Connect with us

Intelligence

The current Syrian issue

Giancarlo Elia Valori

Published

on

In spite of confidentiality, which is obvious in these cases, President Obama’s plan for Syria was announced a few days ago. Firstly, the secret Presidential directives aim at conquering Mosul by mid-December next and the forces that will liberate the city will be some groups of the US Special Forces, in addition to five US-led Iraqi army divisions.

Furthermore, the agreement between President Obama and the Head of the Autonomous Province of Iraqi Kurdistan, Massud Barzani, envisages that: a) the Kurdish Peshmerga will attack Mosul from the North and from the East; b) the United States will ensure a safety zone from Mosul up to the borders of Barzani’s Kurdistan; c) the United States will prevent the Shiite militias from taking part in military actions and will undertake not to let the Shiite militias enter the cities with a Sunni majority.

Incidentally, the plan for liberating Mosul is the same as the one developed by the United States to leave ISIS out of Tikrit, Ramadi and Fallujah, which indeed failed, as you may recall.

The United States will also coopt the Al-Mutahidun coalition led by Osama Al Nujaifi. As Speaker of the Iraqi House of Representatives, Al Nujaifi, is the highest-ranking Sunni politician in a country with a Shiite majority where, indeed, the longa manus of Iran is often felt.

At military level, in particular, the offensive on Raqqa will be carried out at the same time as the one on Mosul.

The United States will mainly launch an air offensive, with targeted bombings on ISIS military and political infrastructure.

As reported in the documents, the US command will have control over the Russian and Syrian flights on ISIS territory.

This is obvious: Putin has already won its war for influence over the Middle East and hence he does not need to make the war in Syria inveterate.

Nor must we forget the terrible blunder committed by US Vice- President, Joe Biden, when, during his trip to Ankara on August 24 last, he urged the same Kurdish militia that should now participate in the attack against ISIS to retreat along the East bank of the Euphrates, thus following the advice of the Turkish leader Erdogan.

Will the Kurds follow the US orders? We are afraid not. The conquest of Raqqa and Mosul will most likely lead to a de facto separation between Russian, Kurdish and Syrian operations on the ground and those of the pro-US Kurds, at least partially.

And what about the Syrians? It will be hard for Bashar al-Assad’s forces to forget what happened in Deir Al Zur on September 13 last, when US planes hit Syrian forces that clashed with ISIS, leaving 62 dead on the ground.

Not even this will be easily forgotten by the Syrian Arab Army.

Also Russia has a long memory, after the failure of the ceasefire on September 9 last.

The US strategy is now clear. The United States do not want to do favours to Russia, which remains a “strategic rival”, and are not interested in a united Syria.

The US basic idea is the following: if the Syrian regime collapses – and the recent successes seem to make this possibility more unlikely – the United States will create a “war curtain” which will block the strategic continuity between Syria and Iraq and, in the future, will lead to the partition of Syria, thus making it unusable for Russia and China.

The war theatre will stretch from Idlib to Abu Qamal through Aleppo, Raqqa and Deir El Zur – an area which will be truncated horizontally by a Kurdish entity in the North. Briefly Syria as the “Libya of the East”.

However, which is Russia’s current strategic logic in Syria?

Firstly, Russia makes a careful cost-benefit analysis for each war effort.

As the former Italian President, Francesco Cossiga, used to say, “the United States are always about to wage a war, but then they not know how to lead it”.

Moreover, Russia is aware of the fact that an inter-ethnic and inter-religious war is virtually endless and that only negotiations can really stop it.

Insofar as Russia has taken most of its air forces away from the Syrian theatre, although maintaining its bases, it forces both Assad’ Syria and the so-called “rebels” to take the ceasefire of September 12 seriously, while credibly putting pressures on both Saudi Arabia and Turkey, without abandoning Assad’ Syria or its relationship with Iran to its fate.

Nevertheless Iran stated that the splitting up of Syria would lead to a “New Armageddon”, whereas Russia said it could also accept a federal Syria.

The Russian success is now clear: Russia has avoided Turkey creating a statelet depending on Ankara, while the idea of a federal State has electrified the Kurdish minority.

