Connect with us


President Trump’s new Director of Central Intelligence (DCI)

Giancarlo Elia Valori



[yt_dropcap type=”square” font=”” size=”14″ color=”#000″ background=”#fff” ] D [/yt_dropcap]aniel Ray “Dan” Coats is the new Director of Central Intelligence (DCI) appointed by President Trump – a designation everyone was awaiting since last January. The DCI is a rather controversial figure in the wide and too much fragmented world of the US intelligence agencies.

The Director of Central Intelligence is a post created in 2004 after the evident failure of the main US intelligence services on September 11. Nevertheless it was often opposed by the CIA and NSA Directors who sometimes blocked every news flow from Langley to the DCI office –   as happened in 2009 when Leon Panetta was the CIA Director.

Dan Coats was a member of the House of Representatives from 1981 to 1989 and later replaced Dan Qayle as Senator from Indiana – a Senate seat he held until 2016, by always working for the Select Committee on Intelligence.

After temporarily retiring from the Senate, Dan Coats served as US Ambassador to Germany from 2001 to 2005.

It is also worth recalling that Coats has been officially banned from travelling to Russia due to his heavy mockery and witticism about Putin and, above all, for his requesting much harsher sanctions against Russia for its annexation of Crimea.

However, what is particularly interesting for us is the work carried out by Coats at King & Spalding, the largest law firm for companies and public institutions, founded 130 years ago in Atlanta, Georgia.

Said law firm works for over 50% of the companies included in the Fortune 100 ranking and has over 900 lawyers and attorneys working in 19 branches throughout the United States.

In 2016 King & Spalding earned over 3.702 million dollars from its lobbying activities with representative institutions and government.

It is reported to be among the top ten lobbying organizations in the United States and, in the list of the “National Law Journal Survey”, King & Spalding is among the US top 50 influencers, i.e. structures of political and strategic influence.

Said law firm represented the Lockheed Martin in 2007 and has currently over 191 clients including Boeing.

It is a law firm which does not only deal with litigation. Thanks to its influence, it literally creates and drafts – as it has done also recently for Saudi Arabia – the rules it will later discuss, on behalf of its clients, in the most appropriate legal forums and institutions.

King & Spalding carries out all the lobbying activity for Saudi Arabia in the United States.

The clients of Dan Coats as a partner of King & Spalding include not only the abovementioned Lockheed Martin, for which he had the F-22 project and some arms sales abroad funded, but also the private equity firm “Cerberus Capital Management”, led by John W. Snow, former Secretary of the Treasury under George H. Bush’s Presidency.

Currently Cerberus’ portfolio amounts to 100 billion Us dollars and the firm operates both in the secondary market of securities and in the real estate sector.

Furthermore, Cerberus’ foreign investments are directed by Dan Qayle, former US vice-President with George H. Bush and Dan Coats’ predecessor as Senator from Indiana.

The aforementioned “private equity” firm also owns DynCorp, a private security company operating as a contractor for the US government.

DynCorp’s most recent contracts include the maintenance of logistical equipment and the military ground transmission network in Kosovo, as well as the aircraft management in some US Air Force bases.

In addition, and this is particularly interesting for us, DynCorp also works in the intelligence field, with training and certification programs for US public agencies. It also carries out data collection and independent analysis of said data on the ground, which it later provides to said agencies in exchange for consideration.

The privatization of intelligence services – a terrible future for State security – has already taken place, at least in the United States.

Finally, it is also worth noting that DynCorp owns GeoEye, an operator of earth observation satellites, almost entirely.

In 2013 GeoEye merged with DigitalGlobe.

Building and launching imaging satellites means gain a comparative advantage, in economic terms, to check trade flows across the world. It also means to gain a comparative advantage, in geological terms, to study and predict the development of oil or mineral resources, and in agricultural terms, to forecast the link between crops and global weather phenomena.

Moreover, Dan Coats has been selected to represent the interests of the Ad Hoc Coalition for Fair Pipe Imports from China, a lobby and advocacy group of US steel producers against steel imports from China.

