What Makes for Effective Visualisation in Cyber Situational Awareness for Non-Expert Users?

As cyber threats continue to become more prevalent, there is a need to consider how best we can understand the cyber landscape when acting online, especially so for non-expert users. Satellite navigation systems provide the de facto standard for many modern day navigation tasks in the physical domain, so we consider the question of how one could navigate the online domain using similar concepts. In this paper, we study the design of a cyber sat nav for improving situational awareness of non-expert users. We focus on three core tasks: understanding where we are in cyber space, understanding how we got there, and understanding future states that we may traverse to. To support understanding, we explore the use of visualisation techniques to portray complex online activities in clear and engaging formats for non-expert users.


I. INTRODUCTION
In 1960, Licklider described Man-Computer Symbiosis, a symbiotic partnership between the human and the machine that would perform intellectual operations much more effectively than man alone can perform them; he spoke of a future time that nurtured a very close coupling between the human and the machine [16]. A few years later, in 1964, McLuhan, a Canadian professor, introduced the concept of the global village, a world interconnected by an electronic nervous system. McLuhan wrote about electronic media as the extension of man (i.e. the computer being an extension of our brain), about us shaping the computer (i.e. the tool) and then the tool shaping us [17]. Both men, visionaries of their time, described essentially what we are living through today. Indeed, the Internet revolution has made such a transformative shift to our modern lives that we are all still trying to make sense of it. With always-on Internet access, and smart devices integrating with our daily activities, we have more data than ever being communicated by these devices. However, what none of us envisioned is just how huge an impact technology would have on us as humans, and especially on our sense of privacy and personal security. In the real world, our human senses have evolved to pick up on sensory cues (colours, textures, sounds, distances, sizes, smells, shapes, and orientations of objects etc.) in a range of different physical domains: land, sea, air etc. Our senses ensure safe navigation through, and often existence within, these spaces, to such an extent that we can like something or be afraid/cautious of it before we know precisely what it is, and perhaps even without knowing what it is (i.e. automatic affective processing). However, in our newest domain, cyberspace, there is a feeling of placelessness which affects the way some people think, feel and behave as they move through and exist within the space; there is little sense of the cyberspace aesthetic and what affords personal privacy and security.
As the cyber security market thrives on the development of new technological protection mechanisms for a safe and secure cyberspace, we also believe that we need to make people more aware of what exactly is going on when they exist and interact online and, in doing so, to work towards giving them more sensible control of their own online privacy and security. The focus of this research is to improve the human factors of online security; to develop applications to support user online security behaviours and to nurture an effective information security culture on the internet. Indeed, the topic of the human dimensions of cyber security is one that is often overlooked, or at least considered on a limited basis, such as password security or how to evade e-mail phishing attempts. Are there other ways to better understand cyber security, and the mass volume of network activity that is constantly being carried out by a whole host of different electronic devices in our environments? How can we visually represent and understand this information, such that all users of cyber space can engage and learn from such details? How do we make it such that all users of cyber space want to engage with such detail and want to take control of their own privacy and security? How do we overcome the stigma of online security being 'boring' and something for 'other people' to deal with?
In this work, we consider the question of "what makes for effective visualisation in cyber situational awareness for non-expert users?". Traditional tools for capturing and analysing network activity, such as Wireshark, are clearly not designed for general users. Previously, we have developed tools for exploring and investigating network packet captures using interactive visualisation tools [13] [14]. However, for self-monitoring tools to be effective, there is a need for an engaging experience that encourages continual revisiting by the user. Interactive visualisation techniques have been widely used for network security visualisation and situational awareness, e.g., [3] [10] [12] [15] [11]. Traditional abstract visualisation techniques include the visual firewall by Lee et al. [12], and the spinning cube of potential doom for 3-dimensional visualisation by Lau [11]. Creese et al. use a 3-dimensional abstract visualisation for relating network activity to business processes [3]. Li et al. discuss the use of metaphors for depicting effective visualisations [15]. Adopting a metaphoric approach, Latvala et al. propose a 'muggle-friendly' network visualisation, using a fishtank metaphor to depict activity within a network. In this paper, we put forward possible design proposals for how 3-dimensional visualisation can be used to develop engaging and effective visualisation for home network monitoring. We build prototype tools to demonstrate these concepts, and perform a small user study to assess user perception of their effectiveness. As a contribution within this research, we pose the following questions:
• How can effective design help in the visualisation of cyber space for non-expert users?
• Beyond network packet capture tools and simple graph networks, are there other effective forms of visualisation that can convey network activity for users?
• To what extent can these forms of visualisation be engaging to promote repeated use, whilst also informative to protect users against potential cyber threats?

II. THE CYBERSPACE AESTHETIC
"When they power up their computers, launch a program, write e-mails, or browse a website, people often feel - consciously or subconsciously - that they are entering a place that is filled with a wide range of meanings and purposes" [1, p. 3]. Expressions like "travelling" or "going someplace" and spatial metaphors such as "worlds", "domains", "sites", "windows", or "rooms" are common in articulating online activities and, in doing so, strongly imply that sense of place [23]. Without a doubt, the evolution of web design - like the architectural style of a building - reflects the changing fashions, beliefs and technologies of the time [9], but the aesthetic of cyberspace as a place has always been very much driven by the technology. As Wu [7] highlights, "the Internet was never designed to be like a place. It was designed to be a multiple-use network, capable of supporting any kind of application anyone wanted to run on it. The metaphor and the technology never matched". However, as the internet continues to transform how we live our lives, we feel that it is important, more than ever, to ensure that we can make full sense and meaning of our existence and experiences within it. Mitchell [18] notes that because electronically mediated environments will increasingly affect one's well-being in numerous ways (i.e. people will not just look at them, they will be constantly present in them etc.), he feels that deliberate attention should be paid to the creation and design of such environments. As users of the internet, we need to be able to ground ourselves in this space and in doing so build up an appreciation for what is happening as connections and experiences online are being made. In their book, Mapping Cyberspace, Dodge & Kitchin [5] provide an eclectic compendium of cyberspace visualisations; they were focused on developing a comprehension of how it transforms, and creates new spatialities, spatial forms and space-time relations. It was for them very much about visually exploring the impacts of cyberspace on social, cultural, political and economic relations. Particularly for this research, it is about exploring effective ways of representing the cyberspace aesthetic to afford an understanding of its underlying network activity to ensure personal online safety for the everyday user. In the IEEE Global Initiative for Ethically Aligned Design, it is stated that: "Eudaimonia, as elucidated by Aristotle, is a practice that defines human wellbeing as the highest virtue for a society. Translated roughly as flourishing, the benefits of eudaimonia begin by conscious contemplation, where ethical considerations help us define how we wish to live" [8, p. 2]. In terms of cyberspace (and the visualisations of the cyberspace), aesthetics and aesthetic emotions can be powerful design drivers for influencing this understanding; aesthetics can connect dynamic form, social and ethical aspects and essentially can play a role in how we behave [21]. According to Leder et al. [6], the aesthetic experience involves both cognitive and affective processes and ranges from perceptual processes to measurable outputs in terms of aesthetic judgements and aesthetic emotions. These aesthetic emotions can encapsulate the knowledge emotions such as interest, confusion, and surprise; hostile emotions such as anger and disgust; and self-conscious emotions such as pride, shame, and embarrassment [22].
It is our opinion that aesthetics is crucial in helping us to develop a deeper and more 'felt' understanding of where we are in cyberspace, how we got there, and the future states that we may traverse to. In fact, the mapping of aesthetic attributes (i.e. colour, texture, tone etc.) to carefully chosen visual features can lead to a significant improvement in the visualisation's ability to engage its viewers, to support exploration, to encourage prolonged inspection, and to facilitate discovery of unexpected data characteristics and relationships [24]. If we refer back to the ancient Greeks, who deeply anchored the aesthetic experience around sensation, we can start to see it more deeply as the ability to receive stimulation from one or more of our five bodily senses. In 1934, Dewey [4, p. 45] described the aesthetic experience as an engaged interaction, the result of the interaction between the living organism and its environment: "every experience is the result of interaction between a live creature and some aspect of the world in which he lives". In Art and Engagement, Berleant [2] talks about three related characteristics of aesthetic engagement: continuity, perceptual integration and participation. For Berleant [2, p. 26]: "artists have been forcing us to realise that entering the world of art requires the active engagement of the total person and not just a subjective cast of mind". And it is not just about art: Porter [20, p. 1] talks about the aesthetics of life, that "aesthetics, in its most recurrent form, spells out the primary conditions of sentience and of meaning making in relation to the world and to life as it is lived".

III. USER ENGAGEMENT IN CYBERSPACE
Inspired by the advanced visual and functional achievements of the latest Sat Nav systems, yet disappointed by the lack of similar thinking for the navigation of cyberspace, the authors of this paper have started to explore the creation of an engaging Cyber Nav visualisation to monitor and support people's network activity. In order to do this, they affirm that it is important to keep a balance between the user's exploration of the internet and the visualisation's ability to support this exploration and to provide information without breaking a sense of flow through the experience. O'Toole [19] talks about three main functions: the modal function (to engage our attention and interest), the representational function (to convey information about reality) and the compositional function (to structure these into a coherent textual form). He believes that an artist has at his or her disposal various devices for engaging our attention, drawing us in to the world of the painting and colouring our view of that world [19]. In 2016, Legg proposed a system for capturing and visualising network activity, with a view to this informing non-expert users [13], [14]. Whilst informative and interactive, these 2D plots of a network environment do not fully satisfy the need to be engaging, appealing, and designed such that users will want to continually monitor activity. One of the core challenges in this work is to study what makes for an effective visualisation, such that it would encourage users to continually engage.
Pursuing a similar three-pronged approach to O'Toole [19], the first phase in the design process is deciding what data captured using Wireshark is relevant to the end-user and their safety. Wireshark, as mentioned previously, is a network protocol analyser, which lets the end user see what is happening on their network (i.e. what exactly is being sent over their network) as they are browsing and/or interacting online. With that being said, some of the network information extracted from Wireshark is difficult to understand without specific computer network knowledge. Therefore, as designers we need to consider what captured data (i.e. time of packet, source, destination, protocols used and other information about the packet) is relevant, of importance and accessible to the everyday end-user and their safety online.
The second phase is then visualising this data in such a way that it will empower the user with the intuition to keep safe (i.e. to sense harm) whilst they are navigating online. This research explores both 2D and 3D planar graphical spaces to provide a degree of structure and understanding to the design of the data captured during a user's network activity. Utilising Unity, a cross-platform game engine that is used here as a data visualisation tool, it explores abstract, realistic and metaphoric forms of presentation. As table I highlights, the different forms of the visualisation have very distinct characteristics. The aim of this research is to explore which kind of visualisation may be the most useful in building an understanding of the cyber landscape, which form is most likely to give the non-expert user some insights into their network data and finally which form is most aesthetically woven into a narrative to afford personal safety.
The third phase of the process is in designing for the most basic components of these visualisations (i.e. the aesthetic elements that people are attracted to, sense, notice and think about). The emphasis is on visual engagement, being drawn in and involved in what is happening. For example, as we start to link data (i.e. source IP address etc.) to a visual object, we need to take on board the design of not only the objects but also the composition of the objects (i.e. how the different visual units will work together etc.). The visual units all have the potential to carry important clues about what the objects portrayed are doing and what impressions they are creating by doing so (i.e. the size of the objects, the texture of the connections between them, the tone of the light, the colour of the fire etc.).
In addition, identifying what is normal in the network activity, in order to be able to detect what is not normal (i.e. a change), proved crucial to the development of all visualisations. Both an observation-based approach (what has happened in the last ten lines of network activity etc.) and a time-based approach (i.e. ten packets sent or received per minute) were considered. In terms of the visualisation, once we can confirm a normal benchmark or patterns of normality, we can then determine when something not normal occurs. This statistical information will enable us to then design for that change. For example, if three times the normal number of packets is sent to an IP address then something is not right. In terms of the end-user, if they see lots of lights, envelopes or cars going to a sphere, laptop or building and then that object goes on fire, then it is felt that they will naturally start to sense or make correlations between lots of activity (lots of packets being received) and something amiss.
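The two baselining approaches described above can be sketched as follows. This is an added example, not code from the paper's prototype: the function names, the (time, source, destination) tuple layout, the median baseline and the constructed sample capture are assumptions; only the threefold threshold comes from the text.

```python
from collections import Counter, defaultdict, deque
from statistics import median

FACTOR = 3  # "three times the normal number of packets" from the text


def constructed_capture():
    """Constructed sample, not real traffic: five ordinary minutes, then a
    burst to one destination. Rows are (seconds, source, destination)."""
    src, site_a, site_b = "192.0.2.20", "198.51.100.10", "203.0.113.5"
    packets = []
    for minute in range(6):
        dsts = [site_a] * 9 + [site_b] * (12 if minute == 5 else 1)
        for k, dst in enumerate(dsts):
            packets.append((60 * minute + 2 * k, src, dst))
    return packets


def time_based_alerts(packets, min_history=3):
    """Time-based approach: flag (minute, destination) pairs whose packet
    count is at least FACTOR times the destination's median count over
    the earlier minutes that carried traffic."""
    per_minute = defaultdict(Counter)
    for t, _src, dst in packets:
        per_minute[int(t // 60)][dst] += 1

    alerts = []
    minutes = sorted(per_minute)
    for i, minute in enumerate(minutes):
        earlier = minutes[:i]
        if len(earlier) < min_history:
            continue  # too little history to call anything "normal"
        for dst, count in sorted(per_minute[minute].items()):
            baseline = median(per_minute[m][dst] for m in earlier)
            if baseline > 0 and count >= FACTOR * baseline:
                alerts.append((minute, dst, count, baseline))
    return alerts


def observation_based_alerts(packets, window=10):
    """Observation-based approach: look at the last `window` packets and
    flag a destination when its count there is at least FACTOR times what
    its share of all earlier traffic would predict."""
    recent = deque()      # destinations of the last `window` packets
    in_window = Counter()
    history = Counter()   # packets that have already left the window
    seen = 0              # total number of packets in `history`
    flagged = []
    for _t, _src, dst in packets:
        recent.append(dst)
        in_window[dst] += 1
        if len(recent) > window:
            old = recent.popleft()
            in_window[old] -= 1
            history[old] += 1
            seen += 1
        if seen < window:
            continue  # baseline not yet established
        expected = window * history[dst] / seen
        if expected > 0 and in_window[dst] >= FACTOR * expected:
            if dst not in flagged:
                flagged.append(dst)
    return flagged


if __name__ == "__main__":
    capture = constructed_capture()
    print("time-based:", time_based_alerts(capture))
    print("observation-based:", observation_based_alerts(capture))
```

Destinations with no earlier traffic have a baseline of zero and are skipped by both functions, so a first-ever contact would need its own rule.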

IV. DESIGNING FOR ENGAGEMENT IN CYBER SITUATIONAL AWARENESS
The early prototype development was concerned with getting the network data efficiently into the Unity system. It also explored what the Unity system and its functionality enabled us to do with the presentation of the data once it was in. For example, the baked lighting effect was initially explored to represent the space more clearly; light is an aesthetic consideration that can influence the ambience and feel of a visualisation. The lighting of a space can affect us on both a cognitive and affective level (i.e. sinister shadows can give the impression something bad will happen whilst soft lighting can be warmer and more welcoming etc.). It is these considerations that have the power to draw the user's sense making (i.e. feelings, thoughts, intuitions, memories etc.) and the meaning or message from the data together. Following this, the next step involved making sense of how the network traffic traversed from source to destination in all three visualisations.

A. Abstract Visualisation
To initially make sense of the Wireshark network data, abstract shapes such as spheres (i.e. nodes) were found to most fluently represent all source and destination IP addresses; lines (i.e. edges) were used to represent the connections between these. A key issue when visualising any network activity is scalability. As the number of IP addresses, and hence the number of spheres, increases, most graphical views can become difficult to read and understand; hence, it is important to design and calculate to ensure that all the spheres and lines are clearly visible. The goal of the abstract visualisation is to explore the 3D space to enable many thousands of IP addresses (if required) to be visualised meaningfully. In order to achieve this, absolute positioning of the IP addresses (represented by simple spheres) has been considered. By mapping the first three octets of the IP address to an XYZ coordinate system, the aim is to specify each sphere (node) uniquely yet clearly in the 3D space. Following this, we needed to make sense of how the network traffic traversed from source to destination. How do we create the illusion of something being sent from one sphere to another? Initial designs explored a simple light aesthetic being moved across the line to give the illusion of the passage of something from one sphere to another (see figure 1).
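An added example (not the authors' Unity code) of the absolute positioning described above, using the two sample addresses that appear later in the paper. It also shows a consequence of using only three octets: hosts in the same /24 land on the same point, so the fourth-octet ring offset, the cube size and all function names here are assumptions.

```python
import ipaddress
import math
from collections import defaultdict

CUBE = 100.0        # side length of the scene volume (assumed units)
STEP = CUBE / 255   # spacing between neighbouring octet values on an axis

# Constructed input: the paper's two example addresses, one other host,
# and two entries that are not IPv4 addresses.
SAMPLE = ["172.168.55.1", "172.168.55.2", "203.0.113.5",
          "2001:db8::1", "not-an-ip"]


def absolute_position(ip):
    """Map the first three octets of an IPv4 address to (x, y, z)."""
    octets = ipaddress.IPv4Address(ip).packed  # raises on non-IPv4 input
    return tuple(round(o * STEP, 3) for o in octets[:3])


def place_nodes(ips):
    """Return (positions, shared, rejected).

    positions: {ip: (x, y, z)} with one distinct point per address
    shared:    {anchor: [ips]} for anchors claimed by more than one host
    rejected:  inputs that are not valid IPv4 addresses
    """
    groups, rejected = defaultdict(list), []
    for ip in dict.fromkeys(ips):  # drop duplicates, keep order
        try:
            groups[absolute_position(ip)].append(ip)
        except ipaddress.AddressValueError:
            rejected.append(ip)

    positions = {}
    for (x, y, z), members in groups.items():
        if len(members) == 1:
            positions[members[0]] = (x, y, z)
            continue
        # Assumption: separate hosts of one /24 on a small ring around the
        # shared anchor, angle chosen by the fourth octet. The radius stays
        # below half of STEP so rings of adjacent /24s cannot overlap.
        radius = 0.4 * STEP
        for ip in members:
            host = ipaddress.IPv4Address(ip).packed[3]
            angle = 2 * math.pi * host / 256
            positions[ip] = (x + radius * math.cos(angle),
                             y + radius * math.sin(angle),
                             z)
    shared = {anchor: m for anchor, m in groups.items() if len(m) > 1}
    return positions, shared, rejected


if __name__ == "__main__":
    positions, shared, rejected = place_nodes(SAMPLE)
    for ip, xyz in positions.items():
        print(ip, tuple(round(c, 3) for c in xyz))
    print("shared anchors:", shared)
    print("rejected:", rejected)
```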

B. Realistic Visualisation
The realistic version takes a different approach by localising the visualisation of the network activity in a 2D space and to the objects that the everyday user is familiar with whilst interacting online.
The visualisation draws upon the real life scenario and how the internet is experienced in everyday life; it allows the end user to picture not only what they can readily see (laptops and printers etc.) but also the things that are not visible (the packets moving between these devices). In doing so, the aim is to enhance the understanding of what is actually happening. In order to achieve this on a 2D plane, relative positioning of the laptops, considering both the network and host portions of the IP address and the distance between them, is needed. For example, several devices in one house (sharing the same network) can be positioned together whilst, in relation to these devices, other devices on a different network are positioned further away.

C. Metaphoric Visualisation
In terms of fully harnessing the benefits of the visual metaphor, the motivation behind this visualisation lies in the concept of placelessness and the lack of a sense of place in the cyber landscape. The goal is to design and build a place with a strong community feel that users can fully relate to. To achieve this, it is necessary to think carefully about the visual units and the meaning and impact of these for each other as well as the end-user. What would the community look and feel like and mean for the end-user? How do we pitch it at a level that they can intuitively sense what is happening? For example, what if all the buildings represented specific entities (i.e. shops, banks, library, school etc.) in a community? What building would be most visited? If a car moves from a source building to a destination building, what could this show or tell the end-user about the network and its activity? Mapping this train of thought across to the online community, what would the most visited building be? Would it be the YouTube building? Or the Google building? What colour or form would the car take? By perceiving the data objects in a carefully arranged and organised picture space, the viewer is able to piece together the whole story. For example, in terms of the metaphoric version, it is important for the composition to consider the positioning of each IP address in order to create a convincing layout in the 2D space.
Inspired by the hierarchical structure of the M25 motorway and the road networks that intersect it (see figure 2), it was decided to again use relative positioning to map the four octets of the IP address (e.g. 172.168.55.1 and 172.168.55.2) to the hierarchical system of the road network. In line with some collective thinking, discussions also emerged around the network's behaviour and the scalability of the visualisation. For example, how do we visualise a building with lots of cars in it? An idea was explored to add a new block to the building every time a set number of cars reached it. In aesthetic detail, mapping a new texture with lighted windows, as opposed to black windows, to the new block was also considered. Figures 3, 4 and 5 highlight the evolution of the metaphor design.

V. EXPERIMENTATION
We conducted a small user study with fifteen participants at Cardiff Metropolitan University during the UK spring semester of 2019. The study aimed to better understand participants' thoughts on online communications (i.e. whether they are currently monitoring their online activities, or whether they would do so in the future) as well as to probe their impressions and understanding of different network visualisations. All participants (one female and fourteen males) were in the 17-55 age category, with a general interest in computing but not necessarily expert in the field of computer networking. The study was conducted using the Qualtrics online survey software and was approved by the Ethics Board at Cardiff Metropolitan University.
The initial questions asked of participants included: Do you currently monitor or track the online activities of your personal devices? If yes, how do you do this? If no, why not? For various reasons (mainly lack of knowledge, lack of understanding, laziness, lack of resources etc.), nine participants clearly stated that they do not. In contrast, the majority of participants then went on to say that they felt that it is beneficial for users to know, monitor and track the online activities of their personal electronic devices (see figure 6). Moreover, when asked to rate (1% = not very important and 100% = extremely important) how important it is to protect their online personal privacy, eleven out of the fifteen participants clearly indicated that it was extremely important (100%). It is also evident from the data that the majority of participants felt that it is important to keep their online activity safe and secure, with eight participants indicating that it was extremely important (100% rating). In terms of the importance of knowing how devices communicate online, one participant said it was extremely important whilst four rated it over 80% important; the remaining nine were mostly 50% and over (two participants rated it under 40% important). When asked to gauge how important it is to have control over how their devices communicate online, three participants recorded that it was extremely important (100%) whilst six participants rated it between 80% and 90%.
Interestingly, few had heard of the term Cyber Situational Awareness; however, when asked to describe it, they provided the following detail:
• "Being aware of what you do online"
• "The awareness of online safety"
• "A person's awareness to their cyber security"
• "Being aware of security risks online"
• "Your awareness of what data an app/website has access to about you"
• "Being sensitive to your surroundings whilst using the internet, and understanding how features and functions work."
Generally, it can be concluded that the majority of participants value their online network activity and its security (eleven participants gave the highest rating of five stars (100%) whilst the remaining participants chose a score of four (80%)). In addition, when asked how much they value the ability to control and monitor their online privacy and security, five participants gave a score of five (100%) whilst five others gave a slightly lower rating of four (80%). It seems probable from the data analysed that users report this due to the lack of knowledge and tools being available to experiment with and see what studying their personal activity would look like.
After the first set of questions, participants were then presented with three visualisations: abstract, realistic and metaphor (see table I), and asked to complete another set of questions. In relation to the abstract visualisation, when asked "how interesting or engaging do you believe this visualisation to be?", many participants clearly did not find the abstract version engaging. Some of their comments included the following:
• "Not very"
• "It doesn't look too engaging in my own personal beliefs"
• "it's okay but the information doesn't seem clear enough"
• "It is overwhelming at first, but with the required knowledge it is understandable"
• "I don't find it interesting or engaging as I don't understand what I am looking at. All I can understand from this is that there are connecting points which I believe to be either devices on a network or something close but from that I don't know what it represents and it doesn't pique my interest."
• "It's rather plain and un-engaging when it displays just the IP information, converting that information into something an average user can understand would be helpful to a user. For instance rather than the IP address say 'You connected to X server' maybe."
• "Not particularly engaging, the nodes appear very abstract and therefore not too engaging"
• "Quite interesting"
In most cases, the participants felt that the realistic version was a more engaging visualisation than the abstract version:
• "A little better"
• "Interesting, because it shows laptops"
• "It seems a bit better"
• "Engaging"
• "Having computers instead of points is better, less confusing."
• "I find it more interesting as I can relate it to the real world and understand it"
• "This is better than the last. It shows a small network of PCs and their IP addresses."
• "I don't understand without explanation"
However, the majority of participants did find the metaphor version most engaging:
• "Better"
• "More interesting than the last"
• "It's more interesting than the last two"
• "It is interesting and engages my interest but it doesn't make things clear apart from that the network is much larger in this image."
• "Interesting more complex"
• "Interesting and engaging larger view."
• "Very interesting."
• "This is quite engaging, as it shows data transfer is a real world abstraction"
Moreover, when asked "how informative or useful do you believe this visualisation to be?", participants again found the metaphor version to be the most informative:
• "Quite. It shows the different networks with a helpful analogy"
• "Very useful as it's closer to what people are used to"
• "It's a simpler way of explaining how data moves between devices."
• "It is useful in combination with the other images as it helps with scaling the idea of a network."
• "Better idea of where information is going"
When questioned on how they would describe the visualisation to a non-expert user, the metaphor version, again, seems to clearly allow participants more tangibility in building their understanding:
• "Cars are data, the buildings are devices"
• "The cars are data, the buildings are devices/inner networks."
• "This is a wider network of buildings connecting to a wider network"
• "A visualization of connections on a city wide scale?"
• "A series of packets represented as cars travelling between nodes on a network"
The abstract and realistic versions were more difficult to decipher. Many participants described these experiences as complex, with little information and explanation. In conclusion, when asked to rank the three visualisations in order of preference (i.e. 1 = most preferred and 3 = least preferred), the data shows that thirteen participants preferred the metaphor version. Moreover, figure 7 highlights that participants clearly feel that the metaphor visualisation can show useful information about their network activity. Importantly, when asked to rank the visualisations in order of what they feel would be the most effective in helping the average public (i.e. your parents etc.) to monitor and track their own online network activity, ten participants noted the metaphor version could successfully achieve this.

VI. CONCLUSIONS
In this paper, we have discussed the issue of how to improve security awareness for online communications, through the use of visualisation techniques. We argue the need to re-think how we act online, and how we treat this online environment in relation to our own physical surroundings. We present three forms of visualisation to convey cyberspace (and enhance the understanding of where we are, how we got there, and future states that we may traverse to) for non-expert users: abstract, realistic, and metaphoric. We conduct a small user study to gauge opinions of how users engage and assess their online communications. Generally, users do not concern themselves with the detail of how communications are made; however, they would perhaps consider this more if better tools were available to support this activity. Users seem generally interested in the proposal of visualisation techniques for observing activity, akin to the notion of health tracking apps and screen time apps that have recently come to be. Users stated that they preferred the metaphoric concept due to having a greater engaging feeling, and one that they would want to revisit, a crucial factor in terms of continual self-monitoring of activity. Our future work will explore the practicalities of how such visualisation and monitoring tools can be better integrated with the process of acting within cyberspace. This will need to consider both retrospective and real-time observation of activity, whilst also enabling users to carry out their intended activities. Understanding how, when and why our devices communicate is crucial so that we can become better aware, better informed, and better protected, as technology becomes further ingrained as part of modern day society.

Fig. 1. Early prototype designs for abstract version in Unity.

Fig. 2. Relative Positioning of houses, buildings, IP addresses based on road network.

Fig. 6. Top word frequencies to highlight if participants thought it would be beneficial for users to know/monitor/track the online activities of their personal electronic devices.

Fig. 7. Answers to Question: I feel that this type of visualisation can extend my understanding of my network activity.