
Argument-Driven Inquiry for Cyber Threat Intelligence

In this article, we'll explore how argument-driven inquiry can be applied to cyber threat intelligence, how it aligns with the intelligence cycle, and how to implement it step by step, and we'll highlight some of the benefits of integrating argument-driven inquiry into cyber threat intelligence.

When argument-driven inquiry (ADI) is applied to the field of Cyber Threat Intelligence, its 7 steps align with the Intelligence Lifecycle. The Intelligence Lifecycle is a framework that is widely used in the intelligence community, and it consists of six stages: Planning and Direction, Collection, Processing and Exploitation, Analysis and Production, Dissemination, and Feedback. By aligning the steps of ADI with the Intelligence Lifecycle, cybersecurity professionals can take a more structured and efficient approach to intelligence gathering and analysis.

In the first stage of the Intelligence Lifecycle, Planning and Direction, the focus is on identifying intelligence requirements and prioritizing them based on the level of threat they pose to the organization. This stage aligns with the first step of ADI, which is to identify a problem. By identifying potential threats and vulnerabilities, cybersecurity professionals can prioritize their efforts and focus on those areas that pose the greatest risk.

The second stage of the Intelligence Lifecycle, Collection, involves gathering information from a variety of sources, including internal data sources and external intelligence sources. This stage aligns with the fourth step of ADI, which is to collect data. By gathering information from a variety of sources, cybersecurity professionals can gain a more comprehensive understanding of potential threats and vulnerabilities.

The third stage of the Intelligence Lifecycle, Processing and Exploitation, involves organizing and analyzing the collected data to identify patterns and connections. This stage aligns with the fifth step of ADI, which is to analyze the data. By analyzing the data, cybersecurity professionals can identify potential threats and vulnerabilities and develop strategies to mitigate them.

The fourth stage of the Intelligence Lifecycle, Analysis and Production, involves synthesizing the processed data and generating intelligence products that can be used to inform decision-making. This stage aligns with the sixth step of ADI, which is to refine the hypothesis. By refining the hypothesis based on the results of the data analysis, cybersecurity professionals can develop more effective strategies to mitigate potential threats and vulnerabilities.

The fifth stage of the Intelligence Lifecycle, Dissemination, involves sharing the intelligence products with decision-makers and stakeholders. This stage aligns with the seventh step of ADI, which is to draw conclusions. By drawing conclusions based on the results of the data analysis and disseminating the intelligence products, cybersecurity professionals can inform decision-making and help mitigate potential threats and vulnerabilities.

The final stage of the Intelligence Lifecycle, Feedback, involves reviewing the effectiveness of the intelligence products and the decision-making process to identify areas for improvement. This stage aligns with the entire ADI process, as each step can inform the next and contribute to a more effective and efficient intelligence gathering and analysis process.

By aligning the steps of ADI with the Intelligence Lifecycle, cybersecurity professionals can take a more structured and systematic approach to Cyber Threat Intelligence. This can lead to a more comprehensive and effective understanding of potential threats and vulnerabilities, and ultimately help organizations better protect themselves against cyber attacks.


Here's a step-by-step plan for cyber threat intelligence analysts to implement the 7 steps of argument-driven inquiry in the context of cybersecurity:

  1. Identify a problem: Begin by identifying a specific cybersecurity problem or question that needs to be addressed. For example, "What is the likelihood of a ransomware attack against our organization in the next six months?"
  2. Develop a question: Once the problem has been identified, develop a specific and answerable question that can be addressed through the process of argumentation. For example, "What factors contribute to the likelihood of a ransomware attack against our organization in the next six months?"
  3. Develop a hypothesis: Based on available evidence, develop a testable hypothesis that can be used to answer the question. For example, "The likelihood of a ransomware attack against our organization in the next six months is higher if we do not have adequate backup and recovery systems in place."
  4. Collect data: Collect data from a variety of sources, including internal data from the organization's cybersecurity systems, external data from threat intelligence sources, and data from academic research. For example, collect data on the number and types of ransomware attacks targeting organizations similar to yours, as well as data on the effectiveness of backup and recovery systems in preventing or mitigating ransomware attacks.
  5. Analyze the data: Analyze the data to determine whether the hypothesis is supported or refuted. This analysis should be rigorous and take into account any limitations of the data. For example, conduct statistical analyses to determine whether organizations without adequate backup and recovery systems are more likely to experience ransomware attacks.
  6. Refine the hypothesis: Based on the results of the data analysis, refine the hypothesis if necessary. This may involve revising the hypothesis, developing new hypotheses, or developing new strategies to mitigate the threat. For example, refine the hypothesis to account for other factors that may contribute to the likelihood of a ransomware attack, such as employee training and awareness.
  7. Draw conclusions: Based on the results of the data analysis, draw conclusions and develop recommendations for cybersecurity strategy and defense tactics, or develop new policies and procedures to address the identified threat or vulnerability. For example, recommend implementing more robust backup and recovery systems and increasing employee training and awareness around ransomware threats.

By following these steps, cyber threat intelligence analysts can use the principles of argument-driven inquiry to develop evidence-based cybersecurity strategies that are supported by rigorous data analysis and testing.
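Steps 5 and 6 can be made concrete with a small analysis. The following is an added example, not code from the original article: it tests the backup hypothesis from step 3 with a one-sided Fisher's exact test, then repeats the test within each employee-training stratum to check whether the pooled result survives the refinement named in step 6. The counts in `SAMPLE`, the function names, and the choice of Fisher's exact test are assumptions made for illustration.

```python
from math import comb

# Constructed sample, not real data: counts of peer organizations keyed by
# (adequate_backups, staff_training, ransomware_incident).
SAMPLE = {
    (False, False, True): 24, (False, False, False): 16,
    (True,  False, True): 6,  (True,  False, False): 4,
    (False, True,  True): 2,  (False, True,  False): 8,
    (True,  True,  True): 8,  (True,  True,  False): 32,
}

def table(counts, training=None):
    """2x2 table (a, b, c, d): no-backup hit / not hit, backup hit / not hit.
    training=None pools both strata; True or False restricts to one stratum."""
    def cell(backup, hit):
        return sum(n for (bk, tr, h), n in counts.items()
                   if bk == backup and h == hit
                   and (training is None or tr == training))
    return (cell(False, True), cell(False, False),
            cell(True, True), cell(True, False))

def fisher_one_sided(a, b, c, d):
    """P(no-backup incidents >= a) under H0 of no association:
    the upper tail of the hypergeometric distribution with fixed margins."""
    n1, n2, k = a + b, c + d, a + c
    tail = sum(comb(n1, x) * comb(n2, k - x)
               for x in range(a, min(n1, k) + 1))
    return tail / comb(n1 + n2, k)

def analyze(counts, alpha=0.05):
    """Step 5: test the pooled data. Step 6: retest within each training stratum."""
    out = {}
    for label, tr in (("pooled", None), ("untrained", False), ("trained", True)):
        t = table(counts, tr)
        p = fisher_one_sided(*t)
        out[label] = {"table": t, "p": p, "supported": p < alpha}
    return out

if __name__ == "__main__":
    for label, r in analyze(SAMPLE).items():
        print(f"{label:10s} table={r['table']} p={r['p']:.4f} "
              f"supported={r['supported']}")
```

On this constructed sample the pooled test supports the hypothesis, but within each training stratum the incident rate is identical with and without backups, so the pooled association is explained by training. That is the signal to refine the hypothesis rather than report the pooled result.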

Implementing the 7 steps of argument-driven inquiry can provide several benefits to cyber threat intelligence analysts and their organizations, including:

  • Improved decision-making: The ADI process can help analysts to make more informed and evidence-based decisions about how to address specific cyber threats or vulnerabilities.
  • Increased efficiency: By using a structured approach to problem-solving, the ADI process can help organizations to identify and address cybersecurity issues more efficiently and effectively.
  • Better use of data: The ADI process requires analysts to collect and analyze data from a variety of sources, which can help organizations to better understand the nature and scope of cybersecurity threats.
  • Enhanced collaboration: By involving multiple stakeholders in the ADI process, including technical and non-technical personnel, organizations can encourage collaboration and knowledge sharing to better address cybersecurity threats.
  • Improved communication: The ADI process provides a common language and framework for discussing cybersecurity issues, which can help analysts to communicate more clearly and effectively with both technical and non-technical stakeholders.

Overall, the benefits of implementing the ADI process can help organizations to better understand and address cybersecurity threats, and to make more informed decisions about cybersecurity strategy and defense tactics.

