Connect with us

Intelligence

The ceasefire in force in Syria as from September 12, 2016

Giancarlo Elia Valori

Published

on

On Saturday, September 10, between Geneva and Munich, the traditional venues for the numberless negotiations on war in Syria, the US State Secretary, John Kerry, and the Russian Foreign Minister, Serghei Lavrov, reached an agreement for truce among the various factions fighting for the spoils of the Middle East State. The agreement will enter into force as from the sunset of September 12 and it will last one week only.

Who is concerned by the ceasefire? First and foremost Assad’s forces, namely the Syrian Arab Army, including its Russian and Iranian allies and the various groups of the Syrian Free Army, of which it is impossible to know the real size of its forces and its inconstant relationship with the other movements of the Syrian jihad.

Hence the agreement regards neither Daesh-Isis nor the militia of Fateh al-Sham, the new name chosen by the Al Nusra Front to distance itself from Al Qaeda as much as possible.

The hostilities will cease especially in the Aleppo area which, for everybody, is the key to the Syrian strategy, with a view to allowing the inflow of supplies, aid and relief to the local populations, hardly hit by both opponents’ actions.

It is worth recalling that so far the war in Syria has had a toll of 350,000 deaths and 11 million refugees, namely 50% of the Syrian population.

The essential political result of the September negotiations is – first and foremost – that the removal of the “tyrant” Bashar al-Assad from power is no longer on the agenda.

In fact, Assad is probably the only one who can keep Syria united – hence he is a necessary and valuable asset for Russia.

Conversely, in one way or another, all the Western countries involved in the conflict are interested in Syria’s splitting up and fragmentation.

Following its neo-Ottoman dream, Turkey wants to annex the Syrian Sunni area, also with a view to counterbalancing the Kurds’ influence both in Syria and on its own territory, by separating them with an enclave controlled by it.

Rojava (the West or Western Kurdistan in the Kurdish language) consisting of three self-governing cantons, namely Afrin, Jazira e Kobani, as well as the Shahba region, are located in the Syrian al-Hasakah Governorate. It is worth noting that the tree Kurdish cantons are multiethnic.

Obviously the Kurdish presence is the real target of the Turkish operations.

Shortly before the ceasefire, Turkey had deployed 43 self-supporting units and at least 200 soldiers, in addition to those of the Turkish garrison, in Gaziantep.

Shortly afterwards the Kurdish People’s Protection Units (YPG) started clashes with the Turkish forces in the Hatay Province.

Moreover no maps of Turkey’s operation “Euphrates Shield” are available and, at the same time, Isis demobilized its elite militants from the Al-Bab region, in the North-East province of Aleppo. Therefore we can predict a future jihadists’ counterattack from the South

The real aim of the Operation Euphrates Shield is to create a “safety area” for Turkey (90 kilometres long and   40 kilometres wide), with a view to avoiding the connection between the Kurds of Rojava and those in Turkey, as well as to definitely breaking Syria’s unity, which means creating strategic continuity between Anatolia and the Sunni Islam of Central Asia.

The United States want to “bring democracy” to Syria and intend to keep on controlling the areas held by their allies of the Syrian Free Army, the well-known “moderate” jihadists.

Without admitting so, also the United States want Syria’s splitting up and fragmentation so as to implement the unfortunate “Yugoslav model” also there, by creating ethnical statelets which – as happened in Kosovo – may possibly become recruiting centres for the jihad in the coming years or centres for managing drug trafficking.

Finally Russia wants a sufficiently united State which can protect the Alawite coastal territory where its naval bases in the Mediterranean are located.

Moreover Iran wants Syria to be a united State, under the leadership of the Alawites, who are Shias – as Imam Mussa Sadr established – which can be a bulwark against the Sunni Turkey and the destabilization trends from Saudi Arabia.

Hence the political and strategic sense is that – once the one-week truce is over – the United States and the Russian Federation should be reunited to fight against Isis-Daesh and Fateh al-Sham, namely the new Al Nusra “brand”.

As envisaged by the agreement of September 10, Assad’s forces should stop bombings “wherever the other forces are present” so as to allow the arrival of humanitarian aid in Aleppo.

