The Value of Qualitative Research: Using "Courses of Action" to Express Qualitative Risk and Enable Predictive Response
David Ethington
Coffee Snob | Principal Security Engineer | Pentester | Cloud Security | Container Security| SecDevOps | Eye of Sauron | OSCP | CISSP | PNPT | Azure Fundamentals | ITIL | CEH | Project+
Often, qualitative data is difficult to represent in a single graphic. That's because qualitative research, at its heart, is exploratory in nature. There's no attempt to prove a hypothesis, and there's no neat rows of statistics providing a warm and comfortable confidence level that can be used for making decisions.
However, the benefit in qualitative research is that it provides a deeper understanding of a phenomenon, for example, a security breach. Yes, it's pleasant to know that you have a 75% chance of a DDoS attack happening on the eve of your newest project launch, and it certainly has immediate and actionable value. However, it's difficult to get there without exploring how we came to this conclusion to begin with.
Often, in the military, as intelligence analysts, we develop courses of actions that the adversary might use. These range from what we believe to be the most likely adversary approach to the most dangerous one. This is less about telling the leadership what is GOING to happen, but rather provide a number of scenarios that they can look at, understand the intent and the why the adversary would commit to these actions, and apply their own expertise and experience. This exploratory analysis is critical for developing strong situational awareness.
To that end, it's important that leadership doesn't simply know that there is a high risk of an event happening, but that they know why the threat may behave this way. This permits leadership to be more adaptable and flexible if the threat changes tactics, or allows them to stay one step ahead of the adversary if they begin to follow a specific course of action.
These courses of actions require research and an understanding of the threat. The analyst must have a solid understanding of adversary intent, their traditional methods of attack, their capabilities, and how long it takes, from planning to execution, to commit to an attack, by phase. This permits an organization to move from a reactionary mode of thought to a predictive one.
Quantitative research will always have value to an organization. It provides specific figures and allows for correlation of data to provide a degree of probability and historical data to provide baselines. However, qualitative understanding provides a key component of contextual understanding, and should not be ignored. It can reveal threat actions before they take place, and enable leadership to take a more proactive role, knowing the adversary and how they operate.
Human rights are not debatable. Sales strategy and messaging are my contributions to the corporate world.
6 年Would another example be preparing SecOps teams for responses after natural disasters? For example, Florida companies seem to see a surge in DDoS and DNS attacks after hurricanes, even when the hurricane hit the opposite side of the state? Reason: hackers are looking for vulnerabilities after disasters because they believe the attention is diverted.??