skip to main content
10.1145/3230833.3232855acmotherconferencesArticle/Chapter ViewAbstractPublication PagesaresConference Proceedingsconference-collections
research-article

A Process Framework for Stakeholder-specific Visualization of Security Metrics

Published: 27 August 2018 Publication History

Abstract

Awareness and knowledge management are key components to achieve a high level of information security in organizations. However, practical evidence suggests that there are significant discrepancies between the typical elements of security awareness campaigns, the decisions made and goals set by top-level management, and routine operations carried out by systems administration personnel. This paper presents Vis4Sec, a process framework for the generation and distribution of stakeholder-specific visualizations of security metrics, which assists in closing the gap between theoretical and practical information security by respecting the different points of view of the involved security report audiences. An implementation for patch management on Linux servers, deployed at a large data center, is used as a running example.

References

[1]
Eric Arnold Anderson. 2002. Researching system administration. PhD thesis. University of California at Berkeley.
[2]
M. Angelini, N. Prigent, and G. Santucci. 2015. Percival: proactive and reactive attack and response assessment for cyber incidents using visual analytics. In IEEE Symposium on Visualization for Cyber Security (VizSec). 1--8.
[3]
Balaji Balakrishnan. 2015. Security Data Visualization. Technical Report. SANS Institute. https://www.sans.org/reading-room/whitepapers/metrics/security-data-visualization-36387
[4]
Remo Aslak Burkhard. 2005. Knowledge visualization. The use of complementary visual representations for the transfer of knowledge. Ph.D. Dissertation. ETH Ziirich.
[5]
Center for Internet Security. 2016. The CIS Critical Security Controls for Effective Cyber Defense Version 6.1. (August 2016). https://downloads.cisecurity.org/
[6]
Fabian Fischer and Daniel A. Keim. 2014. NStreamAware: Real-Time Visual Analytics for Data Streams to Enhance Situational Awareness. In Proceedings of the Eleventh Workshop on Visualization for Cyber Security.
[7]
L. Franklin, M. Pirrung, L. Blaha, M. Dowling, and M. Feng. 2017. Toward a visualization-supported workflow for cyber alert management using threat models and human-centered design. In 2017 IEEE Symposium on Visualization for Cyber Security (VizSec). 1--8.
[8]
Benjamin Jotham Fry. 2004. Computational Information Design. Ph.D. Dissertation. Massachusetts Institute of Technology.
[9]
Eben M. Haber and Eser Kandogan. 2007. Security Administrators: A Breed Apart. on-line: http://cups.cs.cmu.edu/soups/2007/usm.html#program. In Workshop on Usable IT Security Management (USM '07).
[10]
Christopher Humphries, Nicolas Prigent, Christophe Bidan, and Frédéric Majorczyk. 2013. ELVIS: Extensible Log Visualization. In Proceedings of the Tenth Workshop on Visualization for Cyber Security (VizSec '13). ACM, New York, NY, USA, 9--16.
[11]
Jay Jacobs and Bob Rudis. 2014. Data-Driven Security: Analysis, Visualization and Dashboards (1st ed.). Wiley Publishing.
[12]
Wayne Jansen. 2009. NISTIR 7564. Directions in Security Metrics. Technical Report. NIST National Institute of Standards and Technology, Gaithersburg, MD, United States.
[13]
Qi Liao, Aaron Striegel, and Nitesh Chawla. 2010. Visualizing Graph Dynamics and Similarity for Enterprise Network Security and Management. In Proceedings of the Seventh International Symposium on Visualization for Cyber Security (VizSec '10). ACM, New York, NY, USA, 34--45.
[14]
Jeevitha Mahendiran, Kirstie Hawkey, and Nur Zincir Heywood. 2012. Understanding the Use of Models and Visualization Tools in System Administration Work. Dalhousie University DCSI Proceedings (2012).
[15]
Florian Mansmann, Timo Göbel, and William Cheswick. 2012. Visual Analysis of Complex Firewall Configurations. In Proceedings of the Ninth International Symposium on Visualization for Cyber Security (VizSec '12). ACM, New York, NY, USA, 1--8.
[16]
Raffael Marty. 2008. Applied Security Visualization. Addison-Wesley Professional.
[17]
Jonathan McPherson, Kwan-Liu Ma, Paul Krystosk, Tony Bartoletti, and Marvin Christensen. 2004. PortVis: a tool for port-based detection of security events. In VizSEC, Carla E. Brodley, Philip Chan, Richard Lippmann, and William Yurcik (Eds.). ACM, 73--81.
[18]
T. Schaaf and M. Brenner. 2008. On tool support for Service Level Management: From requirements to system specifications. In 2008 3rd IEEE/IFIP International Workshop on Business-driven IT Management. 71--80.
[19]
Michael Sedlmair, Petra Isenberg, Dominikus Baur, and Andreas Butz. 2011. Information visualization evaluation in large companies: Challenges, experiences and recommendations. Information Visualization 10, 3 (2011), 248--266.
[20]
Ben Shneiderman. 1996. The Eyes Have It: A Task by Data Type Taxonomy for Information Visualizations. In Proceedings of the 1996 IEEE Symposium on Visual Languages (VL '96). IEEE Computer Society, Washington, DC, USA, 336--343.
[21]
Murughiah Souppaya and Karen Scarfone. 2013. SP 800-40r3. Guide to Enterprise Patch Management Technologies. Technical Report SP 800-40r3. NIST National Institute of Standards and Technology U.S. Department of Commerce.
[22]
Ramona Su Thompson, Esa M. Rantanen, William Yurcik, and Brian P. Bailey. 2007. Command Line or Pretty Lines? Comparing Textual and Visual Interfaces for Intrusion Detection. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '07). ACM, New York, NY, USA.
[23]
Edward Tufte. 1990. Envisioning Information. Graphics Press, Cheshire, CT, USA.
[24]
Cheryl Vroom and Rossouw von Solms. 2002. A Practical Approach to Information Security Awareness in the Organization. (2002).
[25]
Rodrigo Werlinger, Kirstie Hawkey, and Konstantin Beznosov. 2008. Human, Organizational and Technological Challenges of Implementing IT Security in Organizations. In HAISA, Nathan L. Clarke and Steven Furnell (Eds.). University of Plymouth, 35--47.
[26]
Max Wertheimer. 1923. Untersuchungen zur Lehre von der Gestalt II. Psychologische Forschung 4 (1923), 301--350.

