{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,25]],"date-time":"2026-01-25T00:09:27Z","timestamp":1769299767874,"version":"3.49.0"},"reference-count":31,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2020,1,9]],"date-time":"2020-01-09T00:00:00Z","timestamp":1578528000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000006","name":"Office of Naval Research","doi-asserted-by":"crossref","award":["N00014-15-1-2007"],"award-info":[{"award-number":["N00014-15-1-2007"]}],"id":[{"id":"10.13039\/100000006","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/100000183","name":"Army Research Office","doi-asserted-by":"crossref","award":["W911NF-13-1-0421"],"award-info":[{"award-number":["W911NF-13-1-0421"]}],"id":[{"id":"10.13039\/100000183","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["IIP-1266147 and CNS-1822094"],"award-info":[{"award-number":["IIP-1266147 and CNS-1822094"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Web"],"published-print":{"date-parts":[[2020,2,29]]},
"abstract":"<jats:p>A typical Cybersecurity Operations Center (CSOC) is a service organization. It hires and trains analysts, whose task is to perform analysis of alerts that were generated while monitoring the client\u2019s networks. Due to the ever-increasing financial and infrastructure burden on a CSOC, driven by the rapidly growing demand for security services, it would become prohibitively expensive to continually expand the size of a CSOC to meet the demands in the future. An alternative solution is to outsource the alert analysis process to on-demand analysts, to provide scalable CSOC service to its clients with features such as (1) higher throughput, (2) higher quality, and (3) more economical service than the current in-house service. The current outsourcing model is not cost effective, and an exact optimization model is computationally inefficient. This article presents a novel two-step sequential mixed integer programming optimization method that is used in the development of a new decision-support business model for outsourcing the alert analysis process. It is demonstrated that through this model, a CSOC can effectively deliver its alert management services with the above-mentioned features. Results indicate that the model is scalable, computationally viable, real-time implementable, and can deliver CSOC services that meet the service-level agreement (SLA) between the CSOC and its client. In addition, the article provides valuable insights into the cost of operating the new business process outsourcing model for cybersecurity services.<\/jats:p>","DOI":"10.1145\/3372498","type":"journal-article","created":{"date-parts":[[2020,4,4]],"date-time":"2020-04-04T07:11:39Z","timestamp":1585984299000},"page":"1-22","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["An Outsourcing Model for Alert Analysis in a Cybersecurity Operations Center"],"prefix":"10.1145","volume":"14","author":[{"given":"Ankit","family":"Shah","sequence":"first","affiliation":[{"name":"University of South Florida, Tampa, FL, USA"}]},{"given":"Rajesh","family":"Ganesan","sequence":"additional","affiliation":[{"name":"George Mason University, Fairfax, VA, USA"}]},{"given":"Sushil","family":"Jajodia","sequence":"additional","affiliation":[{"name":"George Mason University, Fairfax, VA, USA"}]},{"given":"Hasan","family":"Cam","sequence":"additional","affiliation":[{"name":"U.S. Army Research Laboratory, Adelphi, MD, USA"}]}],"member":"320","published-online":{"date-parts":[[2020,1,9]]},
"reference":[{"key":"e_1_2_1_1_1","first-page":"87","article-title":"SOCaaS: Security operations center as a service for cloud computing environments","volume":"3","author":"Alruwaili Fahad F.","year":"2014","unstructured":"Fahad F. Alruwaili and T. A. Gulliver. 2014. SOCaaS: Security operations center as a service for cloud computing environments. Int. J. Cloud Comput. Serv. Sci. 3, 2 (2014), 87--96.","journal-title":"Int. J. Cloud Comput. Serv. Sci."},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10951-017-0554-9"},{"key":"e_1_2_1_3_1","volume-title":"Advances in Information Security","volume":"6","author":"Barbar\u00e1 Daniel","year":"2002","unstructured":"Daniel Barbar\u00e1 and Sushil Jajodia (Eds.). 2002. Application of Data Mining in Computer Security. Advances in Information Security, Vol. 6. Springer."},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1108\/JQME-08-2015-0038"},{"key":"e_1_2_1_5_1","volume-title":"The Tao of Network Security Monitoring: Beyond Intrusion Detection","author":"Bejtlich Richard","unstructured":"Richard Bejtlich. 2005. The Tao of Network Security Monitoring: Beyond Intrusion Detection. Pearson Education Inc."},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/Trustcom.2015.403"},{"key":"e_1_2_1_7_1","volume-title":"Applied Integer Programming","author":"Chen Der-San","unstructured":"Der-San Chen, Robert Batson, and Yu Dang. 2010. Applied Integer Programming. Wiley, New York, NY."