
Security Metrics, chapter 6: 'Visualization'

Security Metrics successfully bridges management's quantitative viewpoint with the nuts-and-bolts approach typically taken by security professionals. It brings together expert solutions drawn from Jaquith's extensive consulting work in the software, aerospace, and financial services industries, including new metrics presented nowhere else. Whether you're an engineer or consultant responsible for security and reporting to management -- or an executive who needs better information for decision-making -- Security Metrics is the resource you have been searching for.

Download chapter 6: 'Visualization'

This chapter is excerpted from the book titled, 'Security Metrics: Replacing Fear, Uncertainty, and Doubt', authored by Andrew Jaquith, published by Addison-Wesley Professional in March, 2007, ISBN 0-321-34998-9. Copyright 2007 Pearson Education, Inc. For more information, please visit:


Chapter Excerpt:

Label Honestly and Without Contortions

Labels matter. Labels convey an exhibit's intent; lack of proper labels leads to loss of clarity and meaning. Label honestly so that readers understand the units of measure, time intervals, and data series—and do it in a professional manner that does not cause torticollis.

A few guidelines are in order. First, pick a meaningful title that summarizes the exhibit's main point. A plain title like "Application Security Defects" is fine. More forceful titles can help too; for example, "Decreased Risk from Applications" succinctly provides the main takeaway message. For charts that display data over a range of time, subtitles help establish the data source and context. For example, a good subtitle might be "Defects reported per application, 2001–2004."

Second, label units of measure clearly. Although this sounds simple enough, you might be surprised to see how many people forget to label either the independent or dependent axes, as if the thing being measured were somehow self-evident. Nothing is worse than a beautifully formatted line chart that insightfully points out that over time, a company observed a clear and definitive increase in the number of . . . uh, something.

Axis labels should succinctly describe the unit of measure and scope of each data point and should typically include one of these magic words: "of," "per," "by," or "from." For example:

  • Number of defects per application
  • Percentage of passwords
  • External attacks, by source
  • Median number of days per patch

Exception: axes containing units expressed in years do not require labels, since the unit of measure is self-evident.

Third, do not tilt text toward the vertical if you're running out of axis room, or, in fact, for any other reason. With apologies to my East Asian and Middle Eastern readers, Western-language text was meant to be read left to right. Slanting x-axis labels or turning them 90 degrees forces viewers to crane their necks. You don't want to be responsible for unwanted chiropractor bills, do you? Of course not. In all seriousness, though, tilted text tends to indicate deeper problems with the exhibit format itself, generally in the orientation. In such cases, try switching the x- and y-axes.

Spreadsheet software (Excel is a notorious offender) often rotates text by default because it believes it is being helpful. Do not let it. Instead, always position chart axis labels with 0° rotation—that is, exactly horizontal.

Fourth, for multiseries charts, consider eliminating series legends if you can get away with it. Place the series labels directly on or near the data series themselves—that is, at the point of use. This practice works especially well with line charts.

Fifth, do not abbreviate. Although it may seem more efficient to label axes with "nmbr.," "app.," and "bus," doing so forces readers to unconsciously pause while reading the chart, an unnecessary distraction from the data. Also, abbreviations look sloppy. Of course, any rule has exceptions. For example, most people understand that % stands for "percentage" and that IT denotes "information technology." In most cases, though, try expanding all abbreviations. If narrow space on the y-axis forces an abbreviation, try giving the axis more breathing room by widening the left margin.

Sixth, use simple and consistent fonts. Charts are not the place to trot out that new typeface downloaded from the Internet. Use classic sans-serif typefaces like Helvetica, Franklin Gothic, or plain old Arial. In addition, keeping text the same size throughout the chart helps readers focus on the data, rather than the labels. Therefore, as a general rule, all labels other than the title (axes, data, subtitles) should be the same size and font. For printed documents, I recommend 9-point Helvetica plain or 9-point Arial plain. For space-constrained exhibits, the "narrow" versions of these fonts work pretty well, too. Opinions differ on correct formatting of titles; I prefer to make them the same size and font as the other labels, but in boldface.

Finally, cite any data sources used to make exhibits. To make a citation, place a small, short caption at the bottom of the exhibit. A simple "Source: Security Metrics Study (1999–2004), Andrew Jaquith Institute" in 6-point type (or something similar) works nicely. In addition to making the exhibit look more official, the caption provides valuable information to readers about sources and methods.


Although my suggested design guidelines may seem onerous, when followed they can dramatically improve the look and feel of metrics exhibits. For example, consider the very basic password-quality data set in Table 6-1. The analyst has decided to create a graphical exhibit for management showing the results of the latest password audit. He fires up Excel and selects a standard bar chart (formatted in 3-D because it "looks cool"). Figure 6-1 shows what Excel disgorges when using default settings.

What is wrong with this picture? All sorts of things:

  • Gratuitous 3-D effect
  • Abbreviated category names
  • Unnecessary legend
  • Grid lines add no value
  • Distracting shadows and background
  • No data labels

Let's clean this up. Figure 6-2 shows a redrawn version of the exhibit. I made quite a few changes:

  • Specified a sensible chart title indicating what the exhibit signifies—"Results of Password Audit by Department"—and a relevant time interval—"March 2005."
  • Added a y-axis label, "Number of Weak Passwords."
  • Eliminated the horizontal grid lines.
  • Removed the series legend.
  • Added data labels above each bar.
  • Removed the tick marks from both the x- and y-axes.
  • Removed the series border around each bar and changed the color from lilac to navy blue.
  • Harmonized all labels to use the same typeface (Arial instead of Verdana), size (9-point), and style (plain, except for the title in boldface). Also, cleared the "auto-scale" check box for all text items.
  • Removed the plot area border and background fill.
  • Removed the chart area border and background fill.
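The cleanup list above is easy to turn into code. The following is an added example, not code from the book: it encodes the chapter's labeling rules (magic words on axis labels, no abbreviations, 0° rotation, no legend on a single series, no grid lines, data labels, a source caption) as a checklist run over a chart specification, then draws the "after" chart with matplotlib. The department counts are constructed and are not the book's Table 6-1; the `ExhibitSpec`, `check_labels`, and `render` names are this example's own, and the rendering assumes matplotlib is installed (the checks run without it).

```python
"""Password-audit bar chart built to the chapter's labeling guidelines.

Added example, not the book's own code. The audit counts are constructed
(not the book's Table 6-1) and every name here is this example's own.
"""
from dataclasses import dataclass
from typing import List

MAGIC_WORDS = ("of", "per", "by", "from")
# Constructed list of abbreviations to expand; "%" and "IT" are allowed per the chapter.
KNOWN_ABBREVIATIONS = {"nmbr", "app", "bus", "dept", "eng", "fin", "mktg", "ops", "pwds"}


@dataclass
class ExhibitSpec:
    """Everything a chart needs; defaults follow the chapter's recommendations."""
    title: str
    subtitle: str
    y_label: str
    categories: List[str]
    values: List[int]
    source: str
    x_label: str = ""             # may stay empty only when the x-axis shows years
    font: str = "Arial"
    font_size: int = 9
    label_rotation: int = 0       # exactly horizontal
    show_legend: bool = False     # single series: label at the point of use instead
    show_gridlines: bool = False
    data_labels: bool = True
    three_d: bool = False


def _is_year(label) -> bool:
    text = str(label)
    return text.isdigit() and len(text) == 4


def _has_magic_word(label: str) -> bool:
    return any(f" {word} " in f" {label.lower()} " for word in MAGIC_WORDS)


def _abbreviations(text: str) -> List[str]:
    """Heuristic: a trailing period or a known short form marks an abbreviation."""
    found = []
    for word in text.split():
        if word in ("%", "IT"):
            continue
        if word.endswith(".") or word.lower().rstrip(".") in KNOWN_ABBREVIATIONS:
            found.append(word)
    return found


def check_labels(spec: ExhibitSpec) -> List[str]:
    """Return guideline violations; an empty list means the exhibit passes."""
    problems = []
    if not _has_magic_word(spec.y_label):
        problems.append(f"y-axis label {spec.y_label!r} lacks of/per/by/from")
    if not spec.x_label and not all(_is_year(c) for c in spec.categories):
        problems.append("x-axis lacks a label (only year axes may omit one)")
    for text in (spec.title, spec.subtitle, spec.y_label, spec.x_label, *spec.categories):
        for abbr in _abbreviations(text):
            problems.append(f"abbreviation {abbr!r} in {text!r}")
    if spec.label_rotation != 0:
        problems.append("axis labels are tilted; use 0 degrees")
    if spec.show_legend:
        problems.append("single-series chart does not need a legend")
    if spec.show_gridlines:
        problems.append("grid lines add no value")
    if not spec.data_labels:
        problems.append("bars lack data labels")
    if spec.three_d:
        problems.append("gratuitous 3-D effect")
    if not spec.source:
        problems.append("missing source citation")
    return problems


def excel_default_spec() -> ExhibitSpec:
    """The 'before' exhibit: spreadsheet defaults and abbreviated names (constructed)."""
    return ExhibitSpec(
        title="Weak Pwds", subtitle="", y_label="Count", source="",
        categories=["Eng.", "Fin.", "HR", "Mktg.", "Ops."],
        values=[14, 31, 9, 22, 17],
        show_legend=True, show_gridlines=True, data_labels=False, three_d=True,
    )


def password_audit_spec() -> ExhibitSpec:
    """The redrawn exhibit, following the chapter's cleanup list (constructed counts)."""
    return ExhibitSpec(
        title="Results of Password Audit by Department",
        subtitle="March 2005",
        y_label="Number of Weak Passwords",
        x_label="Department",
        categories=["Engineering", "Finance", "Human Resources", "Marketing", "Operations"],
        values=[14, 31, 9, 22, 17],
        source="Source: password audit, March 2005 (constructed data)",
    )


def render(spec: ExhibitSpec, path: str) -> str:
    """Draw the chart with matplotlib (imported here so the checks run without it)."""
    import matplotlib
    matplotlib.use("Agg")
    import matplotlib.pyplot as plt

    plt.rcParams["font.family"] = "sans-serif"
    plt.rcParams["font.sans-serif"] = [spec.font, "Helvetica", "DejaVu Sans"]
    plt.rcParams["font.size"] = spec.font_size          # one size for every label
    fig, ax = plt.subplots(figsize=(6, 4))
    bars = ax.bar(spec.categories, spec.values, color="navy")  # no series border
    fig.suptitle(spec.title, fontsize=spec.font_size, fontweight="bold")  # title: same size, bold
    ax.set_title(spec.subtitle, fontsize=spec.font_size)
    ax.set_xlabel(spec.x_label)
    ax.set_ylabel(spec.y_label)
    ax.tick_params(axis="both", length=0, labelrotation=spec.label_rotation)  # no tick marks
    ax.grid(spec.show_gridlines)
    if spec.data_labels:
        ax.bar_label(bars, padding=2)                   # value above each bar
    for side in ("top", "right"):                       # drop the plot-area border
        ax.spines[side].set_visible(False)
    fig.text(0.01, 0.01, spec.source, fontsize=6)        # small source caption
    fig.savefig(path, bbox_inches="tight")
    plt.close(fig)
    return path


if __name__ == "__main__":
    for name, spec in (("before", excel_default_spec()), ("after", password_audit_spec())):
        print(name, check_labels(spec) or "passes all label checks")
    render(password_audit_spec(), "password_audit.png")
```

Running the script lists the "before" chart's violations, reports that the "after" specification passes, and writes the cleaned-up chart to `password_audit.png`. The abbreviation check is deliberately a heuristic (a trailing period or a short list of known forms); it will not catch every abbreviation, such as "HR" in the constructed before-spec, which is left for the author's judgment.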


Visit the Addison-Wesley Professional website for a detailed description and to learn how to purchase this title.
