Cyber security visualization effectiveness

Abstract

Security visualization utilises predefined data attributes and translates them into visual nodes to form images for the purpose of communicating critical security information to targeted audiences. It is commonly used for two reasons: exploring and reporting purposes thus, sharing insights on suspected security events. However, the challenge of selecting the best visualization out of two or more visualization samples, regardless of existing limitations such as screen dimensions and visual complexities, required users to utilise certain measurement criteria. These criteria urge security visualization researchers, developers and users (viewers) to ask themselves the following two questions: What makes a security visualization effective? How do we measure visualization effectiveness in the context of investigating, analysing, understanding and reporting cyber security incidents?

This thesis explores a range of effectiveness measurement techniques for web and mobile platforms. We investigated existing effectiveness methods for the design, implementation and user observation phases in security visualizations. Consequently, we identified effectiveness criteria and metrics in applications include visual clarity, visibility, distortion rates and user cognitive response (viewing) times. With the goal of aiding decision making in cyber security operations, we provided a distinctive security visualization paradigm of a full-scale effectiveness measurement (SvEm framework) approach for both theoretical and user-centric visualization techniques. Our framework facilitates effectiveness through our SvEm algorithm thus, providing various interactive three-dimensional (3D) visualization applications to enhance both single and multi-user collaboration.

The SvEm framework involves several key components: (1) web/mobile display dimensions and resolution, (2) security incident entities, (3) user cognitive activators and alerts, (4) working memory load, (5) threat scoring system and (6) the colour usage management. To evaluate effectiveness in our framework, we developed several use cases: (1) VisualProgger - a real-time security visualization analytic application (web and mobile platforms), (2) a security visualization with augmented reality and (3) a security visualization for intelligence tracking and monitoring. In addition, we developed and documented a new security visualization guideline (a SCeeVis pre-standard) as part of the SvEm framework to aid with the design, implementation and observation environments.

This pre-standard further allowed us to develop our SCeeVis colour chaining standard and a new cognition and working memory (SvEm-CWML) instruction set to enhance the user’s cognition and perception process for security visualizations. As a result, our visualization application outputs effectiveness measurement by capturing and increasing the user's attention span through the process of reducing cognitive load, while increasing the viewer’s memory efficiency. Thus, users have a high potential to gain security insights from a given visualization. Our evaluation shows that, viewers perform better with the existence of prior knowledge of security events and if they operate in a comfortable visual environment. It has also indicated that circular visualization designs attracted and maintained the viewer’s attention. Finally, these discoveries have revealed new research directions for future work relating to effectiveness measurement in security visualization.