While the United States wage war as a quasi-metaphysical solution to the struggle between good and evil, Russia’s recourse to weapons paves the way for a positive peace – it is a political instrument, not a phase in which, according to Carl von Clausewitz, politics is suspended. Furthermore, from an economic viewpoint, Russia needs Turkey. Turkey is the second largest buyer of Russian energy after Germany, while Russia imports large amounts of agrifood products from Turkey, especially after the silly sanctions which have brought the EU economy – and Italy’s in particular – to its knees.

Turkey, however, remains the largest buyer of Russian wheat.

Our politicians are good only to say yes to their Masters, who do not care about them. They still live in a Cold War perspective and no one can wake them up from their old dream.

Another problem for Russia, which has already been solved, is the clash with Saudi Arabia.

Russia rightly believes that Saudi Arabia is the base of Middle East jihadism and of the global “holy war”, which is precisely the Saudi instrument for world hegemony, the other side of oil.

On the other hand, Russia wants to maintain good relations with Saudi Arabia so as to support the oil barrel price, which is too low for the fragile Russian economy. It also wants to show to be friendly vis-à-vis the Muslims residing on its own territory, except for the Wahabi minorities in the Caucasus and Central Asia, that are in line with Saudi interest.

A chess game which avoids war and succeeds in punishing Russia’s enemies.

The same holds true for Iran. Russia does not like the JCPOA reached between Iran and the West – indeed, with its support.

An old Russian diplomat used to say that a “pro-American Iran is more dangerous for us than a nuclear Iran”.

The doors opened with Turkey and Saudi Arabia are needed by Russia to counterbalance Iran and make it understand it is a marriage of convenience.

Hence, by using the old and never failed system of the balance of power, Russia has managed to become again a great global power and avoid the long exhausting war in Syria, by forcing Assad to negotiate, and above all to defend Russia’s national interest.

While the West’s international relations are now devoted to the nonsense of “human rights” and to bring democracy, Russia is proving to be the only world country where foreign policy is not implemented by thinking to female or black voters.

Advisory Board Co-chair Honoris Causa Professor Giancarlo Elia Valori is an eminent Italian economist and businessman. He holds prestigious academic distinctions and national orders. Mr Valori has lectured on international affairs and economics at the world’s leading universities such as Peking University, the Hebrew University of Jerusalem and the Yeshiva University in New York. He currently chairs "La Centrale Finanziaria Generale Spa", he is also the honorary president of Huawei Italy, economic adviser to the Chinese giant HNA Group and member of the Ayan-Holding Board. In 1992 he was appointed Officier de la Légion d'Honneur de la République Francaise, with this motivation: "A man who can see across borders to understand the world” and in 2002 he received the title of "Honorable" of the Académie des Sciences de l'Institut de France

Continue Reading
Comments

Intelligence

Information challenges in security agencies

Sajad Abedi

Published

on

An effort to maintain information security is the responsibility of each individual. This person can be a normal user, technical expert, system administrator, network leader and manager of a system or network in the organization. Paying attention to the importance of information security makes it necessary to ensure the necessary protection of systems and the use of an effective set of security policies is an important step in ensuring this.

In most cases, computers and information will be protected from unauthorized access, and the information can be exchanged securely on the network with others. Information security in electronic organizations, especially municipalities, has been emphasized as one of the basic infrastructures and requirements, because their databases contain confidential information from citizens or customers.

Adopting appropriate security policies and implementing them reduces the risk of sudden loss of information, makes it much more difficult to access the system and provides security tools for detecting attacks and fixing security breaches. To maintain confidential information and to help integrate programs and information stored, a combination of policy making and implementation should be undertaken. This paper covers various components of effective security policies for e-organizations, especially municipal organizations.

In small organizations, the information security requirements can easily be met, and everyone is responsible for their computers and their files.

However, for larger groups such as organizations dealing with business transactions or groups that hold confidential data from citizens or customers (such as municipalities), the need for more formal security policies and procedures becomes more important.

When managers and employees consider the issue of information security, they will always face similar issues. As a result, attention to the role of information as a valuable commodity in today’s trade and the need to protect it is necessary.

Each group needs a certain level of security for its information and clear procedures for implementation by employees, the ability to create and maintain awareness of the needs of customers, and an understanding of how security policies are implemented in an operational environment.

Managers must pay close attention to information security policies in order to achieve their goals. Also, understanding the cost of implementing effective security policies is very important. Technologies Security procedures are a kind of investment and should be evaluated against the cost of likely losses.

