Since the fall of the Soviet Union, the Russian Federation (RF) has sought to reclaim its former glory and regain recognition as a great power.
Throughout this progression the national science base to the RF’s economic development is of high importance. This has been demonstrated through policy documents like the RF’s National Security Strategy from 2009. The focus of this analysis is to examine the role of RF intelligence-gathering activities for the purpose of domestic modernization.
The National Security Strategy of the Russian Federation up to 2020 identified five key high-technology sectors: energy, information technology (IT), telecommunications, biomedicine and nuclear technology (RF, 2009). Nanotechnology was also highlighted as an important investment and growth area. In 2010, the RF announced plans that scientific and technological centers would focus on the development and domestic commercialization of modern technologies, motivated in part by the success of America’s Silicon Valley (Medvedev, 2010). There are many ways a nation can bolster a science and technology (S&T) foundation, not just through domestic industry, and each nation tends to use multiple options. A critical way that is not often discussed in mainstream media sources is to procure foreign knowledge and equipment through espionage activities. Russia engages this path aggressively with the likes of the Federal Security Service (FSB).
There is little doubt that the FSB has been active in S&T intelligence collection, concentrating on foreign nations for domestic modernization and improving Russia’s competitiveness in the global economy. The modern era of intelligence-collection capabilities sees the American intelligence community as dominant. Before the modern era (pre-2001), the RF operated one of the world’s largest S&T information-gathering apparatus, which worked almost as a substitute for legitimate industrial domestic research & development (Almquist, 1990). For the RF, intelligence support to the scientific community and its own domestic industrial complex was the standard, not the exception, and in 2010 Russia confirmed that it made no secret of its motivations to gather S&T intelligence for the benefit of its national security interests defined broadly.
The RF intelligence complex, including the FSB, has been obliged by federal law “to assist the country’s economic development and its scientific and technical progress and to ensure the military-technical security of the Russian Federation.” This activity is in line with Article 8 of the Federal Law on the FSB. The collection of S&T intelligence and “industrial espionage practices established a template for Soviet and later Russian [FSB] intelligence gathering that remains in use to this day; as long as U.S. technology maintains its preeminent global position, such espionage will likely continue” (Sibley, 2004). This was validated in 2010 by the American ODNI (Office of the Director of National Intelligence), which stated that the RF “continues to strengthen its intelligence capabilities and directs them against US interests worldwide. Moscow’s intelligence effort includes espionage, technology acquisition and covert action efforts.” (Blair, 2010) Jonathan Evans, the head of the domestic British Security Service (MI5), noted in 2007 that “the scope of the Russian intelligence gathering was equal to the Soviet effort during the Cold War… [and] that Russian intelligence services were particularly interested in British science and technology. (Brogan, 2007)
The RF, and specifically the FSB, has extensively leveraged operational cover from diplomatic missions abroad and the posting of illegal agents in their target countries to approach foreign researchers and entrepreneurs. They would often establish a career in one or several third countries, allowing agents to use academic research institutions or commercial companies as platforms for espionage activities (Kouzminov, 2006). But it has also been observed that the triumphs of human intelligence (HUMINT) operations during the former Soviet era are unlikely to be achieved in the present day RF. In the modern era the primary method for collecting S&T intelligence is through cyber espionage. In 2008, the US noted that more than 1 trillion USD worth of data was lost to cyber espionage (Ackerman, 2009). This fact is further confirmed with the knowledge that the RF is developing advanced offensive cyber capabilities (McAfee, 2009). In addition to cyber espionage, scientific and technological intelligence can be exploited through signals intelligence. This is another area where the RF intelligence services have leveraged the previous Soviet foundation with modern advancements in current technologies.
