Abstract

The past few years have seen several studies on the role of the Security Operations Center (SOC) analyst and on metrics for assessing analyst performance. However, research suggests that analysts are dissatisfied with existing metrics because they fail to account for several aspects of their tasks, and existing work calls for further research in this area. A major obstacle to devising adequate metrics is that the actual work of analysts, which must be taken into account to assess their performance holistically, has not been fully described. Furthermore, there is at present no agreement on what constitutes the core functions of an analyst. An analyst’s overall performance in a SOC could be assessed if there were common agreement on the core functions against which it is evaluated. In this paper, we propose a framework depicting the core functions of analysts, together with key performance indicators (KPIs) that can be used to measure their performance. To do this, we conducted a thorough analysis of the SOC functions described in multiple sources in the literature and engaged with several analysts and SOC managers from different industries through qualitative semi-structured interviews. Our results identify the following KPIs for assessing analyst performance: the quality of an analyst’s analysis, the quality of an analyst’s report, time-based measures, and the absolute numbers derived from an analyst’s tasks. We hope that our findings will stimulate more interest among cybersecurity researchers in assessment methods for analysts.

Full Text
Published version (Free)