Cardiff University | Prifysgol Caerdydd ORCA
Online Research @ Cardiff 

Measuring the performance of a Security Operations Centre (SOC) analyst: An industry-validated approach based on weighted SOC functions

Agyepong, Enoch 2023. Measuring the performance of a Security Operations Centre (SOC) analyst: An industry-validated approach based on weighted SOC functions. PhD Thesis, Cardiff University.
Item availability restricted.

PDF (PhD Thesis) - Accepted Post-Print Version
Available under License Creative Commons Attribution No Derivatives.

PDF (Cardiff University Electronic Publication Form) - Supplemental Material
Restricted to Repository staff only

Abstract

Analysts who work in Security Operations Centres (SOCs) play a vital role in helping organisations protect their computer networks and systems against cyber attacks. It is the responsibility of an analyst to monitor, detect, investigate, and respond to cyber security incidents. It is therefore essential for analysts to maintain a high level of human performance, because poor performance could negatively impact the overall efficiency of a SOC. To manage analysts effectively and efficiently, SOC managers use performance metrics to measure analysts' performance. However, the existing literature indicates that current metrics are inadequate because they overlook key facets of analysts' work. The literature also reveals the lack of a systematic approach to measuring analysts' performance. Despite these problems, cyber security researchers have made very little effort to improve performance measurement methods for analysts. This study proposes a widely applicable method, referred to as the Security Operations Centre Analyst Assessment Method (SOC-AAM), for measuring the performance of an analyst, developed using the Design Science Research Process (DSRP). The novelty of the proposed method is that it captures the most common and significant analyst functions and has the potential to be adopted by SOCs worldwide. The proposed method simplifies the process of measuring analyst performance by consolidating existing assessment methods and providing a new formal method. Additionally, it provides a novel guideline for assessing the quality of incident analysis and the quality of incident reports. The results of empirical testing and evaluation of the SOC-AAM show that it offers a useful, easy-to-use and comprehensive approach to measuring an analyst's performance. The SOC-AAM will help SOC managers overcome the limitations of current performance metrics by offering a systematic method for measuring an analyst's performance. It would also help analysts to demonstrate their performance across a variety of functions.

Item Type: Thesis (PhD)
Date Type: Completion
Status: Unpublished
Schools: Computer Science & Informatics
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Q Science > QA Mathematics > QA76 Computer software
Funders: Airbus Operations Limited
Date of First Compliant Deposit: 7 November 2023
Date of Acceptance: 31 October 2023
Last Modified: 07 Nov 2023 16:48
URI: https://orca.cardiff.ac.uk/id/eprint/163699