Cited By

View all
  • (2023)Combining SABSA and Vis4Sec to the Process Framework IdMSecMan to Continuously Improve Identity Management Security in Heterogeneous ICT InfrastructuresApplied Sciences10.3390/app1304234913:4(2349)Online publication date: 11-Feb-2023
  • (2023)A Review of Visualization Methods for Cyber-Physical Security: Smart Grid Case StudyIEEE Access10.1109/ACCESS.2023.328630411(59788-59803)Online publication date: 2023
  • (2021)A grounded theory of the role of coordination in software security patch managementProceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3468264.3468595(793-805)Online publication date: 20-Aug-2021
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences
ARES '18: Proceedings of the 13th International Conference on Availability, Reliability and Security
August 2018
603 pages
ISBN:9781450364485
DOI:10.1145/3230833
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

  • Universität Hamburg: Universität Hamburg

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 27 August 2018

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. Information Security
  2. Visualization of Security-Related Data

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2018

Acceptance Rates

ARES '18 Paper Acceptance Rate 128 of 260 submissions, 49%;
Overall Acceptance Rate 228 of 451 submissions, 51%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)25
  • Downloads (Last 6 weeks)4
Reflects downloads up to 20 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2023)Combining SABSA and Vis4Sec to the Process Framework IdMSecMan to Continuously Improve Identity Management Security in Heterogeneous ICT InfrastructuresApplied Sciences10.3390/app1304234913:4(2349)Online publication date: 11-Feb-2023
  • (2023)A Review of Visualization Methods for Cyber-Physical Security: Smart Grid Case StudyIEEE Access10.1109/ACCESS.2023.328630411(59788-59803)Online publication date: 2023
  • (2021)A grounded theory of the role of coordination in software security patch managementProceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3468264.3468595(793-805)Online publication date: 20-Aug-2021
  • (2021)Towards Improving Identity and Access Management with the IdMSecMan Process FrameworkProceedings of the 16th International Conference on Availability, Reliability and Security10.1145/3465481.3470055(1-10)Online publication date: 17-Aug-2021
  • (2020)Enhancing Enterprise IT Security with a Visualization-Based Process FrameworkSecurity in Computing and Communications10.1007/978-981-15-4825-3_18(225-236)Online publication date: 26-Apr-2020

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media