From A to Z: Developing a Visual Vocabulary for Information Security Threat Visualisation

  • Eric Li
  • Jeroen Barendse (corresponding author)
  • Frederic Brodbeck
  • Axel Tanner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9987)


Security visualisation is a very difficult problem due to its inherent need to represent complexity and to be flexible for a wide range of applications. As a result, many current approaches are not particularly effective. This paper presents several novel approaches for visualising information security threats which aim to create a flexible and effective basis for creating semantically rich threat visualisation diagrams. By presenting generalised approaches, these ideas can be applied to a wide variety of situations, as demonstrated in two specific visualisations: one for visualising attack trees, the other for visualising attack graphs. It concludes by discussing future work and introducing a novel exploration of attack models.


Keywords: Visualisation · Security · Model · Attack tree · Attack graph



The research leading to these results has received funding from the European Union’s Seventh Framework Programme (FP7/2007–2013) under grant agreement ICT-318003 (TRESPASS). This publication reflects only the authors’ views, and the European Union is not liable for any use that may be made of the information contained herein.



Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Eric Li: LUST, The Hague, Netherlands; Princeton University, Princeton, USA
  • Jeroen Barendse (corresponding author): LUST, The Hague, Netherlands
  • Frederic Brodbeck: LUST, The Hague, Netherlands
  • Axel Tanner: IBM Research – Zurich, Rüschlikon, Switzerland