Coats also worked for the Lithuanian Achema Group, a group of companies mainly dealing with fertilizers which also owns a small but important media empire in its own country.

The new DCI also lobbied for the purchase of industrial training programs from the German Festo Group in Iraq, Saudi Arabia, Kosovo and Afghanistan.

In short, which direction will the US intelligence privatization take during Trump’s Presidency?

Just take a look at the most recent appointments.

The appointment of Joe Hagin, the deputy Chief of Staff for Operations, directly implies an important role for the company he founded, namely the Command Consulting Group (CCG).

David Cohen, the former CIA Deputy Director for Operations, is a partner of CCG, a company whose founders also include Steve Atkiss, former Chief of Staff of the US Customs and Border Protection and Ralph Basham, former Head of the “United States Secret Service” (USSS), which is the structure in charge of protecting the US President, Vice-President and high-ranking government officials.

CCG also owns the Command Global Services (CGS), which led the operations designed to investigate and audit into Muammar Gaddafi’s financial reserves.

That specific activity was led by Charles Seidel, a former official of the CIA Directorate of Operations.

Currently Seidel chairs the Middle East unit of the Patriot Defense Group (PDG), founded by former CIA agent Todd Wilcox.

There is also the old and powerful private intelligence company Booz Allen Hamilton, which has been collecting, processing and analyzing data for the DCI and the major military officers and US government officials for at least thirty years – although we do not know to what extent it is close to the new US President.

In Trump’s era, we must also study the future of CSRA Inc. – which has developed and manages the NSA whole classified data internal system and carries out intelligence support actions for the US Commands in Europe and Africa – as well as the future of SAIC, a military contracting company which has entered the lucrative privatized intelligence business by buying SCITOR, a company which is well-established in the Pentagon secret satellite system.

In this strange picture of US privatized intelligence services, reference must also be made to CACI International, which hit the headlines for having supplied the staff for the interrogations at the Abu Ghraib prison. Recently said company has bought the National Security Solutions and the Six3 Intelligence Solutions, which provided the targeting against the Taliban to the NATO forces in Afghanistan, and will shortly supply intelligence to the US forces arriving in Syria.

The staff used by these private agencies is huge: Booz Allen has 12,000 employees, including analysts and operatives, while CACI international has 10,000 employees. As a whole, all private intelligence agencies – including human intelligence (HUMINT) and signals intelligence (SIGINT) – deploy approximately 50,000 people.

The total number of people used by the Department of Defense (DoD) amounts to 1.4 million, including 770,000 civilian employees, while the private contractors working for the US DoD employ approximately 750,000 people for intelligence and other military activities.

In Iraq, in mid-2016, there were 2,485 contractors compared to 4,087 US military staff.

In Afghanistan, the US military staff envisaged for this year is around 8,000, but the “civilian” contractors will be at least 26,500.

According to some American journalists, approximately 70% of the budget for national intelligence is destined to private contractors and, with Trump’s Presidency, much of cybersecurity will be in private hands.

Hence if it is thought that intelligence is just a mere collection of individual sensitive and rare empirical data – as often happens in the US intelligence community – some privatization may be useful, considering the greater intrinsic flexibility of private companies compared to public bureaucratic structures.

Conversely, if we believe that intelligence services must not only collect – and use for media purposes – sensitive data which could not be acquired otherwise, but must mainly analyze said data with a strategic and geopolitical mind and perspective, the privatization of intelligence is both dangerous and useless.

Furthermore, if we rightly think that intelligence is a primary function of national interest, this privatization of intelligence services can be harmful because, also in this sensitive sector, a private enterprise wants above all to maintain and preserve its business indefinitely.

Moreover, “terrorism” is such a phenomenon as to provide material for an equally endless search of data and hotbeds.

Nevertheless, if we do not rethink, in a creative way, the cultural and political relationship between Islam and the West, between peaceful countries in the Muslim region and the “sword jihad” – and, finally, if we do not do wage credible “cultural wars” – jihadist terrorism will recur, according to the Hegelian category of “bad infinity.”