In conclusion, while the FSB has advanced significantly in S&T intelligence collection since the former Soviet period, “the FSB’s increased influence may prove to be counter-productive in terms of economic modernization and industrial restructuring. Despite its self-confidence, the FSB is scarcely prepared to manage all the industrial complexes with international standing.” (Gomart, 2008) This last point is crucial, as it implies that the gains made covertly through the intelligence community could in fact have an unintended detrimental effect on economic progress and industrial modernization happening more organically with native companies across Russia. This is not the desire effect, of course, but a consequence of the classical dilemma in modern market economies that try to figure out how much governmental intervention is positive before it hits a tipping point and becomes a net negative impact on development. This is not even considering the likely more severe stress this reliance on covert activity has on the entrepreneurial spirit and risk taking that is crucial for any developing economy in the 21st century. The Russian Federation operates no differently than the US intelligence community agencies in that it pursues its own national security interests and aims to improve its domestic standing on the global stage. The issue it should consider, however, is whether or not some old school spy thinking might be a less effective long-term strategy, even if it does produce more immediate results.
Russian Federation (RF). (2009). National Security Strategy of the Russian Federation up to 2020. Russian Security Council. Presidential Decree No. 537.
Medvedev, Dmitry. (2010). Dmitry Medvedev met with winners of international school and student Olympics and university students who hold presidential scholarships. The Kremlin, Moscow. http://en.kremlin.ru/events/president/news/7139.
Almquist, Peter. (1990). Red Forge: Soviet Military Industry Since 1965. New York. Columbia University Press.
Russian Federation (RF). (1995). Federal Law on Foreign Intelligence. No. 5-F, Article 5.
Sibley, K. (2004). Red Spies in America: Stolen Secrets and the Dawn of the Cold War. University Press of Kansas.
Blair, D. (2010). US Director of National Intelligence Annual Threat Assessment of the US Intelligence Community for the Senate select Committee on Intelligence. Office of the Director of National Intelligence. Washington, D.C.
Brogan, B. (2007). Soaring Number of Russian and Chinese Spies Diverting MI5 Attention from Terror Fight. Daily Mail. http://www.dailymail.co.uk/news/article-491830/Soaring-number-Russian-Chinese-spies-diverting-MI5-attention-terror-fight.html.
Kouzminov, A. (2006). Biological Espionage: Special Operations of the Soviet and Russian Foreign Intelligence Services in the West. Greenhill Military Paperbacks.
Usdin, S. (2009). The Rosenberg Ring Revealed: Industrial-Scale Conventional and Nuclear Espionage. Journal of Cold War Studies. MIT Press.
Ackerman, R. (2009). Threats Imperil The Entire U.S. Infostructure. SIGNAL: AFCEA. http://www.afcea.org/content/?q=threats-imperil-entire-us-infostructure-0.
McAfee. (2009). Virtual Criminology Report 2009. McAfee, Inc.
Gomart, T. (2008). Russian Civil-Military Relations: Putin’s Legacy. Carnegie Endowment for International Peace. Washington D.C.
Information challenges in security agencies
An effort to maintain information security is the responsibility of each individual. This person can be a normal user, technical expert, system administrator, network leader and manager of a system or network in the organization. Paying attention to the importance of information security makes it necessary to ensure the necessary protection of systems and the use of an effective set of security policies is an important step in ensuring this.
In most cases, computers and information will be protected from unauthorized access, and the information can be exchanged securely on the network with others. Information security in electronic organizations, especially municipalities, has been emphasized as one of the basic infrastructures and requirements, because their databases contain confidential information from citizens or customers.
Adopting appropriate security policies and implementing them reduces the risk of sudden loss of information, makes it much more difficult to access the system and provides security tools for detecting attacks and fixing security breaches. To maintain confidential information and to help integrate programs and information stored, a combination of policy making and implementation should be undertaken. This paper covers various components of effective security policies for e-organizations, especially municipal organizations.
In small organizations, the information security requirements can easily be met, and everyone is responsible for their computers and their files.
However, for larger groups such as organizations dealing with business transactions or groups that hold confidential data from citizens or customers (such as municipalities), the need for more formal security policies and procedures becomes more important.
