{"id":5235,"date":"2026-04-29T06:36:53","date_gmt":"2026-04-29T06:36:53","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2026\/04\/29\/no-metrics-are-better-than-bad-metrics-in-the-soc-says-ncsc\/"},"modified":"2026-04-29T06:36:53","modified_gmt":"2026-04-29T06:36:53","slug":"no-metrics-are-better-than-bad-metrics-in-the-soc-says-ncsc","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/04\/29\/no-metrics-are-better-than-bad-metrics-in-the-soc-says-ncsc\/","title":{"rendered":"No Metrics Are Better Than Bad Metrics in the SOC, Says NCSC"},"content":{"rendered":"
\n

\"Photo<\/p>\n<\/div>\n

\n

Many of the most common metrics used to measure the effectiveness of the security operations center (SOC) are at best inaccurate and at worst actively harm SecOps teams, the National Cyber Security Centre (NCSC) has warned.<\/p>\n

The NCSC\u2019s CTO for architecture, Dave Chismon, wrote in a blog post that organizations often gravitate to measurements that can be easily expressed numerically to individuals who aren\u2019t security specialists.<\/p>\n

However, if \u201cnumber of tickets processed\u201d or \u201ctime taken to close a ticket\u201d are used as metrics, staff may perversely be incentivized to rapidly triage and close them as false positives rather than investigate.<\/p>\n

Similarly, \u201cnumber of detection rules\u201d may incentivize analysts to write as many rules as possible, driving up the number of false positives and ineffective rules.<\/p>\n

In the same way, focusing on volume of logs collected over the value of those logs is self-defeating if they don\u2019t improve detection, Chismon said.<\/p>\n

Read more on SecOps: NCSC Shares Alternatives to Using a SOC<\/em><\/p>\n

According to the NCSC, the only SOC metric that matters is: \u201cdoes it detect (and respond to) attacks in a timely manner?\u201d In other words, time to detect\/time to respond (TTD\/TTR).<\/p>\n

Chismon recommended using red\/purple teaming to allow assessment of a SOC\u2019s TTD\/TTR.<\/p>\n

\u201cWhilst TTD\/TTR are the only reportable metrics that demonstrate a SOC is working, a SOC manager is likely to want to track a number of other metrics to help them monitor the week-by-week health of their service,\u201d he continued.<\/p>\n

\u201cThese metrics could include things like numbers of tickets, but crucially, those metrics should not be reported outwards (or arguably inwards, to the SOC analysts) lest they drive the wrong activities.\u201d<\/p>\n

How to Boost Threat Detection<\/strong><\/h2>\n

To reduce TTD\/TTR in the SOC, analysts must understand both the threat landscape and what they\u2019re protecting, be experts in the tools they\u2019re using, have the right data to spot unusual behavior\u00a0and have time to hunt for threats.<\/p>\n

Chismon recommended several approaches to build on:<\/p>\n