Yukina Okazawa (Toho University), Akira Kanaoka (Toho University), Takumi Yamamoto (Mitsubishi Electric Corporation)

Security Operation Centers (SOCs) rely on security monitoring tools such as SIEM systems and IDSs, yet the usability of these tools remains insufficiently examined despite their essential role in analysts’ daily workflows. Prior research has highlighted operational burdens including overwhelming alert volume, high false-positive rates, and analyst fatigue. However, existing efforts have focused mainly on technical alert reduction rather than on evaluating how effectively SOC tools support analysts’ decision-making in practice. This gap indicates the need for a structured, SOC-specific usability evaluation methodology. This paper introduces a methodology for evaluating the usability of SOC tools that combines a heuristic walkthrough with eleven evaluation criteria derived from empirical studies of SOC operations. These criteria capture usability factors that general-purpose techniques often overlook, such as context-dependent interpretation, escalation reasoning, and reliance on environmental knowledge. To support controlled and reproducible evaluations, we also present a simulated operational environment that produces realistic sequences of alerts, benign events, and false positives based on representative attack scenarios. We apply the method to an open-source SIEM, Prelude OSS, and demonstrate how the framework identifies recurring usability challenges such as limited contextual support, inconsistent workflow guidance, and difficulties in handling realistic alert volumes. These challenges align with previously reported issues in SOC practice, indicating that the proposed method can systematically expose usability problems inherent to many SOC tools rather than issues specific to a single system. Together, the methodology and simulated environment provide a foundation for rigorous and repeatable usability evaluations of SOC tools, complementing existing technical approaches to alert reduction and offering concrete directions for improving tool design.
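The abstract describes a simulated operational environment that interleaves scenario-driven alerts with benign events and false positives so that tool evaluations are controlled and reproducible. The following Python sketch is an added illustration of that idea, written for this page; it is not the paper's own simulator and makes no claim about how that environment is built. The attack-scenario steps, benign activity, sensor names, and rates are all constructed here. The point it demonstrates is that a seeded generator yields an identical event sequence for every evaluation session, and that carrying ground-truth labels on each event lets an evaluator score an analyst's escalation decisions made through the tool under test.

```python
"""Minimal simulated SOC environment: scenario-driven alert stream with ground truth.

Hypothetical illustration for this page, not the paper's simulator. Every scenario
step, benign event, sensor name and rate below is constructed for the example.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    seq: int      # position in the stream; doubles as the event id
    kind: str     # "alert" (surfaced to the analyst) or "benign" (raw telemetry)
    source: str   # hypothetical sensor name
    detail: str   # human-readable description
    truth: str    # ground truth: "true_positive", "false_positive" or "benign"


# Constructed representative attack scenario: ordered (sensor, description) steps
# that the simulator surfaces as true-positive alerts, in sequence.
SCENARIO = [
    ("auth", "several failed logons followed by success for svc-backup"),
    ("endpoint", "new scheduled task created by svc-backup"),
    ("network", "SMB session from workstation to file server outside hours"),
]

# Constructed benign activity; a fraction of it is surfaced as false-positive alerts.
BENIGN = [
    ("auth", "interactive logon during business hours"),
    ("endpoint", "signed updater wrote to Program Files"),
    ("network", "DNS lookup for internal update server"),
    ("proxy", "HTTPS request to a SaaS vendor"),
]


def generate_stream(seed: int, benign_per_step: int = 8, fp_rate: float = 0.25) -> List[Event]:
    """Interleave scenario steps with benign noise.

    Deterministic for a given seed, so two evaluation sessions (or two tools)
    are exposed to exactly the same sequence of events.
    """
    rng = random.Random(seed)
    events: List[Event] = []
    for source, detail in SCENARIO:
        # Background activity before each scenario step; some of it fires as a
        # false-positive alert, the rest stays as benign telemetry.
        for _ in range(benign_per_step):
            bsrc, bdetail = rng.choice(BENIGN)
            if rng.random() < fp_rate:
                events.append(Event(len(events), "alert", bsrc, bdetail, "false_positive"))
            else:
                events.append(Event(len(events), "benign", bsrc, bdetail, "benign"))
        # The scenario step itself is a true-positive alert.
        events.append(Event(len(events), "alert", source, detail, "true_positive"))
    return events


def score_escalations(stream: List[Event], escalated: Set[int]) -> Dict[str, object]:
    """Compare the alert ids an analyst escalated against the embedded ground truth.

    Only alerts can be escalated, so ids of benign telemetry are ignored. Returns
    precision and recall of the escalation decisions plus the missed true positives.
    """
    tp_ids = {e.seq for e in stream if e.truth == "true_positive"}
    alert_ids = {e.seq for e in stream if e.kind == "alert"}
    escalated = escalated & alert_ids
    hits = escalated & tp_ids
    precision = len(hits) / len(escalated) if escalated else 0.0
    recall = len(hits) / len(tp_ids) if tp_ids else 0.0
    return {"precision": precision, "recall": recall, "missed": sorted(tp_ids - escalated)}


if __name__ == "__main__":
    stream = generate_stream(seed=7)
    for e in stream:
        if e.kind == "alert":
            print(f"{e.seq:3d} {e.source:9s} {e.detail}")
    # An evaluator would replace this with the ids the analyst escalated in the tool.
    perfect = {e.seq for e in stream if e.truth == "true_positive"}
    print(score_escalations(stream, perfect))
```

Because the stream is seeded, the same alert volume and ordering can be replayed for each evaluator and each tool, which is what makes usability findings comparable across sessions; the ground-truth labels turn an analyst's escalations into measurable outcomes rather than impressions.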
