Heuristic Evaluation of Vulnerability Risk Management Leaders' Presentations of Cyber Threat and Cyber Risk

This work is an initial investigation into the way cybersecurity companies convey the concept of cyber-related threat and/or cyber-related risk to their clients. We survey the current cybersecurity business landscape and examine product outputs from a select group of companies identified by the analyst firm Forrester [24] as leading providers of vulnerability risk management services. Of specific interest are those tools/products that reflect a cybersecurity company's efforts to combine data related to vulnerability information, threat intelligence, asset criticality, and/or network exposure in order to distill and quantify the complex ideas of cyber threat and cyber risk into relatively simple outputs like a single value or chart. We conduct a heuristic evaluation [9, 11] of static views of the vendors' offerings and introduce the concept of the mythical average, reasonable IT professional (MARIP) to inspect the product outputs with respect to the key HCI principles of familiarity and consistency as they pertain to use of colors, numbers, and charts.