Predicting Incident Resolution Time in IT Service Management via Lifecycle Feature Aggregation and Machine Learning

In the era of higher education digitalization, universities increasingly rely on information technology (IT) services to support academic, research, and administrative activities, as highlighted in prior studies on e-learning adoption and digital transformation in higher education [1]. Campus IT infrastructures encompass learning management systems (LMS), student management systems, research repositories, cloud services, and interconnected intranet networks. The reliability and availability of these IT services are fundamental to ensuring the continuity of academic operations, as even minor disruptions can hinder teaching, research, and administrative workflows. In this context, the growing volume and complexity of data generated by these systems introduce significant challenges in maintaining data privacy and security, particularly in large-scale analytics environments, which require robust privacy-preserving mechanisms [2].

As digital dependency intensifies, universities are increasingly exposed to higher risks of service disruptions and cybersecurity threats. Prior studies indicate that higher education institutions are attractive targets for ransomware attacks and data breaches due to the high value of research outputs, intellectual property, and sensitive personal data stored within institutional systems [3]. In parallel, the widespread adoption of cloud computing infrastructures has expanded the cybersecurity threat landscape, requiring systematic risk characterization and mitigation strategies to ensure service reliability and data protection [4]. Recent studies further highlight that cybersecurity incidents in higher education are no longer sporadic but represent persistent and systemic risks, driven by open network architectures, heterogeneous IT environments, and varying levels of security governance maturity [5]. Moreover, empirical evidence shows that the financial and operational impact of data breaches can reach several million dollars per incident, alongside long-term reputational damage and regulatory consequences [6]. Moreover, empirical evidence shows that the financial and operational impact of data breaches can reach several million dollars per incident, alongside long-term reputational damage and regulatory consequences.

Incident Management (IM) refers to the organizational process of identifying, classifying, analyzing, responding to, and recovering from IT disruptions or cybersecurity incidents to maintain service availability and integrity, in alignment with Information Technology Service Management (ITSM) frameworks [7]. However, the time required to resolve incidents often exhibits high variability, influenced by factors such as system complexity, incident category, assigned priority, Service Level Agreements (SLAs), documentation quality, and human-related variables such as team coordination and escalation [8]. This variability challenges an organization’s ability to forecast required resources and to evaluate operational performance, underscoring the need for predictive methods that accurately estimate incident resolution time.

Developing predictive models for incident resolution time offers two significant benefits: (1) improving IT service operational efficiency and (2) strengthening the university’s cyber resilience amid increasingly sophisticated attacks. Prior studies have explored various machine learning approaches to predict incident resolution duration. For instance, Arqawi and Hijazi [9] examined time-to-resolution prediction in digital transformation systems, while another study in the manufacturing sector [10] applied machine learning and process mining to predict remaining time. Similarly, Taşcı et al. [11] focused on estimating component Remaining Useful Lifetime (RUL) in predictive maintenance systems. Subsequent research introduced techniques such as positional trace encoding [12] for next-activity prediction and predictive process monitoring (PPM) for inter-organizational workflows [13]. However, most existing approaches remain limited to time-zero features or sequential modelling techniques such as Process Transformer. Bukhsh et al. [14] captured event sequences but overlook aggregated information across the entire incident lifecycle.

Another key challenge in predictive modelling for IT service incidents is handling outliers in event logs. Extreme values often arise from incidents with unusually long resolution times or atypical escalation patterns, which can distort regression learning and degrade generalization performance. Pribadi et al. [15], proposed a staged approach combining outlier filtering, feature selection, and ensemble learning to reduce noise and improve prediction stability. Inspired by this, the present study emphasizes lifecycle feature aggregation as a means of mitigating outlier influence by summarizing process variations into more representative incident-level attributes.

Most prior researches [15-17] have focused on early-stage (time-zero) features or sequence-based modeling approaches such as attention-based architectures. In contrast, this study explicitly explores the use of aggregated lifecycle features that capture the complete dynamics of an incident, including attributes such as sys_mod_count and reassignment_count. The novelty of this research lies in combining lifecycle aggregation with Light Gradient Boosting Machine (LightGBM)-based feature optimization and evaluating multiple regression algorithms: Linear Regression (LR), Random Forest (RF), and LightGBM Regressor. The proposed approach is implemented within a university Computer Security Incident Response Team (CSIRT) context, where incident management is highly collaborative, dynamic, and aligned with institutional information security policies.

