Secure Decisions has conducted research focused on understanding how and why real users make decisions, and has built tools to help them do that.

Cognitive Task Analysis

Read Journal of Cognitive Engineering and Decision Making Special Issue Focus: Cybersecurity Decision Making
Read The Real Work of Computer Network Defense Analysts
Read Achieving Cyber Defense Situational Awareness: A Cognitive Task Analysis of Information Assurance Analysts

VIAssist

Network Defense Visualization

VIAssist is a visual analysis platform to help network security analysts protect their networks. It was designed after a comprehensive cognitive task analysis of network defenders. It provides visual tools for the evaluation of network flow and security data. VIAssist presents multiple, coordinated views – highlighted or filtered data in one view is reflected in all other views – to provide different visual perspectives of the data. These views transform network data into a collection of interactive visualizations that make it easier to analyze data, to see patterns and trends, and to identify risks and actionable information.

See more about VIAssist
Read Visual Analytics for Network Flow Analysis
VIAssist Fact sheet
Read Visual Discovery in Computer Network Defense
Read VIAssist: Visual Analytics for Cyber Defense
Read Balancing Interactive Data Management of Massive Data with Situational Awareness through Smart Aggregation

Goal Directed Task Analysis

NetDemon

The purpose of the NetDemon project was to identify the information real decision makers actually need, and how they use it. The goal was to use that information to evaluate the environment in which these decision makers operate and determine how well the current technology meets their needs. Future designs can then be created that take those needs into account from the beginning, rather than adding critical features and integration later. To accomplish this, the NetDemon project documented the specific information that operators required to do their jobs, and how they used that information to address particular issues or inform decisions.

The first part of the NetDemon project was to determine the current decision model used by the client, and determine if the existing data sources and capabilities were adequate. In the second part of the project, we developed an idealized, future decision model that helped the client reach Information Dominance goals, and described the data necessary to support it. Once the model was defined, we identified technology insertion opportunities that provided new data sources and technologies to support the decision process, and to automate part of it.

Read Visual Analysis of Goal-Directed Network Defense Decisions

Decision Driven Visualization

WhyViz – Transforming Cyber Data into Human-Centered Visualizations

The goal of WhyViz was to study the effectiveness of visualizations on cyber operator performance during the early stages of incident handling, which require defense analysts to review an endless alert queue of cyber event data to identify, record, and report suspicious behavior or cyber events of interest. Most cyber security visualizations are currently used for historical analyses; as part of the WhyViz project, however, Secure Decisions developed visualizations to support real-time, in situ processing as it is actually performed by cyber operators, to facilitate event detection and preliminary event analysis.

In Phase I of this Small Business Innovation Research (SBIR) project, we applied knowledge elicitation (KE) methods to define specific examples of cognitive work that occur in the early stages of incident handling and that have the potential for being enhanced (faster, more accurate, more complete) through the use of visualizations by the cyber operator. This cognitive work took the form of the operator seeking to answer specific analytic questions using the available data, in a severely time-constrained work environment. A KE with domain practitioners revealed that cyber operators regularly ask fundamental analytical questions that cut across specific tasks and roles. Our research identified the type of information operators need to answer these questions, the visualization concepts that represent that information in a visual form that can be rapidly comprehended and acted on, and methods to transform raw cyber sensor data into a form that can be used to populate the visualizations. In Phase II of the project (in progress), we will conduct an experiment to objectively evaluate the effects of these visualizations on operator performance.

In Phase II of the project, we conducted an experiment to objectively evaluate the effects of these visualizations on cyber defense analyst performance.

Contract No: FA8650-16-C-6711
DISTRIBUTION STATEMENT A.  Approved for public release:  distribution is unlimited.  88ABW Cleared 02/08/2017; 88ABW-2017-0518.

Read Phase II Summary
Read Secure Decisions to Evaluate Effectiveness of Visualizations for Cyber Defense
Read Cyber Operator Perspectives on Security Visualization
Read Mixed method approach to identify analytic questions to be visualized for military cyber incident handlers