SOC-CMM forum

Full Version: What is practical difference between KPIs and Quality indicators?
Hi all,

Could somebody provide insights on what the practical difference between KPIs and Quality indicators is?
With some examples and references to methodological background if possible.

For me these terms are similar from a practical perspective. For example, TTR (Time To React) is a KPI (which shows how well I am performing) as well as a quality indicator for the Security Incident Management service (shows how well I am delivering service against agreed parameters (quality means the degree of compliance to the applicable requirements)).
Hi Sigitas,

I suppose these indicator types will sometimes overlap. Some performance indicators will say something about the quality of a service. But not always. Consider the case of a managed security service provider. A performance indicator is created to measure if initial triage of alerts from the SIEM is sufficiently fast. This indicator will provide information on timely response, but says nothing about the quality of the triage. So, an additional quality indicator is introduced that measures the false positive rate after triage (incorrect triage). Together, these indicators provide information on both speed and accuracy of initial response and can be used to measure service quality.

Regards,
Rob.
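
The two indicators from the reply above, computed over the same set of alerts. This is an added example, not part of the original thread or of SOC-CMM material; the record fields, the 15-minute triage target and the sample alerts are assumptions constructed for illustration.

```python
from datetime import datetime
from statistics import median

# Constructed sample alerts (not real data). "review" is the verdict after a
# later second look; None means the alert was never reviewed.
ALERTS = [
    {"raised": "2020-03-30T09:00", "triaged": "2020-03-30T09:04", "triage": "benign", "review": "benign"},
    {"raised": "2020-03-30T09:10", "triaged": "2020-03-30T09:16", "triage": "benign", "review": "malicious"},
    {"raised": "2020-03-30T09:20", "triaged": "2020-03-30T09:31", "triage": "malicious", "review": "malicious"},
    {"raised": "2020-03-30T09:40", "triaged": "2020-03-30T09:43", "triage": "benign", "review": None},
    {"raised": "2020-03-30T10:00", "triaged": "2020-03-30T10:22", "triage": "malicious", "review": "malicious"},
    {"raised": "2020-03-30T10:05", "triaged": "2020-03-30T10:12", "triage": "malicious", "review": "benign"},
    {"raised": "2020-03-30T10:30", "triaged": "2020-03-30T10:35", "triage": "benign", "review": "benign"},
    {"raised": "2020-03-30T10:40", "triaged": "2020-03-30T10:49", "triage": "benign", "review": "malicious"},
]

TARGET_MINUTES = 15  # assumed service target for initial triage


def triage_speed(alerts, target=TARGET_MINUTES):
    """Performance indicator: is initial triage sufficiently fast?"""
    minutes = [
        (datetime.fromisoformat(a["triaged"]) - datetime.fromisoformat(a["raised"])).total_seconds() / 60
        for a in alerts
    ]
    if not minutes:
        return {"median_minutes": None, "within_target": None}
    within = sum(1 for m in minutes if m <= target)
    return {"median_minutes": median(minutes), "within_target": within / len(minutes)}


def triage_accuracy(alerts):
    """Quality indicator: how often did review overturn the triage verdict?"""
    # Only reviewed alerts can be judged; unreviewed ones are excluded, not counted as correct.
    reviewed = [a for a in alerts if a["review"] is not None]
    wrong = [a for a in reviewed if a["triage"] != a["review"]]
    # Alerts closed as benign that review found malicious are the costly errors.
    missed = [a for a in wrong if a["triage"] == "benign"]
    rate = len(wrong) / len(reviewed) if reviewed else None
    return {"reviewed": len(reviewed), "incorrect_rate": rate, "missed": len(missed)}


if __name__ == "__main__":
    print("speed:", triage_speed(ALERTS))
    print("accuracy:", triage_accuracy(ALERTS))
```

On this sample the speed indicator looks healthy while the accuracy indicator does not, which is the case where reporting only the first one would mislead.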
I had the opportunity to dig a bit deeper and found some interesting research, which could lead to some interesting findings. So, sharing: https://www.researchgate.net/publication...s_A_Review
(03-30-2020, 10:21 AM)sigitas.rokas Wrote: [ -> ]Hi all,

Could somebody provide insights on what the practical difference between KPIs and Quality indicators is?
With some examples and references to methodological background if possible.

For me these terms are similar from a practical perspective. For example, TTR (Time To React) is a KPI (which shows how well I am performing) as well as a quality indicator for the Security Incident Management service (shows how well I am delivering service against agreed parameters (quality means the degree of compliance to the applicable requirements)).
Hi Sigitas,
Every element of a SOC has metrics ... often we use play/run book swimlane diagrams to define KPIs for, for instance, use case request, response, hunting, analysis, log source acquisition etc. etc. ... As an example, the KPIs for Intelligence Driven Response could be "Ticket analysis time" - "validation time" - if intel response, then what controls apply - will that drive a rule change - so what is the time for that process - if not should that adjust the runbook - if yes, then the time for how long that takes. Any update on the use-case side will be timed - and of course the opening to closing the ticket. These are just a few examples in one playbook type.
Hope that makes sense to some extent.
Kr, NEA