trends in cyber-related incidents.
NIST SP 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines, provides recommended guidance for establishing a federal vulnerability disclosure framework, properly handling vulnerability reports, and communicating the mitigation and/or remediation of vulnerabilities.
NIST Interagency Report (IR) 7358, PRISMA, and its corresponding tool provide an approach to reviewing the maturity of an organization's information security program across nine topic areas. Last updated in 2007, the review reflects the techniques and best practices of that time. The PRISMA project will be revisited to update its methodologies against current requirements, standards, and guidelines.
Security and Privacy: analytics, risk management