These are activities which cannot be entrusted to contractors, but rather to a political and strategic elite capable of rising up to future challenges and possibly not interested in making huge and quick profits.

As a Sunni Imam told to an agent of our intelligence services, “let us see one of your great men and we will be convinced you are right.”

Advisory Board Co-chair Honoris Causa Professor Giancarlo Elia Valori is an eminent Italian economist and businessman. He holds prestigious academic distinctions and national orders. Mr Valori has lectured on international affairs and economics at the world’s leading universities such as Peking University, the Hebrew University of Jerusalem and the Yeshiva University in New York. He currently chairs "La Centrale Finanziaria Generale Spa", he is also the honorary president of Huawei Italy, economic adviser to the Chinese giant HNA Group and member of the Ayan-Holding Board. In 1992 he was appointed Officier de la Légion d'Honneur de la République Francaise, with this motivation: "A man who can see across borders to understand the world” and in 2002 he received the title of "Honorable" of the Académie des Sciences de l'Institut de France

Continue Reading


Information challenges in security agencies

Sajad Abedi



An effort to maintain information security is the responsibility of each individual. This person can be a normal user, technical expert, system administrator, network leader and manager of a system or network in the organization. Paying attention to the importance of information security makes it necessary to ensure the necessary protection of systems and the use of an effective set of security policies is an important step in ensuring this.

In most cases, computers and information will be protected from unauthorized access, and the information can be exchanged securely on the network with others. Information security in electronic organizations, especially municipalities, has been emphasized as one of the basic infrastructures and requirements, because their databases contain confidential information from citizens or customers.

Adopting appropriate security policies and implementing them reduces the risk of sudden loss of information, makes it much more difficult to access the system and provides security tools for detecting attacks and fixing security breaches. To maintain confidential information and to help integrate programs and information stored, a combination of policy making and implementation should be undertaken. This paper covers various components of effective security policies for e-organizations, especially municipal organizations.

In small organizations, the information security requirements can easily be met, and everyone is responsible for their computers and their files.

However, for larger groups such as organizations dealing with business transactions or groups that hold confidential data from citizens or customers (such as municipalities), the need for more formal security policies and procedures becomes more important.

When managers and employees consider the issue of information security, they will always face similar issues. As a result, attention to the role of information as a valuable commodity in today’s trade and the need to protect it is necessary.

Each group needs a certain level of security for its information and clear procedures for implementation by employees, the ability to create and maintain awareness of the needs of customers, and an understanding of how security policies are implemented in an operational environment.

Managers must pay close attention to information security policies in order to achieve their goals. Also, understanding the cost of implementing effective security policies is very important. Technologies Security procedures are a kind of investment and should be evaluated against the cost of likely losses.

Information is like blood in the veins of the organization and without the information of the board of directors (the company’s brain) cannot make key decisions, and the purchasing and financial resources (mouth, heart, etc.) cannot obtain the resources they need to survive the organization’s life.

The role of data and information is crucial in the management of organizations, the more the information system of an organization is more accurate, coherent and systematic, the better the organization can achieve its goals.

Regarding the importance of information, it can be said that the discussion of access to information and, on the other hand, the security and protection of information on the national level have been raised for rulers and managers since ancient times. Access to information can lead to the destruction of the organization. The possibility of data loss due to physical factors and threats to the information of the organization exists. But with the development of information technology and the use of information as a commercial tool and profitable capital, the issue of information security is a new dimension. In today’s trade, information plays the role of capital of a company, and the protection of information in the organization is one of the key pillars of its survival. In this way, categorizing and valuing and protecting information resources is very important and important.

In today’s world, the more we go into machining; the other face-to-face relationships and old solutions cannot answer our problems. In today’s cities, we are faced with increasing levels of traffic and, consequently, increasing urban traffic. Previous paperwork can no longer be an appropriate method for addressing the administrative work of citizens. Of these important organizations, such as the municipalities in the big cities, which are somehow the heart of the city, we must abandon the previous methods and enter the world of information technology and the e-government world.