Furthermore, the priority for the inflow of aid will be the city of Aleppo and its surroundings, in addition to the areas which are “hard to be reached”.

Again according to the agreement of September 10, both Assad’s forces and the “rebel” ones should leave Castello Road, which runs throughout the centre of Aleppo from the North of the city to the Eastern area, still held by the “rebels” of Jaish al Fateh and Isis-Daesh.

Also a part of the Kurdish YPG is present along the Aleppo road, which is currently monitored by the Russian soldiers.

There must also be a “secure access” to the area of Ramouseh and, if there will be seven consecutive days of successful truce, even partially, the United States and Russia will operate together to “develop military actions” (sic) against Fateh al Sham and Isis.

At the regular end of the ceasefire, a Joint Implementation Centre will be established to exchange the information required for military activities, but the problem is that the United States will continue to support the “rebels” close or allied to Jaish Al Fateh and that Russia shall convince its ally Assad to stop bombing the cities.

However, if the ceasefire is successful, all the forces whose territory borders on the “Islamic State” can concentrate their forces only against Isis. This will generate a sort of competition between allies, at least as regards the fight against Al Baghdadi’s Caliphate.

Furthermore, a few days before the deal, two “rebel” groups – both supported by the United States – clashed with each other in Jarabulus, north of Aleppo, namely Jaish al Tahrir and the Syrian Democratic Forces.

Hence the situation of military power relations in Syria just before the ceasefire was complex: on September 4, Assad’s forces started again the siege of Aleppo while, on September 5, Isis initiated a series of suicide attacks in Tartous, Homs and Damascus, as well as on the YPG Kurdish positions in Qamishli and Hasaka.

The Isis attack came just a few hours after the elimination of the Caliphate – along the Turkish-Syrian border, in the Aleppo area – by the Turkish Armed Forces and their jihadists of reference, namely the Turkmen.

A military success which was evidently the harbinger of the deal under discussion between Russia and the United States.

It is therefore likely for Isis to seek a new expansion in Western Syria, pending the ceasefire.

However, the deal reached on September 10 is very hard to be maintained.

The agreement is undoubtedly a success of Russian diplomacy, as both President Obama and part of the Pentagon and CIA did not want to acknowledge any role for Bashar al-Assad, while now – at least figuratively – they have sat at the same negotiating table as Syria’s emissaries.

The obsession of President Obama and much of the Pentagon was “Assad must go!”, as if the fall of a “tyrant” could magically change the political balance of a whole country.

The same mistake made with Saddam Hussein in Iraq and with the old “democratic” President, Hamid Karzai, in Afghanistan.

Certainly, if the two major powers on the ground really join, the end of Isis will be a matter of weeks, if not days.

But many ceasefires are “in water writ” and that of September 10 is no exception to the rule.

The Russian Aerospace Defence Forces have continued to hit jihadist targets despite the truce and the coordination center between the United States and Russia, envisaged by the deal, has not yet been definitively put in place to operate. It cannot certainly be created magically from nothing at the end of the fateful one-week truce.

On September 13 the parties exchanged artillery fire in the Aleppo area, while Bashar al-Assad’ Syrian Arab Army and the Hezbollah engaged combat with Jaish al Fateh in the aeras of Qarassi, Zeitan, Khan Touman and Khalsah.

Jaish al Fateh responded by hitting Assad’s outposts in the Malah Farms and the Ramouseh Artillery Base.

On September 12, all Jaish al Fateh forces stated they did not accept the ceasefire because their leaders had not been called to discuss the document and hence their role as primary group of “resistance” to Assad had not been recognized.

The following day, at least according to their sources, the air forces of the Syrian Arab Army shot down an Israeli jet and a drone near Quneitra, but Israel denied it.

However what is the strategic significance of the ceasefire, apart from the repositioning on the battlefield?

Russia emerges as the true leader of the future in Syria. The United States operate with their Turkish allies in the North, but this is an anti-Kurdish operation and the various Kurdish militias are US allies.

Shortly a clash will be recreated between both factions backed by the United States, which evidently have no strategy whatsoever in Syria except for the stale and impossible “exporting of democracy.”

