Evaluating incident response beyond basic cybersecurity metrics

How to Evaluate Incident Response Beyond Basic Security KPIs

In today’s digital world, cyber incidents come with outrageous consequences. 

A single data breach can cost organizations $4.35 million. System downtimes, on the other hand, cost an average of $100,000 in lost revenues, maintenance charges, and employee productivity. 

The same research also found that 15% of the major outages cost over $1 million worldwide. Delta Airlines, for example, lost around $150 million after a network-wide IT outage in 2017.

With so much at stake, it’s more critical than ever for organizations to start tracking incident response KPIs and use their findings to detect, contain, resolve, and (hopefully) prevent future incidents. 

The good news is, if you have an in-house incident response team, they might already be capturing a lot of useful data to help understand and improve your cyber security incident response plan.

But the downside is, having lots of data can sometimes cast a shadow over issues instead of illuminating them.

So what’s the best solution, then? Developing a cybersecurity incident response plan that evaluates issues beyond the basic cybersecurity incident response KPIs (key performance indicators).

In this article, we’re going to dive deep into the cybersecurity incident response topic, discuss its basic KPIs, and how to look beyond these basic KPIs to evaluate incident response.

What is an incident response?

Incident response refers to the process of responding to cybersecurity breaches in a timely manner. The process usually involves helping an organization detect security breaches, limit the scope of damages & blast radius, eradicate the root cause, and post-incident recovery.

Cybersecurity incident response cycle starts by detecting data security breaches, then limiting the extent of the damage, eliminating the root cause and generating post-incident recovery report.

Cybersecurity tools like CAASM can help to spot, flag, investigate, remediate, and recover from such incidents that require an immediate response.

A cybersecurity incident can vary depending on the type of cyber attack, such as violations of regulations (i.e. PCI DSS, GDPR, HIPAA), policies and laws, or authorized access to an organization’s data and cyber assets.

If cybersecurity incidents are not contained & resolved effectively, they could cost your organization millions of dollars and a tarnished reputation. 

That’s why it’s crucial for every organization to create a cybersecurity incident response plan to curb financial & reputational damages in the event of security breaches.

What is an incident response plan?

An incident response plan is a pre-planned & documented strategy for how an organization will act in the event of a security breach or incident. 

The plan generally includes the roles & responsibilities of the incident response team and key stakeholders, steps to detect & contain the incident, and procedures on how to recover & restore normal business operations.

The incident response plan also contains a communication plan to notify internal as well as external parties such as regulatory bodies, law enforcement, and customers whose data got affected.

Additionally, the plan also includes a process for post-incident analysis to identify weak areas and recommendations for improving cybersecurity.

What are the basic incident response KPIs?

There are plenty of incident response KPIs an organization can track and monitor to identify and diagnose security incidents and resolve them in a timely manner.

There are several metrics (KPIs) to measure the success of an incident response plan.

But first, an organization must figure out which incident response metrics it needs to prioritize to measure the success of its cybersecurity incident response plan.

Below, we’ve outlined the 9 most important incident response KPIs to help you stay on top of problem identification and remediation efforts.

  • Number of alerts created — If you use an incident response tool, it’s a good idea to start tracking how many alerts are usually generated in a specific time period (i.e. weekly, bi-weekly, monthly, etc.). 

Doing so will give you a baseline of how busy your incident response team is and also identify periods where there is a significant increase and decrease in alerts. 

  • Mean time to detect — Mean time to detect (MTTD) is a crucial metric as it tells you the average amount of time your team takes to detect a security incident in your organization’s network. 

To calculate MTTD, add the total amount of time your team takes to detect security incidents during a specific period and divide that by the number of total incidents. 

  • Mean time to acknowledge — Mean time to acknowledge (MTTA) measures the amount of time a member of your incident response team takes to notice and starts working on the problem after the system generates an alert. 

The higher the MTTA, the longer it will take to start working on resolving the incident.

  • Mean time to respond/resolve/recover — Mean time to respond/resolve/recover (MTTR) is the amount your incident response team takes to diagnose and resolve the problem and get the affected assets back up and running again. 

To calculate MTTR, take the total amount of downtime for a specific period and divide it by the number of incidents that occurred during the same period. 

  • Mean time to contain — Mean time to contain (MTTC) combines MTTD, MTTA, and MTTR together to create a holistic view of how well your organization is currently responding to cybersecurity incidents. 

Simply put, it tells you how long your incident response team takes to detect, acknowledge, and resolve a cybersecurity incident and prevent the same incident from occurring again in the future.

  • Mean time between failures — Mean time between failures (MTBF) helps organizations to measure the time between repairable system failures of an application, product, or system. 

Tracking these metrics is important because it helps to determine if systems are failing more regularly than expected so that they can analyze the root cause and prevent the same issue from repeating. 

  • Average incident response time — The average incident response time indicates how quickly your incident response team allocates responsibilities to the designated professional and resolve the threat. 

If you find the resolution times to be higher than they should be, organizations must examine the issue and figure out a solution to resolve it.

  • SLA compliance rate — This incident response KPI helps to measure the percentage of incidents that are handled as per the pre-defined service level agreement (SLA) timeframe. 