This is where the Municipal Electronic and Information Technology (IT) have a crucial role in most municipal organizations. After the implementation of the electronic program of municipal services, citizens through their international networks or the Internet can provide their services, such as paying tolls, repairs, fees, and application fees, electronic referrals, and circular letters in various stages Receive in the municipality without a face-to-face visit to the municipality.

Nowadays, IT infrastructure is in an environment that is increasingly being added to the number of enemies and attackers who are not interested in continuous, reliable, and useful computer systems. A world where activities are much faster and more reliable and do not require population density in the physical world. We have to think about ways to reduce urban traffic, the cost of doing work, confrontations, mental ill-health, corruption, etc. that we face every day in municipal organizations, and it is the best solution to create an active and dynamic security framework for each organization.

Implementation and deployment of information security in organizations may be reviewed based on the efficiency, ease of use, and communication with other departments and organizations. Since public procurement is not generally a question of profitability, there is a controlling budget, which limits the ability of the organization to provide the latest hardware and software security. At the same time, municipalities should focus on data protection, as their databases contain sensitive information about individuals; information such as personal and medical records, and taxes.

Unfortunately, even in state-owned organizations of the country, it is difficult to protect information, and it suffers from obsolete systems, inappropriate investments, and employees of the disabled who lack the necessary information security dimension.

However, there are tensions between managerial levels. Without a general plan to create a secure environment for information technology, each episode may develop a solution to the security of information that comes from the missions, goals, and operational intentions of the same section, and may be as good as it is for a particular part. Other parts are not used too much. These different strategies may cause information security in some areas to be over-needed or less than the required level, while the presence of supervision on the part of the high-level management will ensure that security experiences are set in such a way that the organization can functionedits better.

In addition to securing its own intelligence resources, an organization must commit itself to set up a set of policies to safeguard its organization’s information. These policies play an important role in information security, but there is still a contradiction in the fact that the policy framework of the organization should be able to increase the level of security. Methods of dealing with insecurity are identified through crisis identification and insecurity and limitation of insecurity as well as its control tools.

There are sufficient information and adequate systems for the use of information as well as appropriate programs for preventing and, in the event of occurrence, controlling the crisis (proper urban programs) of the main components needed to maintain and develop information security.

Continue Reading


Islamic State after ISIS: Colonies without Metropole or Cyber Activism?



With the world constantly following the events in the Middle East, much now depends on the shape, form and ‘policy’ Islamic State is going to take. What form will the IS take? What role will cryptocurrencies play in funding terrorists? How can Russia and the US cooperate in fighting mutual security threats? RIAC expert Tatyana Kanunnikova discusses these issues with Dr. Joseph Fitsanakis, Associate Professor of Political Science in the Intelligence and National Security Studies program at Coastal Carolina University.

Islamic State is perceived as an international threat. In which regions is it losing ground and in which ones is it on the rise? Could you please describe IS geography today?

Groups like the Islamic State are mobile. They tend to move and redeploy across international borders with relative ease, and are truly global in both outlook and reach. It is worth noting that, from a very early stage in its existence, the Islamic State incorporated into its administrative structure the so-called vilayets, namely semi-autonomous overseas provinces or possessions. These included parts of Libya, Afghanistan, Somalia, the Philippines, Nigeria, and of course Egypt’s Sinai Peninsula. By the first week of 2018, the Islamic State had all but eclipsed from its traditional base of the Levant. How has the loss of its administrative centers affected the organization’s strategy?

Dr. Joseph Fitsanakis

There are two competing answers to this question. The first possible answer is that ISIS’ plan is similar to that of the Great Britain in 1940, when the government of Winston Churchill was facing the prospect of invasion by the forces of the German Reich. London’s plan at the time was to use its overseas colonies as bases from which to continue to fight following a possible German takeover of the Britain. It is possible that ISIS’ strategy revolves around a similar plan —in which case we may see concerted flare-ups of insurgent activity in Egypt, Southeast Asia, Afghanistan, Somalia, Kenya, and elsewhere. The second possible answer to the question of ISIS’ strategy is that the group may be entering a period of relative dormancy, during which it will concentrate on cyber activism and online outreach aimed at young and disaffected youth in Western Europe, the Caucasus, and North America. According to this scenario, ISIS will use its formidable online dexterity to establish new communities of Millennial and Generation Z members, and renegotiate its strategy in light of the loss of physical lands in the Levant. This scenario envisages an online geography for the Islamic State, which may eventually lead to the emergence of a new model of activity. The latter will probably resemble al-Qaeda’s decentralized, cell-based model that focuses on sharp, decisive strikes at foreign targets.

