If a picture is worth ten thousand words, it follows that an ugly picture is worth ten thousand ugly words. With information security graphics, clarity, taste, and restraint can help ensure that an analyst's graphically conveyed magnum opus beautifully expresses the story he or she intended.
You can keep your information graphics lean, trim, and elegant by following six basic principles:
- It is about the data, not the design. Resist urges to add shiny backgrounds and decoration, or anything else that detracts from the data.
- Just say no to 3-D. Fake depth distracts the reader. Unless you are a NASA scientist trying to visualize global warming, you do not need it.
- Do not go off to meet the wizard. If using Excel, prepare for radical surgery after clicking Done.
- Erase, erase, erase. Get rid of all grids, tick marks, shadows, and superfluous plot frames. Not all data points require labels. For cross-sectional charts, sorting the data works better than labeling every point.
- Reconsider Technicolor. Mute the colors, or use a monochrome palette.
- Label honestly and without contortions. Pick a meaningful title that summarizes the exhibit, label units of measure clearly, use consistent fonts of the same size, cite the data source, and avoid abbreviations. Chart legends should stay as close to the data as possible; consider eliminating them in favor of on-chart annotations.
Good charts never bury the lead. If the interesting data from the chart are not intuitively obvious, redraw the chart. If the reader cannot figure out a chart without reading the surrounding narrative, it is a bad chart.
The analyst's graphical toolbag includes a wide variety of exhibit formats, each of which has strengths and weaknesses, depending on the nature of the data and the intended message. These formats include:
- Stacked bar charts, which show the contribution of each data series over multiple time periods to an absolute total. Stacked bar charts can also be "normalized" to show each series' relative contribution on a percentage basis.
- Waterfall charts, which show how multiple categories accumulate to form an overall total, generally for a single period. Waterfall charts are not especially dense but can make for effective management presentation formats because of their association with consulting.
- Time series charts, which show how one or more series vary over a given time interval: hours, months, quarters, or years.
- Indexed time series charts, which express each data point as a multiple of its starting value. Typically, the starting points are normalized to a value of 100. Indexed time charts work well for analyzing relative, rather than absolute, performance over time for a group of comparable series.
- Quartile time series charts, which plot quartile values for a data series over time. Typically, quartile charts plot three series: the median values, the values separating the first and second quartiles, and the values separating the third from the fourth.
- Bivariate charts, which show how two variables behave relative to one another. These charts can help analysts understand relationships between pairs of variables, such as potential cause-and-effect relationships. A variation on the bivariate chart, the two-period bivariate chart, resembles a basketball chalkboard diagram and helps viewers understand period-to-period changes in relationships.
- Small multiples, which plot several identical charts on the same canvas, allowing the eye to quickly sweep back and forth across the exhibit, looking for patterns, similarities, and differences. The axis scales remain constant, but the cross sections change from chart to chart. Small multiples are one of the most powerful ways to visualize cross-sectional data.
- Quartile-plot small multiples, which combine the comparative power of small multiples with the insights of quartile analyses. Particularly popular in management consulting circles, this chart format visually isolates factors that separate the best and worst performers.
- Two-by-two matrices, which extend the bivariate plot by grouping results into quadrants. Another favorite of management consultants, the 2×2 matrix enables an analyst to frame the terms of debate by categorizing and naming the results sets: for example, "quick hits," "strategic initiatives," "discretionary fix," and "bear risk."
- Period-share charts, which plot winners and losers over two successive periods in a square plot. Winners who increase share appear above the diagonal; losers fall below it. Period-share charts work best when the number of participants does not exceed fifteen and where plot positions are dispersed.
- Pareto charts, which present as a bar graph a range of sorted values from largest to smallest. On a secondary axis, a line plot shows how the cumulative addition of values converges on 100%. Pareto charts help analysts understand whether a data set follows the 80/20 rule.
- Tables, which show data values in a familiar grid layout. Small splashes of color and careful use of icons, such as those familiar to readers of Consumer Reports, can enhance table readability.
- Treemaps, which show hierarchical relationships in data sets as a series of recursive rectangles. The relative size or percentage of each data point determines the rectangle's size. Importance or criticality determines the rectangle's color saturation; "hot" items appear more saturated.
With all these exhibit formats to choose from, analysts may sometimes find that choosing the right format is not always easy. Analysts should always question the exhibit format when the complexity of the underlying message exceeds the chart's ability to communicate it faithfully. Dig deeper for richer, more relevant data to answer key questions, and use iterative revisions to zero in on the right design for the exhibit.
In the last few chapters, we have discussed what metrics to get ("Diagnosing Problems and Measuring Technical Security," "Measuring Program Effectiveness"), what to do with them once we've got them ("Analysis Techniques"), and how to show them off to their best effect (this chapter). But so far, we have furiously waved our hands over the "getting" part.
I shall wave my hands no longer. Next up is Chapter 7, "Automating Metrics Calculations," which shows you how to obtain and transform raw data from sources such as firewalls, antivirus logs, and third-party reports.