Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework
Abstract
In this paper, we propose a comprehensive and scalable framework for incident assignment and prioritization in Security Operations Centers (SOCs). The proposed model aims to optimize SOC workflows by addressing key operational challenges such as analyst fatigue, alert overload, and inconsistent incident handling. Our framework evaluates each incident using a multi-factor scoring model that incorporates incident severity, service-level agreement (SLA) urgency, incident type, asset criticality, threat intelligence indicators, frequency of repetition, and a correlation score derived from historical incident data. We formalize this evaluation through a set of mathematical functions that compute a dynamic incident score and derive incident complexity. In parallel, analyst profiles are quantified using Analyst Load Factor (ALF) and Experience Match Factor (EMF), two novel metrics that account for both workload distribution and expertise alignment. The incident–analyst matching process is expressed as a constrained optimization problem, where the final assignment score is computed by balancing incident priority with analyst suitability. This formulation enables automated, real-time assignment of incidents to the most appropriate analysts, while ensuring both operational fairness and triage precision. The model is validated using algorithmic pseudocode, scoring tables, and a simplified case study, which illustrates the real-world applicability and decision logic of the framework in large-scale SOC environments. To validate the framework under real-world conditions, an empirical case study was conducted using 10 attack scenarios from the CICIDS2017 benchmark dataset. Overall, our contributions lie in the formalization of a dual-factor analyst scoring scheme and the integration of contextual incident features into an adaptive, rule-based assignment framework. To further strengthen operational value, future work will explore adaptive weighting mechanisms and integration with real-time SIEM pipelines. Additionally, feedback loops and supervised learning models will be incorporated to continuously refine analyst-incident matching and prioritization.
Keywords
Incident management Analyst assignment SOC optimization Incident prioritization Correlation score SLA urgency
References
- Al-Dhaqm A, Siddique K, Abd Razak S, Ikuesan RA, Kebande VR. 2020. Towards the development of an integrated incident response model for database forensic investigation field. IEEE Access, 8: 145018-145032.
- Alrimawi F, Pasquale L, Nuseibeh B. 2019. On the automated management of security incidents in smart spaces. IEEE Access, 7: 111513-111527.
- AXELOS. 2019. ITIL Foundation: ITIL 4 Edition. The Stationery Office (TSO), London, UK, 1st ed., pp. 1-255.
- Binbeshr F, Imam M, Hamdan M, Ghaleb M, Rahim MA, Hammoudeh M. 2025. The rise of cognitive SOCs: A systematic literature review on AI approaches. IEEE Open J Comput Soc, 6: 360-379.
- Chhetri MB, Tariq S, Singh R, Jalalvand F, Paris C, Nepal S. 2024. Towards human-AI teaming to mitigate alert fatigue in security operations centres. ACM Comput Surv, 24(3): 1-22.
- Gachnang P, Ehrenthal J, Telesko R, Hanne T. 2023. Determination of weights for multiobjective combinatorial optimization in incident management with an evolutionary algorithm. IEEE Access, 11: 138502-138514.
- García LA, Tomás VR. 2020. A framework for enhancing the operational phase of traffic management plans. IEEE Access, 8: 204483-204493.
- Handri EY, Sensuse DI, Tarigan A. 2025. Developing an agile cybersecurity framework with organizational culture approach using Q methodology. IEEE Access, 13: 108835-108850.
- He Y, Luo C, Evans M, Zamani E, Maglaras LA, Yevseyeva I, Janicke H. 2019. Real-time information security incident management: A case study using the IS-CHEC technique. IEEE Access, 7: 142147-142175.
- Hou W, Meng L, Ke X, Zhong L. 2022. Dynamic load balancing algorithm based on optimal matching of weighted bipartite graph. IEEE Access, 10: 127225-127236.
- Jadon S, Kannan PK, Gupta K, Kalaria U, Honnavalli PB, Varsha KR. 2024. A comprehensive study of load balancing approaches in real-time multi-core systems for mixed real-time tasks. IEEE Access, 12: 53373-53395.
- Jalalvand F, Chhetri MB, Nepal S, Paris C. 2024. Alert prioritisation in security operations centres: A systematic survey on criteria and methods. ACM Comput Surv, 57(2): 1-36.
- Liao S, Wu C, Yang Q, Wang B, Jiang M. 2011. A resource-efficient load balancing algorithm for network virtualization. Chin J Electron, 20(4): 765-770.
- Mooi RD, Botha RA. 2016. A management model for building a computer security incident response capability. SAIEE Afr Res J, 107(2): 78-91.
- Vielberth M, Böhm F, Pernul G, Fichtinger I. 2020. Security operations center: A systematic study and open challenges. IEEE Access, 8: 227756-227779.
- Villalón-Huerta A, Ripoll-Ripoll I, Marco-Gisbert H. 2022. SOC critical path: A defensive kill chain model. IEEE Access, 10: 13570-13581.
Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework
Abstract
In this paper, we propose a comprehensive and scalable framework for incident assignment and prioritization in Security Operations Centers (SOCs). The proposed model aims to optimize SOC workflows by addressing key operational challenges such as analyst fatigue, alert overload, and inconsistent incident handling. Our framework evaluates each incident using a multi-factor scoring model that incorporates incident severity, service-level agreement (SLA) urgency, incident type, asset criticality, threat intelligence indicators, frequency of repetition, and a correlation score derived from historical incident data. We formalize this evaluation through a set of mathematical functions that compute a dynamic incident score and derive incident complexity. In parallel, analyst profiles are quantified using Analyst Load Factor (ALF) and Experience Match Factor (EMF), two novel metrics that account for both workload distribution and expertise alignment. The incident–analyst matching process is expressed as a constrained optimization problem, where the final assignment score is computed by balancing incident priority with analyst suitability. This formulation enables automated, real-time assignment of incidents to the most appropriate analysts, while ensuring both operational fairness and triage precision. The model is validated using algorithmic pseudocode, scoring tables, and a simplified case study, which illustrates the real-world applicability and decision logic of the framework in large-scale SOC environments. To validate the framework under real-world conditions, an empirical case study was conducted using 10 attack scenarios from the CICIDS2017 benchmark dataset. Overall, our contributions lie in the formalization of a dual-factor analyst scoring scheme and the integration of contextual incident features into an adaptive, rule-based assignment framework. To further strengthen operational value, future work will explore adaptive weighting mechanisms and integration with real-time SIEM pipelines. Additionally, feedback loops and supervised learning models will be incorporated to continuously refine analyst-incident matching and prioritization.
Keywords
Incident management Analyst assignment SOC optimization Incident prioritization Correlation score SLA urgency
References
- Al-Dhaqm A, Siddique K, Abd Razak S, Ikuesan RA, Kebande VR. 2020. Towards the development of an integrated incident response model for database forensic investigation field. IEEE Access, 8: 145018-145032.
- Alrimawi F, Pasquale L, Nuseibeh B. 2019. On the automated management of security incidents in smart spaces. IEEE Access, 7: 111513-111527.
- AXELOS. 2019. ITIL Foundation: ITIL 4 Edition. The Stationery Office (TSO), London, UK, 1st ed., pp. 1-255.
- Binbeshr F, Imam M, Hamdan M, Ghaleb M, Rahim MA, Hammoudeh M. 2025. The rise of cognitive SOCs: A systematic literature review on AI approaches. IEEE Open J Comput Soc, 6: 360-379.
- Chhetri MB, Tariq S, Singh R, Jalalvand F, Paris C, Nepal S. 2024. Towards human-AI teaming to mitigate alert fatigue in security operations centres. ACM Comput Surv, 24(3): 1-22.
- Gachnang P, Ehrenthal J, Telesko R, Hanne T. 2023. Determination of weights for multiobjective combinatorial optimization in incident management with an evolutionary algorithm. IEEE Access, 11: 138502-138514.
- García LA, Tomás VR. 2020. A framework for enhancing the operational phase of traffic management plans. IEEE Access, 8: 204483-204493.
- Handri EY, Sensuse DI, Tarigan A. 2025. Developing an agile cybersecurity framework with organizational culture approach using Q methodology. IEEE Access, 13: 108835-108850.
- He Y, Luo C, Evans M, Zamani E, Maglaras LA, Yevseyeva I, Janicke H. 2019. Real-time information security incident management: A case study using the IS-CHEC technique. IEEE Access, 7: 142147-142175.
- Hou W, Meng L, Ke X, Zhong L. 2022. Dynamic load balancing algorithm based on optimal matching of weighted bipartite graph. IEEE Access, 10: 127225-127236.
- Jadon S, Kannan PK, Gupta K, Kalaria U, Honnavalli PB, Varsha KR. 2024. A comprehensive study of load balancing approaches in real-time multi-core systems for mixed real-time tasks. IEEE Access, 12: 53373-53395.
- Jalalvand F, Chhetri MB, Nepal S, Paris C. 2024. Alert prioritisation in security operations centres: A systematic survey on criteria and methods. ACM Comput Surv, 57(2): 1-36.
- Liao S, Wu C, Yang Q, Wang B, Jiang M. 2011. A resource-efficient load balancing algorithm for network virtualization. Chin J Electron, 20(4): 765-770.
- Mooi RD, Botha RA. 2016. A management model for building a computer security incident response capability. SAIEE Afr Res J, 107(2): 78-91.
- Vielberth M, Böhm F, Pernul G, Fichtinger I. 2020. Security operations center: A systematic study and open challenges. IEEE Access, 8: 227756-227779.
- Villalón-Huerta A, Ripoll-Ripoll I, Marco-Gisbert H. 2022. SOC critical path: A defensive kill chain model. IEEE Access, 10: 13570-13581.
Details
| Primary Language | English |
|---|---|
| Subjects | Information Security Management, Information Systems Organisation and Management |
| Journal Section | Research Article |
| Authors | |
| Submission Date | May 6, 2025 |
| Acceptance Date | June 16, 2025 |
| Early Pub Date | July 9, 2025 |
| Publication Date | July 15, 2025 |
| Published in Issue | Year 2025 Volume: 8 Issue: 4 |