Commenting for an article in Asia Times, you said that ISIS returnees are extremely valuables sources of intelligence. How can they be effectively identified in the flow of migrants? How exactly can security services exploit the experience of these militants?

In its essence, the Sunni insurgency is a demassified movement. By this I mean that its leaders have never intended for it to become a mass undertaking. The Islamic State, like al-Qaeda before it, does not depend on large numbers of followers. Rather it depends on individual mobilization. Senior Islamic State leaders like Abu Bakr al-Baghdadi, Mohamed Mahmoud, Tarad Muhammad al-Jarba, and others, have no interest in deploying 10,000 fighters who may be reluctant and weak-willed. They are content with 100 fighters who are unswerving in their commitment and prepared to devote everything to the struggle, including their lives. Consider some of the most formidable strikes of the Sunni insurgency against its enemies: the attacks of 9/11 in the United States, the 7/7 bombings in the United Kingdom, the November 2015 strikes in Paris, and the fall of Mosul in 2014. There have been more large-scale strikes on Russian, Lebanese, Afghan, Egyptian, and other targets. What connects all of those is the relatively small number of totally dedicated fighters that carried them out. The fall of Mosul, for example, which brought the Islamic State to the height of its power, was carried out by no more than 1,500 fighters, who took on two divisions of the Iraqi Army, numbering more than 30,000 troops.

The reliance on a small number of dedicated fighters mirrors the recruitment tactics of the Islamic State (and al-Qaeda before it). The latter rested on individual attention paid to selected young men, who are seen as reliable and steadfast. This is precisely the type of emphasis that should be placed by European, American and Russian security agencies on suspected members of terrorist groups that are captured, or are detected within largest groups of migrants. What is required here is individual attention given by security operatives who have an eye for detail and are knowledgeable of the culture, customs and ways of thinking of predominantly Muslim societies. However, most governments have neither the patience nor expertise to implement a truly demassified exploitation campaign that targets individuals with an eye to de-radicalization and — ultimately — exploitation. The experience of the Syrian migrants in countries like Italy and Greece is illustrative of this phenomenon. The two countries — already overwhelmed by domestic political problems and financial uncertainty — were left primarily to their own means by a disinterested and fragmented European Union. Several members of the EU, including Poland, Hungary, and the United Kingdom have for all practical purposes positioned themselves outside of the EU mainstream. At the same time, the United States, which is the main instigator of the current instability in the Middle East, shows no serious interest in de-radicalization and exploitation programs. This has been a consistent trend in Washington under the administrations of Barack Obama and Donald Trump.

In your opinion, will cryptocurrencies become a significant source of terrorism funding? Some experts believe that pressure on traditional methods of financing may facilitate this process.

In the old days of the 1970s and 1980s, most terrorist groups raised funds primarily through extortion, kidnappings, bank robberies and — to a lesser extent — drugs. Things have changed considerably in our century. Today, cryptocurrencies are not in themselves sources of funding — though it can be argued that the frequent rise in the value of many cryptocurrencies generates income for terrorist organizations — but more a method of circulating currency and providing services that generate funds. With the use of cryptocurrencies and the so-called Darknet, terrorist organizations are now able to engage in creative means of generating cash. They include the sale of pirated music, movies and, most of all, videogames. They also engage in the sale of counterfeit products, including clothing, electronics and other hi-tech accessories. Additionally, they sell counterfeit pharmaceutical products and even counterfeit tickets to high-profile sports events and music concerts. Those who buy those products often pay for them using cryptocurrencies, primarily through the Darknet. Looking at the broad picture, it is clear that the use of cryptocurrencies constitutes a form of asymmetric finance that circumvents established financial structures and operates using irregular means that for now remain largely undetected. Few terrorist groups will resist the temptation to employ this new method of unregulated financial transaction.