When managers and employees consider the issue of information security, they will always face similar issues. As a result, attention to the role of information as a valuable commodity in today’s trade and the need to protect it is necessary.
Each group needs a certain level of security for its information and clear procedures for implementation by employees, the ability to create and maintain awareness of the needs of customers, and an understanding of how security policies are implemented in an operational environment.
Managers must pay close attention to information security policies in order to achieve their goals. Also, understanding the cost of implementing effective security policies is very important. Technologies Security procedures are a kind of investment and should be evaluated against the cost of likely losses.
Information is like blood in the veins of the organization and without the information of the board of directors (the company’s brain) cannot make key decisions, and the purchasing and financial resources (mouth, heart, etc.) cannot obtain the resources they need to survive the organization’s life.
The role of data and information is crucial in the management of organizations, the more the information system of an organization is more accurate, coherent and systematic, the better the organization can achieve its goals.
Regarding the importance of information, it can be said that the discussion of access to information and, on the other hand, the security and protection of information on the national level have been raised for rulers and managers since ancient times. Access to information can lead to the destruction of the organization. The possibility of data loss due to physical factors and threats to the information of the organization exists. But with the development of information technology and the use of information as a commercial tool and profitable capital, the issue of information security is a new dimension. In today’s trade, information plays the role of capital of a company, and the protection of information in the organization is one of the key pillars of its survival. In this way, categorizing and valuing and protecting information resources is very important and important.
In today’s world, the more we go into machining; the other face-to-face relationships and old solutions cannot answer our problems. In today’s cities, we are faced with increasing levels of traffic and, consequently, increasing urban traffic. Previous paperwork can no longer be an appropriate method for addressing the administrative work of citizens. Of these important organizations, such as the municipalities in the big cities, which are somehow the heart of the city, we must abandon the previous methods and enter the world of information technology and the e-government world.
This is where the Municipal Electronic and Information Technology (IT) have a crucial role in most municipal organizations. After the implementation of the electronic program of municipal services, citizens through their international networks or the Internet can provide their services, such as paying tolls, repairs, fees, and application fees, electronic referrals, and circular letters in various stages Receive in the municipality without a face-to-face visit to the municipality.
Nowadays, IT infrastructure is in an environment that is increasingly being added to the number of enemies and attackers who are not interested in continuous, reliable, and useful computer systems. A world where activities are much faster and more reliable and do not require population density in the physical world. We have to think about ways to reduce urban traffic, the cost of doing work, confrontations, mental ill-health, corruption, etc. that we face every day in municipal organizations, and it is the best solution to create an active and dynamic security framework for each organization.
Implementation and deployment of information security in organizations may be reviewed based on the efficiency, ease of use, and communication with other departments and organizations. Since public procurement is not generally a question of profitability, there is a controlling budget, which limits the ability of the organization to provide the latest hardware and software security. At the same time, municipalities should focus on data protection, as their databases contain sensitive information about individuals; information such as personal and medical records, and taxes.
Unfortunately, even in state-owned organizations of the country, it is difficult to protect information, and it suffers from obsolete systems, inappropriate investments, and employees of the disabled who lack the necessary information security dimension.
However, there are tensions between managerial levels. Without a general plan to create a secure environment for information technology, each episode may develop a solution to the security of information that comes from the missions, goals, and operational intentions of the same section, and may be as good as it is for a particular part. Other parts are not used too much. These different strategies may cause information security in some areas to be over-needed or less than the required level, while the presence of supervision on the part of the high-level management will ensure that security experiences are set in such a way that the organization can functionedits better.
In addition to securing its own intelligence resources, an organization must commit itself to set up a set of policies to safeguard its organization’s information. These policies play an important role in information security, but there is still a contradiction in the fact that the policy framework of the organization should be able to increase the level of security. Methods of dealing with insecurity are identified through crisis identification and insecurity and limitation of insecurity as well as its control tools.
There are sufficient information and adequate systems for the use of information as well as appropriate programs for preventing and, in the event of occurrence, controlling the crisis (proper urban programs) of the main components needed to maintain and develop information security.
