Metrics Ladder.
From operational signals to strategic outcomes — the climb from "did we ship Crawl" to "did insurance notice."
Three tiers, each with its own bar. Lower-tier metrics earn the right to add upper-tier ones. Don't claim Run-tier impact while still missing Crawl-tier evidence.
Crawl.

| Metric | Definition | Target |
|---|---|---|
| Compliance Score | Insurer baseline % across the seven non-negotiables (MFA, EDR, immutable backups, IR plan, training, MDR/SOC, vuln mgmt). | ≥ 70 % |
| Time-to-Assemble | Minutes from page to war-room ready — call tree current, decision-makers reachable, evidence channel open. | ≤ 4 h |
| Evidence Freshness | % of compliance artefacts (logs, attestations, configs) updated within the last 90 days. | ≥ 80 % |
| Cost per Incident | Baseline cost by incident type (phishing, endpoint, identity, exfil) — labour + downtime + 3rd-party. | Baseline |

Walk.

| Metric | Definition | Target |
|---|---|---|
| MTTD / MTTR | Mean time to detect and to respond, broken out per scenario (phishing, identity compromise, endpoint, SaaS, exfil). | Trending ↓ |
| Drill Success Rate | % of tabletops & live drills that pass the playbook's verification step on the first run. | ≥ 80 % |
| Alert Fatigue Index | Ratio of false-positive to true-positive tickets per analyst per week. Tracks signal quality, not analyst speed. | ≤ 4 : 1 |
| Handoff Latency | Minutes between team transitions (SOC → IR → Legal → Comms). Where Walk-stage programs lose most of their time. | ≤ 15 m |
| Playbook Effectiveness | % of incidents resolved end-to-end by an existing playbook without ad-hoc improvisation. | ≥ 70 % |

Run.

| Metric | Definition | Target |
|---|---|---|
| Auto-triage Rate | % of tickets handled by automation through containment without human escalation, gated by Reversibility Score. | ≥ 60 % |
| AR Debt Trend | Architectural-resilience debt — open recommendations from post-mortems still pending implementation, weighted by blast radius. | Trending ↓ |
| Breach Cost Avoided | Quantified prevention value — compares incident cost to industry baseline for the same scenario class. | $$ tracked |
| Premium Delta | Year-over-year change in cyber-insurance premium, normalized for revenue and coverage limits. Track as an external signal, not as a guaranteed program outcome. | Tracked |
| Cross-Team SLA Score | % of incident-response SLAs met across SOC, IR, Legal, Comms, and Engineering. The single number for the steering committee. | ≥ 95 % |
How to use the ladder.
Earn the next tier. A program reporting Run-tier numbers without first hitting Crawl-tier evidence freshness is reporting noise. The ladder is a sequencing tool, not a buffet.
Pick a few, not all. Most teams should track 3–4 metrics per tier. The KPI Starter Pack in Pillar 1 ships with a recommended default set you can fork.
Show the chart, not just the number. Direction beats magnitude. A Compliance Score climbing from 62 → 78 over two quarters is more reportable than 80 with no history.
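The computation behind several ladder metrics, plus the "earn the next tier" gate, as an added example (not the page's or any program's own tooling). The incident records, artefact timestamps, control list and ticket counts are constructed for illustration; the only figures taken from the page are the seven non-negotiables and the Crawl-tier targets (Compliance Score ≥ 70 %, Evidence Freshness ≥ 80 %). Walk-tier numbers are only emitted once the Crawl gate holds, which is the sequencing rule the section describes.

```python
"""Metrics Ladder calculator over constructed incident/control data (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean

# The seven insurer non-negotiables named in the Compliance Score definition.
NON_NEGOTIABLES = ("MFA", "EDR", "immutable backups", "IR plan",
                   "training", "MDR/SOC", "vuln mgmt")
# Crawl-tier targets from the ladder; the gate below refuses Walk reporting until both hold.
CRAWL_TARGETS = {"compliance_score": 70.0, "evidence_freshness": 80.0}


@dataclass
class Incident:
    scenario: str                 # phishing, identity, endpoint, saas, exfil
    started: datetime             # first malicious activity (from forensics)
    detected: datetime            # first alert that reached a human or automation
    resolved: datetime            # containment / recovery complete
    handoffs: list = field(default_factory=list)  # (team, time) transitions
    playbook_only: bool = True    # resolved without ad-hoc improvisation


def compliance_score(controls_met):
    """% of the seven non-negotiables the program can evidence."""
    met = set(controls_met) & set(NON_NEGOTIABLES)
    return round(100.0 * len(met) / len(NON_NEGOTIABLES), 1)


def evidence_freshness(artifacts, now, window_days=90):
    """% of compliance artefacts (name -> last update) refreshed inside the window."""
    if not artifacts:
        return 0.0
    cutoff = now - timedelta(days=window_days)
    fresh = sum(1 for updated in artifacts.values() if updated >= cutoff)
    return round(100.0 * fresh / len(artifacts), 1)


def mttd_mttr(incidents):
    """Per-scenario (MTTD, MTTR) in hours, so each scenario class trends separately."""
    by_scenario = defaultdict(list)
    for inc in incidents:
        by_scenario[inc.scenario].append(inc)
    out = {}
    for scenario, incs in by_scenario.items():
        mttd = mean((i.detected - i.started).total_seconds() for i in incs) / 3600
        mttr = mean((i.resolved - i.detected).total_seconds() for i in incs) / 3600
        out[scenario] = (round(mttd, 2), round(mttr, 2))
    return out


def handoff_latency_minutes(incident):
    """Worst gap between consecutive team transitions (SOC -> IR -> Legal -> Comms)."""
    times = [t for _, t in sorted(incident.handoffs, key=lambda h: h[1])]
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    return round(max(gaps), 1) if gaps else 0.0


def playbook_effectiveness(incidents):
    """% of incidents closed end-to-end by an existing playbook."""
    if not incidents:
        return 0.0
    return round(100.0 * sum(i.playbook_only for i in incidents) / len(incidents), 1)


def alert_fatigue_index(false_positives, true_positives):
    """False-positive : true-positive ratio; infinite when nothing true was raised."""
    if true_positives == 0:
        return float("inf")
    return round(false_positives / true_positives, 2)


def walk_tier_earned(crawl_metrics):
    """'Earn the next tier': Walk numbers are noise until every Crawl target is met."""
    return all(crawl_metrics[k] >= v for k, v in CRAWL_TARGETS.items())


def ladder_report(controls_met, artifacts, incidents, now, false_pos, true_pos):
    """Build the report tier by tier, stopping at the first tier whose gate fails."""
    crawl = {"compliance_score": compliance_score(controls_met),
             "evidence_freshness": evidence_freshness(artifacts, now)}
    report = {"crawl": crawl, "walk_tier_earned": walk_tier_earned(crawl)}
    if report["walk_tier_earned"]:
        report["walk"] = {
            "mttd_mttr_hours": mttd_mttr(incidents),
            "worst_handoff_minutes": max(handoff_latency_minutes(i) for i in incidents),
            "playbook_effectiveness": playbook_effectiveness(incidents),
            "alert_fatigue_index": alert_fatigue_index(false_pos, true_pos),
        }
    return report


# ---- constructed sample data (not real program figures) -------------------
NOW = datetime(2024, 6, 1, 9, 0)
CONTROLS_MET = ["MFA", "EDR", "immutable backups", "IR plan", "training"]   # 5 of 7
ARTIFACTS = {  # name -> last update; the restore test is stale (>90 days)
    "mfa-enforcement-export": NOW - timedelta(days=10),
    "edr-coverage-report": NOW - timedelta(days=45),
    "backup-restore-test": NOW - timedelta(days=120),
    "ir-plan-signoff": NOW - timedelta(days=30),
    "training-completion": NOW - timedelta(days=80),
}
INCIDENTS = [
    Incident("phishing", NOW - timedelta(hours=30), NOW - timedelta(hours=28),
             NOW - timedelta(hours=20),
             handoffs=[("SOC", NOW - timedelta(hours=28)),
                       ("IR", NOW - timedelta(hours=27, minutes=50)),
                       ("Comms", NOW - timedelta(hours=27))]),
    Incident("phishing", NOW - timedelta(hours=10), NOW - timedelta(hours=6),
             NOW - timedelta(hours=4), playbook_only=False),
    Incident("identity", NOW - timedelta(hours=48), NOW - timedelta(hours=24),
             NOW - timedelta(hours=12)),
]

if __name__ == "__main__":
    print(ladder_report(CONTROLS_MET, ARTIFACTS, INCIDENTS, NOW, false_pos=120, true_pos=40))
```

With the sample data the Crawl gate just passes (71.4 % compliance, 80.0 % freshness), so the Walk block is populated; the 50-minute SOC-to-Comms gap in the first incident is the kind of figure the Handoff Latency row is meant to surface, well over its 15-minute target. Drop one control from `CONTROLS_MET` and the report stops at Crawl, which is the point of the gate.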