Alert Prioritisation in Security Operations Centres: A Systematic Survey on Criteria and Methods

Abstract

Security Operations Centres (SOCs) are specialised facilities where security analysts leverage advanced technologies to monitor, detect, and respond to cyber incidents. However, the increasing volume of security incidents has overwhelmed security analysts, leading to alert fatigue. Effective alert prioritisation (AP) becomes crucial to address this problem through the utilisation of proper criteria and methods. Human-AI teaming (HAT) has the potential to significantly enhance AP by combining the complementary strengths of humans and AI. AI excels in processing large volumes of alert data, identifying anomalies, uncovering hidden patterns, and prioritising alerts at scale, all at machine speed. Human analysts can leverage their expertise to investigate prioritised alerts, re-prioritise them based on additional context, and provide valuable feedback to the AI system, reducing false positives and ensuring critical alerts are prioritised. This work provides a comprehensive review of the criteria and methods for AP in SOC. We analyse the advantages and disadvantages of the different categories of AP criteria and methods based on HAT, specifically considering automation, augmentation, and collaboration. We also identify several areas for future research. We anticipate that our findings will contribute to the advancement of AP techniques, fostering more effective security incident response in SOCs.