The shiny new version of SP800-55, renamed “Performance Measurement Guide for Information Security“, takes a rather different tack but is still quite long (80 pages in total, half of which are appendices). I suspect the primary reason for its existence is to suport FISMA (the US Federal Information Security Management Act, essentially a set of information security policies mandated in law for US Government agencies) by imposing a standardized set of metrics that can be used to benchmark agencies and force the laggards to pull their socks up. It remains a highly beurocratic and costly response to a genuine management problem.
Another draft NIST standard, SP800-80 “Guide for Developing Performance Metrics for Information Security“, emphasises the process of developing and implementing security metrics. It includes a shorter list of STTCBM (‘candidate metrics’), but again takes a database approach with forms in the appendices characterising the metrics by ‘metric type’, ‘frequency of collection’ etc., details which, by the way, are organization and implementation-specific and really not that hard for grown-up security managers to figure out for themselves.