The goal of WhyViz is to conduct a study of the effectiveness of visualizations on cyber operator performance during the early stages of incident handling, which require operators to review an endless alert queue of cyber event data to identify, record, and report suspicious behavior or cyber events of interest. Most cyber security visualizations are currently used for historical analyses; as part of the WhyViz project, however, Secure Decisions will develop visualizations to support the real-time, in situ processing that is actually being performed by cyber operators, to facilitate event detection and preliminary event analysis.
In Phase I of this Small Business Innovation Research (SBIR), we applied knowledge elicitation (KE) methods to define specific examples of cognitive work that occur in the early stages of incident handling and that have the potential for being enhanced (faster, more accurate, more complete) through the use of visualizations by the cyber operator. This cognitive work took the form of the operator seeking to answer specific analytic questions using the available data, in a severely time-constrained work environment. A KE with domain practitioners revealed that cyber operators regularly ask fundamental analytical questions that cut across specific tasks and roles. Our research identified the type of information operators need to answer these questions, the visualization concepts that represent that information in a visual form that can be rapidly comprehended and acted on, and methods to transform raw cyber sensor data into a form that can be used to populate the visualizations. In Phase II of the project (in progress) we will conduct an experiment to objectively evaluate the effects of these visualizations on operator performance.