Information is like blood in the veins of the organization and without the information of the board of directors (the company’s brain) cannot make key decisions, and the purchasing and financial resources (mouth, heart, etc.) cannot obtain the resources they need to survive the organization’s life.

The role of data and information is crucial in the management of organizations, the more the information system of an organization is more accurate, coherent and systematic, the better the organization can achieve its goals.

Regarding the importance of information, it can be said that the discussion of access to information and, on the other hand, the security and protection of information on the national level have been raised for rulers and managers since ancient times. Access to information can lead to the destruction of the organization. The possibility of data loss due to physical factors and threats to the information of the organization exists. But with the development of information technology and the use of information as a commercial tool and profitable capital, the issue of information security is a new dimension. In today’s trade, information plays the role of capital of a company, and the protection of information in the organization is one of the key pillars of its survival. In this way, categorizing and valuing and protecting information resources is very important and important.

In today’s world, the more we go into machining; the other face-to-face relationships and old solutions cannot answer our problems. In today’s cities, we are faced with increasing levels of traffic and, consequently, increasing urban traffic. Previous paperwork can no longer be an appropriate method for addressing the administrative work of citizens. Of these important organizations, such as the municipalities in the big cities, which are somehow the heart of the city, we must abandon the previous methods and enter the world of information technology and the e-government world.

This is where the Municipal Electronic and Information Technology (IT) have a crucial role in most municipal organizations. After the implementation of the electronic program of municipal services, citizens through their international networks or the Internet can provide their services, such as paying tolls, repairs, fees, and application fees, electronic referrals, and circular letters in various stages Receive in the municipality without a face-to-face visit to the municipality.

Nowadays, IT infrastructure is in an environment that is increasingly being added to the number of enemies and attackers who are not interested in continuous, reliable, and useful computer systems. A world where activities are much faster and more reliable and do not require population density in the physical world. We have to think about ways to reduce urban traffic, the cost of doing work, confrontations, mental ill-health, corruption, etc. that we face every day in municipal organizations, and it is the best solution to create an active and dynamic security framework for each organization.

Implementation and deployment of information security in organizations may be reviewed based on the efficiency, ease of use, and communication with other departments and organizations. Since public procurement is not generally a question of profitability, there is a controlling budget, which limits the ability of the organization to provide the latest hardware and software security. At the same time, municipalities should focus on data protection, as their databases contain sensitive information about individuals; information such as personal and medical records, and taxes.

Unfortunately, even in state-owned organizations of the country, it is difficult to protect information, and it suffers from obsolete systems, inappropriate investments, and employees of the disabled who lack the necessary information security dimension.

However, there are tensions between managerial levels. Without a general plan to create a secure environment for information technology, each episode may develop a solution to the security of information that comes from the missions, goals, and operational intentions of the same section, and may be as good as it is for a particular part. Other parts are not used too much. These different strategies may cause information security in some areas to be over-needed or less than the required level, while the presence of supervision on the part of the high-level management will ensure that security experiences are set in such a way that the organization can functionedits better.

In addition to securing its own intelligence resources, an organization must commit itself to set up a set of policies to safeguard its organization’s information. These policies play an important role in information security, but there is still a contradiction in the fact that the policy framework of the organization should be able to increase the level of security. Methods of dealing with insecurity are identified through crisis identification and insecurity and limitation of insecurity as well as its control tools.

There are sufficient information and adequate systems for the use of information as well as appropriate programs for preventing and, in the event of occurrence, controlling the crisis (proper urban programs) of the main components needed to maintain and develop information security.

Continue Reading

Intelligence

Islamic State after ISIS: Colonies without Metropole or Cyber Activism?

Published

on

With the world constantly following the events in the Middle East, much now depends on the shape, form and ‘policy’ Islamic State is going to take. What form will the IS take? What role will cryptocurrencies play in funding terrorists? How can Russia and the US cooperate in fighting mutual security threats? RIAC expert Tatyana Kanunnikova discusses these issues with Dr. Joseph Fitsanakis, Associate Professor of Political Science in the Intelligence and National Security Studies program at Coastal Carolina University.

Islamic State is perceived as an international threat. In which regions is it losing ground and in which ones is it on the rise? Could you please describe IS geography today?

