Visualizing Multi-Client Risk
RiskSense specializes in presenting cyber risk for its clients through insightful visualization and analysis techniques. In this blog post, we present our unique multi-fold approach that combines UI with engineering to address the complexity of visualizing cyber risk across multiple organizational business groups using a distributed bubble chart. The bubble chart visualization helps our end users to quickly identify the high-risk groups within their organizations, while retaining the holistic picture of their cyber risk posture.
RiskSense allows its clients to manage cyber risk by prioritizing critical vulnerabilities for remediation. One primary requirement from our clients, especially Managed Service Providers (MSPs), has been the ability to see the overall cyber risk of all their clients in a single view. To address this request, we designed and developed the RiskSense Multi-Client Dashboard, which was later extended to provide a group risk view within the organization as well. The primary motivation behind our Multi-Client Dashboard was to present a holistic organizational risk view for our clients. The objective was two-fold.
- Visualize risk across all clients (or business units) including the network and application security posture.
- Enable actionable intelligence through risk visualization.
Similar to the majority of the efforts that address representing multi-dimensional information (like assets, applications, their security posture and associated risk), we started out with a list-view approach (Figure 1) for representing the risk posture by client (served by the MSP). We quickly realized that “Less Is More” when it comes to visualizing data with multiple parameters. Revealing too much information all at once makes for an overwhelming, less appealing visual that takes users longer to process. As shown in Figure 1, even though the RiskSense Security Score (RS3), total number of clients, and overall vulnerability distribution are clearly highlighted, the rest of the data is not in an easily digestible form; in addition, users have to scroll down to see all 125 clients and their related data.
Figure 1: Risk by Client Using List View
Another limitation with the list-view approach is that there is neither visual correlation between the client and its size (determined by the number of assets each client owns) nor its RS3 score. Further, it’s difficult for users to see how each client relates to one another in terms of group size and risk ranking. Since this approach didn’t convey the holistic view we desired, we decided that it’s better to distill all of the relevant client data into concise, digestible and actionable insights, then prioritize and present that data in a way that clients who have multiple business units (or users who have multiple clients) can have a holistic understanding of their organizational risk. So we went back to the drawing board and implemented an iterative UI enhancement approach.
Seeing It on Paper Before Seeing It Digitally on a Computer Screen
We sketched out several concepts to represent clients with different risk postures. For brevity, we are only showing a few sketches here. Figure 2 shows risk distribution by groups in a heat map tile. The colors ranging from red to blue represent risk ranking (from high to low) of the 125 sample clients. We derived Figure 3 from Figure 2 with more data showing, including all 125 groups in a heat map tile, overall RS3 score, overall vulnerability distribution, and the top 5 risks. While the heat maps presented in Figures 2 and 3 represent the risk distribution across all clients, they fail to visualize the risk with respect to the client size (no. of hosts and applications hosted by each client).
Figures 2 and 3: Heat Map Tile Sketches
Figures 4 and 5: Bubble Chart Sketches
After we enumerated the limitations with the heat map approach, we focused on visualizing the client size. This led us to the bubble chart approach. Figure 4 shows the bubble chart approach. The bubble size represents the client size in terms of no. of assets hosted by the client. Figure 5 derived from figure 4 shows how the 125 sample clients are clustered based on their RS3 scores. At this point, we were convinced that this visual represented the holistic view we desired to accomplish.
Enhancing Concept Through Existing Open-Source Representations
Based on the bubble chart concept in figure 5, we tried to find any matching visualizations within the D3 library. We adapted an interactive visualization contributed by the New York Times that shows what S&P 500 companies paid in corporate income taxes from 2007 to 2012, according to S&P Capital IQ. In order to accomplish the visualization, our UI engineering team adapted other concepts presented in the D3 gallery examples for a bubble chart and force-directed graphs to create the RS3-by-client. The UI engineering team used springs to pull the bubbles toward the vertical center of the chart, as well as toward their associated RS3 value on the horizontal axis. This, combined with a separating force between bubbles and collision handling that prevents overlap, gave the appearance of a natural grouping of similarly scoring bubbles.
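The forces described above can be sketched in plain JavaScript, without D3 calls. This is an added example, not RiskSense's dashboard code: the chart dimensions, spring strength, radius scale, padding, and sample clients are all assumptions constructed for illustration.

```javascript
// Added example (constructed data and constants); not the vendor's code.
const WIDTH = 900, HEIGHT = 400, RS3_MIN = 300, RS3_MAX = 850, PAD = 1;
// Horizontal anchor: linear map of an RS3 score onto the chart width.
const xTarget = rs3 => ((rs3 - RS3_MIN) / (RS3_MAX - RS3_MIN)) * WIDTH;

function makeNodes(clients) {
  return clients.map((c, i) => ({
    ...c,
    r: 4 + 0.5 * Math.sqrt(c.assets),   // bubble area grows with asset count
    x: WIDTH / 2 + 3 * i,               // distinct, deterministic start points
    y: HEIGHT / 2 + ((5 * i) % 11) - 5,
  }));
}

function tick(nodes, k = 0.1) {
  for (const n of nodes) {
    n.x += (xTarget(n.rs3) - n.x) * k;  // spring toward the RS3 position
    n.y += (HEIGHT / 2 - n.y) * k;      // spring toward the vertical center
  }
  for (let i = 0; i < nodes.length; i++) {
    for (let j = i + 1; j < nodes.length; j++) {
      const a = nodes[i], b = nodes[j];
      let dx = b.x - a.x, dy = b.y - a.y, d = Math.hypot(dx, dy);
      const min = a.r + b.r + PAD;
      if (d >= min) continue;               // no overlap, nothing to resolve
      const push = (min - d) / 2;           // each bubble moves half the gap
      if (d === 0) { dy = 1; d = 1; }       // coincident: split vertically
      a.x -= (dx / d) * push; a.y -= (dy / d) * push;
      b.x += (dx / d) * push; b.y += (dy / d) * push;
    }
  }
}

function layout(clients, iterations = 300) {
  const nodes = makeNodes(clients);
  for (let i = 0; i < iterations; i++) tick(nodes);
  return nodes;
}

// Largest remaining overlap in pixels; negative means every pair is clear.
const maxOverlap = nodes => Math.max(...nodes.flatMap((a, i) =>
  nodes.slice(i + 1).map(b => a.r + b.r - Math.hypot(b.x - a.x, b.y - a.y))));

const SAMPLE = [  // constructed clients
  { name: "client-a", rs3: 350, assets: 100 },
  { name: "client-b", rs3: 800, assets: 400 },
  { name: "client-c", rs3: 800, assets: 25 },
];
```

Calling `layout(SAMPLE)` places the low-score client at the left of the chart, while the two clients with the same score settle side by side around their shared horizontal anchor instead of stacking on top of each other.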
The design was further enhanced through multiple iterations by our UI engineers considering implementation and usability constraints. Some of the major iterations were: (a) We revised the design to utilize more vertical space so users with different screen sizes can still see the same content since we believe vertical scrolling is more user-friendly than horizontal scrolling. (b) We addressed concerns such as scalability of vulnerability distribution bar chart and legibility for color blind users (Figure 6).
Figure 6: Vulnerability Distribution with RS3 Dial
Seeing All Through a Bird’s Eye View
The final bubble chart visualization (Figure 7) allows the 125 sample clients and their values to be legibly displayed all at once. Users get a bird’s eye view of how the groups clustered within the five different security score categories from low to high (300 to 850) in red, orange, yellow, green, and blue. Groups with low RS3 (high-risk groups) can be easily identified as well as the groups with large numbers of assets.
Figure 7: Bubble Chart Visualization
Figure 8: Tier-2 Pop-Ups
To get the tier-2 statistics for each group, end users can hover their mouse over each bubble and see details within (figure 8). The tier-2 statistics details are client name, RS3 score, no. of assets and high-risk assets.
Unveiling Actionable Intelligence
To reveal actionable intelligence from the overall bubble chart view, we allow end users to access Top Risks view (figure 9). The Top Risks view is a more granular representation showing top 5 high-risk clients, top 5 vulnerable hosts, top 5 vulnerabilities, top 5 malware, top 5 exploits, and top 5 vulnerable web applications across all clients. Based on the end user’s access level, the user can quickly identify high-risk assets across multiple clients and take appropriate actions.
Figure 9: Top Risks
From figure 9, it can also be noted that the rudimentary list view representation of Top Risks (in figure 1) has been enhanced to the distributed bubble chart. The top 5 risk clients can easily be identified from the Top Risks view where the bubble chart is pre-filtered to display the top 5 risks.
As next steps, we are working on representing client risk posture by industry domain. We are also exploring ways to compare tier-2 statistics (no. of high-risk assets, no. of high-risk web applications, etc.) across high-risk clients using this bubble chart visualization, which is currently one of its limitations.