In terms of the framework I'm proposing, Threat Intelligence mediates between Actors and Systems, but only in the context of what is exposed, as suggested by its position in the block diagram.
Performance in this dimension means developing ongoing intelligence that answers these questions:
- Who or what might be a threat to our information or systems?
- In what setting or context?
- What are the capabilities and interests of these threat agents?
- How do threat agents benefit from our information or systems?
- What are the negative consequences to us?
This definition includes both generic intelligence activities (off-line research) and specific threat detection (real-time). I mention this because other proposed frameworks define "detect" as a separate dimension or functional category. From the perspective of cyber security performance, I don't see the value of separating it out and I see benefits for including it with generic intelligence activities and results.
In the list above, notice the use of the term "threat agent". I suggest that we should develop intelligence about the people and organizations who might cause harm, not just the tactics or techniques that cause harm. This is a controversial position, especially for smaller organizations and individuals. Some experts assert that small organizations and individuals shouldn't waste their time on threat agents and instead should just focus on protecting assets and the like. I think this is dangerous and short-sighted. If an organization or individual does not have the capability themselves, then they should probably hire a service provider to do this for them. By analogy, this is like hiring a tax accountant to keep up with changes in tax law. By including this dimension in the framework, it should prompt every person and organization to consider whether to insource or outsource the relevant functions.
Furthermore, "threat agents" are not necessarily, or not always, malicious. They can include well-intentioned people who are subject to carelessness, errors, omissions, "cutting corners", or other such behaviors. The class of threat agents also includes people and organizations who have access to or control over some private or confidential information, but who might make use of it in a way that violates privacy or confidentiality, even indirectly.
Performance in this dimension is about effectiveness -- doing the right things -- rather than simply efficiency or even volume. We don't need to discover and learn everything about every possible threat agent. Instead, we need to strive to learn the most important things about the most important threat actors, and then make most effective use of these insights to guide other aspects of the cyber security program. Therefore, to measure performance on this dimension we need a way to identify what is important and actionable in terms of intelligence. I'll address this in a future post.
(Next dimension: 3. Effective Design & Development)