Agyepong, Enoch (2023). Measuring the performance of a Security Operations Centre (SOC) analyst: An industry-validated approach based on weighted SOC functions. PhD Thesis, Cardiff University.
Item availability restricted.

PDF (PhD Thesis): Accepted Post-Print Version, available under License Creative Commons Attribution No Derivatives (39MB).

PDF (Cardiff University Electronic Publication Form): Supplemental Material, restricted to repository staff only (583kB).
Abstract
Analysts who work in Security Operations Centres (SOCs) play a vital role in helping organisations protect their computer network systems against cyber attacks. It is the responsibility of an analyst to monitor, detect, investigate, and respond to cyber security incidents. It is essential, therefore, for analysts to maintain a high level of human performance, because poor performance could negatively impact the overall efficiency of a SOC. To manage analysts effectively and efficiently, SOC managers use performance metrics to measure analysts' performance. However, the existing literature indicates that current metrics are inadequate because they overlook the key facets of analysts' work. The literature also reveals a lack of a systematic approach for measuring analysts' performance. Despite these problems, there has been very little effort by cyber security researchers to improve performance measurement methods for analysts. This study proposes a widely applicable method, referred to as the Security Operations Centre Analyst Assessment Method (SOC-AAM), for measuring the performance of an analyst, developed using the Design Science Research Process (DSRP). The novelty of the proposed method is that it captures the most common and significant analyst functions and has the potential to be adopted by SOCs worldwide. The proposed method simplifies the process of measuring analyst performance by consolidating existing assessment methods and providing a new formal method. Additionally, it provides a novel guideline for assessing the quality of incident analysis and the quality of incident reports. The results of empirical testing and evaluation of the SOC-AAM show that it offers a useful, easy-to-use and comprehensive approach to measuring an analyst's performance. The SOC-AAM will help SOC managers overcome the limitations of current performance metrics by offering a systematic method for measuring an analyst's performance. It would also help analysts to demonstrate their performance across a variety of functions.
| Field | Value |
|---|---|
| Item Type | Thesis (PhD) |
| Date Type | Completion |
| Status | Unpublished |
| Schools | Computer Science & Informatics |
| Subjects | Q Science > QA Mathematics > QA75 Electronic computers. Computer science; Q Science > QA Mathematics > QA76 Computer software |
| Funders | Airbus Operations Limited |
| Date of First Compliant Deposit | 7 November 2023 |
| Date of Acceptance | 31 October 2023 |
| Last Modified | 07 Nov 2023 16:48 |
| URI | https://orca.cardiff.ac.uk/id/eprint/163699 |