SOC-CMM: Designing and Evaluating a Tool for Measurement of Capability Maturity in Security Operations Centers

Sammanfattning: This thesis addresses the research gap that exists in the area of capability maturity measurement for Security Operations Centers (SOCs). This gap is due to the fact that there is very little formal research done in this area. To address this gap in a scientific manner, a multitude of research methods is used. Primarily, a design research approach is adopted that combines guiding principles for the design of maturity models with basic design science theory and a step by step approach for executing a design science research project. This design research approach is extended with interviewing techniques, asurvey and multiple rounds of evaluation. The result of any design process is an artefact. In this case, the artefact is a self-assessment tool that can be used to establish the capability maturity level of the SOC. This tool was named the SOC-CMM (Security Operations Center Capability Maturity Model). In this tool, maturity is measured across 5 domains: business, people, process, technology and services. Capability is measured across 2 domains: technology and services. The tool provides visual output of results using web diagrams and bar charts. Additionally, an alignment with the National Institute of Standards and Technology Cyber Security Framework (NIST CSF) was also implemented by mapping services and technologies to NIST CSF phases. The tool was tested in several rounds of evaluation. The first round of evaluation was aimed at determining whether or not the setup of the tool would be viable to resolve the research problem. The second round of evaluation was a so-called laboratory experiment performed with several participants in the research. The goal of this second round was to determine whether or not the acreated artefact sufficiently addressed the research question. In this experiment it was determined that the artefact was indeed appropriate and mostly accurate, but that some optimisations were required. These optimisations were implemented and subsequently tested in a third evaluation round. The artefact was then finalised. Lastly, the SOC-CMM self-assessment tool was compared to the initial requirements and research guidelines set in this research. It was found that the SOC-CMM tool meets the quality requirements set in this research and also meets the requirements regarding design research. Thus, it can be stated that a solution was created that accurately addresses the research gap identified in this thesis. The SOC-CMM tool is available from http://www.soc-cmm.com/