Groups like the Islamic State are mobile. They tend to move and redeploy across international borders with relative ease, and are truly global in both outlook and reach. It is worth noting that, from a very early stage in its existence, the Islamic State incorporated into its administrative structure the so-called vilayets, namely semi-autonomous overseas provinces or possessions. These included parts of Libya, Afghanistan, Somalia, the Philippines, Nigeria, and of course Egypt’s Sinai Peninsula. By the first week of 2018, the Islamic State had all but eclipsed from its traditional base of the Levant. How has the loss of its administrative centers affected the organization’s strategy?

Dr. Joseph Fitsanakis

There are two competing answers to this question. The first possible answer is that ISIS’ plan is similar to that of the Great Britain in 1940, when the government of Winston Churchill was facing the prospect of invasion by the forces of the German Reich. London’s plan at the time was to use its overseas colonies as bases from which to continue to fight following a possible German takeover of the Britain. It is possible that ISIS’ strategy revolves around a similar plan —in which case we may see concerted flare-ups of insurgent activity in Egypt, Southeast Asia, Afghanistan, Somalia, Kenya, and elsewhere. The second possible answer to the question of ISIS’ strategy is that the group may be entering a period of relative dormancy, during which it will concentrate on cyber activism and online outreach aimed at young and disaffected youth in Western Europe, the Caucasus, and North America. According to this scenario, ISIS will use its formidable online dexterity to establish new communities of Millennial and Generation Z members, and renegotiate its strategy in light of the loss of physical lands in the Levant. This scenario envisages an online geography for the Islamic State, which may eventually lead to the emergence of a new model of activity. The latter will probably resemble al-Qaeda’s decentralized, cell-based model that focuses on sharp, decisive strikes at foreign targets.

Commenting for an article in Asia Times, you said that ISIS returnees are extremely valuables sources of intelligence. How can they be effectively identified in the flow of migrants? How exactly can security services exploit the experience of these militants?

In its essence, the Sunni insurgency is a demassified movement. By this I mean that its leaders have never intended for it to become a mass undertaking. The Islamic State, like al-Qaeda before it, does not depend on large numbers of followers. Rather it depends on individual mobilization. Senior Islamic State leaders like Abu Bakr al-Baghdadi, Mohamed Mahmoud, Tarad Muhammad al-Jarba, and others, have no interest in deploying 10,000 fighters who may be reluctant and weak-willed. They are content with 100 fighters who are unswerving in their commitment and prepared to devote everything to the struggle, including their lives. Consider some of the most formidable strikes of the Sunni insurgency against its enemies: the attacks of 9/11 in the United States, the 7/7 bombings in the United Kingdom, the November 2015 strikes in Paris, and the fall of Mosul in 2014. There have been more large-scale strikes on Russian, Lebanese, Afghan, Egyptian, and other targets. What connects all of those is the relatively small number of totally dedicated fighters that carried them out. The fall of Mosul, for example, which brought the Islamic State to the height of its power, was carried out by no more than 1,500 fighters, who took on two divisions of the Iraqi Army, numbering more than 30,000 troops.

The reliance on a small number of dedicated fighters mirrors the recruitment tactics of the Islamic State (and al-Qaeda before it). The latter rested on individual attention paid to selected young men, who are seen as reliable and steadfast. This is precisely the type of emphasis that should be placed by European, American and Russian security agencies on suspected members of terrorist groups that are captured, or are detected within largest groups of migrants. What is required here is individual attention given by security operatives who have an eye for detail and are knowledgeable of the culture, customs and ways of thinking of predominantly Muslim societies. However, most governments have neither the patience nor expertise to implement a truly demassified exploitation campaign that targets individuals with an eye to de-radicalization and — ultimately — exploitation. The experience of the Syrian migrants in countries like Italy and Greece is illustrative of this phenomenon. The two countries — already overwhelmed by domestic political problems and financial uncertainty — were left primarily to their own means by a disinterested and fragmented European Union. Several members of the EU, including Poland, Hungary, and the United Kingdom have for all practical purposes positioned themselves outside of the EU mainstream. At the same time, the United States, which is the main instigator of the current instability in the Middle East, shows no serious interest in de-radicalization and exploitation programs. This has been a consistent trend in Washington under the administrations of Barack Obama and Donald Trump.

In your opinion, will cryptocurrencies become a significant source of terrorism funding? Some experts believe that pressure on traditional methods of financing may facilitate this process.

