Cardiff University | Prifysgol Caerdydd ORCA
Online Research @ Cardiff 

Towards a framework for measuring the performance of a security operations center analyst

Agyepong, Enoch, Cherdantseva, Yulia, Reinecke, Philipp and Burnap, Peter 2020. Towards a framework for measuring the performance of a security operations center analyst. Presented at: IEEE International Conference on Cyber Security and Protection of Digital Services (Cyber Security 2020), Dublin, Ireland, 15-17 June 2020.

PDF - Accepted Post-Print Version


The past few years have seen several studies reporting on the role of a Security Operations Center (SOC) analyst and metrics for assessing the performance of analysts. However, research suggests that analysts are dissatisfied with existing metrics as they fail to take into consideration several aspects of their tasks. Existing works advocate for research into this area. A major challenge to devising adequate metrics is that the real work of analysts that needs to be taken into consideration to assess their holistic performance has not been fully discussed. Furthermore, at present, there is no agreement on what constitutes core analysts’ functions. Analysts’ overall performance in a SOC could be obtained if there is a common agreement on the core functions upon which their performance can be evaluated. In this paper, we propose a framework depicting the core functions of analysts and KPIs that can be used to measure the performance of analysts. To do this, we conducted a thorough analysis of the functions of a SOC described in multiple sources of literature and engaged with several analysts and SOC managers from different industries using qualitative semi-structured interviews. Our research results identify the following: quality of analysts’ analysis, quality of analysts’ report, time-based measures and the absolute numbers derived from an analyst’s tasks as the key performance indicators (KPIs) for assessing analysts’ performance. We hope that our findings will stimulate more interest among cybersecurity researchers on assessment methods for analysts.

Item Type: Conference or Workshop Item (Paper)
Status: In Press
Schools: Computer Science & Informatics
Date of First Compliant Deposit: 16 July 2020
Date of Acceptance: 16 April 2020
Last Modified: 26 Jun 2023 06:36

Citation Data

Cited 6 times in Scopus.