How can Russian and US intelligence and security services cooperate in combating terrorism? In December 2017, media reported that CIA had helped its Russian counterpart foil a terror attack in St. Petersburg. What should be done to deepen and broaden such kind of cooperation?

Despite friction on the political level, cooperation between Russian and American intelligence agencies in the field of counter-terrorism is far more routine than is generally presumed. Last December’s report of the CIA sharing intelligence with its Russian counterpart was notable in that it was publicly disclosed. Most instances of intelligence cooperation between Washington and Moscow are not publicized. In February 2016, the then CIA director John Brennan stated publicly that the CIA works closely with the Russian intelligence community in counter-terrorism operations directed against Islamist militants. He described the CIA’s relationship with Russian intelligence officials as a “very factual, informative exchange.” He added that “if the CIA gets information about threats to Russian citizens or diplomats, we will share it with the Russians”. And he added: “they do the same with us”. Brennan gave the example of the 2014 Winter Olympics in Sochi, Russia. He said: “We worked very closely with [Russian intelligence agencies]” during the Sochi games to “try to prevent terrorist attacks. And we did so very successfully”. There is no reason to doubt the sincerity of Brennan’s statement.

Professionals are always more likely to find common areas of interest. So, in what areas, apart from combating terrorism, can Russian and US intelligence services cooperate?

There is a virtually endless list of common concerns that ought to and often do bring together American and Russian intelligence agencies. To begin with, there are two major existential threats to the security of both countries and the whole world that demand close cooperation between Washington and Moscow and their respective intelligence agencies. The first threat is the black market in weapons of mass destruction, notably chemical weapons, biological agents, and even radioactive material. In the past 20 years, there have been several cases of individuals or groups trying to sell or trade radioactive substances. The fear of such weapons possibly falling into the hands of non-state insurgents should be sufficient to entice close cooperation between American and Russian intelligence agencies. The second existential threat is that of global warming and its effects on international security. It is no secret that the rise in global temperatures is already having a measurable negative impact on food production, desertification, sea-level rise, and other factors that contribute to the destabilization of the economies of entire regions. Such trends fuel militancy, political extremism, wars, and mass migrations of populations, all of which are serious threats to the stability of the international system. Solving this global problem will require increased and prolonged cooperation on the political, economic, and security/intelligence level between the United States and Russia. The two countries must also work closely on a series of other topics, including standardizing the global regulation of cryptocurrencies, diffusing tensions between the two rival nuclear powers of India and Pakistan, tackling the tensions in the Korean Peninsula, preventing the destabilization of Egypt (the world’s largest Arab country), combating the growth of Sunni militancy in West Africa, and numerous other issues.

Among other things, you are an expert in the Cold War. At present, Russia and the USA are experiencing a period of tensions in their relationship. In your opinion, what should be done in order to overcome these challenges and mend fences?

For those of us who remember the Cold War, and have studied the development of Russia–US relations in the postwar era, the current state of affairs between Washington and Moscow seems comparatively manageable. Despite tensions between Washington and Moscow, we are, thankfully, very far from an emergency of the type of the Berlin Crisis of 1961, the Cuban Missile Crisis, or even the 1984 collision between the US plane carrier Kitty Hawk and the K-314 Soviet submarine in the Sea of Japan. How do we avoid such dangerous escalations? The answer is simple: regularize communications between the two countries on various levels, including executive, political, economic and security-related. Such communications should continue even or, arguably, especially at times of rising tensions between the two nations. The overall context of this approach rests on the indisputable truth that Russia and the United States are the two central pillars on which the idea of world peace can be built for future generations.

