Cardiff University | Prifysgol Caerdydd ORCA (Online Research @ Cardiff)

A systematic method for measuring the performance of a cyber security operations centre analyst

Agyepong, Enoch; Cherdantseva, Yulia (ORCID: https://orcid.org/0000-0002-3527-1121); Reinecke, Philipp (ORCID: https://orcid.org/0000-0002-2411-0891) and Burnap, Pete (ORCID: https://orcid.org/0000-0003-0396-633X) 2023. A systematic method for measuring the performance of a cyber security operations centre analyst. Computers and Security 124, 102959. DOI: 10.1016/j.cose.2022.102959

PDF (Published Version), available under a Creative Commons Attribution licence.

Abstract

Analysts who work in a Security Operations Centre (SOC) play an essential role in supporting businesses to protect their computer networks against cyber attacks. To manage analysts efficiently and effectively, SOC managers and stakeholders use Key Performance Indicators (KPIs) to evaluate their performance. However, the existing literature suggests a lack of a systematic approach for assessing analysts' performance. Even though cyber security researchers advocate research into this area, little has been done to address this gap. Drawing on the results of a Delphi panel with industry experts and the principles of the Analytic Hierarchy Process (AHP), this paper interrogates the problem and proposes a systematic weighted approach for measuring the performance of an analyst in a SOC. The proposed method, referred to as the SOC Analyst Assessment Method (SOC-AAM), was evaluated in two SOCs as part of an experimental case study. The results of the empirical evaluation show that the SOC-AAM enables SOC managers and stakeholders to quantify and assess analysts' performance in a systematic manner. The SOC-AAM also provides a novel guideline for assessing the quality of incident analysis and the quality of incident reports. This study will be of interest to practitioners and cyber security researchers seeking to understand the operations of a SOC analyst.
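The abstract says the weighting in SOC-AAM draws on the Analytic Hierarchy Process. The following is an added worked example of the generic AHP computation, not code from the paper and not the paper's weights: a pairwise-comparison matrix on Saaty's 1-9 scale is reduced to a normalised weight vector, the consistency ratio (CR) is checked against the usual CR < 0.1 rule before the weights are trusted, and the weights are then applied to an analyst's per-criterion scores. The three criteria, the panel judgements, and the analyst scores are all hypothetical; the paper's actual criteria and weights are in the PDF.

```python
"""
AHP weighting for a SOC analyst assessment (added illustration, hypothetical data).

Steps: (1) collect pairwise judgements a_ij = "criterion i is a_ij times as
important as criterion j"; (2) derive weights from the matrix; (3) reject the
judgements if the consistency ratio is too high; (4) combine weights with the
analyst's normalised scores into a single figure.
"""
from math import prod

# Saaty's random consistency index by matrix size n (used for CR = CI / RI).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

# Hypothetical criteria (assumption, not the paper's list).
CRITERIA = ["incident_analysis_quality", "incident_report_quality", "timeliness"]

# Constructed pairwise judgements. This matrix is perfectly consistent:
# analysis is 2x report quality, 4x timeliness; report is 2x timeliness.
CONSISTENT = [
    [1.0, 2.0, 4.0],
    [0.5, 1.0, 2.0],
    [0.25, 0.5, 1.0],
]

# Constructed cyclic judgements (A > B, B > C, C > A): must be rejected.
INCONSISTENT = [
    [1.0, 3.0, 1 / 3],
    [1 / 3, 1.0, 3.0],
    [3.0, 1 / 3, 1.0],
]

# Constructed analyst scores, each already normalised to the 0..1 range.
ANALYST_SCORES = {"incident_analysis_quality": 0.8,
                  "incident_report_quality": 0.6,
                  "timeliness": 0.9}


def check_reciprocal(matrix):
    """A valid AHP matrix has a_ii == 1 and a_ji == 1 / a_ij."""
    n = len(matrix)
    if any(len(row) != n for row in matrix):
        return False
    for i in range(n):
        if matrix[i][i] != 1:
            return False
        for j in range(n):
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > 1e-9:
                return False
    return True


def priority_vector(matrix):
    """Approximate the principal eigenvector by the row geometric-mean method."""
    n = len(matrix)
    gmeans = [prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gmeans)
    return [g / total for g in gmeans]


def consistency_ratio(matrix, weights):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); 0 for n <= 2."""
    n = len(matrix)
    if n <= 2:
        return 0.0
    # lambda_max estimated as the mean of (A w)_i / w_i over all rows.
    aw = [sum(a_ij * w_j for a_ij, w_j in zip(row, weights)) for row in matrix]
    lambda_max = sum(x / w for x, w in zip(aw, weights)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def ahp_weights(matrix, cr_threshold=0.1):
    """Return (weights, cr); raise ValueError if the judgements are unusable."""
    if not check_reciprocal(matrix):
        raise ValueError("pairwise matrix is not a reciprocal matrix")
    weights = priority_vector(matrix)
    cr = consistency_ratio(matrix, weights)
    if cr > cr_threshold:
        raise ValueError(f"inconsistent judgements: CR={cr:.2f} > {cr_threshold}")
    return weights, cr


def weighted_score(scores, weights):
    """Combine per-criterion 0..1 scores into one weighted figure in 0..1."""
    return sum(scores[c] * w for c, w in zip(CRITERIA, weights))


if __name__ == "__main__":
    w, cr = ahp_weights(CONSISTENT)
    for name, weight in zip(CRITERIA, w):
        print(f"{name:28s} weight={weight:.3f}")
    print(f"CR={cr:.3f}  analyst score={weighted_score(ANALYST_SCORES, w):.3f}")
    try:
        ahp_weights(INCONSISTENT)
    except ValueError as exc:
        print("rejected:", exc)
```

The geometric-mean method is the standard hand-calculable approximation of the principal eigenvector; for a small criteria set it agrees with the eigenvector solution to within rounding. The CR check matters in practice: a Delphi panel can easily produce cyclic judgements like the second matrix, and a weighting derived from them is meaningless even though the weights it yields look plausible (all equal here).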

Item Type: Article
Date Type: Publication
Status: Published
Schools: Computer Science & Informatics
Publisher: Elsevier
ISSN: 0167-4048
Date of First Compliant Deposit: 24 October 2022
Date of Acceptance: 14 October 2022
Last Modified: 03 May 2023 06:58
URI: https://orca.cardiff.ac.uk/id/eprint/153625
