Challenges and performance metrics for security operations center analysts: a systematic review

Cited by: 30
Authors
Agyepong, Enoch [1 ]
Cherdantseva, Yulia [1 ]
Reinecke, Philipp [1 ]
Burnap, Pete [1 ]
Affiliations
[1] School of Computer Science and Informatics, Cardiff University, Cardiff
Source
Agyepong, Enoch (agyeponge@cardiff.ac.uk) | Year: 1600 / Taylor and Francis Ltd. Volume: / Issue: 04
Keywords
cyber security; performance metrics; security analysts; Security operations center; systematic literature review;
DOI
10.1080/23742917.2019.1698178
CLC classification number
TP3 [Computing technology, computer technology];
Subject classification code
0812 ;
Abstract
The increasing use of Security Operations Centers (SOCs) by organisations as a part of their cyber security strategy has led to several studies aiming to understand and improve SOC operations. However, to the best of our knowledge, there is no systematic literature review on the challenges faced by SOC analysts or on metrics for measuring analysts' performance. To this end, we conducted a Systematic Literature Review (SLR) in accordance with the guidelines for undertaking SLRs and analyzed papers published on SOCs between 2008 and 2018. We provide a comprehensive overview of the challenges faced by SOC analysts and of the metrics suggested in the literature for measuring analysts' performance. In addition, we present a mapping between the challenges and existing performance metrics, showing how the effectiveness of an analyst in addressing a particular challenge could be measured. We also discuss the drawbacks of the existing metrics and suggest directions for improvement. Our findings will enable SOC analysts and managers, as well as the academic community, to gain a better understanding of the challenges impeding the performance of SOC analysts, and of how analysts' performance could be measured and improved. © 2019 Informa UK Limited, trading as Taylor & Francis Group.
Pages: 125 / 152
Number of pages: 27
Related papers
59 items in total
[1] Schinagl S., Schoon K., Paans R., A framework for designing a security operations centre (SOC), 48th Hawaii International Conference on System Sciences, (2015)
[2] Jacobs P., Arnab A., Irwin B., Classification of security operation centers, Information Security for South Africa, (2013)
[3] Zhong C., Automate cybersecurity data triage by leveraging human analysts' cognitive process, Proceedings - 2nd IEEE International Conference on Big Data Security on Cloud, IEEE BigDataSecurity 2016, 2nd IEEE International Conference on High Performance and Smart Computing, IEEE HPSC 2016 and IEEE International Conference on Intelligent Data and Security. New York, USA, (2016)
[4] Lif P., Sommestad T., Human factors related to the performance of intrusion detection operators, (2015)
[5] Sundaramurthy S.C., A tale of three security operation centers, Proceedings of the 2014 ACM Workshop on Security Information Workers - SIW '14, (2014)
[6] Onwubiko C., Cyber security operations centre: security monitoring for protecting business and supporting cyber defense strategy, International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), (2015)
[7] A human capital model for mitigating security analyst burnout, Symposium on Usable Privacy and Security, (2015)
[8] Zhong C., Lin T., A cyber security data triage operation retrieval system, Comput Secur, 76, pp. 12-31, (2018)
[9] Kaplan R.S., Measuring performance: expert solutions to everyday challenges, (2009)
[10] Mcclain J., Silva A., Emmanuel G., Human performance factors in cyber security forensic analysis, Procedia Manuf, 3, pp. 5301-5307, (2015)