First published in our partner RIAC

*Dr. Joseph Fitsanakis is Associate Professor of Political Science in the Intelligence and National Security Studies program at Coastal Carolina University. Prior to joining Coastal, he built the Security and Intelligence Studies program at King University, where he also directed the King Institute for Security and Intelligence Studies. An award-winning professor, Dr. Fitsanakis has lectured, taught and written extensively on subjects such as international security, intelligence, cyberespionage, and transnational crime. He is a syndicated columnist and frequent contributor to news media such as BBC television and radio, ABC Radio, Newsweek, and Sputnik, and his work has been referenced in outlets including The Washington Post, Foreign Policy, Politico, and The Huffington Post. Fitsanakis is also deputy director of the European Intelligence Academy and senior editor at, a scholarly blog that is cataloged through the United States Library of Congress, and a syndicated columnist.

Continue Reading


How security decisions go wrong?

Sajad Abedi



Photo by Ryan Young on Unsplash

Information warfare is primarily a construct of a ‘war mindset’. However, the development of information operations from it has meant that the concepts have been transferred from military to civilian affairs. The contemporary involvement between the media, the military, and the media in the contemporary world of the ‘War on Terrorism’ has meant the distinction between war and peace is difficult to make. However, below the application of deception in the military context is described but it must be added that the dividing line is blurred.

The correct control of security often depends on decisions under uncertainty. Using quantified information about risk, one may hope to achieve more precise control by making better decisions.

Security is both a normative and descriptive problem. We would like to normatively how to make correct decisions about security, but also descriptively understand follow where security decisions may go wrong. According to Schneider, security risk is both a subjective feeling and an objective reality, and sometimes those two views are different so that we fail acting correctly. Assuming that people act on perceived rather than actual risks, we will sometimes do things we should avoid, and sometimes fail to act like we should. In security, people may both feel secure when they are not, and feel insecure when they are actually secure. With the recent attempts in security that aim to quantifying security properties, also known as security metrics, I am interested in how to achieve correct metrics that can help a decision-maker control security. But would successful quantification be the end of the story?

The aim of this note is to explore the potential difference between correct and actual security decisions when people are supposed to decide and act based on quantified information about risky options. If there is a gap between correct and actual decisions, how can we begin to model and characterize it? How large is it, and where can someone maybe exploit it? What can be done to fix and close it? As a specific example, this note considers the impact of using risk as security metric for decision-making in security. The motivation to use risk is two-fold. First, risk is a well-established concept that has been applied in numerous ways to understand information security and often assumed as a good metric. Second, I believe that it is currently the only well-developed reasonable candidate that aims to involve two necessary aspects when it comes to the control of operational security: asset value and threat uncertainty. Good information security is often seen as risk management, which will depend on methods to assess those risks correctly. However, this work examines potential threats and shortcomings concerning the usability of correctly quantified risk for security decisions.

I consider a system that a decision-maker needs to protect in an environment with uncertain threats. Furthermore, I also assume that the decision-maker wants to maximize some kind of security utility (the utility of security controls available) when making decisions regarding to different security controls. These different parts of the model vary greatly between different scenarios and little can be done to model detailed security decisions in general. Still, we think that this is an appropriate framework to understand the need of security metrics. One way, maybe often the standard way, to view security as a decision problem is that threats arise in the system and environment, and that the decision-maker needs to take care of those threats with available information, using some appropriate cost-benefit tradeoff. However, this common view overlooks threats with faults that are made by the decision-maker. I believe that many security failures should be seen in the light of limits (or potential faults) of the decision-maker when she, with best intentions, attempts to achieve security goals (maximizing security utility) by deciding between different security options.

I loosely think of correct decisions as maximization of utility, in a way to be specified later.

Information security is increasingly seen as not only fulfillment of Confidentiality, Integrity and Availability, but as protecting against a number of threats having by doing correct economic tradeoffs. A growing research into the economics of information security during the last decade aims to understand security problems in terms of economic factors and incentives among agents making decisions about security, typically assumed to aim at maximizing their utility. Such analysis is made by treating economic factors as equally important in explaining security problems as properties inherent in the systems that are to be protected. It is thus natural to view the control of security as a sequence of decisions that have to be made as new information appears about an uncertain threat environment. Seen in the light of this and that obtaining security information usually in it is cost, I think that any usage of security metrics must be related to allowing more rational decisions with respect to security. It is in this way I consider security metrics and decisions in the following.