Maybe the ceasefire will hold, but later the Syrian crisis will remain stable, with tensions on the Euphrates, the Kurdish reaction, the backlash of the Iranian Shiite units and the Russian raids.

The Western forces have no strategic project and therefore Russia – and hence Bashar al-Assad – will win because it has one, but after unimaginable ruins and the creation of a flow of migrants to the EU that will be very difficult to manage.

Advisory Board Co-chair Honoris Causa Professor Giancarlo Elia Valori is an eminent Italian economist and businessman. He holds prestigious academic distinctions and national orders. Mr Valori has lectured on international affairs and economics at the world’s leading universities such as Peking University, the Hebrew University of Jerusalem and the Yeshiva University in New York. He currently chairs "La Centrale Finanziaria Generale Spa", he is also the honorary president of Huawei Italy, economic adviser to the Chinese giant HNA Group and member of the Ayan-Holding Board. In 1992 he was appointed Officier de la Légion d'Honneur de la République Francaise, with this motivation: "A man who can see across borders to understand the world” and in 2002 he received the title of "Honorable" of the Académie des Sciences de l'Institut de France

Continue Reading
Comments

Intelligence

Information challenges in security agencies

Sajad Abedi

Published

on

An effort to maintain information security is the responsibility of each individual. This person can be a normal user, technical expert, system administrator, network leader and manager of a system or network in the organization. Paying attention to the importance of information security makes it necessary to ensure the necessary protection of systems and the use of an effective set of security policies is an important step in ensuring this.

In most cases, computers and information will be protected from unauthorized access, and the information can be exchanged securely on the network with others. Information security in electronic organizations, especially municipalities, has been emphasized as one of the basic infrastructures and requirements, because their databases contain confidential information from citizens or customers.

Adopting appropriate security policies and implementing them reduces the risk of sudden loss of information, makes it much more difficult to access the system and provides security tools for detecting attacks and fixing security breaches. To maintain confidential information and to help integrate programs and information stored, a combination of policy making and implementation should be undertaken. This paper covers various components of effective security policies for e-organizations, especially municipal organizations.

In small organizations, the information security requirements can easily be met, and everyone is responsible for their computers and their files.

However, for larger groups such as organizations dealing with business transactions or groups that hold confidential data from citizens or customers (such as municipalities), the need for more formal security policies and procedures becomes more important.

When managers and employees consider the issue of information security, they will always face similar issues. As a result, attention to the role of information as a valuable commodity in today’s trade and the need to protect it is necessary.

Each group needs a certain level of security for its information and clear procedures for implementation by employees, the ability to create and maintain awareness of the needs of customers, and an understanding of how security policies are implemented in an operational environment.

Managers must pay close attention to information security policies in order to achieve their goals. Also, understanding the cost of implementing effective security policies is very important. Technologies Security procedures are a kind of investment and should be evaluated against the cost of likely losses.

Information is like blood in the veins of the organization and without the information of the board of directors (the company’s brain) cannot make key decisions, and the purchasing and financial resources (mouth, heart, etc.) cannot obtain the resources they need to survive the organization’s life.

The role of data and information is crucial in the management of organizations, the more the information system of an organization is more accurate, coherent and systematic, the better the organization can achieve its goals.

Regarding the importance of information, it can be said that the discussion of access to information and, on the other hand, the security and protection of information on the national level have been raised for rulers and managers since ancient times. Access to information can lead to the destruction of the organization. The possibility of data loss due to physical factors and threats to the information of the organization exists. But with the development of information technology and the use of information as a commercial tool and profitable capital, the issue of information security is a new dimension. In today’s trade, information plays the role of capital of a company, and the protection of information in the organization is one of the key pillars of its survival. In this way, categorizing and valuing and protecting information resources is very important and important.

In today’s world, the more we go into machining; the other face-to-face relationships and old solutions cannot answer our problems. In today’s cities, we are faced with increasing levels of traffic and, consequently, increasing urban traffic. Previous paperwork can no longer be an appropriate method for addressing the administrative work of citizens. Of these important organizations, such as the municipalities in the big cities, which are somehow the heart of the city, we must abandon the previous methods and enter the world of information technology and the e-government world.

