Incident Detection Time – Time it takes to detect a security incident from the moment it occurs. For benchmarking, shoot for minutes to hours to detect an incident.
Incident Response Time – Time that it takes to respond to and mitigate a security incident once the incident has been detected. Targeted response should occur within minutes ideally, depending on the severity of the incident.
Mean Time to Identify (MTTI) – The average time taken to identify incidents.
Mean Time to Respond (MTTR) – The average time taken to respond and mitigate incidents.
Number of Incidents Resolved Without Reoccurrence – Expressed as the percentage of incidents that are successfully resolved without reoccurrence. You want to shoot for a high percentage of incidents resolved permanently, most often 95% or better.
Number of False Positives – The number of alerts incorrectly classified as incidents (false positives).
Number of False Negatives – The number of real incidents that detection missed (false negatives).
Percentage of Incidents Contained within a Defined Timeframe – You want to strive for a high percentage of incidents contained promptly, and ideally target 80% to 90% or higher.
Post-Incident Review Time – Time it takes to conduct a thorough post-incident review and analysis. Can range from days to weeks to conduct a thorough review.
Security Awareness Training Effectiveness For Employees – How effective are your employees at recognizing and reporting security incidents?
Time to Containment – Time that it takes to contain the impact of an incident and prevent further damage. Benchmark can be from hours to a day to contain, depending on the severity and complexity of the system.
Time to Recovery – Time that it takes to fully recover from a security incident and restore normal operations.
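The metrics above are simple to state but easy to compute inconsistently (measured from occurrence or from detection? are undetected incidents in the denominator?). The following is an added example, not part of the original list: a small Python calculator over constructed incident records that makes those choices explicit. The Incident record, the field names, the sample timestamps and the 24-hour containment window are all assumptions made for the example; the 80% and 95% thresholds are the targets named in the list.

```python
"""Incident-response metric calculator over constructed incident records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    ident: str
    occurred_at: datetime
    detected_at: Optional[datetime] = None   # None: our controls never fired (false negative)
    responded_at: Optional[datetime] = None
    contained_at: Optional[datetime] = None
    recovered_at: Optional[datetime] = None
    true_positive: bool = True               # False: an alert that was not a real incident
    recurred: bool = False                   # same root cause seen again after closure


def _h(hours: float) -> timedelta:
    return timedelta(hours=hours)


T0 = datetime(2024, 1, 1)
# Constructed sample records (not real data); offsets are hours after T0.
INCIDENTS = [
    Incident("INC-1", T0, T0 + _h(0.5), T0 + _h(0.75), T0 + _h(3), T0 + _h(10)),
    Incident("INC-2", T0 + _h(24), T0 + _h(29), T0 + _h(30), T0 + _h(72), T0 + _h(96), recurred=True),
    Incident("INC-3", T0 + _h(48), T0 + _h(48.5), T0 + _h(48.75), T0 + _h(49), T0 + _h(52)),
    Incident("ALERT-4", T0 + _h(60), T0 + _h(60.1), T0 + _h(60.3), true_positive=False),
    Incident("INC-5", T0 + _h(80), recovered_at=T0 + _h(200)),  # reported by a third party, never detected internally
]


def _hours(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600


def _mean_or_zero(values) -> float:
    values = list(values)
    return mean(values) if values else 0.0


def real_incidents(incidents):
    return [i for i in incidents if i.true_positive]


def false_positives(incidents) -> int:
    return sum(1 for i in incidents if not i.true_positive)


def false_negatives(incidents) -> int:
    return sum(1 for i in real_incidents(incidents) if i.detected_at is None)


def mtti_hours(incidents) -> float:
    """Mean time from occurrence to detection, over real incidents our controls actually caught."""
    return _mean_or_zero(_hours(i.detected_at, i.occurred_at)
                         for i in real_incidents(incidents) if i.detected_at)


def mttr_hours(incidents) -> float:
    """Mean time from detection to first response action (the list measures response from detection)."""
    return _mean_or_zero(_hours(i.responded_at, i.detected_at)
                         for i in real_incidents(incidents) if i.detected_at and i.responded_at)


def pct_contained_within(incidents, window_hours: float) -> float:
    """Share of real incidents contained within the window, measured from occurrence.
    Undetected or still-open incidents stay in the denominator and count against the metric."""
    real = real_incidents(incidents)
    if not real:
        return 0.0
    hit = sum(1 for i in real
              if i.contained_at and _hours(i.contained_at, i.occurred_at) <= window_hours)
    return 100.0 * hit / len(real)


def pct_resolved_without_recurrence(incidents) -> float:
    """Share of closed real incidents whose root cause did not come back."""
    closed = [i for i in real_incidents(incidents) if i.recovered_at]
    if not closed:
        return 0.0
    return 100.0 * sum(1 for i in closed if not i.recurred) / len(closed)


def benchmark_report(incidents, containment_window_hours: float = 24.0) -> dict:
    contained = pct_contained_within(incidents, containment_window_hours)
    permanent = pct_resolved_without_recurrence(incidents)
    return {
        "mtti_hours": mtti_hours(incidents),
        "mttr_hours": mttr_hours(incidents),
        "false_positives": false_positives(incidents),
        "false_negatives": false_negatives(incidents),
        "pct_contained_within_window": contained,
        "pct_resolved_without_recurrence": permanent,
        # Targets from the list: at least 80% contained promptly, 95% or better resolved permanently.
        "containment_target_met": contained >= 80.0,
        "recurrence_target_met": permanent >= 95.0,
    }


if __name__ == "__main__":
    for key, value in benchmark_report(INCIDENTS).items():
        print(f"{key:34} {value}")
```

On the sample data the report shows MTTI of 2.0 hours and MTTR of 0.5 hours, but only 50% of incidents contained within 24 hours and 75% resolved without recurrence, so both percentage targets are missed; the undetected INC-5 drags containment down precisely because it is kept in the denominator, which is the choice to document when you publish these numbers.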