The basic way to understand any decision-making situation is to consider which kind of information the decision-maker will have available to form the basis of judgments. For people, both the available information, but also potentially the way in which it is framed (presented), may affect how well decisions will be made to ensure goals. One of the common requirements on security metrics is that they should be able to guide decisions and actions to reach security goals. However, it is an open question how to make a security metric usable and ensuring such usage will be correct (with respect to achieving goals) comes with challenges. The idea to use quantified risk as a metric for decisions can be split up into two steps. First do objective risk analysis using both assessment of system vulnerabilities and available threats in order to measure security risk. Second, present these results in a usable way so that the decision-maker can make correct and rational decisions.

While both of these steps present considerable challenges to using good security metrics, I consider why decisions using quantified security risk as a metric may go wrong in the second step. Lacking information about security properties of a system clearly limits the security decisions, but I fear that introducing metrics do not necessarily improve them;this may be due to 1) that information is incorrect or imprecise, or 2) that usage will be incorrect. This work takes the second view and we argue that even with perfect risk assessment, it may not be obvious that security decisions will always improve. I am thus seeking properties in risky decision problems that actually predict the overall goal – maximizing utility – to be, or not to be, fulfilled. More specifically, we need to find properties in quantifications that may put decision-making at risk of going wrong.

The way to understand where security decisions go wrong is by using how people are predicted to act on perceived rather than actual risk. I thus need to use both normative and descriptive models of decision-making under risk. For normative decisions, I use the well-established economic principle of maximizing expected utility. But for the descriptive part, I note that decision faults on risky decisions not only happen in various situations, but have remarkably been shown to happen systematically describe by models from behavioral economics.

I have considered when quantified risk is being used by people making security decisions. An exploration of the parameter space in two simple problems showed that results from behavioral economics may have impact on the usability of quantitative risk methods. The results visualized do not lend themselves to easy and intuitive explanations, but I view my results as a first systematic step towards understanding security problems with quantitative information.

There have been many proposals to quantify risk for information security, mostly in order to allow better security decisions. But a blind belief in quantification itself seems unwise, even if it is made correctly. Behavioral economics shows systematic deviations of weighting when people act on explicit risk. This is likely to threaten security and its goals as security is increasingly seen as the management of economical trade-offs. I think that these findings can be used partially to predict or understand wrong security decisions depending on risk information. Furthermore, this motivates the study how strategic agents may manipulate, or attack, the perception of a risky decision.

Even though any descriptive model of human decision-making is approximate at best, I still believe this work gives a well-articulated argument regarding threats with using explicit risk as security metric. My approach may also be understood in terms of standard system specification and threat models: economic rationality in this case is the specification, and the threat depends on bias for risk information. I also studied a way of correcting the problem with reframing for two simple security decision scenarios, but only got partial predictive support for fixing problems this way. Furthermore, I have not found such numerical examinations in behavioral economics to date.

Further work on this topic needs to empirically confirm or reject these predictions and study to which degree they occur (even though previous work clearly makes the hypothesis clearly plausible at least to some degree) in a security context. Furthermore, I think that similar issues may also arise with several forms of quantified information for security decisions.

These questions may also be extended to consider several self-interested parties. in game-theoretical situations. Another topic is using different utility functions, and where it may be normative to be economically risk-aversive rather than risk-neutral. With respect to the problems outlined, rational decision-making is a natural way to understand and motivate the control of security and requirements on security metrics. But when selecting the format of information, a problem is also partially about usability. Usability faults often turn into security problems, which is also likely for quantified risk. In the end the challenge is to provide users with usable security information, and even more broadly investigate what kind of support is required for decisions. This is clearly a topic for further research since introducing quantified risk is not without problems. Using knowledge from economics and psychology seems necessary to understand the correct control of security.

Continue Reading




Copyright © 2018 Modern Diplomacy