Metrics abound, but who should be required to measure cyber effectiveness remains a key question

The government has suggested many ways to use metrics to measure the effectiveness of cybersecurity investments, but who should be using these measurement tools – and whether doing so should be required – remains open questions that will affect the scope and movement of these plans.

Industry remains somewhat divided on the role of metrics, while Republican lawmakers appear willing to mandate their use for federal agencies, setting up a debate on who should be required to use them and...