“Security metrics is an area of computer security that has been receiving a good deal of attention lately,” the agency said in the draft of the new interagency report, titled “Directions in Security Metrics Research…. Advancing the state of scientifically sound, security measures and metrics would greatly aid the design, implementation, and operation of secure information systems,” the report states.
Formal Models of Security Measurement and Metrics: “The absence of formal security models and other formalisms needed to improve the relevance of security metrics to deployed systems have hampered progress.”
Historical Data Collection and Analysis: “Predictive estimates of the security of software components and applications under consideration should be able to be drawn from historical data collected about the characteristics of other similar types of software and the vulnerabilities they experienced.
At the very least, insight into security measurements would likely be gained by applying analytical techniques to such historical collections to identify trends and correlations, to discover unexpected relationships and to reveal other predictive interactions that may exist.”
Practicable Concrete Measurement Methods: “The current practice of security assessment, best illustrated by lower level evaluations under the Common Criteria, emphasizes the soundness of the evaluation evidence of the design and the process used in developing a product over the soundness of the product implementation.
Under the Federal Information Security Management Act, the CSD is responsible for providing agencies with standards, specifications and guidance in implementing requirements of the act.
Toward that end, NIST issued 18 special publications offering management, operational and technical security guidance, and has updated several Federal Information Processing Standard publications covering hash algorithms and digital signatures.
http://gcn.com/articles/2009/03/09/nist-security-metrics.aspx