What measures are provided by 800-55 Performance Measurement Guide for Info Systems?

Explanation:
Measuring how well security controls work is the core focus here. The 800-55 Performance Measurement Guide for Information Security provides a framework and a set of metrics specifically designed to assess the effectiveness of the security controls applied to information systems. It helps organizations establish a formal measurement program, select metrics that reflect how well controls reduce risk and meet security objectives, collect reliable data, and interpret results to drive improvements in the security posture.

This emphasis on effectiveness means the metrics are about whether controls are doing their job—detecting, preventing, and mitigating threats, and enabling timely remediation of weaknesses—not merely counting incidents, user opinions, or how long systems stay down. While incident counts, user satisfaction, or downtime can appear in reports, they aren’t the primary focus of the guide. The goal is to quantify how well the security controls actually reduce risk and support ongoing protection of information systems.
