Is the United States any safer in cyberspace than it was a year ago? If so, how could we prove it? If not, how should we reallocate resources to get there?

These are questions that we hope can be answered by a strong national cybersecurity metrics program—one that measures key indicators of security, success and failure across industry and government.

While a number of different companies and organizations already have their own individual cybersecurity metrics programs, the United States has yet to create a nationwide initiative designed to evaluate how we are doing as a country. Without a thorough accounting of where we currently stand and how existing cybersecurity policies affect our national security, it is almost impossible to ensure that we are allocating time, funding and effort to the things that matter most.

Join the R Street Institute for a virtual discussion covering existing measurement work in the federal government, two major new federal cybersecurity metrics initiatives and the broader potential for metrics to transform how we act on cybersecurity.

Resources: 

Short Backgrounder: What is a metric and how is it relevant for cybersecurity policy?

By the simplest definition, a cybersecurity metric is a process or standard for measuring relative or absolute levels of cybersecurity.

A metric can be a simple, direct unit of measurement evaluated by a company: How many attacks did we report fending off in 2022? How long do our systems spend offline following a ransomware incident? What is the cost of a cybersecurity incident to the company overall?

At the national level, the metrics tracked may be similar to those of an individual company, or they may be totally different: How cost-effective is a new security standard imposed on Defense Department contractors? Has the number of successful malicious cyber intrusions into the energy grid decreased or increased?

Much can be said, broadly, about cybersecurity metrics; it is more difficult to ensure everyone is talking about the same type. For example, metrics might be evaluated at different levels of abstraction: operational, technical or strategic. Efforts might also be categorized by data access: Is the data already available? Can the data be made available? Does new data need to be generated? Efforts can even be categorized by subject: vulnerabilities, threat actors, incidents, processes and procedures.

In turn, those metrics are aggregated and evaluated—ideally in order to help fine-tune policy decisions, optimize resource allocation, proactively identify deficiencies, gut-check assumptions and evaluate the efficacy of existing programs and systems.