Islamic State after ISIS: Colonies without Metropole or Cyber Activism?
With the world constantly following the events in the Middle East, much now depends on the shape, form and ‘policy’ Islamic State is going to take. What form will the IS take? What role will cryptocurrencies play in funding terrorists? How can Russia and the US cooperate in fighting mutual security threats? RIAC expert Tatyana Kanunnikova discusses these issues with Dr. Joseph Fitsanakis, Associate Professor of Political Science in the Intelligence and National Security Studies program at Coastal Carolina University.
Islamic State is perceived as an international threat. In which regions is it losing ground and in which ones is it on the rise? Could you please describe IS geography today?
Groups like the Islamic State are mobile. They tend to move and redeploy across international borders with relative ease, and are truly global in both outlook and reach. It is worth noting that, from a very early stage in its existence, the Islamic State incorporated into its administrative structure the so-called vilayets, namely semi-autonomous overseas provinces or possessions. These included parts of Libya, Afghanistan, Somalia, the Philippines, Nigeria, and of course Egypt’s Sinai Peninsula. By the first week of 2018, the Islamic State had all but eclipsed from its traditional base of the Levant. How has the loss of its administrative centers affected the organization’s strategy?
There are two competing answers to this question. The first possible answer is that ISIS’ plan is similar to that of the Great Britain in 1940, when the government of Winston Churchill was facing the prospect of invasion by the forces of the German Reich. London’s plan at the time was to use its overseas colonies as bases from which to continue to fight following a possible German takeover of the Britain. It is possible that ISIS’ strategy revolves around a similar plan —in which case we may see concerted flare-ups of insurgent activity in Egypt, Southeast Asia, Afghanistan, Somalia, Kenya, and elsewhere. The second possible answer to the question of ISIS’ strategy is that the group may be entering a period of relative dormancy, during which it will concentrate on cyber activism and online outreach aimed at young and disaffected youth in Western Europe, the Caucasus, and North America. According to this scenario, ISIS will use its formidable online dexterity to establish new communities of Millennial and Generation Z members, and renegotiate its strategy in light of the loss of physical lands in the Levant. This scenario envisages an online geography for the Islamic State, which may eventually lead to the emergence of a new model of activity. The latter will probably resemble al-Qaeda’s decentralized, cell-based model that focuses on sharp, decisive strikes at foreign targets.
Commenting for an article in Asia Times, you said that ISIS returnees are extremely valuables sources of intelligence. How can they be effectively identified in the flow of migrants? How exactly can security services exploit the experience of these militants?
In its essence, the Sunni insurgency is a demassified movement. By this I mean that its leaders have never intended for it to become a mass undertaking. The Islamic State, like al-Qaeda before it, does not depend on large numbers of followers. Rather it depends on individual mobilization. Senior Islamic State leaders like Abu Bakr al-Baghdadi, Mohamed Mahmoud, Tarad Muhammad al-Jarba, and others, have no interest in deploying 10,000 fighters who may be reluctant and weak-willed. They are content with 100 fighters who are unswerving in their commitment and prepared to devote everything to the struggle, including their lives. Consider some of the most formidable strikes of the Sunni insurgency against its enemies: the attacks of 9/11 in the United States, the 7/7 bombings in the United Kingdom, the November 2015 strikes in Paris, and the fall of Mosul in 2014. There have been more large-scale strikes on Russian, Lebanese, Afghan, Egyptian, and other targets. What connects all of those is the relatively small number of totally dedicated fighters that carried them out. The fall of Mosul, for example, which brought the Islamic State to the height of its power, was carried out by no more than 1,500 fighters, who took on two divisions of the Iraqi Army, numbering more than 30,000 troops.
