The purpose of cyber security measurement is severalfold.
Cyber security performance measurement serves the following important purposes:
Accountability – are you doing what you should be doing, at the levels you should, with the right quality?
Transparency about results – are you achieving what you should be achieving, to what extent, and for whom?
Value for money – are you achieving results in the most cost-effective manner?
This means you need regular access to reliable information to manage your cyber security exposure, determine whether your efforts are on track, and take timely corrective action if needed. Listed or regulated companies, including critical national infrastructure, must also report on their cyber security performance as part of their regulatory obligations, to demonstrate their effective stewardship and responsible business behaviour.