This is where the Municipal Electronic and Information Technology (IT) have a crucial role in most municipal organizations. After the implementation of the electronic program of municipal services, citizens through their international networks or the Internet can provide their services, such as paying tolls, repairs, fees, and application fees, electronic referrals, and circular letters in various stages Receive in the municipality without a face-to-face visit to the municipality.

Nowadays, IT infrastructure is in an environment that is increasingly being added to the number of enemies and attackers who are not interested in continuous, reliable, and useful computer systems. A world where activities are much faster and more reliable and do not require population density in the physical world. We have to think about ways to reduce urban traffic, the cost of doing work, confrontations, mental ill-health, corruption, etc. that we face every day in municipal organizations, and it is the best solution to create an active and dynamic security framework for each organization.

Implementation and deployment of information security in organizations may be reviewed based on the efficiency, ease of use, and communication with other departments and organizations. Since public procurement is not generally a question of profitability, there is a controlling budget, which limits the ability of the organization to provide the latest hardware and software security. At the same time, municipalities should focus on data protection, as their databases contain sensitive information about individuals; information such as personal and medical records, and taxes.

Unfortunately, even in state-owned organizations of the country, it is difficult to protect information, and it suffers from obsolete systems, inappropriate investments, and employees of the disabled who lack the necessary information security dimension.

However, there are tensions between managerial levels. Without a general plan to create a secure environment for information technology, each episode may develop a solution to the security of information that comes from the missions, goals, and operational intentions of the same section, and may be as good as it is for a particular part. Other parts are not used too much. These different strategies may cause information security in some areas to be over-needed or less than the required level, while the presence of supervision on the part of the high-level management will ensure that security experiences are set in such a way that the organization can functionedits better.

In addition to securing its own intelligence resources, an organization must commit itself to set up a set of policies to safeguard its organization’s information. These policies play an important role in information security, but there is still a contradiction in the fact that the policy framework of the organization should be able to increase the level of security. Methods of dealing with insecurity are identified through crisis identification and insecurity and limitation of insecurity as well as its control tools.

There are sufficient information and adequate systems for the use of information as well as appropriate programs for preventing and, in the event of occurrence, controlling the crisis (proper urban programs) of the main components needed to maintain and develop information security.

Continue Reading

Intelligence

Islamic State after ISIS: Colonies without Metropole or Cyber Activism?

Published

on

With the world constantly following the events in the Middle East, much now depends on the shape, form and ‘policy’ Islamic State is going to take. What form will the IS take? What role will cryptocurrencies play in funding terrorists? How can Russia and the US cooperate in fighting mutual security threats? RIAC expert Tatyana Kanunnikova discusses these issues with Dr. Joseph Fitsanakis, Associate Professor of Political Science in the Intelligence and National Security Studies program at Coastal Carolina University.

Islamic State is perceived as an international threat. In which regions is it losing ground and in which ones is it on the rise? Could you please describe IS geography today?

Groups like the Islamic State are mobile. They tend to move and redeploy across international borders with relative ease, and are truly global in both outlook and reach. It is worth noting that, from a very early stage in its existence, the Islamic State incorporated into its administrative structure the so-called vilayets, namely semi-autonomous overseas provinces or possessions. These included parts of Libya, Afghanistan, Somalia, the Philippines, Nigeria, and of course Egypt’s Sinai Peninsula. By the first week of 2018, the Islamic State had all but eclipsed from its traditional base of the Levant. How has the loss of its administrative centers affected the organization’s strategy?

