Critical Thinking for Strategic Intelligence
by K. H. Pherson and R. H. Pherson
ISBN ISBN 978-1-4522-2667-5 . amazon.com USD 35.00; Table of Contents.
Reviewed by Richard Austin 1/15/2013
The information security threat environment is undergoing significant change (or even evolution). Though "commodity threats" targeting any vulnerability are still present, directed threats against specific organizations or even specific information within an organization have become much more frequent. Whether the threat agent is a community actor pursuing a modern view of civil disobedience, a competitor or national adversary pursuing economic espionage (either directly or through a thinly veiled proxy) or even a non-state actor such as a criminal or terrorist organization, these directed threats have the potential to inflict (and have inflicted) serious damage to the targeted organization. Might this evolution in the threat environment need to be matched by a similar evolution in how we think about risk and its management? If one believed change was needed, where would one look for ideas? The intelligence community has a long history and much practice in the area of threat analysis and assessment based on amorphous, incomplete and conflicting information. This month's review takes a look at book that describes how intelligence analysts exercise their craft.
The book opens with six short chapters devoted to how an analyst gets started and avoids common pitfalls such as producing a product that doesn't fit the needs of its audience or worse, answers the wrong questions. Understanding the customer and their expectations/needs is a core necessity in risk management and lack of this understanding has doomed many otherwise solid risk assessments in our field.
The next section is devoted to finding and evaluating relevant information. Two chapters delve into assessing the weight that should be assigned to information. In our field, we are inundated with threat assessments, detailed analyses of intrusions, etc., which either may be based on fact or designed to showcase the capabilities of a particular vendor's product. Using the techniques from this section will help assign a probative weight to these information sources as we use them in preparing our product.
The five chapters of the next section "What is my argument?" are absolute gems that justify the price of the book. Ranging from "Are my key assumptions well-founded?" to "How might I be spectacularly wrong?" they provide solid advice on how to avoid drawing conclusions that appear perfectly logical but are actually based on bias, being wedded to a particular theory or failure to consider alternative explanations.
The final section covers the critical task of communicating your conclusion. Too often, excellent analyses and appropriate conclusions are ignored by decision makers because they are poorly communicated. Of particular note is chapter 17, "How should I portray probability and levels of confidence?" which introduces standard vocabulary for describing the fog of uncertainty that surrounds any analytical conclusion (whether uncertainty is measured qualitatively or quantitatively). Though it's titled "How do I know when I am finished?" chapter 20 covers the often ignored final review process that should be applied before a product is released. Having seen many risk assessments that offer easy reasons for being ignored due to spelling or grammar errors, not using the expected format or even having wandered from the core questions during presentation, the solid advice in this chapter will be ignored at your peril.
The final section provides materials for five case studies that are used in end-of-chapter exercises throughout the book. Textbook answers for the exercises would have been helpful to the self-study reader but are not provided.
This is not a book on conducting information security risk assessments - the only material that is directly relevant to our field is in the first case study dealing with STUXNET and its impact on Iran's nuclear program. However, the book provides a wealth of material on how to produce a quality analytic product that meets the needs of the decision makers that are its consumer and these skills are sorely needed in our profession.
It should be noted that many of the "Structured Analytic Techniques" or SAT's used in analysis are only broadly sketched in this book and you will need to refer to its companion volume, "Structured Analytic Techniques for Intelligence Analysis" by R. Heuer and R. Pherson (CQ Press, 2011, ISBN 978-1-60871-018-8) for full details.
I highly recommend this book as a way to improve your ability to conduct analyses and effectively present their results. I would very much appreciate your thoughts on how you might use these techniques or even other fields with relevant methodologies we might be able to use.