The reliance on a small number of dedicated fighters mirrors the recruitment tactics of the Islamic State (and al-Qaeda before it). The latter rested on individual attention paid to selected young men, who are seen as reliable and steadfast. This is precisely the type of emphasis that should be placed by European, American and Russian security agencies on suspected members of terrorist groups that are captured, or are detected within largest groups of migrants. What is required here is individual attention given by security operatives who have an eye for detail and are knowledgeable of the culture, customs and ways of thinking of predominantly Muslim societies. However, most governments have neither the patience nor expertise to implement a truly demassified exploitation campaign that targets individuals with an eye to de-radicalization and — ultimately — exploitation. The experience of the Syrian migrants in countries like Italy and Greece is illustrative of this phenomenon. The two countries — already overwhelmed by domestic political problems and financial uncertainty — were left primarily to their own means by a disinterested and fragmented European Union. Several members of the EU, including Poland, Hungary, and the United Kingdom have for all practical purposes positioned themselves outside of the EU mainstream. At the same time, the United States, which is the main instigator of the current instability in the Middle East, shows no serious interest in de-radicalization and exploitation programs. This has been a consistent trend in Washington under the administrations of Barack Obama and Donald Trump.
In your opinion, will cryptocurrencies become a significant source of terrorism funding? Some experts believe that pressure on traditional methods of financing may facilitate this process.
In the old days of the 1970s and 1980s, most terrorist groups raised funds primarily through extortion, kidnappings, bank robberies and — to a lesser extent — drugs. Things have changed considerably in our century. Today, cryptocurrencies are not in themselves sources of funding — though it can be argued that the frequent rise in the value of many cryptocurrencies generates income for terrorist organizations — but more a method of circulating currency and providing services that generate funds. With the use of cryptocurrencies and the so-called Darknet, terrorist organizations are now able to engage in creative means of generating cash. They include the sale of pirated music, movies and, most of all, videogames. They also engage in the sale of counterfeit products, including clothing, electronics and other hi-tech accessories. Additionally, they sell counterfeit pharmaceutical products and even counterfeit tickets to high-profile sports events and music concerts. Those who buy those products often pay for them using cryptocurrencies, primarily through the Darknet. Looking at the broad picture, it is clear that the use of cryptocurrencies constitutes a form of asymmetric finance that circumvents established financial structures and operates using irregular means that for now remain largely undetected. Few terrorist groups will resist the temptation to employ this new method of unregulated financial transaction.
How can Russian and US intelligence and security services cooperate in combating terrorism? In December 2017, media reported that CIA had helped its Russian counterpart foil a terror attack in St. Petersburg. What should be done to deepen and broaden such kind of cooperation?
Despite friction on the political level, cooperation between Russian and American intelligence agencies in the field of counter-terrorism is far more routine than is generally presumed. Last December’s report of the CIA sharing intelligence with its Russian counterpart was notable in that it was publicly disclosed. Most instances of intelligence cooperation between Washington and Moscow are not publicized. In February 2016, the then CIA director John Brennan stated publicly that the CIA works closely with the Russian intelligence community in counter-terrorism operations directed against Islamist militants. He described the CIA’s relationship with Russian intelligence officials as a “very factual, informative exchange.” He added that “if the CIA gets information about threats to Russian citizens or diplomats, we will share it with the Russians”. And he added: “they do the same with us”. Brennan gave the example of the 2014 Winter Olympics in Sochi, Russia. He said: “We worked very closely with [Russian intelligence agencies]” during the Sochi games to “try to prevent terrorist attacks. And we did so very successfully”. There is no reason to doubt the sincerity of Brennan’s statement.
Professionals are always more likely to find common areas of interest. So, in what areas, apart from combating terrorism, can Russian and US intelligence services cooperate?