In summary, this study contributes to the predictive process analytics literature in three significant ways. First, it introduces a lifecycle-level aggregation mechanism for ITSM event logs, transforming multi-event records into representative incident-level features that preserve temporal and categorical patterns. Second, it integrates feature importance analysis using LightGBM to identify the most influential lifecycle attributes driving incident resolution time. Third, it provides empirical evaluation across multiple regression models in both raw and aggregated settings, demonstrating that feature aggregation significantly enhances model accuracy and interpretability. Collectively, these contributions advance the practical implementation of predictive modeling for ITSM in university scale CSIRT environments.

This study is structured as follows: Section 2 presents related works, Section 3 describes the research methodology, Section 4 discusses the experimental results and analysis, and Section 5 concludes the main findings and future research directions.

3.2 Lifecyle feature aggregation

Each incident was represented by aggregated values derived from all recorded activities throughout its lifecycle. The aggregation process aimed to transform raw ITSM event logs originally stored as multiple event-level records per incident into a structured incident-level dataset suitable for regression-based prediction of resolution time. Key aggregated features generated through this process include sys_mod_count, reassignment_count, opened_hour, subcategory, and location.

Prior to aggregation, each incident was recorded as a sequence of event entries in the service management system. For example, an incident identified as INC0000045 could consist of multiple rows reflecting various activities performed during its lifecycle, such as status transitions, updates, reassignments, and escalations. Each event entry contained essential attributes, including opened_at and resolved_at, which served as the basis for temporal analysis and computation of resolution duration. This raw event representation served as input to the lifecycle aggregation process, which consolidated repetitive information while preserving semantically meaningful process characteristics. Figure 2 illustrates the overall aggregation workflow applied to ITSM incident logs.

Figure 2. Example of aggregation process

The lifecycle feature-aggregation process consisted of five stages that transformed raw event logs into incident-level representations suitable for predictive modelling. The detailed steps are as follows:

1. Initial Level (G₀ – Raw Event Log)

The initial dataset (G₀) contained multiple rows per incident, capturing all recorded activities, including status changes, reassignments, updates, and escalations. Each record contained attributes such as opened_at, resolved_at, incident_state, priority, and assignment_group

2. Preliminary Grouping (S_bin)

In the first aggregation stage, an initial binning function (S_bin) grouped all event records by incident identifier. This operation consolidated all events associated with the same incident (e.g., INC0000045) into a grouped dataset (G₁,₁, G₁,₂, …, G₁,ₙ), thereby preserving the complete lifecycle boundary of each incident.

3. Group-Based Aggregation (S_groupBy)

Following preliminary grouping, a semantic group-based aggregation function (S_groupBy) was applied to derive incident-level attributes using predefined aggregation rules:

• First operator for initial attributes such as opened_at, incident_state, active, location, and priority.
• Last operator for terminal attributes such as resolved_at and close_code, which represent the final outcome of incident handling.
• Max operator for dynamic process attributes such as sys_mod_count, reassignment_count, and reopen_count, reflecting the intensity and complexity of activities throughout the incident lifecycle.

4. Quantitative Sub-Aggregation (S_qBin)

Each grouped result from the previous stage was subsequently processed using a quantitative binning function (S_qBin) to generate numerical summaries. This stage produced quantitative attributes, including incident duration (resolved_at − opened_at), the number of state changes, and the number of reassignments. These features served as key predictor variables in the regression models.

5. Final Dataset Construction (S(G₀))

In the final stage, all aggregated outputs derived from first, last, max, and quantitative operators were merged into a single-row representation per incident. The resulting dataset (S(G₀)) constituted an incident-level analytical table in which the unit of analysis was fully aligned with the prediction target, namely, incident resolution time.

The lifecycle aggregation process produced 17 incident-level attributes, summarized in Table 2, that represent a combination of process-related, temporal, and organizational context factors. From the original 36 attributes contained in the ServiceNow event logs, the aggregation rules (first, last, and max) effectively reduced data redundancy while preserving semantically relevant information. The retained attributes include process intensity indicators (sys_mod_count, reassignment_count, reopen_count), temporal features (opened_hour, opened_day_of_week), and contextual variables (assignment_group, category, subcategory, and location).

Overall, this aggregation strategy not only simplified the data structure but also preserved critical lifecycle characteristics of incident-resolution behaviour. Moreover, by aligning the analytical granularity with the prediction objective, the resulting dataset improved consistency and robustness for subsequent predictive model training.

Table 2. Aggregation result attributes

3.3 Feature selection and feature importance

The feature selection and importance analysis stage aimed to identify the most influential attributes affecting incident resolution time while reducing model complexity without compromising accuracy. The analysis was performed using the LightGBM algorithm, which calculates the relative contribution of each feature to model performance by measuring the reduction in the loss function when an attribute is used as a split during tree construction. The accumulated reduction in error across all boosting iterations yields an importance score that reflects each feature's influence on the prediction outcome.

