Every organization wants maximum effect and value for its finite cybersecurity-related investments, including managing risk to the enterprise and optimizing the potential reward of cybersecurity policies, programs, and actions. Organizations frequently make decisions by comparing projected costs with potential benefits and risk reduction scenarios. Senior executives need accurate and quantitative methods to portray and assess these factors, their effectiveness and efficiency, and their effect on risk exposure. Providing reliable answers to these questions requires organizations to employ a systematic approach to cybersecurity measurement that considers current knowledge limits.
The Cyber Risk Analytics and Measurement program aims to develop cybersecurity risk analytics methods, tools, and measurement guides to improve the understanding of cybersecurity risks, inform management practices, and facilitate information sharing among risk owners. Below are the internal and external collaborative activities of the program:
NIST is working to update Special Publication (SP) 800-55, Performance Measurement Guide for Information Security, to serve as a foundation for the selection, development, and aggregation of information security measures. While the current published version is primarily focused on Federal systems, the forthcoming update will be applicable to any type of organization or system and can be used in conjunction with any risk management and control framework. The update will include guidance for developing an information security measurement program, guidance for aggregating assessment results and measures, a common terminology for information security measurement, foundational concepts for information security measurement and assessment, and a process and considerations for developing and selecting the appropriate measures.
NIST is prototyping a survey tool to serve as an educational resource that facilitates cybersecurity supply chain risk management. The tool provides insights that help organizations evaluate and manage their processes to minimize cyber supply chain risks. This effort includes developing capabilities to create a trusted and anonymized environment for risk owners, and a reference capability to direct users to relevant guidance and standards.
An evidence-based approach to validating the effectiveness of cybersecurity guidelines and practices can provide valuable insights for mitigating cyber-related risks. With empirical evidence and improved information on cybersecurity performance profiles, organizations can target, prioritize, and strengthen their cyber defenses. This project focuses on the methods and tools needed to create a sandbox that enriches data from multiple data sources, in order to facilitate collaborative research into patterns and trends in cyber-related incidents.
NIST SP 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines, provides recommended guidance for establishing a federal vulnerability disclosure framework, properly handling vulnerability reports, and communicating the mitigation and/or remediation of vulnerabilities.
NIST Interagency Report (IR) 7358, PRISMA, and its corresponding tool provide an approach to reviewing the maturity of an organization's information security program across nine topic areas. Last updated in 2007, the review relies on a combination of techniques and best practices that were current at the time. The PRISMA project will be revisited to update its methodologies in line with current requirements, standards, and guidelines.
Security and Privacy: risk management, security measurement