There is a virtually endless list of common concerns that ought to and often do bring together American and Russian intelligence agencies. To begin with, there are two major existential threats to the security of both countries and the whole world that demand close cooperation between Washington and Moscow and their respective intelligence agencies. The first threat is the black market in weapons of mass destruction, notably chemical weapons, biological agents, and even radioactive material. In the past 20 years, there have been several cases of individuals or groups trying to sell or trade radioactive substances. The fear of such weapons possibly falling into the hands of non-state insurgents should be sufficient to entice close cooperation between American and Russian intelligence agencies. The second existential threat is that of global warming and its effects on international security. It is no secret that the rise in global temperatures is already having a measurable negative impact on food production, desertification, sea-level rise, and other factors that contribute to the destabilization of the economies of entire regions. Such trends fuel militancy, political extremism, wars, and mass migrations of populations, all of which are serious threats to the stability of the international system. Solving this global problem will require increased and prolonged cooperation on the political, economic, and security/intelligence level between the United States and Russia. The two countries must also work closely on a series of other topics, including standardizing the global regulation of cryptocurrencies, diffusing tensions between the two rival nuclear powers of India and Pakistan, tackling the tensions in the Korean Peninsula, preventing the destabilization of Egypt (the world’s largest Arab country), combating the growth of Sunni militancy in West Africa, and numerous other issues.
Among other things, you are an expert in the Cold War. At present, Russia and the USA are experiencing a period of tensions in their relationship. In your opinion, what should be done in order to overcome these challenges and mend fences?
For those of us who remember the Cold War, and have studied the development of Russia–US relations in the postwar era, the current state of affairs between Washington and Moscow seems comparatively manageable. Despite tensions between Washington and Moscow, we are, thankfully, very far from an emergency of the type of the Berlin Crisis of 1961, the Cuban Missile Crisis, or even the 1984 collision between the US plane carrier Kitty Hawk and the K-314 Soviet submarine in the Sea of Japan. How do we avoid such dangerous escalations? The answer is simple: regularize communications between the two countries on various levels, including executive, political, economic and security-related. Such communications should continue even or, arguably, especially at times of rising tensions between the two nations. The overall context of this approach rests on the indisputable truth that Russia and the United States are the two central pillars on which the idea of world peace can be built for future generations.
First published in our partner RIAC
*Dr. Joseph Fitsanakis is Associate Professor of Political Science in the Intelligence and National Security Studies program at Coastal Carolina University. Prior to joining Coastal, he built the Security and Intelligence Studies program at King University, where he also directed the King Institute for Security and Intelligence Studies. An award-winning professor, Dr. Fitsanakis has lectured, taught and written extensively on subjects such as international security, intelligence, cyberespionage, and transnational crime. He is a syndicated columnist and frequent contributor to news media such as BBC television and radio, ABC Radio, Newsweek, and Sputnik, and his work has been referenced in outlets including The Washington Post, Foreign Policy, Politico, and The Huffington Post. Fitsanakis is also deputy director of the European Intelligence Academy and senior editor at intelNews.org, a scholarly blog that is cataloged through the United States Library of Congress, and a syndicated columnist.
How security decisions go wrong?
Information warfare is primarily a construct of a ‘war mindset’. However, the development of information operations from it has meant that the concepts have been transferred from military to civilian affairs. The contemporary involvement between the media, the military, and the media in the contemporary world of the ‘War on Terrorism’ has meant the distinction between war and peace is difficult to make. However, below the application of deception in the military context is described but it must be added that the dividing line is blurred.
The correct control of security often depends on decisions under uncertainty. Using quantified information about risk, one may hope to achieve more precise control by making better decisions.
Security is both a normative and descriptive problem. We would like to normatively how to make correct decisions about security, but also descriptively understand follow where security decisions may go wrong. According to Schneider, security risk is both a subjective feeling and an objective reality, and sometimes those two views are different so that we fail acting correctly. Assuming that people act on perceived rather than actual risks, we will sometimes do things we should avoid, and sometimes fail to act like we should. In security, people may both feel secure when they are not, and feel insecure when they are actually secure. With the recent attempts in security that aim to quantifying security properties, also known as security metrics, I am interested in how to achieve correct metrics that can help a decision-maker control security. But would successful quantification be the end of the story?
