NIST Special Publication 800-55 revision 1
Performance Measurement Guide for Information Security
Billed as “A guide to assist in the development, selection, and implementation of measures to be used at the information system and program levels”, SP 800-55 rev 1 (2008) is in fact primarily intended for use by US government agencies in support of their obligations under the Federal Information Security Management Act (FISMA). Understandably, the US federal government is keen to find out not only where the nation’s security dollars are disappearing, but whether they are being spent wisely.
SP 800-55 is remarkably thorough and methodical in just 80 pages. The processes it describes for specifying, developing and selecting metrics are very similar to those detailed in our book – not because we plagiarized them but because we converged on a common solution to the same problem. SP 800-55 doesn’t actually specify PRAGMATIC as such, but it does recommend selecting a set of metrics for initial implementation that have certain qualities. It even mentions scoring and weighting them. It just doesn’t go as far as to say how one might do that.
The Executive Summary states that “the following factors must be considered during development and implementation of an information security measurement program:
Measures must yield quantifiable information (percentages, averages, and numbers);
Data that supports the measures needs to be readily available;
Only repeatable information security processes should be considered for measurement; and
Measures must be useful for tracking performance and directing resources.”
The standard refers to three categories of measure:
Implementation measures “used to demonstrate progress in implementing information security programs, specific security controls, and associated policies and procedures”.
Effectiveness/efficiency measures “used to monitor if program-level processes and system-level security controls are implemented correctly, operating as intended, and meeting the desired outcome”.
Impact measures “used to articulate the impact of information security on an organization’s mission”.
SP 800-55 identifies just nineteen candidate measures - an admirably brief shortlist of metrics that is, however, acknowledged not to be comprehensive and to need tailoring to suit each agency’s measurement requirements - and therein lies the rub: are agencies capable of determining their own measurement requirements consistently and appropriately, given the differences in their information risks?
The standard is currently being revised again. Revision 2 is as yet unpublished as of December 2021 - possibly on hold, delayed by NIST’s federal funding crisis and/or COVID.