Security Operations Efficiency dashboard

  • Release version: Yokohama
  • Updated March 12, 2026
  • 7 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Security Operations Efficiency dashboard

    The Security Operations Efficiency dashboard is designed for Security Operations Center (SOC) managers to monitor overall efficiency metrics and assess individual SOC team member performance. Utilizing Performance Analytics, managers gain insights into both general and specific SOC performance over time, enabling data-driven improvements in security operations efficiency.

    Show full answer Show less

    Analyst Efficiency tab

    This tab provides key indicators related to analyst productivity and incident handling, including:

    • Average security incidents worked per analyst: Measures the average number of open incidents each analyst manages within a timeframe.
    • Closed security incidents per analyst: Tracks the total incidents closed by each analyst, categorized as needed.
    • Average security incident resolution: Calculates the average days taken by analysts to close incidents.
    • Average security incident age: Shows how long incidents remain open on average per analyst.
    • Security incident backlog analysis: Displays total open incidents, with breakdown options by analyst, group, priority, and month-to-month comparisons.
    • Closed security incident analysis: Provides counts of closed incidents with breakdowns similar to backlog analysis.
    • Security incident age and resolution time: Allows detailed drill-down by assignment group, priority, or individual analyst to evaluate incident aging and resolution durations.

    Drill-down capabilities enable SOC managers to explore detailed data behind each indicator for targeted performance review.

    Detection and Response Effectiveness tab

    This tab focuses on the quality and effectiveness of incident detection and analyst response by presenting metrics such as:

    • True positive incidents: Percentage of correctly identified security incidents.
    • False positive critical incidents: Percentage of false positives among critical risk incidents, helping to identify inefficiencies.
    • Mean false positive risk score: Average risk score of false positives, indicating analyst time spent on non-threats.
    • False positive security incident duration: Average days spent investigating false positives.
    • Security incident source effectiveness: Percentage of true positives by incident source, such as email or network activity, to assess source reliability.
    • Security incident source volume analysis: Counts of closed incidents per source type, with month-over-month comparisons.
    • Security incident backlog and closed incident analysis: Provides volume and age/resolution time details for open and closed incidents respectively.

    Incident Risk Score Analysis tab

    This tab helps managers understand risk exposure and workload distribution by risk level with indicators like:

    • Total risk exposure analysis: Number of open incidents per risk category (low, moderate, critical), including comparisons across time periods.
    • Normalized security analyst work by risk score: Summarizes total risk score of true positive incidents closed by each analyst, adjusted for false positives.
    • Security analyst work by mean risk score: Shows the average risk score per analyst over the selected period, factoring in false positives.

    Security Incident Stage Analysis tab

    Provides a snapshot of open incidents on a specific day, categorized by stage such as analysis, containment, eradication, and recovery. It includes metrics like average incident age, affected Configuration Items (CIs), and response tasks, with options to drill down for detailed views and breakdowns.

    Practical Benefits for ServiceNow Customers

    • Enables SOC managers to track and improve analyst productivity and incident resolution efficiency.
    • Helps identify and reduce false positive incidents, saving analyst time and focusing efforts on true threats.
    • Provides detailed risk exposure insights to prioritize security efforts effectively.
    • Facilitates continuous performance monitoring and benchmarking through customizable breakdowns and period comparisons.
    • Supports informed decision-making to optimize SOC operations and resource allocation.

    Security operations center (SOC) managers can view overall efficiency metrics and measure the individual performance of the SOC team members in the organization.

    The SOC manager can use the Performance Analytics dashboard to improve efficiency and develop a picture of how SOC is performing in both general and specific areas over time.

    Analyst Efficiency tab

    Performance Analytics SOC Efficiency dashboard: Analyst Efficiency tab

    Select any of the indicators to drill down for further details. For example, select the indicator in the Average security incidents worked per analyst section.
    Table 1. Analyst Efficiency tab
    Indicator Description
    Average security incidents worked per analyst Average number of open security incidents per analyst for the specified period. The formula used is [[Number of open security incidents / By month AVG +]]/[[Number of Security Agents]]
    Closed security incidents per analyst The total number of incidents closed by each analyst in the selected category in the specified period. The formula used is [Number of closed security incidents > Security Incident Category = <category_name> / By month SUM +]]/[[Number of Security Agents / By month AVG +]]
    Average security incident resolution The average time taken by each analyst to close security incidents in the specified period. The formula used to show the result in days is ([[Summed duration of closed security incidents > Security Incident Category = <category_name> / By month AVG +]] / [[Number of closed security incidents > Security Incident Category = <category_name> / By month AVG +]]) / 24
    Average security incident age The average number of days for which security incidents remain open for each analyst. The formula used to show the result in days is ([[Summed age of open security incidents > Security Incident Category = <category_name> / By month AVG +]]/ [[Number of open security incidents > Security Incident Category = <category_name> / By month AVG +]]) / 24
    Security incident backlog analysis The total number of open security incidents in the specified period. Select an option from the Breakdown list to view the backlog for each analyst, security group, priority, and so on. You can also compare the number of open security incidents between two selected months.
    Closed security incident analysis The total number of security incidents that are closed in the specified period. Select an option from the Breakdown list to view the count for each analyst, security group, priority, and so on. You can also compare the number of security incidents that were closed between two selected months.
    Security incident age The average number of days for security incidents remain open in the specified period. Select an option from the Breakdown list to view the security incident age for each analyst, security group, priority, and so on. The formula used to show the result in days is ([[Summed age of open security incidents > Security Incident Category = <category_name> > Security Assignment Group = <group_name> / By month AVG +]]/ [[Number of open security incidents > Security Incident Category = <category_name> > Security Assignment Group = <group_name> / By month AVG +]]) / 24
    Security incident resolution time The average number of days taken to resolve security incidents during the specified period. Select an option from the Breakdown list to view the security incident resolution time for each analyst, security group, priority, and so on. The formula used to show the result in days is ([[Summed duration of closed security incidents > Security Incident Category = Malicious code activity > Security Assigned To = John Ashby / By month AVG +]] / [[Number of closed security incidents > Security Incident Category = Malicious code activity > Security Assigned To = John Ashby / By month AVG +]]) / 24

