
Security Metrics, chapter 6: 'Visualization'

08 Jun 2007 | Addison-Wesley Professional





This chapter is excerpted from the book titled, 'Security Metrics: Replacing Fear, Uncertainty, and Doubt', authored by Andrew Jaquith, published by Addison-Wesley Professional in March, 2007, ISBN 0-321-34998-9. Copyright 2007 Pearson Education, Inc. For more information, please visit: www.awprofessional.com







Chapter Excerpt:


Label Honestly and Without Contortions

Labels matter. Labels convey an exhibit's intent; lack of proper labels leads to loss of clarity and meaning. Label honestly so that readers understand the units of measure, time intervals, and data series—and do it in a professional manner that does not cause torticollis.

A few guidelines are in order. First, pick a meaningful title that summarizes the exhibit's main point. A plain title like "Application Security Defects" is fine. More forceful titles can help too; for example, "Decreased Risk from Applications" succinctly provides the main takeaway message. For charts that display data over a range of time, subtitles help establish the data source and context. For example, a good subtitle might be "Defects reported per application, 2001–2004."

Second, label units of measure clearly. Although this sounds simple enough, you might be surprised to see how many people forget to label either the independent or dependent axes, as if the thing being measured were somehow self-evident. Nothing is worse than a beautifully formatted line chart that insightfully points out that over time, a company observed a clear and definitive increase in the number of . . . uh, something.

Axis labels should succinctly describe the unit of measure and scope of each data point and should typically include one of these magic words: "of," "per," "by," or "from." For example:

  • Number of defects per application
  • Percentage of passwords
  • External attacks, by source
  • Median number of days per patch

Exception: axes containing units expressed in years do not require labels, since the unit of measure is self-evident.

Third, do not tilt text toward the vertical if you're running out of axis room, or, in fact, for any other reason. With apologies to my East Asian and Middle Eastern readers, Western-language text was meant to be read left to right. Slanting x-axis labels or turning them 90 degrees forces viewers to crane their necks. You don't want to be responsible for unwanted chiropractor bills, do you? Of course not. In all seriousness, though, tilted text tends to indicate deeper problems with the exhibit format itself, generally in the orientation. In such cases, try switching the x- and y-axes.

Spreadsheet software (Excel is a notorious offender) often rotates text by default because it believes it is being helpful. Do not let it. Instead, always position chart axis labels with 0° rotation—that is, exactly horizontal.

Fourth, for multiseries charts, consider eliminating series legends if you can get away with it. Place the series labels directly on or near the data series themselves—that is, at the point of use. This practice works especially well with line charts.

Fifth, do not abbreviate. Although it may seem more efficient to label axes with "nmbr.," "app.," and "bus," doing so forces readers to unconsciously pause while reading the chart, an unnecessary distraction from the data. Also, abbreviations look sloppy. Of course, any rule has exceptions. For example, most people understand that % stands for "percentage" and that IT denotes "information technology." In most cases, though, try expanding all abbreviations. If narrow space on the y-axis forces an abbreviation, try giving the axis more breathing room by widening the left margin.

Sixth, use simple and consistent fonts. Charts are not the place to trot out that new typeface downloaded from the Internet. Use classic sans-serif typefaces like Helvetica, Franklin Gothic, or plain old Arial. In addition, keeping text the same size throughout the chart helps readers focus on the data, rather than the labels. Therefore, as a general rule, all labels other than the title (axes, data, subtitles) should be the same size and font. For printed documents, I recommend 9-point Helvetica plain or 9-point Arial plain. For space-constrained exhibits, the "narrow" versions of these fonts work pretty well, too. Opinions differ on correct formatting of titles; I prefer to make them the same size and font as the other labels, but in boldface.

Finally, cite any data sources used to make exhibits. To make a citation, place a small, short caption at the bottom of the exhibit. A simple "Source: Security Metrics Study (1999–2004), Andrew Jaquith Institute" in 6-point type (or something similar) works nicely. In addition to making the exhibit look more official, the caption provides valuable information to readers about sources and methods.

Example

Although my suggested design guidelines may seem onerous, when followed they can dramatically improve the look and feel of metrics exhibits. For example, consider the very basic password-quality data set in Table 6-1. The analyst has decided to create a graphical exhibit for management showing the results of the latest password audit. He fires up Excel and selects a standard bar chart (formatted in 3-D because it "looks cool"). Figure 6-1 shows what Excel disgorges when using default settings.

What is wrong with this picture? All sorts of things:

  • Gratuitous 3-D effect
  • Abbreviated category names
  • Unnecessary legend
  • Grid lines add no value
  • Distracting shadows and background
  • No data labels

Let's clean this up. Figure 6-2 shows a redrawn version of the exhibit. I made quite a few changes:

  • Specified a sensible chart title indicating what the exhibit signifies—"Results of Password Audit by Department"—and a relevant time interval—"March 2005."
  • Added a y-axis label, "Number of Weak Passwords."
  • Eliminated the horizontal grid lines.
  • Removed the series legend.
  • Added data labels above each bar.
  • Removed the tick marks from both the x- and y-axes.
  • Removed the series border around each bar and changed the color from lilac to navy blue.
  • Harmonized all labels to use the same typeface (Arial instead of Verdana), size (9-point), and style (plain, except for the title in boldface). Also, cleared the "auto-scale" check box for all text items.
  • Removed the plot area border and background fill.
  • Removed the chart area border and background fill.
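
The same cleanup can be scripted so that every audit produces an identically formatted exhibit. The following is an added example, not code from the book: it emits plain SVG using only the Python standard library, the function name `render_password_audit` is hypothetical, and the department counts are constructed sample data because Table 6-1 is not reproduced in this excerpt.

```python
from xml.sax.saxutils import escape

# Constructed sample data: the book's Table 6-1 is not reproduced in this excerpt.
SAMPLE_AUDIT = {"Finance": 12, "Engineering": 31, "Sales": 24, "Operations": 9}
FONT = 'font-family="Arial, Helvetica, sans-serif" font-size="9"'  # one face, one size
NAVY = "#000080"


def render_password_audit(counts, title="Results of Password Audit by Department",
                          subtitle="March 2005", y_label="Number of Weak Passwords",
                          source="Source: constructed sample data"):
    """Return an SVG bar chart that follows the chapter's labeling guidelines."""
    left, top, plot_h, bar_w, gap = 150, 50, 160, 50, 30  # wide left margin for y label
    width = left + len(counts) * (bar_w + gap) + gap
    height = top + plot_h + 50
    base = top + plot_h                                    # pixel row of the zero line
    scale = plot_h / max(max(counts.values()), 1)          # avoid dividing by zero
    out = [f'<svg xmlns="http://www.w3.org/2000/svg" width="{width}" height="{height}">',
           # Title in boldface, same face and size as every other label.
           f'<text x="{left}" y="15" {FONT} font-weight="bold">{escape(title)}</text>',
           f'<text x="{left}" y="28" {FONT}>{escape(subtitle)}</text>',
           # Y-axis label stays horizontal (0 degree rotation) in the left margin.
           f'<text x="{left - 10}" y="{top + plot_h // 2}" {FONT} '
           f'text-anchor="end">{escape(y_label)}</text>']
    for i, (dept, n) in enumerate(counts.items()):
        x = left + gap + i * (bar_w + gap)
        h = n * scale
        mid = x + bar_w / 2
        # Flat navy bar: no border, shadow, background fill or 3-D effect.
        out.append(f'<rect x="{x}" y="{base - h:.1f}" width="{bar_w}" '
                   f'height="{h:.1f}" fill="{NAVY}"/>')
        # Data label above the bar stands in for grid lines and tick marks.
        out.append(f'<text x="{mid}" y="{base - h - 4:.1f}" {FONT} '
                   f'text-anchor="middle">{n}</text>')
        # Full, unabbreviated category name, horizontal, under the bar (no legend).
        out.append(f'<text x="{mid}" y="{base + 14}" {FONT} '
                   f'text-anchor="middle">{escape(dept)}</text>')
    # Source caption in 6-point type at the bottom of the exhibit.
    out.append(f'<text x="{left}" y="{height - 8}" font-family="Arial, Helvetica, '
               f'sans-serif" font-size="6">{escape(source)}</text>')
    out.append("</svg>")
    return "\n".join(out)


if __name__ == "__main__":
    with open("password_audit.svg", "w", encoding="utf-8") as fh:
        fh.write(render_password_audit(SAMPLE_AUDIT))
```

Run as a script, it writes `password_audit.svg` to the current directory; replace `SAMPLE_AUDIT` and the `source` caption with the real audit figures and their citation.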


