King Faisal University
School of Business
Management Information Systems Department
Key Performance Indicators (KPIs) for Security Operations and Incident Response
Information System Security
Prepared by: Fatemah Alnjm, Maryam Alhumam
Instructor: Dr. Abdelnasser Abdelaal
Spring - 2019
Table of Contents
Key Performance Indicators (KPIs)
Why Measure KPIs?
Which KPIs Should be Measured?
How Many KPIs Should be Measured?
Final Thoughts
Examples about KPIs
Key Performance Indicators (KPIs)
• A way of measuring the success or failure of a
business goal, function or objective.
• A means of providing actionable information on which
decisions can be based.
• The goals of business units are clearly defined. Most
security operations goals are more focused on
positive or negative trends over time than achieving a
specific target.
Why Measure (KPIs)?
Much of the security operations process centers on the analysis of data and the
identification of patterns and trends.
This is true of both tactical and strategic functions of security operations – identifying
program gaps and making long-term program decisions. This can have a tremendously
positive impact on both tactical and strategic functions.
The quality of KPIs serves as a security program enabler and a driver for continuous
improvement.
The threat landscape is a dynamic and ever-changing environment.
KPIs help ensure that a security operations program continues to remain effective and
that any process or technology gaps are addressed appropriately.
Which KPIs Should be Measured?
• Determining which KPIs should be measured
shouldn’t start with KPIs at all. KPIs should focus on
assessing a goal or function and providing actionable
information on which decisions can be made.
• When choosing KPIs to measure, quality should be
valued above quantity. There are many different
methods for evaluating the effectiveness of a KPI; for
example:
SMART: Simple, Measurable, Actionable, Relevant, Time-based
Which KPIs Should be Measured? Cont.
• SMART KPIs will be different for each organization; it
is simply not possible to create a one-size-fits-all list
of KPIs.
• Most security operations KPIs should be targeted at
assessing at least one of these common components.
The six most common components of a successful
security operations program are:
✓ Analyst Skills
✓ Detection Success
✓ Key Risks
✓ Mitigation Success
✓ Process Success
✓ Workload
How Many KPIs Should be Measured?
• KPIs provide the critical information required to
make fact-based decisions. Tracking too many KPIs
places decision makers in a state of information
overload.
• The number varies from one organization to another;
what is right for the program and the organization is
far more important than any hard number.
• A brainstorming process determines the most effective
and efficient drivers of success for the security
operations program.
Final Thoughts
• There will never be a set of “correct” KPIs to
measure.
• The key to choosing KPIs which will have a real,
actionable impact on the organization’s security
program is to ensure that the KPIs are SMART, focus
on the six most common components of a successful
security operations program, and are used to further
the security program.
• Effective KPIs are selected based on the SMART criteria.
Here are some examples of KPIs which should be
applicable at some level to most organizations.
Example Key Performance Indicators (KPIs)

KPI: Number of devices being monitored
Why do we care?
· How many devices are being monitored?
· Is the number increasing or decreasing? Why?
Possible measurements:
· Number of devices
· Number of devices / analyst
Assessment of:
· Workload

KPI: Number of events per location
Why do we care?
· How many events are received per geographic location, office, etc.?
· Are certain locations more prone to security events? Why?
Possible measurements:
· Number of events / department
· Number of events / office
· Number of events / region
Assessment of:
· Key risks
Thank you

Summarized version of Key Performance Indicators (KPIs) for Security Operations and Incident Response article
