U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cybersecurity Risk Analytics and Measurement CRA



Cyber risk analytics and measurement

Every organization wants maximum effect and value for its finite cybersecurity-related investments, including managing risk to the enterprise and optimizing the potential reward of cybersecurity policies, programs, and actions.  Organizations frequently make decisions by comparing projected costs with potential benefits and risk reduction scenarios.  Senior executives need accurate and quantitative methods to portray and assess these factors, their effectiveness and efficiency, and their effect on risk exposure.  Providing reliable answers to these questions requires organizations to employ a systematic approach to cybersecurity measurement that considers current knowledge limits.


The Cyber Risk Analytics and Measurement program aims to develop cybersecurity risk analytics methods, tools, and measurement guides to improve the understanding of cybersecurity risks, inform management practices, and facilitate information sharing among risk owners.  Below are the internal and external collaborative activities of the program:


Performance Measurement Guide

The working draft of the SP 800-55 Revision 2 Performance Measurement Guide for Information Security guides how an organization can use metrics to identify the adequacy of in-place security controls, policies, and procedures. It provides an approach to help management decide where to invest in additional security protection resources or identify and evaluate nonproductive controls. It explains the metric development and implementation process and how it can also be used to justify security control investments adequately. The results of an effective metric program can provide valuable data for directing the allocation of information security resources and should simplify the preparation of performance-related reports.


Cyber supply chain survey tool

NIST is prototyping a survey tool be an educational resource to facilitate cybersecurity supply chain risk management. The tool provides insights for organizations to evaluate and manage their processes to minimize cyber supply chain risks. This effort includes developing capabilities to create a trusted and anonymized environment for risk owners and a reference capability to direct users to relevant guidance and standards.


Incident data analytics

The evidence-based approach to validate the effectiveness of cybersecurity guidelines and practices can provide valuable insights to mitigate cyber-related risks. With empirical evidence and improved information on cybersecurity performance profiles, organizations can target, prioritize, and strengthen their cyber defenses. This project focuses on the methods and tools to create a sandbox to enrich data from multiple data sources to facilitate collaborative research of patterns and trends in cyber-related incidents.


Vulnerability reporting Guide

The draft SP 800-216 Recommendations for Federal Vulnerability Disclosure Guidelines provides recommended guidance for establishing a federal vulnerability disclosure framework, properly handling vulnerability reports, and communicating the mitigation and/or remediation of vulnerabilities. Reports on suspected security vulnerabilities in information systems and a clear process to accept, assess, and manage vulnerability disclosure reports could help reduce known vulnerabilities.



CRA team

Hung Trinh

Katherine Schroeder


Security and Privacy: risk management, security measurement

Created September 07, 2018, Updated April 12, 2023