Abstract
This work is an initial investigation into the way cybersecurity companies convey the concept of cyber-related threat and/or cyber-related risk to their clients. We survey the current cybersecurity business landscape and examine product outputs from a select group of companies identified by the analyst firm Forrester [24] as leading providers of vulnerability risk management services. Of specific interest are those tools/products that reflect a cybersecurity company’s efforts to combine data related to vulnerability information, threat intelligence, asset criticality, and/or network exposure in order to distill and quantify the complex ideas of cyber threat and cyber risk into relatively simple outputs like a single value or chart. We conduct a heuristic evaluation [9, 11] of static views of the vendors’ offerings and introduce the concept of the mythical average, reasonable IT professional (MARIP) to inspect the product outputs with respect to the key HCI principles of familiarity and consistency as they pertain to use of colors, numbers, and charts.
References
Allodi, L., Massacci, F.: Comparing vulnerability severity and exploits using case-control studies. In: ACM Transactions on Information and System Security (2014). https://dl.acm.org/doi/pdf/10.1145/2630069. Accessed 2 Feb 2021
Common Vulnerability Scoring System SIG. https://www.first.org/cvss/. Accessed 2 Feb 2021
Expanse White Paper. Security Ratings Are a Dangerous Fantasy (2020). https://go.expanse.co/rs/221-SBF-942/images/WP_Expanse_Security_Ratings_101_EN.pdf. Accessed 2 Feb 2021
Hinze-Hoare, V.: Review and Analysis of Human Computer Interaction (HCI) Principles (2007). arXiv preprint. https://arxiv.org/ftp/arxiv/papers/0707/0707.3638.pdf. Accessed 2 Feb 2021
Holmes, O.W.: The Common Law. Little, Brown, and Company, Boston, MA (1909). https://www.google.com/books/edition/The_Common_Law/xXouAAAAIAAJ?hl=en&gbpv=1&bsq=reasonable. Accessed 2 Feb 2021
Jacobs, J., Romanosky, S., Adjerid, I., Baker, W.: Improving vulnerability remediation through better exploit prediction. J. Cybersecurity 6, 1 (2020) https://academic.oup.com/cybersecurity/article/6/1/tyaa015/5905457. Accessed 2 Feb 2021
Kenna Security. Getting Started w/ Kenna.VM. https://www.youtube.com/watch?v=CvnEp7MJZSk. Accessed 2 Feb 2021
Mann, D.E., Christey, S.M.: Towards a common enumeration of vulnerabilities. In: 2nd Workshop of Research with Security Vulnerability Databases (1999). https://cve.mitre.org/docs/docs-2000/cerias.html. Accessed 2 Feb 2021
Molich, R., Nielsen, J.: Improving a human-computer dialogue. Commun. ACM 33(3), 338–348 (1990). https://dl.acm.org/doi/pdf/10.1145/77481.77486. Accessed 2 Feb 2021
Nayak, K., Marino, D., Efstathopoulos, P., Dumitras, T.: Some vulnerabilities are different than others. In: International Workshop on Recent Advances in Intrusion Detection, pp. 426–446 (2014). https://ssltest.cs.umd.edu/~kartik/papers/1_vuln.pdf. Accessed 2 Feb 2021
Nielsen, J., Molich, R.: Heuristic evaluation of user interfaces. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 249–256 (1990). https://dl.acm.org/doi/pdf/10.1145/97243.97281. Accessed 2 Feb 2021
Nielsen, J.: How to conduct a heuristic evaluation. Nielsen Norman Group 1, pp. 1–8 (1995). https://www.ingenieriasimple.com/usabilidad/HeuristicEvaluation.pdf. Accessed 2 Feb 2021
NIST National Vulnerability Database, Vulnerabilities. https://nvd.nist.gov/vuln. Accessed 2 Feb 2021
NIST Special Publication 800–126, Revision 3. The Technical Specification for the Security Content Automation Protocol (SCAP) (2018). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-126r3.pdf. Accessed 2 Feb 2021
NIST Special Publication 800–30, Revision 1. Guide for Conducting Risk Assessments (2012). https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf. Accessed 2 Feb 2021
NopSec Datasheet, New Unified VRM. https://www.nopsec.com/wp-content/uploads/UnifiedVRM-datasheet.pdf. Accessed 2 Feb 2021
NopSec Image C. https://www.nopsec.com/wp-content/uploads/Home-page.png. Accessed 2 Feb 2021
NopSec Image D. https://www.nopsec.com/tag/unified-vrm/page/2/. Accessed 2 Feb 2021
Outpost24 Risk Overview Snapshot. https://outpost24.com/sites/default/files/glazed_builder_images/Outpost24%20full%20stack_3.png. Accessed 2 Feb 2021
Rapid7 InsightVM Dashboard image. https://www.rapid7.com/globalassets/_images/product/insightvm/insightvm-key-features-dashboard.jpg. Accessed 2 Feb 2021
Rapid7 Solution Brief, Quantifying Risk with InsightVM. (2020). https://www.rapid7.com/globalassets/_pdfs/product-and-service-briefs/rapid7-solution-brief-quantifying-risk-insightvm.pdf. Accessed 2 Feb 2021
Sabottke, C., Suciu, O., Dumitras, T.: Vulnerability disclosure in the age of social media: exploiting Twitter for predicting real-world exploits. In: 24th USENIX Security Symposium, pp. 1041–1056 (2015). https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-sabottke.pdf. Accessed 2 Feb 2021
Siirtola, H.: The cost of pie charts. In: 23rd International Conference Information Visualisation (IV), pp. 151–156 (2019). https://core.ac.uk/download/pdf/250169498.pdf. Accessed 2 Feb 2021
Zelonis, J., Lyness, T.: The Forrester Wave™: Vulnerability Risk Management, Q4 2019 (2019). https://www.rapid7.com/info/vrm-wave/. Accessed 2 Feb 2021
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Nichols, C., Stoker, G., Clark, U. (2021). Heuristic Evaluation of Vulnerability Risk Management Leaders' Presentations of Cyber Threat and Cyber Risk. In: Moallem, A. (ed.) HCI for Cybersecurity, Privacy and Trust. HCII 2021. Lecture Notes in Computer Science, vol. 12788. Springer, Cham. https://doi.org/10.1007/978-3-030-77392-2_14
DOI: https://doi.org/10.1007/978-3-030-77392-2_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-77391-5
Online ISBN: 978-3-030-77392-2