Tracking your SLA compliance rate is crucial because it helps to ensure that your cybersecurity incident response plan is fulfilling their pre-defined objectives & delivering the promised results.

  • Cost per incident — Finally, the cost per incident measures the average cost incurred by your organization to resolve and recover from each security breach or incident. 

Tracking this metric is important because it is helpful in assessing the financial impact of cybersecurity incidents, determine which methods are most effective, and prioritize investments to minimize future incidents.

These are the main metrics an organization should be tracking to measure the performance of their incident response plan. 

However, these metrics can vary significantly depending on your organization’s unique goals, data types, etc.

While these are all important metrics, sometimes they’re not enough to truly evaluate an incident response fully. That’s why, we always recommend asking certain questions to determine whether your incident response program is effective or not.

Here are a few questions you can ask your incident response team to figure out which metrics you need to track so that they can structure an effective plan for your organization. 

5 Questions to ask for evaluating incident response beyond basic KPIs

Evaluating the effectiveness of your cybersecurity incident response plan requires going beyond the above-mentioned KPIs. 

To truly assess the capability of your incident response plan, you need to ask the right questions.

Here are the five essential questions to ask for evaluating your incident response plan, and your team’s ability & efficiency to detect, resolve, contain, and recover from a security incident. 

Question #1 – Are our security teams properly aligned with roles and responsibilities?

One of the most critical aspects of incident response is ensuring that the right people are assigned to the right roles, and they’re well aware of their responsibilities in your incident response team.

Remember, a well-structured incident response team should have their roles and responsibilities clearly defined from day one so that all individuals on the team know what’s expected from them.

By asking this question, you can ensure that your incident response team is structured properly, reducing the likelihood of mistakes & inefficiencies. 

Question #2 – How is our organization keeping up with the growing attack surface?

The threat landscape is continuously evolving, expanding the attack surface as a result. 

For this reason, organizations must continually evaluate their incident response plan periodically to keep up with the growing attack surface and remain effective.

Asking this question will help organizations to ensure that their incident response plan is up-to-date and they’re always prepared to respond to the emerging cyber threats.

Question #3 – Are all essential tools in place to detect, contain, and resolve incidents?

Having the right tools in place is critical for detecting, resolving, and recovering from a security incident.

But, keep in mind that having too many cybersecurity tools can sometimes become a huge obstacle for the incident response team to act as quickly as possible. 

According to research, nearly 70% of organizations currently have at least 10 tools for security posture and incident management alone. 

But if these tools are not leveraged properly, it can hinder your incident response team’s ability to facilitate a rapid response to any incident, increasing the time it takes for them to detect, contain, resolve, and recover from an attack.

Question #4 – Does our incident response plan take blast radius into account?

Understanding the blast radius in incident response is extremely important because it helps organizations to determine the required scope of response.

For the uninitiated, blast radius refers to the potential impact an incident could have on your organization.

By including blast radius into account, organizations can respond to incidents that have great impact more quickly and effectively. 

Question #5 – Does our incident response plan include guidelines for vulnerability prioritization?

To respond to any incident effectively, organizations need to learn vulnerability management & prioritization, and address each accordingly. 

For this, organizations first need to gain a clear understanding of which vulnerabilities pose the highest risk and prioritize them based on the severity of consequences if not resolved in a timely manner.


Learning how to evaluate incident response beyond basic KPIs is critical for organizations to improve their cybersecurity strength. By tracking the right metrics and asking the right questions, organizations can gain a complete understanding of their incident response capabilities.

However, it’s important to note that even the most well-crafted incident response plan may not be enough to protect against every threat. Cybercriminals are becoming increasingly sophisticated, and the attack surface is growing every day. 

Therefore, organizations must adopt new processes, methods, strategies, and tools (i.e. CAASM) to remain vigilant and stay on top of emerging cyber threats.


What is incident response?

Incident response is a process that helps to detect, analyze, eradicate, and recover from a security incident as quickly and efficiently as possible to contain damage and restore operations.

What is incident response process?

The incident response process is a structured approach that an organization follows in the event of a security breach, threatening the confidentiality, integrity, or availability of its data, systems, or network.

What is incident response analysis?

Incident response analysis is the process of examining the details and circumstances of a security incident to determine its scope, the impact on the organization, and the potential root cause for developing a plan for containment and recovery.

How to measure incident response?

Measuring incident response requires tracking and analyzing the key performance indicators (KPIs) that assess the effectiveness of an automated incident response process. Some common KPIs used to measure incident response includes MTTD, MTTA, MTTR, MTTC, cost per incident, and so on.

How to choose incident response KPIs?

To choose the right incident response KPIs, you need to ensure they align with your business objectives, are measurable, reflect specific risks & threats, and provide meaningful insights into the effectiveness of your incident response process.

Stay up to date

Get the latest content and updates in information security and compliance delivered to straight to your inbox.

Book Your Free Consultation Call

Stay up to date

Get the latest content and updates in information security and compliance delivered to straight to your inbox.

Book Your Free Consultation Call

Related Posts

An extensive compliance audit requires you to check certain boxes, but does […]

Risk assessment is critical to understanding any threats that your business faces […]

Cloud security is not just a one-time implementation. You must continuously monitor […]