Security Metrics: Replacing Fear, Uncertainty, and Doubt

In this chapter excerpt from "Security Metrics: Replacing Fear, Uncertainty and Doubt," author Andrew Jaquith reveals ways to present security data in a clean and elegant manner.

The following is an excerpt from the book Security Metrics: Replacing Fear, Uncertainty, and Doubt. In this section of Chapter 6: Visualization (.pdf), author Andrew Jaquith explains how security professionals can present their hard-won data in a clean and elegant manner.

I have never understood the fascination with three-dimensional pie and bar charts. I am continually astounded at how otherwise respectable security software companies insist on shipping reporting modules that sport ridiculous, gratuitous 3-D graphics. Unless your professional duties include preparing exhibits for the Department of Energy's nuclear weapons simulation program, few conceivable data sets genuinely merit a 3-D exhibit. Simple, clean, "flat" charts make the same points a faux 3-D chart does, but with less ink. Certainly, ordinary bar charts and pie charts do not require them; the artificial depth only distracts the viewer from the data.

Recent versions of Microsoft's ubiquitous Excel spreadsheet software allow users to add photographs and flashy wallpapers to the backgrounds of charts or to the colored portions of area charts. Avoid these unless the exhibit serves some theatrical purpose. For example, a flashy photo background might feel right at home as part of a sales-oriented slide deck containing scads of music and the obligatory slide transitions. Nobody will take the exhibit seriously anyway, so the extra flash will not matter. But for situations in which the presenter intends to inform, persuade, or present results of analyses, charts should use white or translucent backgrounds and should omit 3-D.

Thanks to the profusion of "wizards," "assistants," talking paper clips, and other assorted digital menservants, modern desktop applications have made it easier than ever to create incredibly busy and tasteless graphics. It is helpful that Excel's wizards speed users through the process of selecting data series, titling charts, and labeling axes. However, the results disgorged at the end are, at best, overeager. Even the humblest line chart is festooned with a Technicolor palette, distracting axis tick marks, unnecessary grid lines, and a drab gray background. All these aspects distract the reader from the data.

An additional downside is that Excel's default layout wizards produce a particular, immediately recognizable style, one that screams "amateur"! (For me, spotting Excel punters is an admittedly snobbish, and slightly guilty, pleasure.) Use digital menservants carefully, and only as a starting point for exhibits. Generally speaking, graphics created for all but the most casual personal uses require cleanup.

Most charts produced by desktop software default settings contain a profusion of superfluous ticks, grid lines, plot frames, and chart frames. There is a good reason why most mainstream business publications use them sparingly: they look clumsy, and they distract attention from the data. You can eliminate all these ornaments without losing any meaning. In fact, your chart will look cleaner as a result.

Security Metrics: Replacing Fear, Uncertainty, and Doubt

Author: Andrew Jaquith

336 pages; $49.99

The general rule: if you do not need it, erase it. Start getting into the habit of eliminating the tick marks immediately after creating a chart. Generally this involves formatting the axes with "No major tick marks" and "No minor tick marks." Likewise, eliminate the plot frame and chart frame by formatting each with "No border." These are not needed; the axis lines provide all the framing the chart needs. For bar charts, eliminate the enclosing borders for the bars; the bars themselves provide all the information needed. Grid lines are trickier. Although I usually erase them, they do have appropriate uses.

For sparse exhibits in which subtle comparisons are neither possible nor desirable, omitting the grid eliminates visual noise without sacrificing readability. For dense exhibits containing large data series, however, muted grid lines help readers compare individual data points. When using grid lines, always draw them in a light color (20 to 25% gray) or in black as sparse dots. They should not intrude on the data and should sit in the background.

In fact, other than those required to plot the data, good charts contain no lines other than the x- and y-axes, and (perhaps) some muted grid lines. Even the axis lines can be muted further: try choosing a thin line (1-point) and softer color (50% gray). The cumulative effect of these erasures results in a crisp chart with few distracting lines. Although my recommendations may seem Spartan—severe, even—the results are worth it.

Make no mistake—when used judiciously and appropriately, color can add tremendous depth and richness to charts and graphs. The eye's ability to make sense of, and discern between, wide ranges of colors is one of the great wonders of the human physiognomy. It is what enables us to discern objects in our peripheral vision or spot a blazer-wearing deer hunter from a long distance.

Tufte has previously noted that small, saturated spots of color are often the best way to draw attention to key points or to outliers in data sets. By that rationale, it stands to reason that many large swatches of saturated color are almost certainly overwhelming to the human eye.

In that light, the default Technicolor palette for Excel charts is less than ideal; the colors are far too saturated for most uses. The default palette includes Lemon Pledge Yellow, Kermit the Frog Green, Ticket-Me-First Red, and Cobalt Blue. For charts with multiple data series, that is quite an eyesore.

To prevent your exhibits from looking like an irradiated piece of luggage as it goes through an airport metal detector, consider these two suggestions:

  • Mute the color palette. Reds, blues, greens—beautiful colors, all. But they need not saturate the screen. Consider replacing red with burgundy, blue with navy, and "Kermit" green with hunter or forest green. Readers will thank you for it; their eyes will relax rather than twitch. That said, if you need to emphasize a particular data point or series, use a small, focused swatch of saturated color.

  • Use a monochromatic palette. An alternative to a less saturated palette is one that uses only black, white, and shades of gray. Monochromatic palettes work well when the target output device cannot be guaranteed, and when the number of data series is about five or less. A reasonable monochromatic palette includes white (with a black border), 20/25% gray, 50% gray, 75% gray, and black. Use pure colors; avoid fill patterns because they tend to "vibrate." On a related note, because photocopies of good exhibits (like the ones you will produce after reading this book!) tend to proliferate mysteriously into unforeseen hands, get into the habit of printing all exhibits in black and white first, before finalizing designs. By "proofing" exhibits this way, you can catch potential reproduction problems before they become an issue.

    While I'm on the subject of color, be careful with yellow. There is nothing intrinsically wrong with yellow, but it tends to wash out in printed work and presentations. Use it as a "highlighter pen" accent color, but not as a data series color unless the background is very dark.
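
The erasure rules and the monochromatic palette described above, applied together in an added example that is not from the book: a standard-library Python script that draws a grouped bar chart as SVG rather than in Excel. The function names, the SVG layout, and the sample findings data are assumptions constructed for illustration.

```python
from xml.sax.saxutils import escape

def gray(pct_black):
    """Hex colour for an N% gray (0 = white, 100 = black)."""
    v = round(255 * (100 - pct_black) / 100)
    return f"#{v:02x}{v:02x}{v:02x}"

# Monochromatic palette from the text: white, 20% gray, 50% gray, 75% gray, black.
MONO = [gray(0), gray(20), gray(50), gray(75), gray(100)]

def bar_chart_svg(categories, series, grid=False, width=480, height=240):
    """Grouped bar chart as SVG: white background, no ticks, no frames."""
    if len(series) > len(MONO):
        raise ValueError("monochrome palette supports about five series")
    left, bottom, top = 40, height - 30, 20
    peak = max(max(vals) for vals in series.values())
    scale = (bottom - top) / peak
    out = [f'<svg xmlns="http://www.w3.org/2000/svg" width="{width}" height="{height}">',
           f'<rect width="{width}" height="{height}" fill="#ffffff"/>']
    if grid:  # muted grid for dense exhibits only: 20% gray, drawn behind the data
        for i in range(1, 5):
            y = bottom - (bottom - top) * i / 4
            out.append(f'<line class="grid" x1="{left}" x2="{width - 10}" y1="{y:.1f}" y2="{y:.1f}" stroke="{gray(20)}" stroke-width="0.5"/>')
    slot = (width - left - 10) / len(categories)
    bar_w = slot * 0.8 / len(series)
    for s, (name, vals) in enumerate(series.items()):
        # Only the white fill keeps a black border; every other bar has none.
        stroke = gray(100) if MONO[s] == gray(0) else "none"
        for c, v in enumerate(vals):
            x = left + c * slot + slot * 0.1 + s * bar_w
            out.append(f'<rect class="bar" x="{x:.1f}" y="{bottom - v * scale:.1f}" width="{bar_w:.1f}" height="{v * scale:.1f}" fill="{MONO[s]}" stroke="{stroke}"><title>{escape(name)}</title></rect>')
    for c, label in enumerate(categories):
        out.append(f'<text x="{left + (c + 0.5) * slot:.1f}" y="{bottom + 16}" text-anchor="middle" font-size="11">{escape(label)}</text>')
    # The only structural lines: thin (1-point), 50% gray x- and y-axes.
    out.append(f'<path class="axis" d="M{left},{top} V{bottom} H{width - 10}" fill="none" stroke="{gray(50)}" stroke-width="1"/>')
    out.append("</svg>")
    return "\n".join(out)

# Constructed sample data: open findings per quarter, by severity.
QUARTERS = ["Q1", "Q2", "Q3", "Q4"]
FINDINGS = {"Low": [40, 36, 30, 22], "Medium": [25, 27, 18, 15], "High": [9, 7, 8, 3]}

if __name__ == "__main__":
    with open("findings.svg", "w") as fh:
        fh.write(bar_chart_svg(QUARTERS, FINDINGS))
```

Because the palette is pure black, white, and gray, the output doubles as the black-and-white proof the text recommends; pass `grid=True` only for dense exhibits.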

    Reproduced from the book Security Metrics: Replacing Fear, Uncertainty, and Doubt. Copyright © [2007], Addison Wesley Professional. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other users.

  • This was last published in July 2007