In the old days of the 1970s and 1980s, most terrorist groups raised funds primarily through extortion, kidnappings, bank robberies and — to a lesser extent — drugs. Things have changed considerably in our century. Today, cryptocurrencies are not in themselves sources of funding — though it can be argued that the frequent rise in the value of many cryptocurrencies generates income for terrorist organizations — but more a method of circulating currency and providing services that generate funds. With the use of cryptocurrencies and the so-called Darknet, terrorist organizations are now able to engage in creative means of generating cash. They include the sale of pirated music, movies and, most of all, videogames. They also engage in the sale of counterfeit products, including clothing, electronics and other hi-tech accessories. Additionally, they sell counterfeit pharmaceutical products and even counterfeit tickets to high-profile sports events and music concerts. Those who buy those products often pay for them using cryptocurrencies, primarily through the Darknet. Looking at the broad picture, it is clear that the use of cryptocurrencies constitutes a form of asymmetric finance that circumvents established financial structures and operates using irregular means that for now remain largely undetected. Few terrorist groups will resist the temptation to employ this new method of unregulated financial transaction.

How can Russian and US intelligence and security services cooperate in combating terrorism? In December 2017, media reported that CIA had helped its Russian counterpart foil a terror attack in St. Petersburg. What should be done to deepen and broaden such kind of cooperation?

Despite friction on the political level, cooperation between Russian and American intelligence agencies in the field of counter-terrorism is far more routine than is generally presumed. Last December’s report of the CIA sharing intelligence with its Russian counterpart was notable in that it was publicly disclosed. Most instances of intelligence cooperation between Washington and Moscow are not publicized. In February 2016, the then CIA director John Brennan stated publicly that the CIA works closely with the Russian intelligence community in counter-terrorism operations directed against Islamist militants. He described the CIA’s relationship with Russian intelligence officials as a “very factual, informative exchange.” He added that “if the CIA gets information about threats to Russian citizens or diplomats, we will share it with the Russians”. And he added: “they do the same with us”. Brennan gave the example of the 2014 Winter Olympics in Sochi, Russia. He said: “We worked very closely with [Russian intelligence agencies]” during the Sochi games to “try to prevent terrorist attacks. And we did so very successfully”. There is no reason to doubt the sincerity of Brennan’s statement.

Professionals are always more likely to find common areas of interest. So, in what areas, apart from combating terrorism, can Russian and US intelligence services cooperate?

There is a virtually endless list of common concerns that ought to and often do bring together American and Russian intelligence agencies. To begin with, there are two major existential threats to the security of both countries and the whole world that demand close cooperation between Washington and Moscow and their respective intelligence agencies. The first threat is the black market in weapons of mass destruction, notably chemical weapons, biological agents, and even radioactive material. In the past 20 years, there have been several cases of individuals or groups trying to sell or trade radioactive substances. The fear of such weapons possibly falling into the hands of non-state insurgents should be sufficient to entice close cooperation between American and Russian intelligence agencies. The second existential threat is that of global warming and its effects on international security. It is no secret that the rise in global temperatures is already having a measurable negative impact on food production, desertification, sea-level rise, and other factors that contribute to the destabilization of the economies of entire regions. Such trends fuel militancy, political extremism, wars, and mass migrations of populations, all of which are serious threats to the stability of the international system. Solving this global problem will require increased and prolonged cooperation on the political, economic, and security/intelligence level between the United States and Russia. The two countries must also work closely on a series of other topics, including standardizing the global regulation of cryptocurrencies, diffusing tensions between the two rival nuclear powers of India and Pakistan, tackling the tensions in the Korean Peninsula, preventing the destabilization of Egypt (the world’s largest Arab country), combating the growth of Sunni militancy in West Africa, and numerous other issues.

Among other things, you are an expert in the Cold War. At present, Russia and the USA are experiencing a period of tensions in their relationship. In your opinion, what should be done in order to overcome these challenges and mend fences?

For those of us who remember the Cold War, and have studied the development of Russia–US relations in the postwar era, the current state of affairs between Washington and Moscow seems comparatively manageable. Despite tensions between Washington and Moscow, we are, thankfully, very far from an emergency of the type of the Berlin Crisis of 1961, the Cuban Missile Crisis, or even the 1984 collision between the US plane carrier Kitty Hawk and the K-314 Soviet submarine in the Sea of Japan. How do we avoid such dangerous escalations? The answer is simple: regularize communications between the two countries on various levels, including executive, political, economic and security-related. Such communications should continue even or, arguably, especially at times of rising tensions between the two nations. The overall context of this approach rests on the indisputable truth that Russia and the United States are the two central pillars on which the idea of world peace can be built for future generations.

