Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity

Citation
SafeGov.org, Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity (Mar. 2013) (full-text).

Overview
This Report recommends that, rather than periodically auditing whether an agency's systems meet the standards enumerated in the Federal Information Security Management Act of 2002 (FISMA) at a static moment in time, agencies and their inspectors general (IGs) should keep running scorecards of "cyber risk indicators" based on continual IG assessments of a federal organization's cyber vulnerabilities.