The Role of Security Operations Centers in Detecting, Preventing, and Analyzing Cyber Incidents in the Slovenian and European Context
Cyber security

This thesis examines the role of Security Operations Centers (SOC) in detecting, preventing, and analyzing cyber incidents in Slovenia and Europe. It asks which organizational, process, and technical characteristics distinguish a mature SOC from a reactive security monitoring function, and how these differences affect organizational resilience.
The methodology combines a review of relevant standards and guidelines, a comparative analysis of European practices, and the synthesis of findings into a model SOC operating protocol.
Findings indicate that a typical SOC structure is organized around Levels 1–3 and a SOC manager: Level 1 provides 24/7 monitoring, triage, and event validation; Level 2 conducts in-depth technical investigations and coordinates with infrastructure owners; Level 3 performs threat hunting, digital forensics, and detection engineering; the SOC manager oversees prioritization, workforce capacity, metrics, and communication.
Compared with the most mature European environments, Slovenian organizations most commonly lag in staffing depth, specialization, orchestration and automation, round-the-clock coverage, and consistent performance measurement.
Nonetheless, there is a clear trend toward standardization, professionalization, and alignment with best practices. Effective real-time response requires high-quality visibility (telemetry from SIEM/XDR/EDR/UEBA, log data, and cyber threat intelligence), predefined procedures with clear roles and escalation criteria, orchestration of routine steps, and systematic post-incident learning.
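The tiered structure above and the response requirements just listed (telemetry from several sources, CTI enrichment, explicit escalation criteria, orchestrated routine steps) can be made concrete as a small triage pipeline. The following is an added illustration and not code from the thesis or from any real SOC: the events, the threat-intelligence indicators, the severity scale, the correlation window and threshold, the tier SLAs and the playbook steps are all constructed assumptions chosen for the example.

```python
"""Added example (not from the thesis): minimal SOC triage and escalation over
constructed sample events. Severity scale 1-5, tiers L1-L3, rules are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed cyber threat intelligence feed (hypothetical indicators).
THREAT_INTEL = {
    "203.0.113.45": "known C2 address (constructed)",
    "login.evil.example": "credential-phishing domain (constructed)",
}

# Constructed sample telemetry; fields loosely modelled on EDR/XDR/SIEM/UEBA alerts.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00", "src": "EDR", "host": "ws-17", "user": "jnovak",
     "kind": "process_start", "ioc": None, "severity": 2,
     "detail": "powershell.exe -nop -w hidden -enc ..."},
    {"ts": "2024-03-01T08:02:30", "src": "EDR", "host": "ws-17", "user": "jnovak",
     "kind": "dns_query", "ioc": "login.evil.example", "severity": 2,
     "detail": "outbound DNS lookup"},
    {"ts": "2024-03-01T08:05:10", "src": "XDR", "host": "ws-17", "user": "jnovak",
     "kind": "net_connect", "ioc": "203.0.113.45", "severity": 3,
     "detail": "tcp/443 to external address"},
    {"ts": "2024-03-01T09:15:00", "src": "SIEM", "host": "srv-db-02", "user": "svc_backup",
     "kind": "auth_failure", "ioc": None, "severity": 1,
     "detail": "single failed login"},
    {"ts": "2024-03-01T09:40:00", "src": "UEBA", "host": "ws-04", "user": "mkranjc",
     "kind": "anomalous_volume", "ioc": None, "severity": 4,
     "detail": "download volume 12x user baseline"},
]

# Escalation rules (assumed for the example; a real SOC encodes these in playbooks).
CORRELATION_WINDOW = timedelta(minutes=10)
CORRELATION_THRESHOLD = 3  # events on one host inside the window -> one case, +1 severity
TIER_SLA = {"L1": timedelta(minutes=30), "L2": timedelta(minutes=15), "L3": timedelta(hours=4)}


@dataclass
class Alert:
    host: str
    severity: int
    tier: str
    sla: timedelta
    reasons: list = field(default_factory=list)
    playbook: list = field(default_factory=list)


def enrich(event):
    """Raise severity (capped at 5) when the event carries an indicator known to CTI."""
    sev, reasons = event["severity"], []
    hit = THREAT_INTEL.get(event.get("ioc"))
    if hit:
        sev = min(5, sev + 2)
        reasons.append(f"CTI match: {event['ioc']} ({hit})")
    return sev, reasons


def correlate(events):
    """Group events per host in time order so a burst is handled as one case."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    return by_host


def triage(events):
    """Enrich, correlate and assign each case to a tier with its SLA and routine steps."""
    cases = []
    for host, evs in correlate(events).items():
        sev, reasons = 0, []
        for ev in evs:
            s, r = enrich(ev)
            sev, reasons = max(sev, s), reasons + r
        first = datetime.fromisoformat(evs[0]["ts"])
        last = datetime.fromisoformat(evs[-1]["ts"])
        if len(evs) >= CORRELATION_THRESHOLD and last - first <= CORRELATION_WINDOW:
            sev = min(5, sev + 1)
            reasons.append(f"{len(evs)} events on {host} within {CORRELATION_WINDOW}")
        cti_hit = any(r.startswith("CTI") for r in reasons)
        if sev >= 5 or (sev >= 4 and cti_hit):
            tier, playbook = "L3", ["isolate host via EDR", "collect triage image",
                                    "open forensic case", "hunt for same IOC fleet-wide"]
        elif sev >= 3:
            tier, playbook = "L2", ["pull process tree and network history",
                                    "contact infrastructure owner", "decide on containment"]
        else:
            tier, playbook = "L1", ["validate against baseline", "close or escalate within SLA"]
        cases.append(Alert(host, sev, tier, TIER_SLA[tier], reasons, playbook))
    return sorted(cases, key=lambda a: a.severity, reverse=True)


if __name__ == "__main__":
    for case in triage(SAMPLE_EVENTS):
        print(f"{case.host}: sev {case.severity} -> {case.tier} (SLA {case.sla})")
        for reason in case.reasons:
            print("   why:", reason)
        print("   steps:", "; ".join(case.playbook))
```

The point of the example is the shape of the decision, not the specific numbers: the three events on `ws-17` are individually low-severity but, once CTI enrichment and the burst rule are applied, become a single Level 3 case with a forensics-and-hunting playbook, while the isolated failed login stays with Level 1. Replacing the constants with an organization's own severity scale, SLAs and playbooks is exactly the "predefined procedures with clear roles and escalation criteria" the thesis calls for.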
At the regulatory level, the NIS 2 Directive and national implementations position the SOC as an operational pillar of compliance, including timely reporting, risk management, and continuity obligations. Supplier-risk management and pre-agreed information sharing with national CSIRTs are especially important.
The practical contribution of the thesis is a model SOC operating protocol that standardizes shift organization, operational procedures, communication paths, record-keeping, and linkage to standards and regulations.
Limitations arise from the confidentiality of internal SOC data and the heterogeneity of environments; future research should quantify automation impacts and compare operating models (in-house, MSSP/MDR, hybrid).