First published in our partner RIAC

*Dr. Joseph Fitsanakis is Associate Professor of Political Science in the Intelligence and National Security Studies program at Coastal Carolina University. Prior to joining Coastal, he built the Security and Intelligence Studies program at King University, where he also directed the King Institute for Security and Intelligence Studies. An award-winning professor, Dr. Fitsanakis has lectured, taught and written extensively on subjects such as international security, intelligence, cyberespionage, and transnational crime. He is a syndicated columnist and frequent contributor to news media such as BBC television and radio, ABC Radio, Newsweek, and Sputnik, and his work has been referenced in outlets including The Washington Post, Foreign Policy, Politico, and The Huffington Post. Fitsanakis is also deputy director of the European Intelligence Academy and senior editor at intelNews.org, a scholarly blog that is cataloged through the United States Library of Congress, and a syndicated columnist.

Continue Reading

Intelligence

How security decisions go wrong?

Sajad Abedi

Published

on

Photo by Ryan Young on Unsplash

Information warfare is primarily a construct of a ‘war mindset’. However, the development of information operations from it has meant that the concepts have been transferred from military to civilian affairs. The contemporary involvement between the media, the military, and the media in the contemporary world of the ‘War on Terrorism’ has meant the distinction between war and peace is difficult to make. However, below the application of deception in the military context is described but it must be added that the dividing line is blurred.

The correct control of security often depends on decisions under uncertainty. Using quantified information about risk, one may hope to achieve more precise control by making better decisions.

Security is both a normative and descriptive problem. We would like to normatively how to make correct decisions about security, but also descriptively understand follow where security decisions may go wrong. According to Schneider, security risk is both a subjective feeling and an objective reality, and sometimes those two views are different so that we fail acting correctly. Assuming that people act on perceived rather than actual risks, we will sometimes do things we should avoid, and sometimes fail to act like we should. In security, people may both feel secure when they are not, and feel insecure when they are actually secure. With the recent attempts in security that aim to quantifying security properties, also known as security metrics, I am interested in how to achieve correct metrics that can help a decision-maker control security. But would successful quantification be the end of the story?

The aim of this note is to explore the potential difference between correct and actual security decisions when people are supposed to decide and act based on quantified information about risky options. If there is a gap between correct and actual decisions, how can we begin to model and characterize it? How large is it, and where can someone maybe exploit it? What can be done to fix and close it? As a specific example, this note considers the impact of using risk as security metric for decision-making in security. The motivation to use risk is two-fold. First, risk is a well-established concept that has been applied in numerous ways to understand information security and often assumed as a good metric. Second, I believe that it is currently the only well-developed reasonable candidate that aims to involve two necessary aspects when it comes to the control of operational security: asset value and threat uncertainty. Good information security is often seen as risk management, which will depend on methods to assess those risks correctly. However, this work examines potential threats and shortcomings concerning the usability of correctly quantified risk for security decisions.

I consider a system that a decision-maker needs to protect in an environment with uncertain threats. Furthermore, I also assume that the decision-maker wants to maximize some kind of security utility (the utility of security controls available) when making decisions regarding to different security controls. These different parts of the model vary greatly between different scenarios and little can be done to model detailed security decisions in general. Still, we think that this is an appropriate framework to understand the need of security metrics. One way, maybe often the standard way, to view security as a decision problem is that threats arise in the system and environment, and that the decision-maker needs to take care of those threats with available information, using some appropriate cost-benefit tradeoff. However, this common view overlooks threats with faults that are made by the decision-maker. I believe that many security failures should be seen in the light of limits (or potential faults) of the decision-maker when she, with best intentions, attempts to achieve security goals (maximizing security utility) by deciding between different security options.

I loosely think of correct decisions as maximization of utility, in a way to be specified later.

