Heuristic Evaluation of Vulnerability Risk Management Leaders’ Presentations of Cyber Threat and Cyber Risk

  • Conference paper
  • HCI for Cybersecurity, Privacy and Trust (HCII 2021)
  • Part of the book series: Lecture Notes in Computer Science (LNISA, volume 12788)

Abstract

This work is an initial investigation into the way cybersecurity companies convey the concept of cyber-related threat and/or cyber-related risk to their clients. We survey the current cybersecurity business landscape and examine product outputs from a select group of companies identified by the analyst firm Forrester [24] as leading providers of vulnerability risk management services. Of specific interest are those tools/products that reflect a cybersecurity company’s efforts to combine data related to vulnerability information, threat intelligence, asset criticality, and/or network exposure in order to distill and quantify the complex ideas of cyber threat and cyber risk into relatively simple outputs like a single value or chart. We conduct a heuristic evaluation [9, 11] of static views of the vendors’ offerings and introduce the concept of the mythical average, reasonable IT professional (MARIP) to inspect the product outputs with respect to the key HCI principles of familiarity and consistency as they pertain to use of colors, numbers, and charts.

References

  1. Allodi, L., Massacci, F.: Comparing vulnerability severity and exploits using case-control studies. ACM Trans. Inf. Syst. Secur. (2014). https://dl.acm.org/doi/pdf/10.1145/2630069. Accessed 2 Feb 2021

  2. Common Vulnerability Scoring System SIG. https://www.first.org/cvss/. Accessed 2 Feb 2021

  3. Expanse White Paper. Security Ratings Are a Dangerous Fantasy (2020). https://go.expanse.co/rs/221-SBF-942/images/WP_Expanse_Security_Ratings_101_EN.pdf. Accessed 2 Feb 2021

  4. Hinze-Hoare, V.: Review and Analysis of Human Computer Interaction (HCI) Principles (2007). arXiv preprint. https://arxiv.org/ftp/arxiv/papers/0707/0707.3638.pdf. Accessed 2 Feb 2021

  5. Holmes, O.W.: The Common Law. Little, Brown, and Company, Boston, MA (1909). https://www.google.com/books/edition/The_Common_Law/xXouAAAAIAAJ?hl=en&gbpv=1&bsq=reasonable. Accessed 2 Feb 2021

  6. Jacobs, J., Romanosky, S., Adjerid, I., Baker, W.: Improving vulnerability remediation through better exploit prediction. J. Cybersecurity 6(1) (2020). https://academic.oup.com/cybersecurity/article/6/1/tyaa015/5905457. Accessed 2 Feb 2021

  7. Kenna Security. Getting Started w/ Kenna.VM. https://www.youtube.com/watch?v=CvnEp7MJZSk. Accessed 2 Feb 2021

  8. Mann, D.E., Christey, S.M.: Towards a common enumeration of vulnerabilities. In: 2nd Workshop of Research with Security Vulnerability Databases (1999). https://cve.mitre.org/docs/docs-2000/cerias.html. Accessed 2 Feb 2021

  9. Molich, R., Nielsen, J.: Improving a human-computer dialogue. Commun. ACM 33(3), 338–348 (1990). https://dl.acm.org/doi/pdf/10.1145/77481.77486. Accessed 2 Feb 2021

  10. Nayak, K., Marino, D., Efstathopoulos, P., Dumitras, T.: Some vulnerabilities are different than others. In: International Workshop on Recent Advances in Intrusion Detection, pp. 426–446 (2014). https://ssltest.cs.umd.edu/~kartik/papers/1_vuln.pdf. Accessed 2 Feb 2021

  11. Nielsen, J., Molich, R.: Heuristic evaluation of user interfaces. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 249–256 (1990). https://dl.acm.org/doi/pdf/10.1145/97243.97281. Accessed 2 Feb 2021

  12. Nielsen, J.: How to conduct a heuristic evaluation. Nielsen Norman Group 1, pp. 1–8 (1995). https://www.ingenieriasimple.com/usabilidad/HeuristicEvaluation.pdf. Accessed 2 Feb 2021

  13. NIST National Vulnerability Database, Vulnerabilities. https://nvd.nist.gov/vuln. Accessed 2 Feb 2021

  14. NIST Special Publication 800-126, Revision 3: The Technical Specification for the Security Content Automation Protocol (SCAP) (2018). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-126r3.pdf. Accessed 2 Feb 2021

  15. NIST Special Publication 800-30, Revision 1: Guide for Conducting Risk Assessments (2012). https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf. Accessed 2 Feb 2021

  16. NopSec Datasheet, New Unified VRM. https://www.nopsec.com/wp-content/uploads/UnifiedVRM-datasheet.pdf. Accessed 2 Feb 2021

  17. NopSec Image C. https://www.nopsec.com/wp-content/uploads/Home-page.png. Accessed 2 Feb 2021

  18. NopSec Image D. https://www.nopsec.com/tag/unified-vrm/page/2/. Accessed 2 Feb 2021

  19. Outpost24 Risk Overview Snapshot. https://outpost24.com/sites/default/files/glazed_builder_images/Outpost24%20full%20stack_3.png. Accessed 2 Feb 2021

  20. Rapid7 InsightVM Dashboard image. https://www.rapid7.com/globalassets/_images/product/insightvm/insightvm-key-features-dashboard.jpg. Accessed 2 Feb 2021

  21. Rapid7 Solution Brief, Quantifying Risk with InsightVM. (2020). https://www.rapid7.com/globalassets/_pdfs/product-and-service-briefs/rapid7-solution-brief-quantifying-risk-insightvm.pdf. Accessed 2 Feb 2021

  22. Sabottke, C., Suciu, O., Dumitras, T.: Vulnerability disclosure in the age of social media: exploiting Twitter for predicting real-world exploits. In: 24th USENIX Security Symposium, pp. 1041–1056 (2015). https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-sabottke.pdf. Accessed 2 Feb 2021

  23. Siirtola, H.: The cost of pie charts. In: 23rd International Conference Information Visualisation (IV), pp. 151–156 (2019). https://core.ac.uk/download/pdf/250169498.pdf. Accessed 2 Feb 2021

  24. Zelonis, J., Lyness, T.: The Forrester Wave™: Vulnerability Risk Management, Q4 2019 (2019). https://www.rapid7.com/info/vrm-wave/. Accessed 2 Feb 2021

Author information

Corresponding author: Geoff Stoker

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Nichols, C., Stoker, G., Clark, U. (2021). Heuristic Evaluation of Vulnerability Risk Management Leaders’ Presentations of Cyber Threat and Cyber Risk. In: Moallem, A. (ed.) HCI for Cybersecurity, Privacy and Trust. HCII 2021. Lecture Notes in Computer Science, vol. 12788. Springer, Cham. https://doi.org/10.1007/978-3-030-77392-2_14

  • DOI: https://doi.org/10.1007/978-3-030-77392-2_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-77391-5

  • Online ISBN: 978-3-030-77392-2

  • eBook Packages: Computer Science (R0)
