

How security decisions go wrong?

Sajad Abedi




Information warfare is primarily a construct of a ‘war mindset’. However, the development of information operations from it has meant that the concepts have been transferred from military to civilian affairs. The contemporary involvement between the media and the military in the world of the ‘War on Terrorism’ has meant the distinction between war and peace is difficult to make. The application of deception in the military context is described below, but it must be added that the dividing line is blurred.

The correct control of security often depends on decisions under uncertainty. Using quantified information about risk, one may hope to achieve more precise control by making better decisions.

Security is both a normative and descriptive problem. We would like to know normatively how to make correct decisions about security, but also to understand descriptively where security decisions may go wrong. According to Schneier, security risk is both a subjective feeling and an objective reality, and sometimes those two views are different so that we fail to act correctly. Assuming that people act on perceived rather than actual risks, we will sometimes do things we should avoid, and sometimes fail to act like we should. In security, people may both feel secure when they are not, and feel insecure when they are actually secure. With the recent attempts in security that aim to quantify security properties, also known as security metrics, I am interested in how to achieve correct metrics that can help a decision-maker control security. But would successful quantification be the end of the story?

The aim of this note is to explore the potential difference between correct and actual security decisions when people are supposed to decide and act based on quantified information about risky options. If there is a gap between correct and actual decisions, how can we begin to model and characterize it? How large is it, and where can someone maybe exploit it? What can be done to fix and close it? As a specific example, this note considers the impact of using risk as a security metric for decision-making in security. The motivation to use risk is two-fold. First, risk is a well-established concept that has been applied in numerous ways to understand information security and is often assumed to be a good metric. Second, I believe that it is currently the only well-developed reasonable candidate that aims to involve two necessary aspects when it comes to the control of operational security: asset value and threat uncertainty. Good information security is often seen as risk management, which will depend on methods to assess those risks correctly. However, this work examines potential threats and shortcomings concerning the usability of correctly quantified risk for security decisions.

I consider a system that a decision-maker needs to protect in an environment with uncertain threats. Furthermore, I also assume that the decision-maker wants to maximize some kind of security utility (the utility of security controls available) when making decisions regarding different security controls. These different parts of the model vary greatly between different scenarios and little can be done to model detailed security decisions in general. Still, we think that this is an appropriate framework to understand the need for security metrics. One way, maybe often the standard way, to view security as a decision problem is that threats arise in the system and environment, and that the decision-maker needs to take care of those threats with available information, using some appropriate cost-benefit tradeoff. However, this common view overlooks threats that come from faults made by the decision-maker. I believe that many security failures should be seen in the light of limits (or potential faults) of the decision-maker when she, with best intentions, attempts to achieve security goals (maximizing security utility) by deciding between different security options.

I loosely think of correct decisions as maximization of utility, in a way to be specified later.

Information security is increasingly seen as not only fulfillment of Confidentiality, Integrity and Availability, but as protecting against a number of threats by making correct economic tradeoffs. A growing body of research into the economics of information security during the last decade aims to understand security problems in terms of economic factors and incentives among agents making decisions about security, typically assumed to aim at maximizing their utility. Such analysis is made by treating economic factors as equally important in explaining security problems as properties inherent in the systems that are to be protected. It is thus natural to view the control of security as a sequence of decisions that have to be made as new information appears about an uncertain threat environment. Seen in the light of this, and given that obtaining security information is usually in itself a cost, I think that any usage of security metrics must be related to allowing more rational decisions with respect to security. It is in this way I consider security metrics and decisions in the following.

The basic way to understand any decision-making situation is to consider which kind of information the decision-maker will have available to form the basis of judgments. For people, both the available information and potentially the way in which it is framed (presented) may affect how well decisions will be made to ensure goals. One of the common requirements on security metrics is that they should be able to guide decisions and actions to reach security goals. However, it is an open question how to make a security metric usable, and ensuring that such usage will be correct (with respect to achieving goals) comes with challenges. The idea to use quantified risk as a metric for decisions can be split up into two steps. First, do an objective risk analysis using both assessment of system vulnerabilities and available threats in order to measure security risk. Second, present these results in a usable way so that the decision-maker can make correct and rational decisions.

While both of these steps present considerable challenges to using good security metrics, I consider why decisions using quantified security risk as a metric may go wrong in the second step. Lacking information about security properties of a system clearly limits the security decisions, but I fear that introducing metrics does not necessarily improve them; this may be because 1) the information is incorrect or imprecise, or 2) its usage will be incorrect. This work takes the second view and we argue that even with perfect risk assessment, it may not be obvious that security decisions will always improve. I am thus seeking properties in risky decision problems that actually predict the overall goal – maximizing utility – to be, or not to be, fulfilled. More specifically, we need to find properties in quantifications that may put decision-making at risk of going wrong.

The way to understand where security decisions go wrong is by using how people are predicted to act on perceived rather than actual risk. I thus need to use both normative and descriptive models of decision-making under risk. For normative decisions, I use the well-established economic principle of maximizing expected utility. But for the descriptive part, I note that decision faults on risky decisions not only happen in various situations, but have remarkably been shown to happen systematically, as described by models from behavioral economics.

I have considered the case where quantified risk is used by people making security decisions. An exploration of the parameter space in two simple problems showed that results from behavioral economics may have an impact on the usability of quantitative risk methods. The results visualized do not lend themselves to easy and intuitive explanations, but I view my results as a first systematic step towards understanding security problems with quantitative information.
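The gap between the normative rule and a descriptive model can be made concrete with a small parameter sweep. This is an added example, not the author's code or results: it assumes Tversky and Kahneman's 1992 cumulative prospect theory (median parameters for losses) as the descriptive model, which the text does not name, a control that removes the risk entirely, and constructed loss, cost and probability figures.

```python
"""Normative vs. descriptive choice on one security control (added example)."""

# Assumed descriptive model: Tversky & Kahneman (1992) cumulative prospect
# theory, median parameters for losses. The article does not name a model.
GAMMA_LOSS = 0.69   # curvature of the probability weighting function
BETA = 0.88         # diminishing sensitivity to the size of a loss
LAMBDA = 2.25       # loss aversion (cancels here: every outcome is a loss)


def weight(p, gamma=GAMMA_LOSS):
    """Decision weight w(p): small p is overweighted, large p underweighted."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    num = p ** gamma
    return num / (num + (1.0 - p) ** gamma) ** (1.0 / gamma)


def value(loss):
    """Subjective value of losing `loss` (a non-negative amount)."""
    if loss < 0:
        raise ValueError("loss must be non-negative")
    return -LAMBDA * loss ** BETA


def normative_buy(p, loss, cost):
    """Risk-neutral expected utility: buy iff the control costs less than
    the expected loss it removes (the control is assumed to remove it all)."""
    return cost < p * loss


def descriptive_buy(p, loss, cost):
    """Predicted human choice: sure loss `cost` vs. weighted gamble on `loss`."""
    return value(cost) > weight(p) * value(loss)


def classify(p, loss, cost):
    """Label one decision problem by how the two models relate."""
    correct = normative_buy(p, loss, cost)
    actual = descriptive_buy(p, loss, cost)
    if correct == actual:
        return "agree"
    return "over-protect" if actual else "under-protect"


def gap_map(probabilities, cost_ratios, loss=100_000):
    """Explore the (p, cost/loss) parameter space; return only the gaps."""
    return [(p, r, kind)
            for p in probabilities
            for r in cost_ratios
            if (kind := classify(p, loss, r * loss)) != "agree"]


if __name__ == "__main__":
    # Constructed grid: breach probabilities and control cost as a share of loss.
    for p, r, kind in gap_map([0.001, 0.01, 0.1, 0.5, 0.9],
                              [0.005, 0.015, 0.05, 0.2, 0.45, 0.8]):
        print(f"p={p:<6} cost/loss={r:<6} {kind}")
```

Under these assumed parameters the sweep flags paying too much against a rare event and declining a worthwhile control against a likely one, which are the two directions in which perceived and actual risk can part.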

There have been many proposals to quantify risk for information security, mostly in order to allow better security decisions. But a blind belief in quantification itself seems unwise, even if it is made correctly. Behavioral economics shows systematic deviations of weighting when people act on explicit risk. This is likely to threaten security and its goals as security is increasingly seen as the management of economic trade-offs. I think that these findings can be used partially to predict or understand wrong security decisions depending on risk information. Furthermore, this motivates the study of how strategic agents may manipulate, or attack, the perception of a risky decision.

Even though any descriptive model of human decision-making is approximate at best, I still believe this work gives a well-articulated argument regarding threats from using explicit risk as a security metric. My approach may also be understood in terms of standard system specification and threat models: economic rationality in this case is the specification, and the threat depends on bias for risk information. I also studied a way of correcting the problem with reframing for two simple security decision scenarios, but only got partial predictive support for fixing problems this way. Furthermore, I have not found such numerical examinations in behavioral economics to date.

Further work on this topic needs to empirically confirm or reject these predictions and study to which degree they occur (even though previous work makes the hypothesis clearly plausible at least to some degree) in a security context. Furthermore, I think that similar issues may also arise with several forms of quantified information for security decisions.

These questions may also be extended to consider several self-interested parties in game-theoretical situations. Another topic is using different utility functions, and where it may be normative to be economically risk-averse rather than risk-neutral. With respect to the problems outlined, rational decision-making is a natural way to understand and motivate the control of security and requirements on security metrics. But when selecting the format of information, a problem is also partially about usability. Usability faults often turn into security problems, which is also likely for quantified risk. In the end the challenge is to provide users with usable security information, and even more broadly to investigate what kind of support is required for decisions. This is clearly a topic for further research since introducing quantified risk is not without problems. Using knowledge from economics and psychology seems necessary to understand the correct control of security.

I’m Sajad Abedi, a Resident Research Fellow at the National Security and Defense Think Tank. I obtained my Ph.D. degree in National Security from the National Defense University under group of leader of Islamic Republic of Iran. My research interests pertain to Arab-Israeli studies, Cyber Security studies and National Security.



Russia Says U.S. Trains Jihadists to Do Chemical Attacks Blamed Against Assad

Eric Zuesse



On March 17th, Russia’s Minister of Defense (equivalent to America’s Secretary of Defense) announced, through Russian General Staff spokesman General Sergey Rudskoy: “We have reliable information at our disposal that US instructors have trained a number of militant groups in the vicinity of the town of At-Tanf, to stage provocations involving chemical warfare agents in southern Syria. Early in March, the saboteur groups were deployed to the southern de-escalation zone to the city of Deraa, where the units of the so-called Free Syrian Army are stationed. They are preparing a series of chemical munitions explosions. This fact will be used to blame the government forces. The components to produce chemical munitions have been already delivered to the southern de-escalation zone under the guise of humanitarian convoys of a number of NGOs.”

He also said:

“The provocations will be used as a pretext by the United States and its allies to launch strikes on military and government infrastructure in Syria. We’re registering the signs of the preparations for the possible strikes. Strike groups of the cruise missile carriers have been formed in the east of the Mediterranean Sea, Persian Gulf and Red Sea.”

He went on to add that in the most jihadist-friendly province, Idlib, another such “false flag” attack is being prepared by Al Qaeda in Syria, called there, “Al-Nusra Front terrorist group, in coordination with the White Helmets,” which is a group financed by the U.S. and UK Governments to rescue victims of bombings by Syria’s Government and its ally Russia.

This would hardly be the first example of such attacks. For example, on 14 January 2014, MIT’s Theodore Postol and the former U.N. Weapons Inspector Richard Lloyd co-authored a detailed technical study and analysis, regarding “the Damascus Nerve Agent Attack of August 21, 2013” (which was the most-famous sarin-attack, in East Ghouta), saying that “the US Government’s Interpretation of the Technical Intelligence It Gathered Prior to and After the August 21 Attack CANNOT POSSIBLY BE CORRECT,” and documenting that the rocket had actually — and clearly — been fired from an area that even the U.S. Government’s own maps showed to be under the control of the ‘rebels’, whom the U.S. Government supported, and definitely not of the Syrian Government, whom those ‘rebels’ were trying to overthrow. (That was the incident in which U.S. President Barack Obama announced to the world his “red line” and then said that the Government headed by Bashar al-Assad had crossed it and that this justified a U.S. invasion, but Seymour Hersh said that it had become blocked by the UK’s intelligence lab at Porton Down, by their finding that the sarin which had been used in this attack wasn’t of a type that the Syrian Government had in its arsenals.) There have been several such “false-flag” attacks, in order to get the public to support invading Syria. However, the main way that the U.S. and its allies try to overthrow Assad and his Government is to arm and protect Al Qaeda in Syria, which leads the various jihadist groups there (other than ISIS).



From Radical Ecology to Ecoterrorism

Gagliano Giuseppe



Radical ecology

The schools of thought of contemporary eco-terrorism are many, but those that use an antagonist theoretical-practical approach can be identified in deep ecology, feminist ecology, Marxist ecology, primitivism, degrowth ecology, the Slow Food movement, ecology, animalism (which together with vegetarianism is a logical consequence of radical ecology) and, finally, eco-terrorism. In this sense – beyond the often demagogic rhetoric – eco-terrorism does not differ from the above-mentioned schools of thought because of its ethical-philosophical assumptions but rather by the operative procedures through which its antagonism is carried out. Therefore, an ideological community exists, whether implicit or explicit, in the main schools of thoughts of ecology and eco-terrorism. These schools of thought, however, can be associated with the idea of radical ecology.

Definition of radical ecology

While continuing to take the complexity of current ecology into account, the expression “radical” is used to indicate extremely antagonist ecology, from Pinchot’s utilitarian conservationism, which was deeply anthropocentric and aimed to rationalize the use of nature toward a lasting economic exploitation, to Haeckel’s neo-Darwinian approach, Tansley’s view, Lotka’s trophic-network ecology, and finally, Odum’s thermodynamic approach. Firstly, radical ecology comprises the holistic preservationism of Thoreau, Emerson, and Leopold, ecofeminism, political ecology, deep ecology, primitivism, social ecology, the degrowth movement, the Slow Food movement, eco-regionalism, animalism, and eco-terrorism. Secondly, although the list of the organizations is not complete, it is important to underline that the several “-isms” do not exclude the possibility of profitable contaminations among the different schools of thought. Thirdly, the epistemological, political and philosophical features shared by the above-mentioned schools of thought can be identified as follows:

  1. they all support a structural modification of the current economic system and are against the supranational institutions that control global capitalism, in particular, the IMF, the WTO, and the World Bank;
  2. they are in favor of the anti-globalization movement, and know its limits and potentials;
  3. they share an eco-centric, bio-centric, anti-anthropocentric, holistic and sometimes organicistic perception of natural reality;
  4. they are against a mechanistic vision of reality such as Bacon’s and Descartes’, and are in favor of legal extensionism;
  5. they support a relevant extension of representative democracy or a radical exceeding of it in favor of an anarchic, neo-tribal society, or a participatory democracy;
  6. they share and develop apocalyptical and radical scenes of current society’s environmental and economic condition;
  7. they advocate a change in the ethic of western civilization through an eco-pacifist reorientation carried out by counter-information;
  8. they are against military institutions and share a typical interpretation of irenic pacifism;
  9. they are against the use of biotechnologies in agriculture and the civil and military use of nuclear energy;
  10. several members of radical ecology share a new interpretation of nature according to neo-romantic or oriental philosophies (such as Buddhism, Hinduism, Taoism and Zen philosophy);
  11. many scholars and activists belonging to radical ecology embrace animalistic and vegetarian views which they deem deeply coherent with an ecocentric vision of nature.
  12. Finally, several exponents of radical ecology refer to 1968 culture, and to underground American and tribal cultures.

In short, regarding the operative procedures carried out by the several schools of thought of radical ecology, we should point out the difference between non-violent and terroristic ones. There are three levels of antagonist procedure: a) non-violent practice strictly antagonist toward political and legal institutions; b) non-violent practice with an entryist political logic toward national and supranational political institutions; c) publicly terroristic practice. We should, nevertheless, underline the differences between positions a) and b) both of which are well-organized and opposing: the first clearly condemns the use of terroristic procedures, the second supports terrorist procedures – but without putting them into practice – and is therefore ambiguous.

The historical predecessors of radical ecology

According to Livorsi, the genesis of radical ecology can be easily traced from a historical point of view to the philosophical and religious interpretation of Bachofen and the Marxist psychoanalysis of Reich as well. The author of the “Canticle of the Sun” (“Cantico del Frate Sole”) not only asserts the sanctification of the world by God – in other words, the sun, the moon, and the animal world – but also refers to Mother Earth, anticipating the modern concept of “Gaia”. Moreover, the heterodox pantheism of Saint Francis implies a brotherhood between human beings and creatures according to an ecocentric and egalitarian view. The French philosopher Rousseau, in his “Discourse on the Origin and Basis of Inequality Among Men” (“Discours sur l’origine et les fondements de l’inégalité parmi les hommes”), emphasized the goodness of the state of nature and the existential authenticity of the human being in this pre-civilized context, while condemning in the meantime private property and therefore civilization determined by technique. Moreover, unlike civilized society, tribal society conducted an ecocentric, egalitarian and communal style of life. Bachofen, in his reinterpretation of the history of civilization, emphasized the existence of a gynocratic, anti-patriarchal view in pre-Achaean society in which there was no private life, there was sexual freedom, nature was accepted as a living organism, and above all, the modus vivendi was built on egalitarian pacifism.

In short, regarding Reich, the rise of patriarchy brought about the triumph of capitalism, the closed family, and sexual repression. The natural and erotic man who struggles for a libertarian socialism has reemerged only rarely in history, such as in the Paris Commune in 1871, for example.

Definition of Terrorism and Eco-Terrorism

According to Pisano, terrorism can be defined as a non-conventional form of conflict because it lies outside both democratic, organized and civil dispute and the traditional battlefield of war regulated by international law. Terrorism is characterized by three elements: a) physical and psychic criminal violence, b) political, religious political or social political movement, and c) the use of illegal structure. Traditional terrorism, as Pisano explains, together with neo-terrorism, coexist both as a threat and as a concrete aggression. Neo-terrorism is performed by dynamic and polymorphous schemes that can intertwine while preserving their methodological and operational autonomy at the same time. Pisano indicates ecologic terrorism, narco-terrorism, the NRBC, and cyber-terrorism as the most important.

Ecologic terrorism (the topic of our research) is based on lay and/or religious ideological ideas and from an organizational point of view is carried out alternatively by cellular organizations with no hierarchies and by binary structures that are cellular and propagandistic at the same time. Ecologic terrorism furthers its antagonism through several operative procedures: 1) obstructive human barriers (lock box), 2) machinery sabotage, 3) arson and explosive detonation, 4) legal instruments focused on reporting abuse by police, 5) assemblage and road blocks, 6) intrusion within military installations or scientific and university institutions, 7) wide use of misinformation through media, internet and magazines, and 8) instigation to tax evasion. The enemies or targets to strike are several in number as well: 1) national and supranational capitalism, 2) the state, which defends its interests and consolidates its power, 3) national and supranational military institutions, and 4) scientific and university laboratories.

In a nutshell, eco-terrorism presents two fundamental trends: animal (such as ALF, ARM or JD) and environmental (e.g. Earth First!). In conclusion, Pisano suggests that the dangers of eco-terrorism are linked to the potential strengthening of its organizational power, creation of operative or ideological ties with traditional terrorism, and the consolidation of its relations with the anti-globalization movement.



An American: “Why I Don’t Trust My Government, At All”

Eric Zuesse



Would you trust your government if it were headed by a President who just now appointed to become the head of the CIA, the very same person who had headed the CIA’s interrogation of a 9/11 suspect whose interrogation consisted of 83 waterboardings (plus other tortures, which blinded his left eye), all in order to get him to say that Saddam Hussein was behind the 9/11 attacks, so as to ‘justify’ invading Iraq?

Current U.S. President Donald Trump has appointed, to head the CIA, Gina Haspel, who, as a CIA official in Thailand, the Chief-of-Base there, or Thai “COB”, in 2002, had headed the interrogation of suspect Abu Zubaydah, and kept using waterboardings and other means of torture against him until he would implicate Saddam Hussein. He told them what he thought they wanted to hear, but didn’t know that this was what they wanted the most to hear. As Raymond Bonner described it at ProPublica on 22 February 2017: chief of base and another senior counterterrorism official on scene had the sole authority power to halt the questioning.

She never did so, records show, watching as Zubaydah vomited, passed out and urinated on himself while shackled. During one waterboarding session, Zubaydah lost consciousness and bubbles began gurgling from his mouth. … At one point, Haspel spoke directly with Zubaydah, accusing him of faking symptoms of physical distress and psychological breakdown. …

The CIA officials in Thailand understood that the methods they were using could kill Zubaydah and said that should that happen, they would cremate his body. If he survived questioning, Haspel sought assurances that “the subject will remain in isolation and incommunicado for the remainder of his life.”

So far, that promise has been kept. Zubaydah is currently incarcerated at Guantanamo. His lawyers filed a court action in 2008 seeking his release, but the federal judges overseeing the case have failed to issue any substantive rulings [after now 16 years]. …

[Ultimately,] the source on whom the CIA had based its assessment that Zubaydah was number three or four in the al-Qaida organization had recanted his testimony, according to the Senate Intelligence Committee Report on Torture released in 2014. The agency would ultimately conclude that Zubaydah was not even a member of al-Qaeda.

So, a man who wasn’t even in Al Qaeda, is being hidden from the public because the U.S. Government 17 years ago captured him in Pakistan and tried to get him to say that Saddam Hussein was behind 9/11 but they didn’t get the false testimony they required from him, and so he’s still hidden at Guantanamo so as to continue still deceiving the American public (such as to support U.S. use of torture), and to continue keeping his case against the U.S. Government away from whatever (laughable) international-law bodies exist.

Buried in a December 2008 Vanity Fair article by David Rose is this: The tribunal president, a colonel whose name is redacted, asked him: “So I understand that during this treatment, you said things to make them stop and then those statements were actually untrue, is that correct?” Abu Zubaydah replied: “Yes.”

Some of those statements, say two senior intelligence analysts who worked on them at the time, concerned the issue that in the spring of 2002 interested the Bush administration more than almost any other — the supposed operational relationship between al-Qaeda and Iraq. Given his true position in the jihadist hierarchy, Abu Zubaydah “would not have known [about] that [even] if it was true,” says Coleman. “But you can lead people down a course and make them say anything.”

Some of what he did say was leaked by the administration: for example, the claim that bin Laden and his ally Abu Musab al-Zarqawi were working directly with Saddam Hussein to destabilize the autonomous Kurdish region in northern Iraq. There was much more, says the analyst who worked at the Pentagon: “I first saw the reports soon after Abu Zubaydah’s capture. There was a lot of stuff about the nuts and bolts of al-Qaeda’s supposed relationship with the Iraqi Intelligence Service. The intelligence community was lapping this up, and so was the administration, obviously. Abu Zubaydah was saying Iraq and al-Qaeda had an operational relationship. It was everything the administration hoped it would be.”

Within the administration, Abu Zubaydah’s interrogation was “an important chapter,” the second analyst says: overall, his interrogation “product” was deemed to be more significant than the claims made by Ibn al-Shaykh al-Libi, another al-Qaeda captive, who in early 2002 was tortured in Egypt at the C.I.A.’s behest. After all, Abu Zubaydah was being interviewed by Americans. Like the former Pentagon official, this official had no idea that Abu Zubaydah had been tortured.

“As soon as I learned that the reports had come from torture, once my anger had subsided I understood the damage it had done,” the Pentagon analyst says. “I was so angry, knowing that the higher-ups in the administration knew he was tortured, and that the information he was giving up was tainted by the torture, and that it became one reason to attack Iraq.”

As I documented in my “America’s News Is Heavily Censored”, George W. Bush knowingly lied on 7 September 2002 when he said that the IAEA had just issued a new report that Saddam Hussein was within six months of having a nuclear weapon. When the IAEA denied, several times, that there was any such new report, the press ignored it, and the public impression from the President’s lie remained unchallenged in the press.

Barack Obama was no better, and he continued almost all of the cover-ups and lies from his predecessor. This is not a partisan matter. It is a matter of a bipartisan dictatorship, which rules in Washington.

I give this here as only one of the large number of conclusive, rationally undeniable, reasons why it would be ludicrous to trust the U.S. Government.






Copyright © 2018 Modern Diplomacy