ABSTRACT
Without assessment metrics and data, the cybersecurity community has no way to evaluate the success or scope of operations. Calls for the collection of cybersecurity indicators are empty without strategic guidance on which indicators to collect, for what purpose, and for what method of analysis. This paper reviews the purpose, function and need for cybersecurity data and metrics, with an in-depth review of United States metrics guidance offered in the National Defense Authorization Act (NDAA) and in National Institute of Standards and Technology (NIST) publications on metrics. Mission assessment is critical to evaluating the efficacy of ongoing and future cybersecurity efforts; such assessments require quantitative metrics that place concrete values on indicators rather than subjective judgments.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Notes
1. The term ‘strategic assessment’ includes metrics but is much too broad in its use; here we focus on the use of metrics to quantify cybersecurity actions.
Additional information
Notes on contributors
Brandon Valeriano
Brandon Valeriano (PhD, Vanderbilt University) serves as a Senior Advisor to the Cyberspace Solarium Commission 2.0 and a Distinguished Senior Fellow at the Marine Corps University. He was most recently the Donald Bren Chair of Military Innovation at the Marine Corps University's Krulak Center. Dr. Valeriano has published six books and dozens of articles on cybersecurity and international security.