Many people have encountered the phenomenon of opening a new device or appliance, tossing the instruction manual to the side, and then digging right into the device with the thought of “I don’t want to read all of that. I’ll just learn as I use it.” This occurrence is one of the many examples of Cognitive Load Theory, a theory developed by John Sweller, that discusses how people learn and store information.
While its application is mostly centered in traditional education like schools, Cognitive Load Theory applies to how security professionals conduct their day-to-day workflows. In this blog, we take a dip into what Cognitive Load Theory is, its application to cybersecurity, and how the way information is presented to security professionals can impact time to respond to threats.
Cognitive Load Theory
Sweller developed the theory in the late 1980s to put into words, and to research, why visual learning sometimes works better than having the information written down in a table. Sweller identified three types of cognitive load: “intrinsic,” “extraneous,” and “germane.”

- Intrinsic cognitive load is the “inherent level of difficulty associated with a specific instructional topic.” [1] In the example above, it is the idea of the average heights of different types of trees.
- Extraneous cognitive load is “generated by the manner in which information is presented.” [2] In the example, it is the way the average heights of different types of trees are presented in a table. Note that the table does not have a header to indicate that the types of trees are, indeed, trees.
- Germane cognitive load is “the working memory resources that learner dedicates to intrinsic load.” [3] Because there is no header that indicates this table lists types of trees, the learner has to pull pre-existing information from their working memory, such as the fact that oaks, elms, and acacias are trees.
Our tendency to jump straight to the new appliance or device, instead of the instruction manual, to learn how to use it comes down to the difference in the extraneous load of the new information we are learning. In other words, it is much easier to visualize the new information on the device or appliance than to read out the words in the instruction manual. This is because practicing on the device (tapping the on/off button or adjusting the temperature dial) engages perceptual processing rather than cognitive processing.
Cognitive Processing vs Perceptual Processing
Cognitive processing is a slower and more nuanced way of processing information. Learners ingest information at a slower pace but gather “more information,” or in other words, a deeper understanding of the information. Perceptual processing takes the intrinsic cognitive load and simplifies it, typically into something visual, so that learners can process the information faster, but with less detail.

For example, the height of different types of trees is the intrinsic cognitive load. The table below shows that information in a way that engages a learner’s cognitive processing. Here, learners can see the specific details of how tall each tree is. When the intrinsic cognitive load is visualized as drawings of trees, learners engage in perceptual processing and quickly see that redwoods are the tallest types of trees while firs are the shortest, within the first few seconds of looking at the visualization. The learner might not pick up the specific height of the fir and redwood trees until seconds later in the processing and might not even notice or remember the types of trees that fall in between the two.
If the question the learner was answering is “which tree is the tallest and which is the shortest,” then the tree visualization allows the learner to answer within seconds of processing the question. Visualizations, when done purposefully, can direct learners to answers to their questions quickly and effectively, without having to sort through the noise of the other available information.
Cognitive Load Theory Applied to Cybersecurity
Modern cybersecurity requires analysts and engineers to consume a large amount of information at very fast speeds to get ahead of the modern attacker. Especially with the way modern networks sprawl over datacenters, identities, cloud servers, applications, and more, the volume of data and information needs to be presented in a way that allows professionals to minimize extraneous cognitive load. In other words, security vendors must present information simply, quickly, and intuitively. Typically, the most effective way to do this is through visualizations of data.
Instead of painfully ingesting many lines of detections in a list, security professionals can quickly get the information they need to properly investigate and respond to attackers through a visualization of that data. Transforming that list of data into a diagram allows security professionals to optimize their extraneous cognitive load and redirect the saved time into deeper investigations of the most urgent threats. In turn, this lets security professionals quickly respond to threats with the proper context and information and get ahead of the attacker.

Adding layers and interactions to visualizations can take their use in cybersecurity workflows to the next level. In the example above, the visualization is color-coded to show the severity of the connection between a host and a domain and has an attached timeline that demonstrates when certain connections were established. Instead of reading and memorizing the dates and actions of each host, account, or domain associated with the threat, security professionals are presented with all the important information at once, in a way that tells a holistic story of how an attacker behaves.
Vectra AI’s Take on Cognitive Load Theory
The Vectra AI Platform integrates cognitive load theory directly into our GUI with our Hunt and Respond modules.
The Hunt Module

The graph on the Hunt module provides analysts with a way to decipher which threats are worth further investigation based on their attack rating (y-axis) and importance (x-axis). Threat types are distinguished with icons so that a more network-oriented analyst can focus on the hosts (computer icon) in the graph and a cloud-oriented analyst can focus on accounts (person icon). This allows analysts to relatively quickly determine which entities to prioritize first. Compare the effectiveness of gathering information from the graph versus the table of threats below; it becomes obvious which form of data is more digestible. However, because we understand graphs may not give more nuanced information, we designed our UI to include the data in table format as well.
The Respond Module

Another example of how Vectra AI takes Cognitive Load Theory into account is our Respond module. While this doesn’t resemble a graph or illustration, the Respond module aims at optimizing analysts’ extraneous cognitive loads by showcasing bite-sized pieces of information with guidance on next steps.
Threats are listed based on priority and urgency and are aggregated under one “entity” with a short summary of why it was scored the way it was. Once analysts view the bite-sized pieces of information and have internalized the who, what, and why of the threat, they can click on “Show Active Detections” to take the next step in analysis. After they expand a detection, a summary of its behavior is given, allowing them to take in the story that's being told. Our descriptions once again give them a hypothesis to pursue, and there are a few data points that they can begin to triage.
The Hunt and Respond modules on the Vectra AI Platform are just two examples of how we design our UI for security analysts. We are constantly innovating our user experience to streamline the analyst workflows and optimize time, effort, and talent.
Having visualizations like Vectra’s Hunt and Respond modules is pivotal to defending your environment against modern attackers that move from attack surface to attack surface within minutes. These visualizations simplify the complexity of a modern attack while providing the critical information needed to build hybrid attack resilience.
To learn more about the Vectra AI Platform analyst experience, visit: https://www.vectra.ai/platform