Research Article

Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework

Volume: 8 Issue: 4, 15 July 2025

Abstract

In this paper, we propose a comprehensive and scalable framework for incident assignment and prioritization in Security Operations Centers (SOCs). The proposed model aims to optimize SOC workflows by addressing key operational challenges such as analyst fatigue, alert overload, and inconsistent incident handling. Our framework evaluates each incident using a multi-factor scoring model that incorporates incident severity, service-level agreement (SLA) urgency, incident type, asset criticality, threat intelligence indicators, frequency of repetition, and a correlation score derived from historical incident data. We formalize this evaluation through a set of mathematical functions that compute a dynamic incident score and derive incident complexity. In parallel, analyst profiles are quantified using Analyst Load Factor (ALF) and Experience Match Factor (EMF), two novel metrics that account for both workload distribution and expertise alignment. The incident–analyst matching process is expressed as a constrained optimization problem, where the final assignment score is computed by balancing incident priority with analyst suitability. This formulation enables automated, real-time assignment of incidents to the most appropriate analysts, while ensuring both operational fairness and triage precision. The model is validated using algorithmic pseudocode, scoring tables, and a simplified case study, which illustrates the real-world applicability and decision logic of the framework in large-scale SOC environments. To validate the framework under real-world conditions, an empirical case study was conducted using 10 attack scenarios from the CICIDS2017 benchmark dataset. Overall, our contributions lie in the formalization of a dual-factor analyst scoring scheme and the integration of contextual incident features into an adaptive, rule-based assignment framework. 
To further strengthen operational value, future work will explore adaptive weighting mechanisms and integration with real-time SIEM pipelines. Additionally, feedback loops and supervised learning models will be incorporated to continuously refine analyst-incident matching and prioritization.
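A hypothetical Python sketch of the assignment flow the abstract describes (added here; not the paper's code). The factor weights, the ALF and EMF definitions, the suitability formula and the sample incidents and analysts are all assumptions constructed for illustration, since this page does not give the paper's formulas.

```python
from dataclasses import dataclass, field

WEIGHTS = {"severity": 0.30, "sla_urgency": 0.20, "asset_criticality": 0.20,
           "threat_intel": 0.15, "repetition": 0.05, "correlation": 0.10}  # assumed

@dataclass
class Incident:
    id: str
    kind: str      # incident type, e.g. "malware"
    factors: dict  # factor name -> value normalised to [0, 1]
@dataclass
class Analyst:
    id: str
    skills: dict   # incident type -> proficiency in [0, 1]
    capacity: int  # maximum concurrent incidents
    assigned: list = field(default_factory=list)

def incident_score(inc):
    """Dynamic incident score: weighted sum of normalised factors, in [0, 1]."""
    return round(sum(w * inc.factors.get(k, 0.0) for k, w in WEIGHTS.items()), 4)
def alf(an):
    return len(an.assigned) / an.capacity  # Analyst Load Factor (assumed): share of capacity used
def emf(an, inc):
    return an.skills.get(inc.kind, 0.0)  # Experience Match Factor (assumed): skill on this type
def assignment_score(an, inc, w_load=0.4, w_exp=0.6):
    """Analyst suitability: lightly loaded, well-matched analysts score highest."""
    return round(w_load * (1 - alf(an)) + w_exp * emf(an, inc), 4)

def assign(incidents, analysts):
    """Greedy matching: highest-priority incident first, subject to ALF < 1."""
    plan = {}
    for inc in sorted(incidents, key=incident_score, reverse=True):
        eligible = [a for a in analysts if alf(a) < 1.0]
        if not eligible:
            plan[inc.id] = None  # backlog: every analyst is at capacity
            continue
        best = max(eligible, key=lambda a: assignment_score(a, inc))
        best.assigned.append(inc.id)
        plan[inc.id] = best.id
    return plan

def make_sample():  # constructed sample data, not the paper's CICIDS2017 case study
    f = list(WEIGHTS)
    incidents = [Incident("I1", "malware", dict(zip(f, [0.9, 0.8, 0.7, 0.6, 0.2, 0.5]))),
                 Incident("I2", "phishing", dict(zip(f, [0.4, 0.9, 0.3, 0.2, 0.8, 0.3]))),
                 Incident("I3", "malware", dict(zip(f, [0.7, 0.5, 0.9, 0.9, 0.1, 0.8])))]
    analysts = [Analyst("A1", {"malware": 0.9, "phishing": 0.3}, capacity=1),
                Analyst("A2", {"malware": 0.5, "phishing": 0.9}, capacity=2)]
    return incidents, analysts
```

Running `assign(*make_sample())` sends the two highest-scoring malware incidents to the malware specialist first and then to the second analyst once the specialist is at capacity, and the phishing incident to the phishing-skilled analyst; incidents left with `None` form the backlog.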

Keywords

Details

Primary Language

English

Subjects

Information Security Management, Information Systems Organization and Management

Section

Research Article

Early View Date

9 July 2025

Publication Date

15 July 2025

Submission Date

6 May 2025

Acceptance Date

16 June 2025

Published Issue

Year 2025 Volume: 8 Issue: 4

Cite

APA
Kilincdemir, E. C., & Celiktas, B. (2025). Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework. Black Sea Journal of Engineering and Science, 8(4), 1160-1180. https://doi.org/10.34248/bsengineering.1693042
AMA
1.Kilincdemir EC, Celiktas B. Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework. BSJ Eng. Sci. 2025;8(4):1160-1180. doi:10.34248/bsengineering.1693042
Chicago
Kilincdemir, Eyup Can, and Baris Celiktas. 2025. “Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework”. Black Sea Journal of Engineering and Science 8 (4): 1160-80. https://doi.org/10.34248/bsengineering.1693042.
EndNote
Kilincdemir EC, Celiktas B (01 July 2025) Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework. Black Sea Journal of Engineering and Science 8 4 1160–1180.
IEEE
[1] E. C. Kilincdemir and B. Celiktas, “Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework”, BSJ Eng. Sci., vol. 8, no. 4, pp. 1160–1180, Jul. 2025, doi: 10.34248/bsengineering.1693042.
ISNAD
Kilincdemir, Eyup Can - Celiktas, Baris. “Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework”. Black Sea Journal of Engineering and Science 8/4 (01 July 2025): 1160-1180. https://doi.org/10.34248/bsengineering.1693042.
JAMA
1.Kilincdemir EC, Celiktas B. Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework. BSJ Eng. Sci. 2025;8:1160–1180.
MLA
Kilincdemir, Eyup Can, and Baris Celiktas. “Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework”. Black Sea Journal of Engineering and Science, vol. 8, no. 4, July 2025, pp. 1160-8, doi:10.34248/bsengineering.1693042.
Vancouver
1. Eyup Can Kilincdemir, Baris Celiktas. Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework. BSJ Eng. Sci. 01 July 2025;8(4):1160-8. doi:10.34248/bsengineering.1693042