},{"key":"e_1_2_1_8_1","volume-title":"DON Cyber Crime Handbook. Dept. of Navy","author":"CIO.","unstructured":"CIO. 2008. DON Cyber Crime Handbook. Dept. of Navy, Washington, DC."},{"key":"e_1_2_1_9_1","volume-title":"Implementing Intrusion Detection Systems","author":"Crothers Tim","unstructured":"Tim Crothers. 2002. Implementing Intrusion Detection Systems. Wiley Publishing Inc."},{"key":"e_1_2_1_10_1","volume-title":"In Proceedings of the Workshop on Visualization for Computer Security (VizSEC\u201907)","author":"D\u2019Amico Anita","year":"2008","unstructured":"Anita D\u2019Amico and Kirsten Whitley. 2008. In Proceedings of the Workshop on Visualization for Computer Security (VizSEC\u201907). Springer, Berlin."},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/2914795"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2882969"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1002\/wcm.2395"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1111\/poms.12332"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.tre.2008.02.006"},
{"key":"e_1_2_1_16_1","unstructured":"Che-Wei Liu, Peng Huang, and Henry Lucas. 2017. IT centralization, security outsourcing, and cybersecurity breaches: Evidence from the U.S. higher education. Retrieved from https:\/\/aisel.aisnet.org\/icis2017\/Security\/Presentations\/1."},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.aeue.2019.01.017"},{"key":"e_1_2_1_18_1","volume-title":"Planning and Scheduling in Manufacturing and Services","author":"Pinedo Michael","unstructured":"Michael Pinedo. 2009. Planning and Scheduling in Manufacturing and Services. Springer, New York, NY."},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/TMC.2018.2813392"},{"key":"e_1_2_1_20_1","volume-title":"Advances in Computer Science and Engineering","author":"Rasoulifard Amin","year":"2008","unstructured":"Amin Rasoulifard, Abbas Ghaemi Bafghi, and Mohsen Kahani. 2008. Incremental hybrid intrusion detection using ensemble of weak classifiers. In Advances in Computer Science and Engineering. Springer, 577--584."},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/TWC.2003.808967"},{"key":"e_1_2_1_22_1","first-page":"800","article-title":"Guide to Intrusion Detection and Prevention Systems (IDPS)","author":"Scarfone Karen","year":"2007","unstructured":"Karen Scarfone and Peter Mell. 2007. Guide to Intrusion Detection and Prevention Systems (IDPS). Special Publication 800-94. NIST.","journal-title":"Special Publication"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3173457"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.25"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1023\/A:1019134607998"},{"key":"e_1_2_1_26_1","volume-title":"Proceedings of the 11th Symposium on Usable Privacy and Security (SOUPS\u201915)","author":"Sundaramurthy Sathya Chandran","unstructured":"Sathya Chandran Sundaramurthy, Alexandru G. Bardas, Jacob Case, Xinming Ou, Michael Wesch, John McHugh, and S. Raj Rajagopalan. 2015. A human capital model for mitigating security analyst burnout. In Proceedings of the 11th Symposium on Usable Privacy and Security (SOUPS\u201915). USENIX Association, 347--359."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1023\/A:1019142809816"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/49.552074"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0305-0548(01)00057-0"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.tre.2015.06.005"},{"key":"e_1_2_1_31_1","volume-title":"The Strategies of a World-class Cybersecurity Operations Center","author":"Zimmerman Carson","unstructured":"Carson Zimmerman. 2014. The Strategies of a World-class Cybersecurity Operations Center. The MITRE Corporation, McLean, VA."}],
"container-title":["ACM Transactions on the Web"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3372498","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3372498","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3372498","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:02:22Z","timestamp":1750197742000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3372498"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,1,9]]},"references-count":31,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2020,2,29]]}},"alternative-id":["10.1145\/3372498"],"URL":"https:\/\/doi.org\/10.1145\/3372498","relation":{},"ISSN":["1559-1131","1559-114X"],"issn-type":[{"value":"1559-1131","type":"print"},{"value":"1559-114X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,1,9]]},"assertion":[{"value":"2018-10-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-11-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-01-09","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}