Metrics SIG

Metrics SIG

Computer security incident response and incident management has moved towards more mature phases of development. Although there are still new teams forming, many existing teams are focusing on increasing their responsiveness and improving effectiveness.

Like other communities (such as business, finance and government) that look for quantitative and qualitative methods for benchmarking operations and measuring success, there is an emerging need for similar mechanisms in the incident management community.

The scope of this Metrics SIG will be to bring together interested members of the FIRST community to discuss and identify approaches for internally evaluating CSIRT and incident management practices within an organization. The Metrics SIG will work to bring ongoing efforts in developing CSIRT evaluation mechanisms along with defining and measuring CSIRT effectiveness to the attention of the FIRST community, and enabling those that are undertaking the development efforts to receive input from the FIRST community of experts. This will include identifying ongoing efforts and hosting conversations between the developing organization and FIRST Metrics SIG, and coordinating feedback to the developers from the FIRST community. These engagements will include scheduled events and exchanges, or informal email exchanges. There are areas that are beyond the scope of the SIG, namely:

  • The Metrics SIG is not an accrediting or certifying body
  • The Metrics SIG will not evaluate other CSIRTs

Read the full SIG charter at

Request to Join