Dr. Joseph Fitsanakis

There are two competing answers to this question. The first possible answer is that ISIS’ plan is similar to that of the Great Britain in 1940, when the government of Winston Churchill was facing the prospect of invasion by the forces of the German Reich. London’s plan at the time was to use its overseas colonies as bases from which to continue to fight following a possible German takeover of the Britain. It is possible that ISIS’ strategy revolves around a similar plan —in which case we may see concerted flare-ups of insurgent activity in Egypt, Southeast Asia, Afghanistan, Somalia, Kenya, and elsewhere. The second possible answer to the question of ISIS’ strategy is that the group may be entering a period of relative dormancy, during which it will concentrate on cyber activism and online outreach aimed at young and disaffected youth in Western Europe, the Caucasus, and North America. According to this scenario, ISIS will use its formidable online dexterity to establish new communities of Millennial and Generation Z members, and renegotiate its strategy in light of the loss of physical lands in the Levant. This scenario envisages an online geography for the Islamic State, which may eventually lead to the emergence of a new model of activity. The latter will probably resemble al-Qaeda’s decentralized, cell-based model that focuses on sharp, decisive strikes at foreign targets.

Commenting for an article in Asia Times, you said that ISIS returnees are extremely valuables sources of intelligence. How can they be effectively identified in the flow of migrants? How exactly can security services exploit the experience of these militants?

In its essence, the Sunni insurgency is a demassified movement. By this I mean that its leaders have never intended for it to become a mass undertaking. The Islamic State, like al-Qaeda before it, does not depend on large numbers of followers. Rather it depends on individual mobilization. Senior Islamic State leaders like Abu Bakr al-Baghdadi, Mohamed Mahmoud, Tarad Muhammad al-Jarba, and others, have no interest in deploying 10,000 fighters who may be reluctant and weak-willed. They are content with 100 fighters who are unswerving in their commitment and prepared to devote everything to the struggle, including their lives. Consider some of the most formidable strikes of the Sunni insurgency against its enemies: the attacks of 9/11 in the United States, the 7/7 bombings in the United Kingdom, the November 2015 strikes in Paris, and the fall of Mosul in 2014. There have been more large-scale strikes on Russian, Lebanese, Afghan, Egyptian, and other targets. What connects all of those is the relatively small number of totally dedicated fighters that carried them out. The fall of Mosul, for example, which brought the Islamic State to the height of its power, was carried out by no more than 1,500 fighters, who took on two divisions of the Iraqi Army, numbering more than 30,000 troops.

The reliance on a small number of dedicated fighters mirrors the recruitment tactics of the Islamic State (and al-Qaeda before it). The latter rested on individual attention paid to selected young men, who are seen as reliable and steadfast. This is precisely the type of emphasis that should be placed by European, American and Russian security agencies on suspected members of terrorist groups that are captured, or are detected within largest groups of migrants. What is required here is individual attention given by security operatives who have an eye for detail and are knowledgeable of the culture, customs and ways of thinking of predominantly Muslim societies. However, most governments have neither the patience nor expertise to implement a truly demassified exploitation campaign that targets individuals with an eye to de-radicalization and — ultimately — exploitation. The experience of the Syrian migrants in countries like Italy and Greece is illustrative of this phenomenon. The two countries — already overwhelmed by domestic political problems and financial uncertainty — were left primarily to their own means by a disinterested and fragmented European Union. Several members of the EU, including Poland, Hungary, and the United Kingdom have for all practical purposes positioned themselves outside of the EU mainstream. At the same time, the United States, which is the main instigator of the current instability in the Middle East, shows no serious interest in de-radicalization and exploitation programs. This has been a consistent trend in Washington under the administrations of Barack Obama and Donald Trump.

In your opinion, will cryptocurrencies become a significant source of terrorism funding? Some experts believe that pressure on traditional methods of financing may facilitate this process.

In the old days of the 1970s and 1980s, most terrorist groups raised funds primarily through extortion, kidnappings, bank robberies and — to a lesser extent — drugs. Things have changed considerably in our century. Today, cryptocurrencies are not in themselves sources of funding — though it can be argued that the frequent rise in the value of many cryptocurrencies generates income for terrorist organizations — but more a method of circulating currency and providing services that generate funds. With the use of cryptocurrencies and the so-called Darknet, terrorist organizations are now able to engage in creative means of generating cash. They include the sale of pirated music, movies and, most of all, videogames. They also engage in the sale of counterfeit products, including clothing, electronics and other hi-tech accessories. Additionally, they sell counterfeit pharmaceutical products and even counterfeit tickets to high-profile sports events and music concerts. Those who buy those products often pay for them using cryptocurrencies, primarily through the Darknet. Looking at the broad picture, it is clear that the use of cryptocurrencies constitutes a form of asymmetric finance that circumvents established financial structures and operates using irregular means that for now remain largely undetected. Few terrorist groups will resist the temptation to employ this new method of unregulated financial transaction.

