These are current NIST research to identify meaningful metrics and measures in context to understand the effectiveness and resource needs of different cybersecurity technical measures.
Measuring Security Risk in Enterprise Networks
Methodology to measure the overall system risk by combining the attack graph structure with the Common Vulnerability Scoring System (CVSS).
Cyber Risk Analytics and Measurement
Research and prototype methods and tools to enable predictive risk analytics and identify cyber risk trends. Develop guidelines to improve the assessment and measurement of cybersecurity risks, inform management practices, and facilitate information sharing among risk owners.
Security and Privacy: analytics, modeling, risk management