A systematic method for measuring the performance of a cyber security operations centre analyst

Abstract

Analysts who work in a Security Operations Centre (SOC) play an essential role in supporting businesses to protect their computer networks against cyber attacks. To manage analysts efficiently and effectively, SOC managers and stakeholders use Key Performance Indicators (KPIs) to evaluate their performance. However, existing literature suggests a lack of a systematic approach for assessing analysts’ performance. Even though cyber security researchers advocate for research into this area, little effort has been made by researchers to address this gap. Drawing on the results of a Delphi panel with industry experts and the principles of the Analytic Hierarchy Process (AHP), this paper interrogates the problem and proposes a systematic weighted approach for measuring the performance of an analyst in a SOC. The proposed method, referred to as a SOC Analyst Assessment Method (SOC-AAM), was evaluated in two SOCs as a part of an experimental case study. The results of the empirical evaluation show that the SOC-AAM enables SOC managers and stakeholders to quantify and assess analysts’ performance in a systematic manner. The SOC-AAM also provides a novel guideline for assessing the quality of incident analysis and the quality of incident reports. This study will be of interest to practitioners and cyber security researchers seeking to understand the operations of a SOC analyst.