How can Russian and US intelligence and security services cooperate in combating terrorism? In December 2017, media reported that CIA had helped its Russian counterpart foil a terror attack in St. Petersburg. What should be done to deepen and broaden such kind of cooperation?

Despite friction on the political level, cooperation between Russian and American intelligence agencies in the field of counter-terrorism is far more routine than is generally presumed. Last December’s report of the CIA sharing intelligence with its Russian counterpart was notable in that it was publicly disclosed. Most instances of intelligence cooperation between Washington and Moscow are not publicized. In February 2016, the then CIA director John Brennan stated publicly that the CIA works closely with the Russian intelligence community in counter-terrorism operations directed against Islamist militants. He described the CIA’s relationship with Russian intelligence officials as a “very factual, informative exchange.” He added that “if the CIA gets information about threats to Russian citizens or diplomats, we will share it with the Russians”. And he added: “they do the same with us”. Brennan gave the example of the 2014 Winter Olympics in Sochi, Russia. He said: “We worked very closely with [Russian intelligence agencies]” during the Sochi games to “try to prevent terrorist attacks. And we did so very successfully”. There is no reason to doubt the sincerity of Brennan’s statement.

Professionals are always more likely to find common areas of interest. So, in what areas, apart from combating terrorism, can Russian and US intelligence services cooperate?

There is a virtually endless list of common concerns that ought to and often do bring together American and Russian intelligence agencies. To begin with, there are two major existential threats to the security of both countries and the whole world that demand close cooperation between Washington and Moscow and their respective intelligence agencies. The first threat is the black market in weapons of mass destruction, notably chemical weapons, biological agents, and even radioactive material. In the past 20 years, there have been several cases of individuals or groups trying to sell or trade radioactive substances. The fear of such weapons possibly falling into the hands of non-state insurgents should be sufficient to entice close cooperation between American and Russian intelligence agencies. The second existential threat is that of global warming and its effects on international security. It is no secret that the rise in global temperatures is already having a measurable negative impact on food production, desertification, sea-level rise, and other factors that contribute to the destabilization of the economies of entire regions. Such trends fuel militancy, political extremism, wars, and mass migrations of populations, all of which are serious threats to the stability of the international system. Solving this global problem will require increased and prolonged cooperation on the political, economic, and security/intelligence level between the United States and Russia. The two countries must also work closely on a series of other topics, including standardizing the global regulation of cryptocurrencies, diffusing tensions between the two rival nuclear powers of India and Pakistan, tackling the tensions in the Korean Peninsula, preventing the destabilization of Egypt (the world’s largest Arab country), combating the growth of Sunni militancy in West Africa, and numerous other issues.

Among other things, you are an expert in the Cold War. At present, Russia and the USA are experiencing a period of tensions in their relationship. In your opinion, what should be done in order to overcome these challenges and mend fences?

For those of us who remember the Cold War, and have studied the development of Russia–US relations in the postwar era, the current state of affairs between Washington and Moscow seems comparatively manageable. Despite tensions between Washington and Moscow, we are, thankfully, very far from an emergency of the type of the Berlin Crisis of 1961, the Cuban Missile Crisis, or even the 1984 collision between the US plane carrier Kitty Hawk and the K-314 Soviet submarine in the Sea of Japan. How do we avoid such dangerous escalations? The answer is simple: regularize communications between the two countries on various levels, including executive, political, economic and security-related. Such communications should continue even or, arguably, especially at times of rising tensions between the two nations. The overall context of this approach rests on the indisputable truth that Russia and the United States are the two central pillars on which the idea of world peace can be built for future generations.

