This document outlines common metrics to track the effectiveness of your incident response program based on the experience of the authors.
This is a good leadership-level metric to demonstrate the critical support provided by the security team. It enables month-over-month reporting that highlights the critical issues requiring support. When using this metric, be prepared to discuss the details of each high/critical incident.
From the time the issue was reported to security, how long did it take for them to respond? This metric measures security's responsiveness to reports and should align with an SLA defined by your incident manager.
This measures how long it took to resolve an issue, from discovery to going live in production. This should align with, or improve on, the critical/blocker remediation times defined by your vulnerability management SLAs.
This enables measuring how much time the security team spends supporting incidents. It is useful for identifying resource allocation adjustments that may be needed, or optimizations that could be made using automation.
By tracking where the incident report came from, you can determine if processes are working and if people know how and where to report an incident.
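The metrics described above can be computed from a simple incident log. The following is an added example, not part of the original template; the record fields, report sources, metric key names and the 60-minute response SLA are assumptions, and the report time stands in for the discovery time.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample records; field names, sources and the SLA are assumptions.
INCIDENTS = [
    {"id": "IR-1", "severity": "critical", "source": "employee report",
     "reported": "2025-01-06T09:00", "responded": "2025-01-06T09:20",
     "resolved": "2025-01-07T15:00", "security_hours": 14.0},
    {"id": "IR-2", "severity": "low", "source": "automated alert",
     "reported": "2025-01-15T13:00", "responded": "2025-01-15T16:30",
     "resolved": "2025-01-16T10:00", "security_hours": 3.5},
    {"id": "IR-3", "severity": "high", "source": "bug bounty",
     "reported": "2025-02-03T22:00", "responded": "2025-02-03T23:45",
     "resolved": "2025-02-06T22:00", "security_hours": 21.0},
    {"id": "IR-4", "severity": "high", "source": "employee report",
     "reported": "2025-02-20T08:00", "responded": "2025-02-20T08:30",
     "resolved": "2025-02-20T20:00", "security_hours": 6.0},
]
RESPONSE_SLA_MINUTES = 60  # assumed SLA defined by the incident manager


def _minutes(start, end):
    """Minutes elapsed between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def summarize(incidents, sla_minutes=RESPONSE_SLA_MINUTES):
    """Roll incident records up into the program metrics described above."""
    respond = {i["id"]: _minutes(i["reported"], i["responded"]) for i in incidents}
    resolve = [_minutes(i["reported"], i["resolved"]) / 60 for i in incidents]
    high_crit = Counter(i["reported"][:7] for i in incidents
                        if i["severity"] in ("high", "critical"))
    return {
        "high_critical_by_month": dict(high_crit),
        "median_minutes_to_respond": median(respond.values()),
        "response_sla_breaches": sorted(k for k, v in respond.items() if v > sla_minutes),
        "median_hours_to_resolve": median(resolve),
        "security_hours_total": sum(i["security_hours"] for i in incidents),
        "reports_by_source": dict(Counter(i["source"] for i in incidents)),
    }


if __name__ == "__main__":
    for name, value in summarize(INCIDENTS).items():
        print(f"{name}: {value}")
```

Medians are used here so that one long-running incident does not mask the typical response and resolution times; the breach list gives the specific incidents to discuss against the SLA.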
Metrics version 1.5 copied from Sectemplates.com 2025