TY - CONF
T1 - Toward a visualization-supported workflow for cyber alert management using threat models and human-centered design
T2 - 2017 IEEE Symposium on Visualization for Cyber Security (VizSec)
Y1 - 2017
A1 - L. Franklin
A1 - M. Pirrung
A1 - L. Blaha
A1 - Michelle Dowling
A1 - M. Feng
KW - analytic process
KW - Analytical models
KW - automated decision support
KW - complex processes
KW - Computer security
KW - cyber alert management
KW - cyber analysts
KW - cyber network analysts
KW - data analysis
KW - data stream monitoring
KW - data visualisation
KW - Data visualization
KW - decision support systems
KW - Electronic mail
KW - H.1.2 [Information Systems]: User/Machine Systems - Human Factors
KW - H.5.2 [Information Interfaces and presentation]: User Interfaces - User Centered Design
KW - human-centered design
KW - Interviews
KW - learning (artificial intelligence)
KW - machine learning algorithms
KW - noisy data sets
KW - potential threats
KW - prototype visual analytic-supported alert management workflow
KW - rich data sets
KW - security of data
KW - specific data mapping
KW - support tools
KW - threat model
KW - Tools
KW - visual analytic environments
KW - visual analytic tools
KW - visualization designs
KW - visualization-supported workflow
AB - Cyber network analysts follow complex processes in their investigations of potential threats to their network. Much research is dedicated to providing automated decision support in the effort to make their tasks more efficient, accurate, and timely. Support tools come in a variety of implementations, from machine learning algorithms that monitor streams of data to visual analytic environments for exploring rich and noisy data sets. Cyber analysts, however, need tools which help them merge the data they already have and help them establish appropriate baselines against which to compare anomalies. Furthermore, existing threat models that cyber analysts regularly use to structure their investigation are not often leveraged in support tools. We report on our work with cyber analysts to understand the analytic process and how one such model, the MITRE ATT&CK Matrix [42], is used to structure their analytic thinking. We present our efforts to map specific data needed by analysts into this threat model to inform our visualization designs. We leverage this expert knowledge elicitation to identify capability gaps that might be filled with visual analytic tools. We propose a prototype visual analytic-supported alert management workflow to aid cyber analysts working with threat models.
JF - 2017 IEEE Symposium on Visualization for Cyber Security (VizSec)
CY - Phoenix, AZ
ER -