From Government Technology:

One pressing problem is that while chief information security officers may know cyber hygiene and best practices, they’re often resorting to guesswork about whether, for example, $5 million should be spent on employee training or threat-hunting tools, said Paul Rosenzweig, resident senior fellow of cybersecurity and emerging threats at R Street.

That’s because precise metrics are hard to come by in cybersecurity, posing a serious roadblock to public and private efforts to achieve more informed, impactful defense strategies.

“We can tell you qualitatively what we think works,” Rosenzweig said. “We can tell you that multifactor authentication is good. But we can’t tell you how good.”

Answering such hanging questions is the goal of the commission’s yet-unrealized recommendation that the government create a Bureau of Cyber Statistics, Rosenzweig said. Such a body would aim to establish clearly definable cybersecurity metrics and to collect and analyze any relevant data. In theory, a Bureau of Cyber Statistics would be better positioned to identify broad trends about where and how bad actors are operating and predict future threats.

“The transition to ransomware in the bad guys’ panoply of activities in the last five years was a strategic surprise to us,” Rosenzweig said. “But that would have been no surprise had we been paying better attention to the antecedent signals for that, but we simply had no way of measuring it.”

Well-defined metrics could also help agencies evaluate the strength of companies’ cyber defenses, which could then guide government assistance efforts as well as insurance firms’ pricing decisions, Rosenzweig said.