Analyze this; 2.5

“On a scale of one to five, which number represents thermonuclear war and which represents peace? The answer is simple; it depends on the value of one.”

This question is an oversimplified explanation of quantitative analysis. Every action has a numeric value, and when those values are taken together, massaged with an algorithm, and plotted on a graph, they tell you everything you need to know. Ask yourself this, however: is that really true? Can quantitative analysis really tell you what you need to know in each discipline? Perhaps in finances, traffic accidents, and poker games the answer is yes, but when it comes to real-world risk analysis, numbers are as useful as elven magic.

Before you click away in an angry huff, consider this: you’ve been asked to analyze the risk of recidivism of a convicted felon who is about to be released from prison. When you look through his criminal history, you see he committed two armed robberies, six shoplifts, and four assaults over a three-year period. He spent the last seven years in prison. Based on that information, what is his risk of recidivism?

Odds are, if you presented those facts to a criminal intelligence analyst or a police detective, you would be told the risk is high. They would assign a numerical value to each crime, add them up, use some crazy algorithm, and tell you this person is going to be a problem. If you went strictly by the numbers, then yes, this ex-con will more than likely offend again. If you step outside of the number parameters, however, you encounter the reality of the assessment, which is that the ex-con is a human being.

Saying the convict is human is not social commentary; it’s a fact that requires a different method for cataloging. Enter qualitative analysis. Based on the person’s history, there is cause to believe he may re-offend; however, there are several variables at play. For example, what were the socio-economic conditions of the subject prior to incarceration? Has the person found religion while in prison? What conditions will greet the subject upon his release? What factors that were present seven years ago will still be present upon release? All of these questions are extremely important when analyzing the risk of recidivism or any risk involving human beings. If you don’t believe me, ask yourself this: what number value should be associated with anomalous human behavior?

The challenge facing an analyst converted to the world of qualitative analysis is knowing which questions to ask and where they rank in the final risk analysis. Each situation demands a new grouping of questions; however, over time, the analyst will recognize core questions asked in each analysis. This is why risk analysis on people requires more than one analyst and should go through a rigorous vetting process with other equally skilled analysts. After all, we are mapping human behavior and can’t exclude the possibility of personal bias.

It is time we train our law enforcement risk analysts and investigators to use a qualitative system. It will be a change, and challenges lie ahead, but as we encounter the growing need for threat intelligence, predictive analysis, and efficient forecasting, we need to focus on the reason for the analysis: evaluating possibility. Numbers alone won’t do the trick.

Open Source- The New Art

There is no shortage of high-priced OSINT practitioners filling classrooms and lecture halls across the country. The once disregarded art of surfing the Internet for information has become a full-blown discipline. Many of the practitioners travelling the country as subject matter experts (SMEs) are indeed qualified and very experienced in extracting information from various Internet sources. The one aspect most of the current instructors miss, however, is what to do with the information once extracted.

Just like the intelligence cycle, competent OSINT has a specific workflow: Research, Extract, Sort, Analyze, and Disposition. Research is the topic of most open source classes and symposia. Thousands of law enforcement, security, and intelligence professionals are very adept at scouring the Internet for information. Most of them are equally adept at extracting the information they need. Where the cycle falls apart in many cases is at the sorting phase. Here, practitioners need to stop research and extraction and look through the data they have. Decisions need to be made on what is important and what is not, based on mission parameters. The data needs to be further categorized in terms of direct impact on the mission, ancillary impact, and questionable impact. From here, the deep analysis begins.

Analysis of open source information is contingent on the overall impact to the mission. If, for example, you are investigating a series of photographs depicting a subject holding firearms, and the subject is a prohibited possessor, the analysis of the photos will need to be rigorous. An investigator will need to determine if the suspect is readily identifiable. Are the weapons he or she possesses real or fake, and what clues lead to either conclusion? How recent is the photograph? Where was the photograph taken? Finally, what was said about the photograph by the poster and the followers? From a criminal intelligence standpoint, what about this post has ramifications beyond this case? A private security officer who is examining the photographs must review each comment to measure the general mood of the posts. A lot can be learned about employee social networks and insider threats by reading comments.

Aside from meaningful analysis, the disposition of open source information can be one of the hardest phases of the cycle. Here, a practitioner needs to store the information or deliver it to the needed customer. In law enforcement you have two main choices: case information and criminal intelligence. Case information means the information is evidence and needs to be stored and processed in accordance with court procedures for prosecution. The implications of such a disposition are many due to the various methods for storing digital information. If it is determined the information falls into the criminal intelligence realm, it is governed by 28 CFR Part 23 and will need to be audited. In the intelligence field, this information may need to be sent to other intelligence professionals for analysis on larger threats or trends. Private security may share the information with Human Resource professionals, or store it as a part of insider threat investigations. In any case, disposition of the information will ultimately be scrutinized and must therefore be carefully handled.

Open source intelligence (OSINT) is still an emerging tradecraft and will go through many iterations before it is commonly accepted. Following the cycle above and seeking out training that reinforces the cycle will build a cultural foundation for practitioners and make the discipline far more reputable. As challenges arise, security will be found in establishing solid industry standards like the cycle described above. For those in command positions: seek out full-scope training and move away from training that focuses on only one aspect of the discipline. After all, looking at a small piece of the canvas is nowhere near as inspiring as seeing the full painting.