Measuring Cyber Risk Isn't Optional — It's National Security

Ziyu Wang's original metrics framework gives organizations — and the nation — a practical way to measure what matters.
The FBI's Internet Crime Complaint Center recorded $20.9 billion in cybercrime losses in 2025 — a 26% jump from the prior year. Attackers increasingly target critical infrastructure, and DHS Secretary Kristi Noem has called cybersecurity "a critical theater in defending our homeland." The threat is well-documented. The harder question is how to manage it — and that question has a measurement problem at its core.
Most organizations have security tools deployed. What they lack is systematic visibility into how well those tools actually work. They can confirm a control exists, but not whether it covers the entire environment, performs with the speed and accuracy real threats demand, or creates excessive operational drag on the teams that live with it daily.
Wang's Original Metrics Framework
Ziyu Wang, a senior data scientist with experience across cybersecurity, financial services, and Big Tech, has developed an original metrics framework that directly addresses this gap. His core insight: the industry already has a comprehensive taxonomy of what to secure — the NIST Cybersecurity Framework (CSF) 2.0, which organizes security outcomes into 6 Functions, 22 Categories, and 106 Subcategories. What has been missing is a systematic method for measuring how well each of those outcomes actually performs in practice.
Wang's contribution is the measurement methodology itself: three assessment dimensions — Breadth, Performance, and Friction — designed to be applied at either the Category or Subcategory level of NIST CSF 2.0.
- Breadth measures the extent of protection: the percentage of assets, systems, users, or processes actually covered by a given control. It answers the basic question of how much of the environment the control reaches.
- Performance evaluates whether controls operate with the speed, accuracy, and consistency real-world threats demand — detection accuracy, response speed, patch timelines, recovery success rates, and SLA adherence.
- Friction quantifies the operational burden security imposes on the organization: engineering hours lost to authentication workflows, deployment delays from patch cycles, analyst time consumed by false-positive alerts. This dimension is Wang's sharpest departure from conventional cost analysis, which counts license fees and headcount but misses what security actually costs the rest of the organization.
Applying the Dimensions Across NIST CSF 2.0
Wang's metrics framework operates across the full NIST CSF 2.0 hierarchy. The table below illustrates this with one representative Category and Subcategory per Function.
| Function | Category | Subcategory (example) | Breadth | Performance | Friction |
|---|---|---|---|---|---|
| Govern | Roles, Responsibilities & Authorities (GV.RR) | GV.RR-02: Roles for cybersecurity are established | % of business units with assigned risk owners | Time taken to approve or review risk exceptions; SLA adherence for policy updates | Hours leadership spends per review cycle; project delays waiting on risk-ownership decisions |
| Identify | Asset Management (ID.AM) | ID.AM-01: Hardware inventories are maintained | % of hardware assets inventoried (software, services and systems fall under ID.AM-02) | Time required to update inventory when new assets appear; accuracy of asset classification | Engineering hours per asset to maintain accurate inventory; cross-team coordination overhead when asset records are stale |
| Protect | Identity Mgmt, Auth & Access Control (PR.AA) | PR.AA-03: Users, services, and hardware are authenticated | % of users with MFA activated | Access request approval time for privileged accounts | Engineering hours lost to authentication workflows; support ticket volume for access issues; deployment delays from access-control gates |
| Detect | Continuous Monitoring (DE.CM) | DE.CM-01: Networks and network services are monitored | % of critical systems sending logs to SIEM; % of monitored assets covered by behavior-based analytics | Mean time to detect (MTTD) suspicious activity; true-positive rate for alert detection | Analyst hours per alert investigated; false-positive triage burden as % of SOC capacity |
| Respond | Incident Management (RS.MA) | RS.MA-02: Incident reports are triaged and validated | % of incident response workflows documented; % of staff included in incident notification procedures | Mean time to respond (MTTR) to high-severity incidents; % of incidents handled within SLA | Engineering hours diverted from product work during incident surges; cross-team coordination overhead per incident |
| Recover | Recovery Plan Execution (RC.RP) | RC.RP-03: Backup integrity is verified before restoration | % of systems with validated backups; % of business processes with tested recovery plans | Time required to restore systems from backup; % of recovery tests completed without errors | Engineering hours per recovery drill; system downtime during backup verification; team disruption from unscheduled recovery exercises |
From Measurement to Investment Strategy
This three-dimensional view changes how leadership allocates resources. An organization might score high on Breadth for monitoring, with 95% of critical systems sending logs to the SIEM, yet poorly on Performance: a mean time to detect of 12 hours and a 40% true-positive rate. Friction metrics then show analysts spending 70% of their triage time on false positives. Read alone, the Breadth figure suggests monitoring is healthy and invites more spend on log ingestion; read together with the other two, it shows the bottleneck is detection quality, so investment should go to tuning detections rather than ingesting more logs. Measuring Breadth, Performance and Friction together is what catches that misdiagnosis before the budget is spent.
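The monitoring scenario above, and the DE.CM row of the table, can be reduced to a handful of computations over ordinary SOC records. The following is an added example, not Ziyu Wang's code or any published implementation of the framework: it derives Breadth (share of critical assets forwarding logs), Performance (MTTD over confirmed incidents, true-positive rate over all alerts) and Friction (analyst minutes lost to false positives, as a share of triage time and of SOC capacity) from constructed asset and alert records that reproduce the 95% / 12 h / 40% / 70% figures. The `diagnose` thresholds are assumptions chosen for illustration; the framework itself prescribes no cut-offs.

```python
# Added example (not Ziyu Wang's code): Breadth, Performance and Friction for
# the Detect / Continuous Monitoring (DE.CM) row, computed from constructed data.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Asset:
    name: str
    critical: bool
    sends_logs: bool          # forwards its logs to the SIEM


@dataclass
class Alert:
    event_at: datetime        # when the suspicious activity actually began
    fired_at: datetime        # when the detection fired
    true_positive: bool       # analyst verdict after triage
    analyst_minutes: float    # triage effort spent on this alert


# --- constructed sample data -------------------------------------------------
# 20 critical servers, one of which (srv-07) is not forwarding logs, plus
# 5 non-critical workstations that are deliberately out of scope for Breadth.
ASSETS = [Asset(f"srv-{i:02d}", True, i != 7) for i in range(20)] + \
         [Asset(f"ws-{i:02d}", False, False) for i in range(5)]

T0 = datetime(2025, 3, 1)


def _alert(event_h, lag_h, true_positive, minutes):
    return Alert(T0 + timedelta(hours=event_h),
                 T0 + timedelta(hours=event_h + lag_h),
                 true_positive, minutes)


ALERTS = [
    # four true positives, detected 10-14 hours after the activity began
    _alert(1, 10, True, 45), _alert(5, 12, True, 45),
    _alert(9, 14, True, 45), _alert(13, 12, True, 45),
    # six false positives, each costing more triage time than a real hit
    *[_alert(2 + 3 * k, 0.5, False, 70) for k in range(6)],
]

SOC_CAPACITY_MINUTES = 2 * 8 * 60   # assumption: two analysts, one shift


def breadth(assets):
    """Share of critical assets whose logs reach the SIEM (DE.CM Breadth)."""
    critical = [a for a in assets if a.critical]
    if not critical:
        return 0.0
    return sum(a.sends_logs for a in critical) / len(critical)


def performance(alerts):
    """MTTD over confirmed incidents and true-positive rate over all alerts."""
    if not alerts:
        return {"mttd_hours": None, "true_positive_rate": 0.0}
    tps = [a for a in alerts if a.true_positive]
    mttd = None
    if tps:  # MTTD is undefined when nothing real was detected
        lag = sum((a.fired_at - a.event_at).total_seconds() for a in tps)
        mttd = lag / len(tps) / 3600
    return {"mttd_hours": mttd, "true_positive_rate": len(tps) / len(alerts)}


def friction(alerts, soc_capacity_minutes):
    """Analyst time burned on false positives, relative to triage time and SOC capacity."""
    fp_minutes = sum(a.analyst_minutes for a in alerts if not a.true_positive)
    total = sum(a.analyst_minutes for a in alerts)
    return {
        "fp_share_of_triage_time": fp_minutes / total if total else 0.0,
        "fp_share_of_soc_capacity": fp_minutes / soc_capacity_minutes,
    }


def diagnose(b, perf, fric, breadth_target=0.90, tpr_floor=0.60, fp_share_ceiling=0.50):
    """Illustrative prioritisation rule; thresholds are assumptions, not part of the framework.
    Breadth is checked first: a low-coverage SIEM makes the other two numbers unrepresentative."""
    if b < breadth_target:
        return "extend log coverage"
    if perf["true_positive_rate"] < tpr_floor or fric["fp_share_of_triage_time"] > fp_share_ceiling:
        return "tune detections"
    return "hold: monitoring meets targets"


def score_de_cm(assets=ASSETS, alerts=ALERTS, capacity=SOC_CAPACITY_MINUTES):
    b, p = breadth(assets), performance(alerts)
    f = friction(alerts, capacity)
    return {"breadth": b, "performance": p, "friction": f, "recommendation": diagnose(b, p, f)}


if __name__ == "__main__":
    for key, value in score_de_cm().items():
        print(f"{key}: {value}")
```

Breadth is computed only over assets tagged critical, because counting workstations that were never meant to forward logs would understate coverage of what matters. Friction is reported two ways on purpose: the share of triage time tells you how much of what analysts do is waste, while the share of total SOC capacity tells leadership what that waste costs in headcount terms.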
Adopted and Generalizable
Wang's metrics framework is not theoretical. It has been adopted at the major technology platform where he works, where its results inform CISO-level reporting and have driven a significant year-over-year improvement in security posture by surfacing gaps invisible under prior assessment methods. Because the framework layers onto NIST CSF 2.0, any organization can implement it without building a measurement program from scratch — the three dimensions are not tied to a specific technology stack, industry vertical, or organizational size.
This generalizability aligns directly with federal cybersecurity priorities. The 2025 Executive Order on digital security and CISA's ongoing guidance both call for measurable improvement across the private sector. A metrics framework anchored to the NIST standard that federal agencies already use provides a practical path for organizations to answer that call.
When every control has a measurable return and every gap has a quantified cost, cybersecurity stops being a cost center and becomes a strategic investment.
Ziyu Wang is a senior data scientist specializing in cybersecurity measurement; his framework is designed for adoption across sectors and company sizes.