First published in our partner RIAC

*Dr. Joseph Fitsanakis is Associate Professor of Political Science in the Intelligence and National Security Studies program at Coastal Carolina University. Prior to joining Coastal, he built the Security and Intelligence Studies program at King University, where he also directed the King Institute for Security and Intelligence Studies. An award-winning professor, Dr. Fitsanakis has lectured, taught and written extensively on subjects such as international security, intelligence, cyberespionage, and transnational crime. He is a syndicated columnist and frequent contributor to news media such as BBC television and radio, ABC Radio, Newsweek, and Sputnik, and his work has been referenced in outlets including The Washington Post, Foreign Policy, Politico, and The Huffington Post. Fitsanakis is also deputy director of the European Intelligence Academy and senior editor at intelNews.org, a scholarly blog that is cataloged through the United States Library of Congress, and a syndicated columnist.

Continue Reading

Intelligence

How security decisions go wrong?

Sajad Abedi

Published

on

Photo by Ryan Young on Unsplash

Information warfare is primarily a construct of a ‘war mindset’. However, the development of information operations from it has meant that the concepts have been transferred from military to civilian affairs. The contemporary involvement between the media, the military, and the media in the contemporary world of the ‘War on Terrorism’ has meant the distinction between war and peace is difficult to make. However, below the application of deception in the military context is described but it must be added that the dividing line is blurred.

The correct control of security often depends on decisions under uncertainty. Using quantified information about risk, one may hope to achieve more precise control by making better decisions.

Security is both a normative and descriptive problem. We would like to normatively how to make correct decisions about security, but also descriptively understand follow where security decisions may go wrong. According to Schneider, security risk is both a subjective feeling and an objective reality, and sometimes those two views are different so that we fail acting correctly. Assuming that people act on perceived rather than actual risks, we will sometimes do things we should avoid, and sometimes fail to act like we should. In security, people may both feel secure when they are not, and feel insecure when they are actually secure. With the recent attempts in security that aim to quantifying security properties, also known as security metrics, I am interested in how to achieve correct metrics that can help a decision-maker control security. But would successful quantification be the end of the story?

The aim of this note is to explore the potential difference between correct and actual security decisions when people are supposed to decide and act based on quantified information about risky options. If there is a gap between correct and actual decisions, how can we begin to model and characterize it? How large is it, and where can someone maybe exploit it? What can be done to fix and close it? As a specific example, this note considers the impact of using risk as security metric for decision-making in security. The motivation to use risk is two-fold. First, risk is a well-established concept that has been applied in numerous ways to understand information security and often assumed as a good metric. Second, I believe that it is currently the only well-developed reasonable candidate that aims to involve two necessary aspects when it comes to the control of operational security: asset value and threat uncertainty. Good information security is often seen as risk management, which will depend on methods to assess those risks correctly. However, this work examines potential threats and shortcomings concerning the usability of correctly quantified risk for security decisions.

I consider a system that a decision-maker needs to protect in an environment with uncertain threats. Furthermore, I also assume that the decision-maker wants to maximize some kind of security utility (the utility of security controls available) when making decisions regarding to different security controls. These different parts of the model vary greatly between different scenarios and little can be done to model detailed security decisions in general. Still, we think that this is an appropriate framework to understand the need of security metrics. One way, maybe often the standard way, to view security as a decision problem is that threats arise in the system and environment, and that the decision-maker needs to take care of those threats with available information, using some appropriate cost-benefit tradeoff. However, this common view overlooks threats with faults that are made by the decision-maker. I believe that many security failures should be seen in the light of limits (or potential faults) of the decision-maker when she, with best intentions, attempts to achieve security goals (maximizing security utility) by deciding between different security options.

I loosely think of correct decisions as maximization of utility, in a way to be specified later.

Information security is increasingly seen as not only fulfillment of Confidentiality, Integrity and Availability, but as protecting against a number of threats having by doing correct economic tradeoffs. A growing research into the economics of information security during the last decade aims to understand security problems in terms of economic factors and incentives among agents making decisions about security, typically assumed to aim at maximizing their utility. Such analysis is made by treating economic factors as equally important in explaining security problems as properties inherent in the systems that are to be protected. It is thus natural to view the control of security as a sequence of decisions that have to be made as new information appears about an uncertain threat environment. Seen in the light of this and that obtaining security information usually in it is cost, I think that any usage of security metrics must be related to allowing more rational decisions with respect to security. It is in this way I consider security metrics and decisions in the following.