Information security is increasingly seen as not only fulfillment of Confidentiality, Integrity and Availability, but as protecting against a number of threats having by doing correct economic tradeoffs. A growing research into the economics of information security during the last decade aims to understand security problems in terms of economic factors and incentives among agents making decisions about security, typically assumed to aim at maximizing their utility. Such analysis is made by treating economic factors as equally important in explaining security problems as properties inherent in the systems that are to be protected. It is thus natural to view the control of security as a sequence of decisions that have to be made as new information appears about an uncertain threat environment. Seen in the light of this and that obtaining security information usually in it is cost, I think that any usage of security metrics must be related to allowing more rational decisions with respect to security. It is in this way I consider security metrics and decisions in the following.

The basic way to understand any decision-making situation is to consider which kind of information the decision-maker will have available to form the basis of judgments. For people, both the available information, but also potentially the way in which it is framed (presented), may affect how well decisions will be made to ensure goals. One of the common requirements on security metrics is that they should be able to guide decisions and actions to reach security goals. However, it is an open question how to make a security metric usable and ensuring such usage will be correct (with respect to achieving goals) comes with challenges. The idea to use quantified risk as a metric for decisions can be split up into two steps. First do objective risk analysis using both assessment of system vulnerabilities and available threats in order to measure security risk. Second, present these results in a usable way so that the decision-maker can make correct and rational decisions.

While both of these steps present considerable challenges to using good security metrics, I consider why decisions using quantified security risk as a metric may go wrong in the second step. Lacking information about security properties of a system clearly limits the security decisions, but I fear that introducing metrics do not necessarily improve them;this may be due to 1) that information is incorrect or imprecise, or 2) that usage will be incorrect. This work takes the second view and we argue that even with perfect risk assessment, it may not be obvious that security decisions will always improve. I am thus seeking properties in risky decision problems that actually predict the overall goal – maximizing utility – to be, or not to be, fulfilled. More specifically, we need to find properties in quantifications that may put decision-making at risk of going wrong.

The way to understand where security decisions go wrong is by using how people are predicted to act on perceived rather than actual risk. I thus need to use both normative and descriptive models of decision-making under risk. For normative decisions, I use the well-established economic principle of maximizing expected utility. But for the descriptive part, I note that decision faults on risky decisions not only happen in various situations, but have remarkably been shown to happen systematically describe by models from behavioral economics.

I have considered when quantified risk is being used by people making security decisions. An exploration of the parameter space in two simple problems showed that results from behavioral economics may have impact on the usability of quantitative risk methods. The results visualized do not lend themselves to easy and intuitive explanations, but I view my results as a first systematic step towards understanding security problems with quantitative information.

There have been many proposals to quantify risk for information security, mostly in order to allow better security decisions. But a blind belief in quantification itself seems unwise, even if it is made correctly. Behavioral economics shows systematic deviations of weighting when people act on explicit risk. This is likely to threaten security and its goals as security is increasingly seen as the management of economical trade-offs. I think that these findings can be used partially to predict or understand wrong security decisions depending on risk information. Furthermore, this motivates the study how strategic agents may manipulate, or attack, the perception of a risky decision.

Even though any descriptive model of human decision-making is approximate at best, I still believe this work gives a well-articulated argument regarding threats with using explicit risk as security metric. My approach may also be understood in terms of standard system specification and threat models: economic rationality in this case is the specification, and the threat depends on bias for risk information. I also studied a way of correcting the problem with reframing for two simple security decision scenarios, but only got partial predictive support for fixing problems this way. Furthermore, I have not found such numerical examinations in behavioral economics to date.

Further work on this topic needs to empirically confirm or reject these predictions and study to which degree they occur (even though previous work clearly makes the hypothesis clearly plausible at least to some degree) in a security context. Furthermore, I think that similar issues may also arise with several forms of quantified information for security decisions.

These questions may also be extended to consider several self-interested parties. in game-theoretical situations. Another topic is using different utility functions, and where it may be normative to be economically risk-aversive rather than risk-neutral. With respect to the problems outlined, rational decision-making is a natural way to understand and motivate the control of security and requirements on security metrics. But when selecting the format of information, a problem is also partially about usability. Usability faults often turn into security problems, which is also likely for quantified risk. In the end the challenge is to provide users with usable security information, and even more broadly investigate what kind of support is required for decisions. This is clearly a topic for further research since introducing quantified risk is not without problems. Using knowledge from economics and psychology seems necessary to understand the correct control of security.

Continue Reading

Latest

Newsletter

Trending

Copyright © 2018 Modern Diplomacy