Design and Utility of a Graphical User Interface for Hierarchical Attack Representation Models

Authors

  • Ruoqi Guo, School of Electrical Engineering & Computer Science, The University of Queensland, UQ Brisbane, QLD 4072, Australia

DOI:

https://doi.org/10.71222/qaj4yk62

Keywords:

cybersecurity visualization, human-computer interaction, graphical security models, HARM, attack graph, cybersecurity education, visual analytics

Abstract

The increasing complexity of cyber threats poses significant cognitive challenges for security analysts and creates communication barriers between technical experts and non-technical stakeholders. While graphical security models like the Hierarchical Attack Representation Model (HARM) offer a scalable solution for analysis, their practical utility is often hindered by the lack of intuitive interfaces. This paper presents the design, implementation, and evaluation of a novel web-based Graphical User Interface (GUI) for HARM, built to enhance network security analysis through effective visualization. Grounded in human-computer interaction (HCI) principles, the interface integrates the HARM model with the Harmat analysis engine, allowing users to interactively build, visualize, and analyze multi-layered attack paths. We detail the system's architecture and key design choices, such as the dual-layer canvas for attack graphs and attack trees, visual iconography, and a logical layout aimed at reducing cognitive load. Furthermore, we discuss the broader implications of this tool beyond technical analysis, exploring its potential as an educational platform for cybersecurity training and as a communication medium to facilitate risk-based decision-making in organizational contexts. The results demonstrate that a well-designed visual interface not only improves the efficiency of security analysis but also makes complex security concepts more accessible to a wider audience.

Published

19 January 2026

How to Cite

Guo, R. (2026). Design and Utility of a Graphical User Interface for Hierarchical Attack Representation Models. Business and Social Sciences Proceedings, 4, 66-75. https://doi.org/10.71222/qaj4yk62