    Detection and Response Effectiveness tab

    Table 2. Detection and Response Effectiveness tab
    Indicator Description
    True positive incidents Percentage of true positive security incidents in the selected category for the specified period. The formula used is (1-([[Number of false positive security incidents > Security Incident Category = Malicious code activity / By month SUM +]] / [[Number of closed security incidents > Security Incident Category = Malicious code activity / By month SUM +]])) * 100
    False positive critical incidents Percentage of false positive critical security incidents in the selected category for the specified period. The formula used is ([[Number of false positive security incidents > Security Incident Risk Score = Critical Risk > Security Incident Category = Malicious code activity / By month SUM +]] / [[Number of closed security incidents > Security Incident Category = Malicious code activity / By month SUM +]]) * 100
    Note:
    Any security incident where the Closed code = Invalid vulnerability or False positive is treated as a false positive incident
    Mean false positive risk score Average monthly risk score of closed security incidents that were identified as false positive incidents. A lower risk score indicates that the security analysts spent lesser time analyzing false positive incidents. The formula used is ([[Number of false positive security incidents > Security Incident Risk Score = Critical Risk > Security Incident Category = Malicious code activity / By month SUM +]] / [[Number of closed security incidents > Security Incident Category = Malicious code activity / By month SUM +]]) * 100
    False positive security incident duration Average number of days that the security analysts spent in investigating false positive incidents. The formula used is ([[Summed duration of false positive security incidents]] / [[Number of false positive security incidents]]) / 24
    Security incident source effectiveness Percentage of true positive security incidents identified by a specific source for the specified period. The source can be email, network activity,customer support, and so on. This data helps measure the effectiveness of the security incident source. The formula used is (1-([[Number of false positive security incidents > Security Incident Category = Malicious code activity > Security Incident Source = IDS/IPS / By month SUM +]] / [[Number of closed security incidents > Security Incident Category = Malicious code activity > Security Incident Source = IDS/IPS / By month SUM +]])) * 100
    Security incident source volume analysis Number of closed security incidents for current month for each Security incident source. You can also compare the number of security incidents for each source type between two selected months.
    Security incident backlog analysis The total number of open security incidents in the specified period and the average number of days for which the incidents remain open. You can also compare the number of open security incidents between two selected months. The formula used to calculate the average backlog period is ([[Summed age of open security incidents > Security Incident Category = Malicious code activity]]/ [[Number of open security incidents > Security Incident Category = Malicious code activity]]) / 24
    Closed security incident analysis The total number of closed security incidents in the specified period and the average resolution time for these incidents. The formula used to calculate the average resolution time is ([[Summed duration of closed security incidents > Security Incident Category = Malicious code activity]] / [[Number of closed security incidents > Security Incident Category = Malicious code activity]]) / 24

    Incident Risk Score Analysis tab

    Table 3. Incident Risk Score Analysis tab
    Indicator Description
    Total risk exposure analysis Total number of open incidents in each risk category (low, moderate, and critical) in the specified period. You can also compare the number of incidents in the different risk categories between two months.
    Normalized security analyst work by risk score The total risk score for each security analyst for the specified period. This is calculated based on the number of true positive security incidents that the security analyst closed. The formula used is [[Summed Risk Score of Closed Security Incidents > Security Incident Category = Malicious code activity > Security Assigned To = SI Admin / By month SUM +]] - [[Summed Risk Score of False Positive Security Incidents > Security Incident Category = Malicious code activity > Security Assigned To = SI Admin / By month SUM +]]
    Security analyst work by mean risk score The average risk score for each security analyst for the specified period. The formula used is [[Summed Risk Score of Closed Security Incidents > Security Incident Category = Malicious code activity > Security Assigned To = SI Admin / By month AVG +]] - [[Summed Risk Score of False Positive Security Incidents > Security Incident Category = Malicious code activity > Security Assigned To = SI Admin / By month AVG +]]

    Security Incident Stage Analysis tab

    You can see the number of open incidents on a specific day and the status (analysis, draft, contain, eradicate, recover, or review) of these incidents. On each stage, you can view average age, affected CIs, response tasks, and so on. Select a link to view additional details or the breakdown of these incidents.