Which of the following is NOT a KPI used to measure security effectiveness?

Measuring security effectiveness relies on KPIs that reflect actual results of the security program, not just how the system detects threats. Incident response time is a direct gauge of how quickly the team can act when an incident occurs, so faster responses show stronger effectiveness. False alarm rate matters because a high rate of false positives wastes time and resources and can undermine trust in alerts, reducing overall efficiency. Detection rate, while it sounds like a meaningful metric, doesn’t by itself prove effectiveness of the security program; a system could have a high detection rate but still be slow to respond or poorly contained, meaning the outcome isn’t improved security. So the metric that doesn’t fit as a KPI for security effectiveness is detection rate.