The aim of this note is to explore the potential difference between correct and actual security decisions when people are supposed to decide and act based on quantified information about risky options. If there is a gap between correct and actual decisions, how can we begin to model and characterize it? How large is it, and where can someone maybe exploit it? What can be done to fix and close it? As a specific example, this note considers the impact of using risk as security metric for decision-making in security. The motivation to use risk is two-fold. First, risk is a well-established concept that has been applied in numerous ways to understand information security and often assumed as a good metric. Second, I believe that it is currently the only well-developed reasonable candidate that aims to involve two necessary aspects when it comes to the control of operational security: asset value and threat uncertainty. Good information security is often seen as risk management, which will depend on methods to assess those risks correctly. However, this work examines potential threats and shortcomings concerning the usability of correctly quantified risk for security decisions.
I consider a system that a decision-maker needs to protect in an environment with uncertain threats. Furthermore, I also assume that the decision-maker wants to maximize some kind of security utility (the utility of security controls available) when making decisions regarding to different security controls. These different parts of the model vary greatly between different scenarios and little can be done to model detailed security decisions in general. Still, we think that this is an appropriate framework to understand the need of security metrics. One way, maybe often the standard way, to view security as a decision problem is that threats arise in the system and environment, and that the decision-maker needs to take care of those threats with available information, using some appropriate cost-benefit tradeoff. However, this common view overlooks threats with faults that are made by the decision-maker. I believe that many security failures should be seen in the light of limits (or potential faults) of the decision-maker when she, with best intentions, attempts to achieve security goals (maximizing security utility) by deciding between different security options.
I loosely think of correct decisions as maximization of utility, in a way to be specified later.
Information security is increasingly seen as not only fulfillment of Confidentiality, Integrity and Availability, but as protecting against a number of threats having by doing correct economic tradeoffs. A growing research into the economics of information security during the last decade aims to understand security problems in terms of economic factors and incentives among agents making decisions about security, typically assumed to aim at maximizing their utility. Such analysis is made by treating economic factors as equally important in explaining security problems as properties inherent in the systems that are to be protected. It is thus natural to view the control of security as a sequence of decisions that have to be made as new information appears about an uncertain threat environment. Seen in the light of this and that obtaining security information usually in it is cost, I think that any usage of security metrics must be related to allowing more rational decisions with respect to security. It is in this way I consider security metrics and decisions in the following.
The basic way to understand any decision-making situation is to consider which kind of information the decision-maker will have available to form the basis of judgments. For people, both the available information, but also potentially the way in which it is framed (presented), may affect how well decisions will be made to ensure goals. One of the common requirements on security metrics is that they should be able to guide decisions and actions to reach security goals. However, it is an open question how to make a security metric usable and ensuring such usage will be correct (with respect to achieving goals) comes with challenges. The idea to use quantified risk as a metric for decisions can be split up into two steps. First do objective risk analysis using both assessment of system vulnerabilities and available threats in order to measure security risk. Second, present these results in a usable way so that the decision-maker can make correct and rational decisions.
While both of these steps present considerable challenges to using good security metrics, I consider why decisions using quantified security risk as a metric may go wrong in the second step. Lacking information about security properties of a system clearly limits the security decisions, but I fear that introducing metrics do not necessarily improve them;this may be due to 1) that information is incorrect or imprecise, or 2) that usage will be incorrect. This work takes the second view and we argue that even with perfect risk assessment, it may not be obvious that security decisions will always improve. I am thus seeking properties in risky decision problems that actually predict the overall goal – maximizing utility – to be, or not to be, fulfilled. More specifically, we need to find properties in quantifications that may put decision-making at risk of going wrong.
The way to understand where security decisions go wrong is by using how people are predicted to act on perceived rather than actual risk. I thus need to use both normative and descriptive models of decision-making under risk. For normative decisions, I use the well-established economic principle of maximizing expected utility. But for the descriptive part, I note that decision faults on risky decisions not only happen in various situations, but have remarkably been shown to happen systematically describe by models from behavioral economics.
