From A to Z: Developing a Visual Vocabulary for Information Security Threat Visualisation

  • Conference paper
  • In: Graphical Models for Security (GraMSec 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9987)

Abstract

Security visualisation is a very difficult problem due to its inherent need to represent complexity and to be flexible for a wide range of applications. As a result, many current approaches are not particularly effective. This paper presents several novel approaches for visualising information security threats, which aim to provide a flexible and effective basis for creating semantically rich threat visualisation diagrams. Because the approaches are generalised, they can be applied to a wide variety of situations, as demonstrated in two specific visualisations: one for visualising attack trees, the other for visualising attack graphs. The paper concludes by discussing future work and introducing a novel exploration of attack models.


Notes

  1. A model is defined as “a simplified description, especially a mathematical one, of a system or process, to assist calculations and predictions” (Oxford English Dictionary). When discussing visualisation of said models, it is in regard to making this abstraction visible in some manner.

  2. Technology-supported Risk Estimation by Predictive Assessment of Socio-technical Security, http://www.trespass-project.eu.

  3. As defined by Merriam-Webster.

  4. Here we discuss graphs in the mathematical, not the visual, context. So a graph in this context is defined as a network of vertices or nodes connected by (directed or undirected) edges.

  5. Data link: https://github.com/vz-risk/VERISAG/tree/v2/static.

  6. The interactive version of the DBIR Attack Graph can be found at http://lustlab.net/dev/vzw/index.html.


Acknowledgements

The research leading to these results has received funding from the European Union’s Seventh Framework Programme (FP7/2007–2013) under grant agreement ICT-318003 (TRESPASS). This publication reflects only the authors’ views, and the European Union is not liable for any use that may be made of the information contained herein.

Corresponding author

Correspondence to Jeroen Barendse.


Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Li, E., Barendse, J., Brodbeck, F., Tanner, A. (2016). From A to Z: Developing a Visual Vocabulary for Information Security Threat Visualisation. In: Kordy, B., Ekstedt, M., Kim, D. (eds) Graphical Models for Security. GraMSec 2016. Lecture Notes in Computer Science, vol 9987. Springer, Cham. https://doi.org/10.1007/978-3-319-46263-9_7

  • DOI: https://doi.org/10.1007/978-3-319-46263-9_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-46262-2

  • Online ISBN: 978-3-319-46263-9

  • eBook Packages: Computer Science (R0)