The basic way to understand any decision-making situation is to consider which kind of information the decision-maker will have available to form the basis of judgments. For people, both the available information, but also potentially the way in which it is framed (presented), may affect how well decisions will be made to ensure goals. One of the common requirements on security metrics is that they should be able to guide decisions and actions to reach security goals. However, it is an open question how to make a security metric usable and ensuring such usage will be correct (with respect to achieving goals) comes with challenges. The idea to use quantified risk as a metric for decisions can be split up into two steps. First do objective risk analysis using both assessment of system vulnerabilities and available threats in order to measure security risk. Second, present these results in a usable way so that the decision-maker can make correct and rational decisions.

While both of these steps present considerable challenges to using good security metrics, I consider why decisions using quantified security risk as a metric may go wrong in the second step. Lacking information about security properties of a system clearly limits the security decisions, but I fear that introducing metrics do not necessarily improve them;this may be due to 1) that information is incorrect or imprecise, or 2) that usage will be incorrect. This work takes the second view and we argue that even with perfect risk assessment, it may not be obvious that security decisions will always improve. I am thus seeking properties in risky decision problems that actually predict the overall goal – maximizing utility – to be, or not to be, fulfilled. More specifically, we need to find properties in quantifications that may put decision-making at risk of going wrong.

The way to understand where security decisions go wrong is by using how people are predicted to act on perceived rather than actual risk. I thus need to use both normative and descriptive models of decision-making under risk. For normative decisions, I use the well-established economic principle of maximizing expected utility. But for the descriptive part, I note that decision faults on risky decisions not only happen in various situations, but have remarkably been shown to happen systematically describe by models from behavioral economics.

I have considered when quantified risk is being used by people making security decisions. An exploration of the parameter space in two simple problems showed that results from behavioral economics may have impact on the usability of quantitative risk methods. The results visualized do not lend themselves to easy and intuitive explanations, but I view my results as a first systematic step towards understanding security problems with quantitative information.

There have been many proposals to quantify risk for information security, mostly in order to allow better security decisions. But a blind belief in quantification itself seems unwise, even if it is made correctly. Behavioral economics shows systematic deviations of weighting when people act on explicit risk. This is likely to threaten security and its goals as security is increasingly seen as the management of economical trade-offs. I think that these findings can be used partially to predict or understand wrong security decisions depending on risk information. Furthermore, this motivates the study how strategic agents may manipulate, or attack, the perception of a risky decision.

Even though any descriptive model of human decision-making is approximate at best, I still believe this work gives a well-articulated argument regarding threats with using explicit risk as security metric. My approach may also be understood in terms of standard system specification and threat models: economic rationality in this case is the specification, and the threat depends on bias for risk information. I also studied a way of correcting the problem with reframing for two simple security decision scenarios, but only got partial predictive support for fixing problems this way. Furthermore, I have not found such numerical examinations in behavioral economics to date.

Further work on this topic needs to empirically confirm or reject these predictions and study to which degree they occur (even though previous work clearly makes the hypothesis clearly plausible at least to some degree) in a security context. Furthermore, I think that similar issues may also arise with several forms of quantified information for security decisions.

These questions may also be extended to consider several self-interested parties. in game-theoretical situations. Another topic is using different utility functions, and where it may be normative to be economically risk-aversive rather than risk-neutral. With respect to the problems outlined, rational decision-making is a natural way to understand and motivate the control of security and requirements on security metrics. But when selecting the format of information, a problem is also partially about usability. Usability faults often turn into security problems, which is also likely for quantified risk. In the end the challenge is to provide users with usable security information, and even more broadly investigate what kind of support is required for decisions. This is clearly a topic for further research since introducing quantified risk is not without problems. Using knowledge from economics and psychology seems necessary to understand the correct control of security.

Continue Reading

Latest

Newsletter

Trending

Copyright © 2018 Modern Diplomacy