Security Metrics: Measurements to Support the Continued Development of Information Security Technology | NIST

These observations on measurements are relevant to our use of information technology (IT). Organizations rely on IT to carry out their daily operations and to deliver products and services to the public. Managers are challenged to use IT effectively and to protect their systems and information from security threats and risks. There have been many past efforts to develop security measurements that could help organizations make informed decisions about the design of systems, the selection of controls, and the efficiency of security operations. But the development of standardized measurements for IT has been a difficult challenge, and past efforts have been only partly successful.