VizSec 2011: Cyber-security analytics

Ankit Singh, Alex Endert, Lauren Bradel, Christopher Andrews, Chris North and Robert Kincaid, “Using Large Displays for Live Visual History of Cyber-security Analytic Process”

Authors worked with eight professional cyber analysts a couple of times a week for about three months. They also observed the analysts analyzing a known data set.

Watched analysts use:

  • Multiple data sources
  • Multiple tools/windows
  • Extensive Excel usage

Noticed heavy use of versioning in the analysis. The analysts had difficulty re-creating their steps based on all the versions of documents they were creating.

Authors considered four improvements based on their observations.

  • Make use of the resolution and size of the monitors – Give the users more resolution
  • De-aggregation of data
  • Case Management – The analysts did a lot of task switching, which cost them time and added memory load.
  • Process History – the ability to visualize and go back to prior states.

Created an add-on to Excel. The add-on provides a “Fork” option where the user can split off a new version associated with a new subtask. They can also make comments.

Propagating vs. Forking

If a user makes a change to a historical version, should that change propagate to later versions or should it branch? If propagation is used, how do we indicate to users what will change?
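One way to make the propagate-or-branch question concrete, as an added example that is not the paper's Excel add-on code: a toy process-history tree where `fork` branches off a new version and `preview_propagation` lists which later versions an edit to a historical version would touch. The propagation rule (a later version inherits the edit only where it never overrode that cell) and the sample cell values are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Version:
    name: str
    cells: dict                 # cell -> value, constructed sample data
    parent: "Version | None" = None
    children: list = field(default_factory=list)
    comment: str = ""           # analyst comment attached to the version

def fork(base, name, changes, comment=""):
    """Branch semantics: new child carries the changes; base and its
    existing descendants are untouched."""
    child = Version(name, {**base.cells, **changes}, base, comment=comment)
    base.children.append(child)
    return child

def descendants(v):
    out = []
    for c in v.children:
        out.append(c)
        out.extend(descendants(c))
    return out

def preview_propagation(base, changes):
    """Dry run of propagation semantics: which later versions would change?
    Assumed rule: a descendant is affected for a cell only if it still holds
    base's value there (it inherited the cell rather than overriding it)."""
    affected = {}
    for d in descendants(base):
        hit = [c for c in changes if d.cells.get(c) == base.cells.get(c)]
        if hit:
            affected[d.name] = hit
    return affected

def propagate(base, changes):
    """Apply the edit to the historical version and to every descendant the
    preview flagged; returns the preview so the UI can show it first."""
    affected = preview_propagation(base, changes)
    base.cells.update(changes)
    for d in descendants(base):
        for c in affected.get(d.name, []):
            d.cells[c] = changes[c]
    return affected

def build_sample():
    """Constructed history: v1 -> v2 (filtered subtask) -> v3 (added column)."""
    v1 = Version("v1", {"A1": 10, "B1": 5})
    v2 = fork(v1, "v2-filtered", {"B1": 7}, comment="subtask: filter hosts")
    v3 = fork(v2, "v3", {"C1": 1}, comment="added severity column")
    return v1, v2, v3
```

Editing `v1` with `{"A1": 12, "B1": 6}` previews as `{"v2-filtered": ["A1"], "v3": ["A1"]}`: B1 is not listed because v2 overrode it, which is exactly the kind of per-version notice the propagation design would need to surface.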