Cybersecurity metrics that matter (and how to measure them)

Source: The Red Canary Blog: Information Security Insights
Author: Brian Donohue
URL: https://redcanary.com/blog/threat-detection/cybersecurity-metrics/

ONE SENTENCE SUMMARY:

Security operations centers should prioritize accuracy, volume, and timeliness metrics, carefully defining and consistently measuring them to avoid misleading interpretations.

MAIN POINTS:

  1. Security metrics vary widely; clearly defined metrics ensure consistency and usefulness.
  2. SOC metrics typically focus on accuracy, volume, and timeliness.
  3. Mean-based metrics are problematic due to susceptibility to extreme outliers.
  4. Median metrics offer a more accurate representation of typical SOC performance.
  5. Definitions of detection, response, and mitigation significantly impact metric results.
  6. Clarifying when measurement begins and ends is crucial to meaningful SOC metrics.
  7. Time-to-detect varies with where the clock stops: when a threat is first identified, or only when a confirmed threat is published.
  8. Response metrics must define precisely when a response action officially occurs.
  9. Publicly reported SOC metrics are hard to interpret without underlying context and definitions.
  10. Dwell time differs from breakout time; the latter may be a more critical security metric.
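The points above (mean vs. median, explicit clock start/stop events, detection vs. breakout time) are easier to reason about on concrete numbers. The following is an added Python example, not code from the article or from Red Canary; the incident records, timestamps and clock names are constructed for illustration.

```python
from statistics import mean, median

# Constructed sample incidents (hypothetical, not from the article).
# Timestamps are minutes since an arbitrary epoch so results are easy to check
# by hand. "lateral" is when the adversary first moved laterally (breakout).
INCIDENTS = [
    {"id": "inc-1", "start": 100, "alert": 110, "confirmed": 140, "responded": 160, "lateral": 130},
    {"id": "inc-2", "start": 200, "alert": 215, "confirmed": 250, "responded": 290, "lateral": 240},
    {"id": "inc-3", "start": 300, "alert": 320, "confirmed": 335, "responded": 355, "lateral": 330},
    {"id": "inc-4", "start": 400, "alert": 408, "confirmed": 430, "responded": 445, "lateral": 460},
    # One intrusion found ten days late: the single outlier that drags every mean.
    {"id": "inc-5", "start": 500, "alert": 14900, "confirmed": 14930, "responded": 15000, "lateral": 560},
]

# Explicit clock definitions: (start event, stop event). Changing either end
# of the clock changes the metric, which is why published numbers need them.
CLOCKS = {
    "ttd_first_alert":  ("start", "alert"),          # detection = first alert fires
    "ttd_confirmed":    ("start", "confirmed"),      # detection = confirmed threat published
    "ttr_from_confirm": ("confirmed", "responded"),  # response clock starts at confirmation
    "ttr_from_alert":   ("alert", "responded"),      # response clock starts at first alert
}

def durations(incidents, clock):
    """Minutes between the clock's start and stop events for each incident."""
    start_key, stop_key = CLOCKS[clock]
    return [inc[stop_key] - inc[start_key] for inc in incidents]

def summarize(incidents, clock):
    """Mean and median for one clock definition; compare them to see the outlier effect."""
    d = durations(incidents, clock)
    return {"mean": round(mean(d), 1), "median": median(d), "n": len(d)}

def detected_before_breakout(incidents, clock):
    """Fraction of incidents where the chosen detection event preceded lateral movement."""
    _, stop_key = CLOCKS[clock]
    hits = sum(1 for inc in incidents if inc[stop_key] < inc["lateral"])
    return hits / len(incidents)

if __name__ == "__main__":
    for clock in CLOCKS:
        print(clock, summarize(INCIDENTS, clock))
    for clock in ("ttd_first_alert", "ttd_confirmed"):
        print(clock, "beat breakout in", detected_before_breakout(INCIDENTS, clock))
```

With these numbers the mean time-to-detect is in the thousands of minutes while the median stays near 15 or 40 depending on the clock, and the same incidents "beat breakout" 80% of the time under one detection definition but only 20% under the other.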

TAKEAWAYS:

  1. Clearly define and standardize measurement terms for SOC metrics.
  2. Favor median over mean to avoid misleading results from outliers.
  3. Clarify exactly when measurement “clocks” start and end for consistent metric tracking.
  4. Consider both dwell time and breakout time when evaluating threat response effectiveness.
  5. Always question and contextualize publicly reported SOC metrics to avoid misinterpretation.