
IBM Cambridge Research Center

Technical Report: Nimble Cybersecurity Incident Management through Visualization and Defensible Recommendations

Technical Report #:11-10
Author(s): Jamie Rasmussen, Kate Ehrlich, Steven Ross, Susanna Kirk, Daniel Gruen, John Patterson

Abstract

A Collaborative User Experience (CUE) Technical Report.

Analysts engaged in real-time monitoring of cybersecurity incidents must quickly and accurately respond to alerts generated by intrusion detection systems (IDS). We investigated two complementary approaches to improving analyst performance on this vigilance task: a graph-based visualization of correlated IDS output, and defensible recommendations derived by machine learning from historical analyst behavior. We tested our approach with 18 professional cybersecurity analysts in a prototype environment in which we compared the visualization with a conventional tabular display, and the defensible recommendations with limited or no recommendations. Quantitative results showed improved analyst accuracy with the visual display and with the defensible recommendations. Additional qualitative data from a “talk aloud” protocol illustrated the role of displays and recommendations in analysts’ decision-making process. Implications for the design of future online analysis environments are discussed.
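As an added illustration, not the report's own code nor the prototype it evaluated, the following Python sketches the two ideas named in the abstract: correlating IDS alerts into a host graph whose connected components are the "incidents" an analyst would see together, and producing a recommendation that carries its own justification (the historical verdict counts it rests on) so the analyst can judge whether to trust it. The alerts, the verdict history, the signature names, the `MIN_SAMPLES` abstention threshold and the escalation rule are all constructed assumptions for the example.

```python
"""Added illustration (not the report's code) of correlated IDS alerts as a
host graph plus recommendations that carry their justifying evidence.
All data, thresholds and names below are constructed assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Alert:
    alert_id: int
    src: str
    dst: str
    signature: str


# Constructed sample alerts in the shape of a Snort/Suricata-style IDS event.
ALERTS: List[Alert] = [
    Alert(1, "10.0.0.5", "192.168.1.20", "ET SCAN Nmap"),
    Alert(2, "10.0.0.5", "192.168.1.21", "ET SCAN Nmap"),
    Alert(3, "192.168.1.20", "203.0.113.9", "ET MALWARE C2 Beacon"),
    Alert(4, "172.16.4.2", "192.168.1.50", "ET POLICY DNS Query"),
]

# Constructed history of past analyst verdicts per signature ("tp" / "fp").
HISTORY: Dict[str, List[str]] = {
    "ET SCAN Nmap": ["fp"] * 18 + ["tp"] * 2,
    "ET MALWARE C2 Beacon": ["tp"] * 7 + ["fp"] * 1,
    "ET POLICY DNS Query": ["fp"] * 3,
}

MIN_SAMPLES = 5  # assumed: with fewer prior verdicts, abstain rather than guess


def build_graph(alerts: Iterable[Alert]) -> Dict[str, Set[str]]:
    """Undirected host graph: every alert between src and dst becomes an edge."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for a in alerts:
        graph[a.src].add(a.dst)
        graph[a.dst].add(a.src)
    return dict(graph)


def connected_components(graph: Dict[str, Set[str]]) -> List[Set[str]]:
    """Each component is one correlated group of hosts the analyst sees together."""
    seen: Set[str] = set()
    components: List[Set[str]] = []
    for start in graph:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(graph[node] - comp)
        seen |= comp
        components.append(comp)
    return components


def recommend(signature: str, history: Dict[str, List[str]]) -> Dict[str, object]:
    """Majority verdict from history, returned together with the counts behind it.

    The 'evidence' field is what makes the recommendation defensible: the
    analyst sees how many prior verdicts it rests on and can overrule it."""
    verdicts = history.get(signature, [])
    n = len(verdicts)
    if n < MIN_SAMPLES:
        return {"verdict": None, "confidence": 0.0,
                "evidence": f"only {n} prior verdicts for '{signature}' (need {MIN_SAMPLES})"}
    verdict, top = Counter(verdicts).most_common(1)[0]
    return {"verdict": verdict, "confidence": top / n,
            "evidence": f"{top} of {n} prior '{signature}' alerts were marked {verdict}"}


def triage(alerts: List[Alert], history: Dict[str, List[str]]) -> List[Dict[str, object]]:
    """Attach a component id and a recommendation to every alert, then escalate a
    whole component if any alert in it is recommended as a true positive."""
    components = connected_components(build_graph(alerts))
    comp_of = {host: i for i, comp in enumerate(components) for host in comp}
    rows = [{"alert_id": a.alert_id, "component": comp_of[a.src],
             **recommend(a.signature, history)} for a in alerts]
    hot = {r["component"] for r in rows if r["verdict"] == "tp"}
    for r in rows:
        r["escalate"] = r["component"] in hot
    return rows


if __name__ == "__main__":
    for row in triage(ALERTS, HISTORY):
        print(row)
```

In the constructed data the two Nmap scan alerts would be recommended as false positives on their own history, but the graph places the scanning host in the same component as a host that later matched a C2 beacon signature, so the whole component is escalated; that is the kind of context a tabular per-alert view hides and a correlated graph view exposes. The abstention branch in `recommend` matters as much as the majority rule: a recommendation backed by three prior verdicts is not defensible, and saying so is better than guessing.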


Full Report
NIMBLE-VizSec-final.pdf
