Crush Your Data with ViC 2 ES Then CHISSL Away

Insider Threat Detection is one of the greatest challenges for organizational cybersecurity [2]. In this paper, we designed and evaluated visually compressed cyber event sequence (ViC 2 ES) to assist analysts with building mental models about user activity for Insider Threat Detection. Our visualizations, which show user activity on a daily level, are purpose-built to be embedded in our in-house active learning tool called "CHISSL." [3], [4] We explored different visual compression techniques with binning or run length encoding, resulting in four unique designs built upon the same icon array presentation. We evaluated these four designs for both low-level and high-level tasks in two experiments: in Experiment I, participants performed perceptual tasks such as selecting the most and least similar activities for each of the designs; in Experiment II, participants used one of the designs in CHISSL for eleven reasoning tasks. The results suggest that participants preferred the high level of aggregation, but made the fewest errors with the low level of aggregation; they were able to interact with CHISSL and accomplish the tasks using both designs. We believe our aggregated designs are effective regarding both task performance and screen space; the high and low levels of aggregation designs are valid for user activity modeling.