Name three KPIs used to measure security effectiveness.

In security performance, you want metrics that show how well the security team detects and handles threats. The best choice lists incident response time, detection rate, and false alarm rate. Incident response time indicates how quickly the team acts after an incident is identified, which is crucial for limiting damage. Detection rate shows how effectively security controls catch real threats, reflecting coverage and accuracy. False alarm rate tracks how often alerts are not actually threats, helping to avoid wasted effort and alert fatigue. Together, these three provide a clear view of security effectiveness. The other groups measure aspects outside security performance—business outcomes like customer satisfaction and market share, service desk metrics like average call duration and queue length, or HR metrics like turnover and training hours—so they don’t directly indicate how well security controls detect or respond to threats.