From the total of 36 initial attributes in the incident log, nine key features with the highest importance scores (score > 200) were identified, as shown in Table 2: sys_mod_count (563), assignment_group (390), opened_hour (318), subcategory (301), location (278), category (262), reassignment_count (247), u_symptom (214), and opened_day_of_week (209). The highest-ranked feature, sys_mod_count, served as a primary indicator of process complexity, representing the frequency of updates throughout the incident lifecycle. The feature assignment_group reflected variations in efficiency across support teams, while opened_hour and opened_day_of_week captured temporal effects related to SLA compliance.

Attributes such as subcategory, category, and location strengthened the organizational and service-type context, influencing resolution time, whereas reassignment_count and u_symptom represented coordination dynamics and the initial characteristics of service disruptions. Overall, these features illustrate three significant incident dimensions: handling, operational process, organizational context, and temporal factors that form a robust foundation for developing regression models with high interpretability and stable predictive performance.

Figure 3 illustrates the ranked contributions of each feature to predicting incident resolution time, with sys_mod_count as the most influential attribute, followed by assignment_group and opened_hour.

Figure 3. Feature importance (LightGBM regressor)

3.4 Predictive model training

The predictive model training stage aimed to develop models capable of estimating incident resolution time using the selected and aggregated features from previous stages. Three primary algorithms were employed: LR, Random Forest Regression (RFR), and LightGBM. These algorithms were selected as they represent three widely adopted paradigms in incident log–based prediction research [15, 24] A baseline linear approach, an ensemble bagging method, and an ensemble boosting technique, respectively.

1. Linear Regression

The LR model was employed as the baseline comparator, assuming a linear relationship between the input variables and the incident resolution time. The general form of the LR model is as follows (1).

$\hat{\mathrm{y}}=\beta_0+\sum_{i=1}^n \beta_i x_i+\epsilon$                      (1)

where:

• $\hat{y}$ - predicted incident resolution time
• $\beta_0$ - model intercept (constant term)
• $\beta_i$ - coefficient associated with feature $x_i$, indicating its influence on $\hat{y}$
• $x_i$ - independent (predictor) variable
• $\varepsilon$ - random error term representing residual variations not captured by the model

This method was employed as a baseline due to its interpretability and efficiency when handling datasets with linear correlations among variables [25, 26].

2. Random Forest Regression

The RFR model operates by constructing multiple decision trees on randomly selected subsets of the training data and feature space. The final prediction is obtained by averaging the outputs of all individual trees, a process known as ensemble averaging. This approach effectively reduces variance and mitigates overfitting while maintaining strong generalization performance. The general form of the RF prediction can be expressed as (2):

$\hat{\mathrm{y}}=\frac{1}{T} \sum_{i=1}^n f_i(x)$                  (2)

where:

• ŷ - the result is the average prediction of all trees
• f_t (x) - prediction from the t-three
• T - number of decision trees in the forest

Each decision tree is trained using bootstrap sampling and a randomly selected subset of features to minimize overfitting and improve generalization. Averaging across trees produces more stable predictions in the presence of noise [22-29].

3. Light Gradient Boosting Machine

The LightGBM implements the Gradient Boosting Decision Tree (GBDT) approach, which iteratively minimizes the loss function by adding new decision trees that learn from the residuals of previous models. The general form of the GBDT model is as follows (3):

$L=\sum_{i=1}^n l\left(y_i, \hat{\mathrm{y}}_i\right)+\sum_{k=1}^K \Omega\left(f_k\right)$                (3)

• l(y_i,ŷ_i) - loss function (e.g., squared error)
• f_k - t-tree function,
• Ω(f_k) - model complexity regularization (leaf number and depth)

The loss function is expanded using a second-order Taylor approximation, as in Eq. (4):

$L^{(t)} \approx \sum_{i=1}^n\left[g_i f_t\left(x_i\right)+\frac{1}{2} h_i f_t^2\left(x_i\right)\right]+\Omega\left(f_t\right)$                 (4)

with:

• $g_i=\frac{\partial l\left(y_i, \hat{\text{y}}_i^{(t-1)}\right)}{\partial \hat{\text{y}}_i^{(t-1)}}$

• $h_i=\frac{\partial^2 l\left(y_i, \hat{\text{y}}_i^{(t-1)}\right)}{\partial\left(\hat{\text{y}}_i^{(t-1)}\right)^2}$

LightGBM employs a leaf-wise tree growth approach constrained by a maximum depth, allowing the model to prioritize nodes with the highest loss reduction. This strategy enhances both computational efficiency and predictive accuracy on large and complex datasets [27].

