These are current NIST research to identify meaningful metrics and measures in context to understand the effectiveness and resource needs of different cybersecurity technical measures.
Measuring Security Risk in Enterprise Networks
Methodology to measure the overall system risk by combining the attack graph structure with the Common Vulnerability Scoring System (CVSS).
Research and prototype methods and tools to enable predictive risk analytics and identify cyber risk trends.
Security and Privacy: security measurement