I have considered when quantified risk is being used by people making security decisions. An exploration of the parameter space in two simple problems showed that results from behavioral economics may have impact on the usability of quantitative risk methods. The results visualized do not lend themselves to easy and intuitive explanations, but I view my results as a first systematic step towards understanding security problems with quantitative information.
There have been many proposals to quantify risk for information security, mostly in order to allow better security decisions. But a blind belief in quantification itself seems unwise, even if it is made correctly. Behavioral economics shows systematic deviations of weighting when people act on explicit risk. This is likely to threaten security and its goals as security is increasingly seen as the management of economical trade-offs. I think that these findings can be used partially to predict or understand wrong security decisions depending on risk information. Furthermore, this motivates the study how strategic agents may manipulate, or attack, the perception of a risky decision.
Even though any descriptive model of human decision-making is approximate at best, I still believe this work gives a well-articulated argument regarding threats with using explicit risk as security metric. My approach may also be understood in terms of standard system specification and threat models: economic rationality in this case is the specification, and the threat depends on bias for risk information. I also studied a way of correcting the problem with reframing for two simple security decision scenarios, but only got partial predictive support for fixing problems this way. Furthermore, I have not found such numerical examinations in behavioral economics to date.
Further work on this topic needs to empirically confirm or reject these predictions and study to which degree they occur (even though previous work clearly makes the hypothesis clearly plausible at least to some degree) in a security context. Furthermore, I think that similar issues may also arise with several forms of quantified information for security decisions.
These questions may also be extended to consider several self-interested parties. in game-theoretical situations. Another topic is using different utility functions, and where it may be normative to be economically risk-aversive rather than risk-neutral. With respect to the problems outlined, rational decision-making is a natural way to understand and motivate the control of security and requirements on security metrics. But when selecting the format of information, a problem is also partially about usability. Usability faults often turn into security problems, which is also likely for quantified risk. In the end the challenge is to provide users with usable security information, and even more broadly investigate what kind of support is required for decisions. This is clearly a topic for further research since introducing quantified risk is not without problems. Using knowledge from economics and psychology seems necessary to understand the correct control of security.
ADB Provides $360 Million for Rolling Stock to Boost Bangladesh Railway
The Board of Directors of the Asian Development Bank (ADB) has approved loans totaling $360 million to buy modern rolling...
Consumer Trust in Autonomous Vehicles on the Rise
Consumers are warming up to the concept of fully self-driving vehicles, but some roadblocks may lay ahead for automakers, according...
The war in the Golan Heights and in the Lebanon
The framework of the clash on the borders between Israel, the Lebanon and Syria is currently much more complicated than...
Information challenges in security agencies
An effort to maintain information security is the responsibility of each individual. This person can be a normal user, technical...
EU Doubling Renewables by 2030 Positive for Economy, Key to Emission Reductions
The European Union (EU) can increase the share of renewable energy in its energy mix to 34 per cent by...
What an ‘Impossibility Clause’ can make possible
Since the implementation of the JCPOA in January of 2016, and throughout the current period of accelerating investment by foreign...
Creating Quality Jobs Crucial to Boost Productivity, Growth in Indonesia
Indonesia must create good and quality jobs to help increase the country’s productivity and competitiveness for sustained and inclusive growth,...
Eastern Europe4 days ago
Expanding regional rivalries: Saudi Arabia and Iran battle it out in Azerbaijan
Intelligence3 days ago
How security decisions go wrong?
Americas4 days ago
‘Guns Don’t Kill People, People Kill People’: Time to retire
Economy4 days ago
Economic Warfare and Cognitive Warfare
East Asia3 days ago
China’s soft power and its Lunar New Year’s Culture
South Asia4 days ago
Prime Minister Narendra Modi’s Hug Diplomacy Fails
Economy2 days ago
Agriculture Is Creating Higher Income Jobs in Half of EU Member States but Others Are Struggling
Middle East8 hours ago
The war in the Golan Heights and in the Lebanon