Journal of Cyber Policy, Volume 7, Issue 1 (2022)
Without assessment metrics and data, the cybersecurity community has no ability to evaluate the success or scope of operations. Calls for the collection of cybersecurity indicators are empty without strategic guidance on what indicators to collect, for what purpose, and for what method of analysis. This paper reviews the purpose, function and need for cybersecurity data and metrics, with an in-depth review of United States metrics guidance offered in the National Defense Authorisation Act (NDAA) and National Institute of Standards and Technology (NIST) publications on metrics. Mission assessment is critical to evaluating the efficacy of ongoing and future cybersecurity efforts; assessments require quantitative metrics that place concrete values on indicators rather than subjective judgments.