Saturday, September 27, 2025
Volume 13, 2025: Issue 1

Title:
The ontology for SOC creation assistance and replication

Author(s):
Justin M. Novak, Software Engineering Institute, Carnegie Mellon University, USA
Angel L. Hueca, Software Engineering Institute, Carnegie Mellon University, USA
Samuel J. Perl, Software Engineering Institute, Carnegie Mellon University, USA
Christopher I. Rodman, Software Engineering Institute, Carnegie Mellon University, USA

Abstract:
A Security Operations Center (SOC) is an indispensable tool for any modern organization or enterprise to secure its digital data and information assets. Developing SOCs and SOC capabilities to meet organizational needs in today's threat environment is an often laborious, time-consuming, and expensive task that (if not done correctly) may leave organizational goals unfulfilled. In this paper, we introduce the Ontology for SOC Creation Assistance and Replication (OSCAR), which organizations can use to aid in developing SOCs and in planning and evaluating SOC capabilities. We developed OSCAR using a purpose-built dataset created by extracting the knowledge of numerous SOC expert practitioners. OSCAR is organized into a knowledge hierarchy that includes people, process, and technology classes, but also emphasizes planning and functional considerations. OSCAR accomplishes two things. First, it fills a gap in existing cyber ontology literature by including classes for the initial development of SOCs in addition to those for security operations capabilities. Second, its domain-specific knowledge is derived from a unique dataset gathered directly from experts working in the field. Taken together, these unique traits make OSCAR an ideal tool for planning, building, and evaluating SOCs.

Keywords:
SOC, security operations center, cybersecurity, CSIRT, ontology, framework

DOI:

Type:
Research paper

Journal:
The Online Journal of Applied Knowledge Management (OJAKM), ISSN: 2325-4688

Publisher:
International Institute for Applied Knowledge Management (IIAKM)

Received:
28 February 2025

Revised:
13 March 2025; 9 May 2025; 30 May 2025; 13 June 2025; 16 June 2025

Accepted:
16 June 2025

Accepting Editor:
Meir Russ

Pages:
13-34