This blog was written by Barbara Kay.
The first of a two-part series
For some reason, elephants figure frequently in our conversations – “seeing different parts of the elephant”, “memory like an elephant,” and now, “eating an elephant.” This phrase, definitely meant as an analogy, expresses the lengthy, enormous, and daunting task that our development team faced in reimagining the user experience in our McAfee Enterprise Security Manager (ESM) SIEM solution. To succeed, they needed a vision, strategy, and plan.
First, a vision. In the last few years, driven by increasingly complex incidents, the security operations mantra has shifted to real-time analysis coupled with individual and team efficiency. Countless research studies document the shortage of skilled security analysts and researchers. Time clearly needed to be a part of the vision.
But for the user experience team, productivity isn’t just about elapsed time. It also includes the cognitive workload that can subtly wear down and exhaust the analyst. You probably experience cognitive overload today. You walk from the kitchen into the bedroom and stand there wondering why you came in. This is true when we move between physical rooms, and it’s true when we move between virtual rooms, such as in a video game or user interface. In this context switch, it turns out we are 2-3 times more likely to forget! And it gets worse. This memory lapse is aggravated if you are sleep deprived or over-stressed, like new parents, air traffic controllers, and security analysts.
Once we hit our cognitive threshold, we have only emotion to fall back on. So the typical analyst has faulty memory plus frustration. This combination makes for poor security decisions. It is why we design for “high context” UIs. We are striving for one room with all the relevant data so the analyst can focus on making good decisions.
From a design perspective, here are some specific cognitive workload tests:
- The “data fragmentation” load: How much data does the user have to keep in his memory as he changes screens, modes, and tasks, or retain over a series of tasks?
- The “navigation” burden: How many times does the user traverse up and down task flows and screens in pursuit of a task?
- The “mind-numbing” factor: How many times does that task need to be repeated per hour/day/week?
- The “clutter” factor: How much data is displayed all at once? How hard is it to identify and navigate relationships?
Instead of simply looking at faster functioning of the same processes, we wanted to reduce the cognitive burden of the user – to keep them as effective as possible for as many hours of their day as possible. This “save time, save mental energy” approach formed the core of our vision. Our logic was this: Anything we could do to improve their productivity and enhance concentration would pay off in speed of results, capacity of analysts, and quality of life for them and their management team.
Next, a strategy. As the epicenter of security operations, a SIEM is a complex animal, and the UI and user design can mask or multiply this complexity. The graphic gives you an idea of the scope of this effort, the first and second level nodes in the ESM 9.X user interface. Every node has multiple screens under it.
Lots to do, clearly, but where could we best affect time spent? After dozens of site visits and in-depth, interactive usage interviews, we discovered more than half of the users were security operations, and another 29% were Infrastructure Operations. Given these day-to-day jobs, the majority of user time is spent in analysis and research.