Barney Fife Metrics: The Bullet That We Have but Don’t Use, and Why


Despite 20 years of research and practical application, security metrics programs have not matured as expected. The promise of a universal oracle has not been fulfilled and CIOs are still inundated with pointless or deceptive metrics. This session will explore research on why this is, how to overcome the cycle of stagnation and what measurement strategies have proven successful.

Learning Objectives:
1: Dispel incorrect assumptions and learn what makes a successful metrics program.
2: Spawn creative ideas for how to improve metrics, both within an organization and broadly.
3: Understand how and why literature and practical application differ regarding security metrics.

Basic understanding of the development, implementation and use of information security metrics.

Jon Boyens


Deputy Chief, National Institute of Standards and Technology (NIST)

Celia Paulsen


Cybersecurity Researcher, National Institute of Standards and Technology
