How to Use the Information-Seeking Mantra in Cyber Intelligence Dashboards
September 10, 2014 • Twain Taylor
This is the second post in our blog series, “Visualizing Cyber Intelligence.”
In the previous post, we got a glimpse of two important contributions of Edward Tufte to the field of data visualization: chartjunk and sparkline charts. Today, we’ll be looking at another data visualization guru whose work can have a profound impact on your cyber intelligence project. We’ll be discussing Ben Shneiderman’s information-seeking mantra.
The Problem of Information Overload
Today’s cyber security professional is dealing with volumes of data unlike ever before. Just about every analyst deals with information overload on a daily basis. Data visualization has always been used to make sense of huge quantities of data, and draw patterns that don’t stand out when viewing the raw data set. However, many dashboards still use text-based interfaces that overwhelm its viewers, and prevent him or her from taking action. In today’s big data world, it’s imperative to employ proper data visualization techniques. It’s a crime not to.
To get started, let’s look at an example of a dashboard that suffers from information overload.
This dashboard, which is actually a table in disguise, overloads its viewer with too much information right up front. It screams, “I don’t care what you want, this is what you’ll get!” It gets straight to the minute details without informing the viewer of the broader trends in the data. It doesn’t make a point. It doesn’t allow the viewer to get an overview first, and then decide which area of the dashboard they’d like to further investigate. And this is with just 10 rows of data. If this data were to run into the thousands, or hundreds of thousands, which is common in cyber intelligence scenarios, this kind of dashboard would be a nightmare to use. Yet, how often do cyber intelligence analysts make do with tables, and poorly designed dashboards, that hide the story behind the data?
The Information-Seeking Mantra
In dealing with the problem of information overload, Ben Shneiderman’s work has been a landmark in the recent evolution of data visualization. Through his research, Shneiderman noticed the most powerful visualizations share a common trait, or mantra: overview first, zoom and filter, then details-on-demand. This is Shneiderman’s “information-seeking mantra.”
Let’s discuss the mantra in detail, and see how to apply it when creating a dashboard.
The most important part of a dashboard is the “overview” section. It’s the first thing a viewer sees in the dashboard, and guides the him or her to other parts of the product for further exploration.
When designing a dashboard, maximum time should be spent on perfecting, and fine-tuning the overview section. The overview should summarize the overarching story from the entire data set without getting into the minor details. It shouldn’t overload the user with too much data, which is where interactive charts, gauges, and maps serve to reduce data clutter, and bring out the story more powerfully.
At the same time it shouldn’t leave out important parts of the story by using just a single pie chart, and hiding all the data a layer deeper. Often, great dashboards use a combination of chart types like the line chart, bar chart, maps, and gauges to give the viewer variety, and clarity when studying the data. The overview section should be carefully planned to highlight the important parts of the story, and give lesser weight to the not-so-critical parts. To do this, you may want to organize the entire section into many sub-sections that are clearly labeled. Of course, the important sections would be placed more prominently than the others.
Dashboard creation is a process of constant refining and experimenting. And in that sense, the overview section would benefit most from constant testing and refining to arrive at the perfect dashboard design.
Zoom and Filter
Once all the data is presented to the user in the overview section, the viewer will want to focus on particular areas of interest. This involves zooming and filtering the data using the dashboard’s interactive features: zooming, scrolling, panning, drill-down, legend, range selector, etc. For example, zooming may be drilling down from global to country-specific data while filtering may be excluding information in a specific time range.
From a design perspective, you should aim to provide the user with plenty of control for zooming and filtering data from the overview. This will yield maximum insights and action from the information at hand. When viewing a dashboard, don’t settle for complex ways to get to the exact data you need. If your dashboard doesn’t support advanced zooming and filtering features, you may want to send in a feature request to whoever created it. After all, zooming and filtering is where the fun starts for a cyber intelligence analyst.
You’ve identified areas of interest from the overview section, and have dug deeper into the data using zooming and filtering, but you still may not have found what you started looking for. The devil’s in the details!
A dashboard that excels at giving an overview, and allows extensive zooming and filtering, should go all the way and give the viewer access to the minute details. This would bring them as close as possible to the raw data, and equip them to find what they started looking for. This third layer of data would be less visual, and more text-heavy with a focus on accurate information rather than trends. This way the analyst gets what he or she needs, in a way that drives action.
By using the three steps of the information-seeking mantra, you can avoid information overload, analyze data more easily, and find solutions faster. Let’s look at three examples that follow the information-seeking mantra, and make analysis a lot more interesting.
1. New Relic
New Relic has an outstanding network monitoring dashboard. The overview section uses a combination of different chart types – bar, line, and map – to give the viewer maximum information at a glance. It uses a date range selector, drill-down, and interactive legend to allow the viewer to zoom and filter data. One layer deeper, the analyst has the ability to find answers to their questions.
The second visualization is from MailChimp’s Wavelength product which allows newsletter creators to identify common interests among their newsletter subscribers. It starts with a beautiful, and yet, informative overview, giving the viewer a bird’s eye view of all the connections among their subscribers. The viewer can then zoom into a section that’s densely connected. And finally, they can click on individual points to get the details-on-demand.
3. Recorded Future
Our third example is from Recorded Future, a web intelligence platform that continually scans hundreds of thousands of public web sources. Their system organizes that data for analysis and returns actionable intelligence using six visualization tools. For this article, we’ll focus on a Timeline visualization that’s comparing cyber-related instances for five major corporations. The overview section shows data across a 12-month period in the form of events (colored dots) and references (gray line chart). Once you’ve zoomed and filtered the data, clicking on each dot opens a box with the details-on-demand for each web mention (reference). This dashboard makes it easy to analyze the data at an overview, or granular level, and is an excellent example of how to use the information-seeking mantra.
If you’d like to read Shneiderman’s entire paper on the information-seeking mantra, it’s called “The Eyes Have It: A Task by Data Type Taxonomy for Information Visualizations.”
Don’t be put off by the long title, it’s actually quite a light read for a research paper.
If you haven’t already, please read the previous post on Edward Tufte’s concept of chartjunk, and sparkline charts. And if you like what you’re learning here, stay tuned for my next post on the various chart types used in cyber intelligence.