Research Article

Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework

Year 2025, Volume: 8 Issue: 4, 1160 - 1180, 15.07.2025
https://doi.org/10.34248/bsengineering.1693042

Abstract

In this paper, we propose a comprehensive and scalable framework for incident assignment and prioritization in Security Operations Centers (SOCs). The proposed model aims to optimize SOC workflows by addressing key operational challenges such as analyst fatigue, alert overload, and inconsistent incident handling. Our framework evaluates each incident using a multi-factor scoring model that incorporates incident severity, service-level agreement (SLA) urgency, incident type, asset criticality, threat intelligence indicators, frequency of repetition, and a correlation score derived from historical incident data. We formalize this evaluation through a set of mathematical functions that compute a dynamic incident score and derive incident complexity. In parallel, analyst profiles are quantified using Analyst Load Factor (ALF) and Experience Match Factor (EMF), two novel metrics that account for both workload distribution and expertise alignment. The incident–analyst matching process is expressed as a constrained optimization problem, where the final assignment score is computed by balancing incident priority with analyst suitability. This formulation enables automated, real-time assignment of incidents to the most appropriate analysts, while ensuring both operational fairness and triage precision. The model is validated using algorithmic pseudocode, scoring tables, and a simplified case study, which illustrates the real-world applicability and decision logic of the framework in large-scale SOC environments. To validate the framework under real-world conditions, an empirical case study was conducted using 10 attack scenarios from the CICIDS2017 benchmark dataset. Overall, our contributions lie in the formalization of a dual-factor analyst scoring scheme and the integration of contextual incident features into an adaptive, rule-based assignment framework. 
To further strengthen operational value, future work will explore adaptive weighting mechanisms and integration with real-time SIEM pipelines. Additionally, feedback loops and supervised learning models will be incorporated to continuously refine analyst-incident matching and prioritization.
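The abstract describes the framework only at the level of its components; the following is an added illustration written for this page, not the authors' code, and every formula in it is an assumption: the incident score is taken as a weighted sum of the listed factors with constructed weights, ALF as the share of an analyst's capacity in use, EMF as a per-incident-type proficiency, the assignment score as priority scaled by a blend of EMF and remaining headroom, and the constrained optimization is solved greedily (incident complexity and the paper's actual weights are not modelled).

```python
from dataclasses import dataclass

# Constructed factor weights; the paper's own weights are not on this page.
WEIGHTS = {"severity": 0.30, "sla_urgency": 0.20, "asset_criticality": 0.20,
           "threat_intel": 0.15, "repetition": 0.05, "correlation": 0.10}
@dataclass
class Incident:
    iid: str
    itype: str      # incident type, e.g. "phishing"
    factors: dict   # factor name -> value normalised to [0, 1]

@dataclass
class Analyst:
    name: str
    capacity: int   # maximum concurrent incidents
    skills: dict    # incident type -> proficiency in [0, 1]
    open_count: int = 0

def incident_score(inc):
    """Multi-factor priority score in [0, 1] (weighted sum, assumed form)."""
    return sum(w * inc.factors.get(k, 0.0) for k, w in WEIGHTS.items())
def alf(a):  # Analyst Load Factor: share of capacity already in use
    return a.open_count / a.capacity
def emf(a, inc):  # Experience Match Factor: proficiency for this type
    return a.skills.get(inc.itype, 0.0)
def assignment_score(inc, a, w_exp=0.6, w_load=0.4):
    """Priority scaled by suitability: expertise plus remaining headroom."""
    return incident_score(inc) * (w_exp * emf(a, inc) + w_load * (1 - alf(a)))

def assign(incidents, analysts):
    """Greedy constrained matching, highest priority first; None = queued."""
    result = {}
    for inc in sorted(incidents, key=incident_score, reverse=True):
        free = [a for a in analysts if a.open_count < a.capacity]
        if not free:
            result[inc.iid] = None; continue   # no headroom left anywhere
        best = max(free, key=lambda a: assignment_score(inc, a))
        best.open_count += 1
        result[inc.iid] = best.name
    return result

def demo():  # constructed sample: four incidents, three analyst slots
    f = lambda *v: dict(zip(WEIGHTS, v))  # factors in WEIGHTS key order
    incs = [Incident("I1", "malware", f(0.9, 0.8, 0.7, 0.6, 0.1, 0.5)),
            Incident("I2", "phishing", f(0.5, 0.9, 0.4, 0.3, 0.8, 0.2)),
            Incident("I3", "malware", f(0.3, 0.2, 0.5, 0.1, 0.6, 0.1)),
            Incident("I4", "phishing", f(0.2, 0.1, 0.3, 0.0, 0.9, 0.0))]
    ana = [Analyst("alice", 2, {"malware": 0.9, "phishing": 0.4}),
           Analyst("bob", 1, {"malware": 0.5, "phishing": 0.8})]
    return assign(incs, ana)
```

In the sample the malware specialist takes the top-priority malware incident, the phishing incident goes to the less-loaded phishing-skilled analyst, and the lowest-priority incident stays queued once all slots are full.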



Details

Primary Language: English
Subjects: Information Security Management, Information Systems Organization and Management
Section: Research Articles
Authors

Eyup Can Kilincdemir 0009-0005-1151-7480

Baris Celiktas 0000-0003-2865-6370

Early View Date: 9 July 2025
Publication Date: 15 July 2025
Submission Date: 6 May 2025
Acceptance Date: 16 June 2025
Published in Issue: Year 2025 Volume: 8 Issue: 4

Cite

APA: Kilincdemir, E. C., & Celiktas, B. (2025). Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework. Black Sea Journal of Engineering and Science, 8(4), 1160-1180. https://doi.org/10.34248/bsengineering.1693042
AMA: Kilincdemir EC, Celiktas B. Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework. BSJ Eng. Sci. July 2025;8(4):1160-1180. doi:10.34248/bsengineering.1693042
Chicago: Kilincdemir, Eyup Can, and Baris Celiktas. “Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework”. Black Sea Journal of Engineering and Science 8, no. 4 (July 2025): 1160-80. https://doi.org/10.34248/bsengineering.1693042.
EndNote: Kilincdemir EC, Celiktas B (01 July 2025) Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework. Black Sea Journal of Engineering and Science 8 4 1160–1180.
IEEE: E. C. Kilincdemir and B. Celiktas, “Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework”, BSJ Eng. Sci., vol. 8, no. 4, pp. 1160–1180, 2025, doi: 10.34248/bsengineering.1693042.
ISNAD: Kilincdemir, Eyup Can - Celiktas, Baris. “Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework”. Black Sea Journal of Engineering and Science 8/4 (July 2025), 1160-1180. https://doi.org/10.34248/bsengineering.1693042.
JAMA: Kilincdemir EC, Celiktas B. Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework. BSJ Eng. Sci. 2025;8:1160–1180.
MLA: Kilincdemir, Eyup Can and Baris Celiktas. “Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework”. Black Sea Journal of Engineering and Science, vol. 8, no. 4, 2025, pp. 1160-8, doi:10.34248/bsengineering.1693042.
Vancouver: Kilincdemir EC, Celiktas B. Analyst-Aware Incident Assignment in Security Operations Centers: A Multi-Factor Prioritization and Optimization Framework. BSJ Eng. Sci. 2025;8(4):1160-8.
