Functional model of cybersecurity situation center




Diamond Model, Q Model, Cyber Kill-Chain, Adaptive Cybersecurity Model, Cybersecurity Situation Center, Compromise Indicators, cyber incident, functional model, IDEF.


In general, the issue of building cybersecurity centers mainly stands for building a SOC which main function is monitoring and analyzing cybercrime questions and responding to cyber incidents online. The approach, mentioned above, implies insufficient attention to the stages of intrusions` prevention and the elimination of cyber attacks` outcomes. Conducted investigations represent the possibility of SOCs` functions expanding , but they are not formalized and described in terms of functions, which rely on such Cybersecurity Situation Center (hereinafter referred to as the CSSC). The aim of this work is to analyze the existing cybersecurity models and build a functional model of modern cyberprotection center. The article reviews cyberattacks` analyzing models from the position of a researcher (Diamond Model and Q Model), the implementation of cyberattacks from the position of an attacker (Model Cyber Kill-Chain) and models with a wider range of analytical approaches (Adaptive Safety Model) to achieve this goal. The functions of cyberprotection before, during and after cyberattacks have been determined taking into consideration data needs for cyberattack analysis, understanding of cyberattacks` realization stages and the Adaptive Security System`s architecture. The results of the selected models` analysis allow to suggest a new organizational model of a modern cyberprotection center as well as define it`s components and formulate main functions. The implementation of the CSSC is proposed to be realized through the construction of Cybercrime Intelligence Unit, Monitoring and Incident Security Control Unit and Cyber Incident Response Team. The mentioned model represents logical links between structures and information streams which circulate between them. The presented functional model of A-0 and A0 levels is based on the IDEF notations` requirements. The main cyberprotection center`s function, input and output data  as well as the resources used in the process of center functioning , main restrictions under which the modern center operates are determined. The presented notations display the visualisations which demonstrate the results of the cyberprotection center`s functional analysis. They also give an opportunity to determine requirements for the center`s components, form the organizational structure of each unit and establish each employee`s functional responsibilities in subsequent decomposition.

Author Biographies

Artem Zhylin, Institute of special communication and information protection of National technical university of Ukraine “Igor Sikorsky Kyiv polytechnic institute”, Kyiv,

сandidate of technical sciences, associate professor of state information resources security academic department

Mykola Khudyncev, State Centre of Cyberdefence, Kyiv,

candidate of physical and mathematical sciences, associate professor, first deputy head

Maksym Litvinov, Cybersecurity Situation Center, Kyiv,

candidate of juridical sciences, head


Annual report on information security. Cisco 2018. [Online]. Available:

C. Zimmerman. Ten Strategies of a World-Class Cybersecurity Operations Center. The MITRE Corporation, 2014.

J. Muniz, G. McIntyre, and N. AlFardan. Security Operations Center. Cisco Press, 2016.

M. Sanders, “How to Get the Most Value out of Your MSSP and Security Operations” [Online]. Available:

Модель адаптивної кібербезпеки для захисту промислових об’єктів [Електронний ресурс]. Доступно:

S. Caltagirone, A. Pendergast, and C. Betz, “Diamond Model of Intrusion Analysis”, Center for Cyber Threat Intelligence and Threat Research, Hanover, MD, Technical Report ADA586960, 05 July 2013.

T. Rid, and B. Buchanan, “Attributing Cyber Attacks”, The Journal of Strategic Studies, vol. 38, no. 1-2, pp. 4-37, 2015.

doi: 10.1080/01402390.2014.977382.

E. M. Hutchins, M. J. Clopperty, and R. M. Amin, Ph.D. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Lockheed Martin Corporation, 2010.

I. Tarnowski, “How to use cyber kill chain model to build cybersecurity?”, European Journal of Higher Education IT [Online]. Available: TNC17-IreneuszTarnowski-cybersecurity.pdf.

N. MacDonald, and P. Firstbrook, Designing an Adaptive Security Architecture for Protection From Advanced Attacks. Gartner, 2014.

National Institute of Standards and Technology. (Okt. 31, 2016). NIST SP 800-150. Guide to Cyber Threat Information Sharing, 2014. doi: 10.6028/NIST.SP.800-150.

H. Bronk, M. Thorbruegge, and M. Hakkaja. CSIRT Setting up Guide, 2006.

Nippon CSIRT Association. CSIRT Starter Kit, 2016.

C. Feldmann. The Practical Guide to Business Process Reengineering Using IDEF0. Dorset House Publishing, New York, 1998.



How to Cite

Zhylin, A., Khudyncev, M., & Litvinov, M. (2018). Functional model of cybersecurity situation center. Information Technology and Security, 6(2), 51–67.