3.5 Model evaluation

The predictive models' performance was evaluated using two primary metrics: the Coefficient of Determination (R-squared, R²) and the Mean Absolute Error (MAE). These metrics have been widely applied in multivariate regression and process prediction studies, such as those conducted by Zheng et al. [26], Wang et al. [22], and Caixeta et al. [23]. R² measures the proportion of variance in the dependent variable that is explained by the model, thereby reflecting its generalization capability, while MAE quantifies the average magnitude of prediction errors. Together, these metrics provide a balanced assessment of model performance, balancing accuracy and stability when predicting incident resolution time.

1. Coefficient of Determination (R-squared)

The Coefficient of Determination (R²), as shown in Eq. (5), measures how well the model explains the variance of the actual values relative to their mean. A value of R² close to 1 indicates high predictive accuracy, whereas a value approaching 0 reflects weak model performance (5):

$R^2=1-\frac{\sum_{i-1}^n\left(y_i-\hat{\mathrm{y}}_i\right)^2}{\sum_{i-1}^n\left(y_i-\bar{y}\right)^2}$                        (5)

where:

• $y_i$ - the actual observed value
• $\widehat{y}_i$ - the predicted value
• $\bar{y}$ - the mean of all observed values
• n - the total number of observations

This approach corresponds to the assessment technique employed by Caixeta et al. [23], in their deep neural network model for nuclear system temperature estimation, and in the work of Wang et al. [22], in rail wear forecasting via Support Vector Regression.

2. Mean Absolute Error

The MAE metric, as delineated in Eq. (6), quantifies the average absolute disparity between actual values and model projections. A lower MAE score indicates a lower prediction error rate and greater model stability.

$M A E=\frac{1}{n} \sum_{i=1}^n\left|y_i-\hat{\mathrm{y}}_i\right|$                (6)

The notations used here are consistent with those in Eq. (5). MAE was chosen because it provides a direct interpretation of the average deviation in incident resolution time (in hours), as also applied by Zheng et al. [26] in regression-based outcome-quality prediction, as described by Amaral et al. [16] in evaluating process duration prediction models based on the Annotated Transition System (ATS) framework.

3. Feature Importance Analysis

In addition to the two primary evaluation metrics, a feature importance analysis was conducted using the LightGBM algorithm to assess the contribution of each attribute to the prediction results. The importance value of each feature was calculated as the cumulative reduction in the loss function when the feature was used to split a node in the decision tree. A higher reduction in error corresponds to a higher importance score, indicating a greater influence of that feature on the model’s output. This approach is consistent with the methods used by Kong et al. [21] and Lai et al. [27] in their studies on robust regression based on sparse learning and multi-view regression, respectively. Both works emphasize the interpretability of machine learning models by evaluating feature weighting, a crucial aspect for predictive modelling in incident management systems.

This study proposed and evaluated an incident-resolution-time prediction model based on Aggregated Lifecycle Features derived from university ITSM event logs. By integrating data preprocessing, lifecycle-aware feature aggregation, and adaptive feature selection using LightGBM, ensemble-based regression models particularly the Random Forest Regressor demonstrated substantially superior predictive performance compared to non-aggregated baselines. This result confirms that aligning the unit of analysis to the incident level is critical for improving predictive accuracy in ITSM environments characterized by multi-event, irregular process logs.

The main contribution of this work is to demonstrate that transforming event-level logs into incident-level representations effectively reduces noise and strengthens the linkage between process dynamics and resolution outcomes, thereby addressing a key limitation of time-zero and purely event-based prediction approaches. Furthermore, identifying dominant attributes such as sys_mod_count, reassignment_count, and priority provides interpretable and actionable insights into escalation intensity, coordination complexity, and operational workload, thereby reinforcing the practical relevance of the proposed feature aggregation strategy.

From an operational perspective, the proposed model is suitable for integration into university CSIRT decision-support systems to support SLA estimation, workload balancing, and medium-term resource capacity planning. However, the achieved prediction accuracy remains insufficient for strict hourly SLA enforcement, suggesting that the model is better suited for tactical and strategic decision support rather than real-time operational alerting.

Despite these contributions, the current models exhibit reduced robustness in capturing extreme long-tail resolution cases and highly dynamic incident evolution, highlighting an important limitation. Therefore, future research should explore temporal deep-learning architectures and graph-based models, such as attention-enhanced temporal networks or hybrid survival analysis approaches, to better handle irregular escalation patterns and prolonged incidents. Integrating predictive outputs into an interactive incident analytics dashboard is also identified as a critical next step toward operational deployment in university and enterprise IT service environments.