---
tags:
  - metrics
Related:
  - "[ISO_27002_2022_5.24_PE Information security incident management planning and preparation](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.24_PE%20Information%20security%20incident%20management%20planning%20and%20preparation.md)"
---

# KPIs in Incident Response

Here are 20 essential KPIs, with short definitions to guide your tracking and improvement efforts:

1. Mean Time to Detect (MTTD): Avg. time taken to identify an incident.
2. Mean Time to Respond (MTTR): Avg. time between detection and first mitigation action.
3. Mean Time to Contain (MTTC): Avg. time to stop the incident from spreading.
4. Mean Time to Resolve (MTTRv): Avg. time to fully fix and close the incident.
5. Number of Incidents Detected: Total incidents identified in a time period.
6. Percentage of Incidents by Severity Level: Distribution of incidents by criticality.
7. First Response Time: Time from detection to initial analyst response.
8. Number of Reopened Incidents: Count of incidents reopened after closure.
9. False Positive Rate: Percentage of alerts flagged as incidents that weren’t real.
10. Detection Accuracy: Ratio of true positives to total alerts.
11. SLA Compliance Rate: % of incidents resolved within agreed SLA timelines.
12. Incident Recurrence Rate: Rate at which similar incidents reoccur.
13. User-Reported vs. System-Detected Incidents: Comparison of manually vs. automatically detected issues.
14. Cost per Incident: Average financial impact of each incident.
15. Time to Escalation: Time from detection to escalation to a higher tier/team.
16. Incident Closure Rate: % of incidents resolved within a defined period.
17. Incident Root Cause Categories: Classification of underlying causes.
18. Volume of Phishing/Malware/Ransomware Incidents: Count of incidents by type.
19. Percentage of Automated vs. Manual Responses: Share of responses handled automatically.
20. Resolution SLA Breach Rate: % of incidents resolved after SLA deadlines.

Tracking these helps teams reduce downtime, improve security posture, and meet business expectations.
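
The time-based KPIs and the two SLA rates above can be computed directly from incident timestamps. The following Python is an added example, not part of the original page: the field names and sample tickets are constructed, and it assumes that MTTC, MTTRv and the SLA clock are all measured from detection and that still-open incidents are left out of the resolution metrics.

```python
from datetime import datetime
from statistics import mean

# Constructed sample tickets; field names and the SLA clock (starting at
# detection) are assumptions, not taken from any ticketing product.
INCIDENTS = [
    {"occurred": "2024-03-01T08:00", "detected": "2024-03-01T09:00",
     "responded": "2024-03-01T09:30", "contained": "2024-03-01T11:00",
     "resolved": "2024-03-01T17:00", "sla_hours": 24},
    {"occurred": "2024-03-02T10:00", "detected": "2024-03-02T13:00",
     "responded": "2024-03-02T14:30", "contained": "2024-03-02T18:00",
     "resolved": "2024-03-04T13:00", "sla_hours": 24},
    # Still open: contained but not yet resolved.
    {"occurred": "2024-03-05T00:00", "detected": "2024-03-05T02:00",
     "responded": "2024-03-05T03:00", "contained": "2024-03-05T04:00",
     "resolved": None, "sla_hours": 8},
]


def hours_between(incident, start, end):
    """Elapsed hours between two timestamp fields, or None if either is missing."""
    if not incident.get(start) or not incident.get(end):
        return None
    delta = datetime.fromisoformat(incident[end]) - datetime.fromisoformat(incident[start])
    if delta.total_seconds() < 0:  # clock skew or data-entry error
        raise ValueError(f"{end} precedes {start}: {incident}")
    return delta.total_seconds() / 3600


def mean_hours(incidents, start, end):
    """Mean over incidents that have both timestamps; None if none qualify."""
    values = [h for i in incidents if (h := hours_between(i, start, end)) is not None]
    return mean(values) if values else None


def compute_kpis(incidents):
    resolved = [i for i in incidents if i.get("resolved")]
    within_sla = [i for i in resolved
                  if hours_between(i, "detected", "resolved") <= i["sla_hours"]]
    compliance = 100 * len(within_sla) / len(resolved) if resolved else None
    return {
        "mttd_h": mean_hours(incidents, "occurred", "detected"),
        "mttr_h": mean_hours(incidents, "detected", "responded"),
        "mttc_h": mean_hours(incidents, "detected", "contained"),
        "mttrv_h": mean_hours(incidents, "detected", "resolved"),
        "sla_compliance_pct": compliance,
        "sla_breach_pct": None if compliance is None else 100 - compliance,
        "open_incidents": len(incidents) - len(resolved),
    }
```

Report the open-incident count alongside MTTRv and the SLA rates: because unresolved tickets are excluded from those figures, a backlog of long-running incidents would otherwise make them look better than they are.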