Graph or Social Network Analysis – what’s the difference?

Common terminology sows the seeds of confusion

If you’re someone who has been involved in fraud protection, Anti-Money Laundering, Counter-Proliferation, Sanctions Evasion, anti-counterfeiting (the list goes on) – basically any sort of investigation of networks – you will likely have come across concepts such as graph, link analysis, and network analysis. However, when you start to write use cases for your organisation and develop your functional requirements for technology, this starts to get messy. For those new to this area, the figure below provides an illustration of what social network analysis is:

Illustration of a social network in analyst notebook
Social Network Analysis illustration, US Dept. of Justice (2016)

Unfortunately, the terminology we use every day is the source of much confusion amongst business users (investigators, intelligence analysts, security & fraud professionals), data scientists and technologists alike, making it hard to understand the actual problem which needs to be solved by technology. To understand this space, there are three main concepts to get your head around:

  • Network Analytics: a term that has its origins in computer science and ICT, used to model, monitor and assess the health and performance of computer networks.
  • Graph Analytics: also known as ‘Graph Technology’, this term actually refers to a type of database – the graph database – which stores data in the form of a ‘graph’ or network. Graph is heavily used today in the newly emerged field of Data Science.
  • Social Network Analysis: also known as ‘link analysis’, ‘network analysis’, and a variety of other names, this methodology has been around since the 1970s and stems from the social sciences. It uses algorithms and other methods to model and depict the behaviours of groups of entities (e.g. people, objects), attributes (e.g. the characteristics of objects, such as a person’s name), and the relationships (connections) between them. This is important as entities typically exist as ‘networks’ in society.

The three concepts outlined above, each a distinct academic discipline, can be applied to three simple User Personas, as outlined below:

User | Use Case
IT Departments | Use network analytics to assess and manage the health of your IT and OT (operational technology, such as SCADA systems) networks
Data Scientists, Data Engineers | Use graph databases to facilitate complex modelling, analysis, and other data management related tasks
Intelligence Analysts, Investigators, Risk & Compliance Officers | Perform social network analysis to understand threat networks, such as criminal networks, organised fraud syndicates, or illicit corporate structures, to assist in their identification, targeting and disruption
Three illustrative user personas for graph and social network analysis

Despite often using the terminology interchangeably, we are actually referring to three distinct concepts, which cause confusion when co-mingled.

What is a graph exactly?

A basic graph – whether we are talking about the way data is visualised within a graph database or as part of social network analysis – is depicted by nodes (entities) and edges (links or relationships). Fraud teams use enhanced depictions of ‘graphs’ to enrich the data with more information. Graphs (social networks) can be queried to return matching results, such as showing all individuals who are connected to a specific address in some way (e.g. home, work, family connections).

For data scientists, one attraction of a graph database is that large networks can be searched or analysed more efficiently than in a relational database (RDBMS) such as SQL Server or Teradata. There are numerous use cases for graph databases, including:

  • Entity Resolution – to determine whether two entities are actually the same based on various attributes
  • Knowledge Graphs – to help answer questions or find the answer to something
  • Product Recommendation Engines – for customers of eCommerce stores to suggest other products purchased by similar customers
  • Master Data Management
  • ICT network infrastructure monitoring
  • Fraud detection

Examples of graph databases on the market today include those produced by Neo4j, TigerGraph, AWS Neptune, Microsoft Cosmos, and many others.

Why is Social Network Analysis important for countering threat networks?

The term “Threat Network” is used by the U.S. Government when discussing any type of hostile actor (even lone actors are typically part of some social network). Examples include organised crime, nation states, organised fraud syndicates, counterfeiting syndicates, and industrial espionage networks. Without going into too much detail here, every threat network has a number of common roles which are required to achieve its objective.

Let’s say a consumer fraud ring is running a boiler-room scam to defraud elderly investors. The network needs people to manage its finances, communications, recruitment, targeting to spot vulnerable investors, scammers to actually defraud them, and managers and leaders to coordinate the scheme. This concept is illustrated below in relation to drug production and trafficking:

Organisational structure showing roles within a typical organised crime network
Illustration of various roles within a threat network (JP 3-25)

Social Network Analysis allows for visualisation of the relationships and structures of all parties involved in the network, and provides the ability to overlay additional information such as each party’s function in the network. Social science algorithms, such as betweenness and other centrality measures, can be applied to social network data to identify key players or connections. These threat network vulnerabilities can then be targeted, such as through arrests or new internal controls, to disrupt threat actor activities. This concept is illustrated below:
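The two operations described above – querying who is linked to a given address, and applying a centrality measure with roles overlaid to find key players – as an added example that is not code from the original post. The fraud ring, its entity names, roles and address are fictional and constructed for illustration; betweenness centrality (Brandes’ algorithm) is implemented directly so it runs without a graph database or third-party library.

```python
"""Social network analysis of a small, constructed threat network.

Added example, not code from the original post. The fraud ring below is
fictional and constructed for illustration; entity names, roles and the
address are assumptions. Betweenness centrality (Brandes' algorithm) and
degree are implemented directly so the example runs with no graph database
or third-party library.
"""
from collections import deque

# Constructed link-chart data: (entity, relationship, entity).
EDGES = [
    ("Leader", "directs", "Manager"),
    ("Manager", "directs", "Recruiter"),
    ("Manager", "directs", "Finance"),
    ("Recruiter", "recruited", "Scammer1"),
    ("Recruiter", "recruited", "Scammer2"),
    ("Scammer1", "works_with", "Scammer2"),
    ("Finance", "controls", "ShellCo"),
    ("ShellCo", "registered_at", "12 Example St"),
    ("Finance", "lives_at", "12 Example St"),
]

# Function each entity performs in the network, overlaid on the graph (assumed).
ROLES = {
    "Leader": "leadership", "Manager": "coordination", "Recruiter": "recruitment",
    "Finance": "finance", "Scammer1": "scamming", "Scammer2": "scamming",
    "ShellCo": "legal entity", "12 Example St": "address",
}


def build_graph(edges):
    """Undirected adjacency sets: a relationship links both ends regardless of direction."""
    adj = {}
    for a, _rel, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def connected_to(edges, target):
    """Graph query: every entity linked to `target` in any way, with the link type."""
    hits = []
    for a, rel, b in edges:
        if a == target:
            hits.append((b, rel))
        elif b == target:
            hits.append((a, rel))
    return sorted(hits)


def betweenness(adj):
    """Brandes' algorithm: how many shortest paths between other pairs pass through each node.

    High scores mark brokers whose removal fragments the network, even when
    their raw number of connections (degree) is unremarkable.
    """
    score = {v: 0.0 for v in adj}
    for s in adj:
        order, pred = [], {v: [] for v in adj}
        sigma, dist = {v: 0 for v in adj}, {v: -1 for v in adj}
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:                      # breadth-first search counting shortest paths
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {v: 0.0 for v in adj}
        while order:                      # accumulate dependencies back towards s
            w = order.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return {v: c / 2 for v, c in score.items()}  # undirected: each pair was counted twice


def key_players(edges):
    """Rank entities by betweenness, with degree and role overlaid, highest first."""
    adj = build_graph(edges)
    bc = betweenness(adj)
    ranked = [(v, ROLES.get(v, "unknown"), len(adj[v]), bc[v]) for v in adj]
    ranked.sort(key=lambda r: (-r[3], -r[2], r[0]))
    return ranked


if __name__ == "__main__":
    print("Linked to 12 Example St:", connected_to(EDGES, "12 Example St"))
    for name, role, degree, bc in key_players(EDGES):
        print(f"{name:14} {role:12} degree={degree} betweenness={bc:.1f}")
```

In this constructed network the Manager, Recruiter and Finance roles all have three connections, yet only the Manager brokers every path between the leadership, recruitment and finance arms, which is what betweenness surfaces and degree alone does not.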

Illustration of how a network can be disbanded (disrupted) with effective targeting
Illustration of how disrupting a network can render it ineffective (JP 3-25)

How can I perform Social Network Analysis?

Interestingly, you do not need a ‘graph database’ to perform Social Network Analysis. What you do need though is a suitable user interface for business users (e.g. investigators) which allows them to query, analyse, and interact with their data to achieve an outcome – such as identifying key players in a fraud ring. Without a suitable interface, business users will be unable to exploit the data effectively, rendering it useless.

Fraud and law enforcement teams have used Social Network Analysis for decades. You can do simple Social Network Analysis on paper or a whiteboard without the use of software – this is where the term ‘link analysis’ originated from. Whilst pinboards are useful for Hollywood movies and simple networks, analysts today are swamped in data making software essential.

In the late 1990s or early 2000s, the popular software known as Analyst Notebook was developed and is still in use today. These days, there is a proliferation of thick-client and browser-based software which performs this function, including Maltego, Linkurious, Palantir, Quantexa, and RipJar.

As outlined here, there is a distinct difference between the concepts of network analysis, graph and social network analysis. Each has its own use cases, methodologies, user groups and supporting software. Understanding this landscape, and how all the pieces fit together, is essential to building any sort of threat intelligence or detection analytics capability.

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Comparative Case Analysis: A powerful tool for typology development

What is Comparative Case Analysis?

Comparative Case Analysis (‘CCA’), also known as ‘Similar Fact Analysis’, is a technique used in criminal intelligence analysis to identify similarities and support decision making (Sacha et al, 2017).

Cases can be linked in CCA through any of the following:

a) Modus Operandi (or tactics, techniques, procedures)
b) Signatures and patterns
c) Forensic evidence
d) Intelligence

College of Policing (2023), United Kingdom

CCA is useful when analysing process-based crime types where perpetrators need to follow a defined set of steps to effect the crime. Examples of such crime types include fraud and financial crime, cybercrime, money laundering and Intellectual Property Crime (e.g. counterfeiting networks).

I use CCA when developing typologies, which I then convert to analytics-based detection models that are run as part of a continuous monitoring or detection program over a dataset to detect suspect transactions, individuals / legal entities, or behaviour.

Where can you collect cases to perform CCA?

So, you’ve worked out that CCA is appropriate to use in your situation. The next challenge is where to get your case study data from. Common sources include:

  • Indictments and statements of claim – depending on jurisdiction, these may be published by prosecutorial agencies such as the U.S. Department of Justice, or by the courts (for tips, see my article on searching Australian court records).
  • Media reports – media monitoring and other Open Source Intelligence (OSINT) capabilities are essential for any financial crime or corporate security function. For information on how to build one, look at my 101 post.
  • Industry information sharing sessions – industry groups such as the Pharmaceutical Security Institute and the Australian Financial Crimes Exchange exist for this purpose.
  • Prisoner interviews – may be performed by law enforcement, regulators, journalists or academics for publication.
  • Academic case studies, published papers and conferences
  • Examination of your own case files based on historical incidents or near-misses.

Unfortunately, it is all too common to find cases that are incomplete. If you don’t control your data (such as cases sourced from the media) your ability to improve data quality is limited – you may need to exclude incomplete cases from the CCA.

If you are using your own case files, consider changing your internal processes, templates and SOPs to collect the data you need in the future. If you encounter resistance, obtain buy-in from stakeholders by helping them understand what you need and why you need it.

How do you undertake Comparative Case Analysis?

CCA is an invaluable but involved process which will take time to complete. CCA has its roots in academia, particularly the social sciences (see Goodrick et al 2014), so some literature on the topic is irrelevant or too academic to be useful for typology development or intelligence analysis.

CCA can be undertaken individually or within a group, although doing the work individually may lead to intelligence blindspots. My high level methodology is as follows:

1. Define your scope, case criteria, and other considerations
   a) What are you attempting to achieve by performing this CCA? Is CCA the most appropriate method?
   b) What risk are you seeking to mitigate, and what type of case / crime type etc. meets these criteria?
   c) What timeframe, jurisdiction, industry / product / channel / customer type are in scope?
   d) How might analytical bias arise in your methodology? How will you manage this?
2. Collect your case information and prepare the data for analysis
   a) Refer to ‘Where can you collect cases to perform CCA?’ above for suggestions.
3. Review each case for data quality and completeness
   a) Do you have sufficient information for each case?
   b) Do your cases fit the criteria you defined in step 1?
   c) Do you need to change your methodology?
   d) Is the methodology viable with the available information?
   e) What cases (if any) do you need to remove due to incomplete data?
4. Develop a structured form or methodology to undertake the comparison
   a) How are you going to compare each case? I build a form or template as part of my approach, which I populate with information from each case and use for case comparison.
   b) What data elements do you want to compare? Details captured usually include entities (people, businesses, things such as vehicles or residences), locations and dates / times, activities (e.g. events, transactions), and attributes such as language, in addition to Modus Operandi.
   c) Comparison of this data enables the identification of patterns or attributes which can be used to link seemingly separate incidents together (remember criminals share with each other, so a linked case doesn’t have to reflect the same individual).
5. Determine where you will store your results
   a) Where will you store your captured data and analysis?
   b) If dealing with large volumes of data, you may want to build a database or design a workbook in Microsoft Excel to collect the data for subsequent analysis.
6. Read each case and identify each data element
   a) Physically read the material for each case.
   b) Identify the data elements which you want to capture (step 4). One way to do this is using coloured pens or highlighters, with each colour representing a specific data element (e.g. entities).
   c) Once identified, this information can be used to document your results (step 7).
7. Document your results
   a) I tend to find Microsoft Word, PowerPoint or Excel is fine for this purpose, but ensure you store your CCA reports in a central location so they can be periodically reviewed and updated.
   b) An alternative is ‘visual CCA’, effectively using a visualisation tool such as Tableau or Microsoft Power BI to analyse and present your findings (see Sacha et al 2017).
   c) Ensure any assumptions, data gaps or hypotheses are clearly identified. Ideally CCA is factual, so if there are information gaps you are better off leaving them blank than filling a gap with a hypothesis: the fact that you have done so can get overlooked in future typology and detection model work and lead to erroneous results.
8. Have an ‘independent party’ peer review or critique your work
   a) Have another party (e.g. team or peers, independent experts etc.) not involved in the original activity perform a review and challenge role.
   b) This provides an opportunity to identify gaps, assumptions or conclusions in your analysis.
9. Evaluate your results
   a) Are they complete?
   b) How reliable do you think they are?
   c) Are they sufficiently detailed and rigorous to use as a basis for typology development?
   d) What rework, if any, do you need to do before finalising your CCA? Perform updates to your work as appropriate.
10. Periodically refresh completed CCAs
   a) Threats such as fraud, financial crime and cybercrime are constantly changing in response to new processes, products, channels, internal controls and actions taken by fraud and security teams to mitigate these threats.
   b) Implement a process to periodically review and update historical CCAs, such as annually, and incorporate this into any detailed typologies.
Paul Curwell (2023). Comparative Case Analysis methodology.

A simplified example of a CCA data capture template (step 4) which has been populated with fictional case information (steps 6 and 7) is shown below:
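An added example of a structured data capture template (step 4) compared element by element to link cases (step 4c), with data gaps left blank rather than filled (steps 3 and 7c). This is not the author’s template; the field names and all three cases are fictional and constructed for illustration.

```python
"""Comparative Case Analysis over a constructed data capture template.

Added example, not the author's template or any real cases. Each case is
recorded against the same structured fields (step 4), cases with gaps are
flagged rather than filled (steps 3 and 7c), and cases are compared
element by element to find shared attributes that may link seemingly
separate incidents (step 4c). All case data below is fictional.
"""
from itertools import combinations

# Data elements the template captures; each case records a set of values per element.
ELEMENTS = ("entities", "locations", "activities", "modus_operandi", "language")

# Constructed, fictional cases. None means the source gave no information
# for that element: it is left blank, not guessed.
CASES = {
    "CASE-1": {
        "entities": {"ShellCo Pty", "J. Doe"},
        "locations": {"Sydney"},
        "activities": {"cold call", "bank transfer"},
        "modus_operandi": {"impersonate broker", "pressure to invest today", "offshore account"},
        "language": {"guaranteed 12% return"},
    },
    "CASE-2": {
        "entities": {"Acme Holdings"},
        "locations": {"Melbourne"},
        "activities": {"cold call", "crypto purchase"},
        "modus_operandi": {"impersonate broker", "pressure to invest today", "offshore account"},
        "language": {"guaranteed 12% return"},
    },
    "CASE-3": {
        "entities": {"J. Doe"},
        "locations": {"Sydney"},
        "activities": {"email", "bank transfer"},
        "modus_operandi": {"fake invoice", "changed bank details"},
        "language": None,
    },
}


def completeness(cases):
    """Step 3: list the missing elements per case so they can be sourced or the case excluded."""
    return {cid: [e for e in ELEMENTS if not rec.get(e)] for cid, rec in cases.items()}


def shared_elements(a, b):
    """Element-by-element intersection of two case records; a blank element never matches."""
    return {e: sorted(a[e] & b[e]) for e in ELEMENTS if a.get(e) and b.get(e) and a[e] & b[e]}


def link_cases(cases, min_shared=2):
    """Step 4c: pair cases sharing at least `min_shared` attribute values, strongest link first.

    A link may rest on shared modus operandi (CASE-1/CASE-2) or on shared
    entities and locations (CASE-1/CASE-3): a linked case does not have to
    reflect the same individual.
    """
    links = []
    for x, y in combinations(sorted(cases), 2):
        shared = shared_elements(cases[x], cases[y])
        count = sum(len(values) for values in shared.values())
        if count >= min_shared:
            links.append((x, y, count, shared))
    links.sort(key=lambda link: (-link[2], link[0], link[1]))
    return links


if __name__ == "__main__":
    print("Data gaps:", completeness(CASES))
    for x, y, count, shared in link_cases(CASES):
        print(f"{x} <-> {y}: {count} shared value(s) {shared}")
```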

Typology development: the next step in operationalising detection

Whilst CCA is not a pre-requisite to developing a typology, it certainly helps. When designing your CCA approach, I recommend you consider the types of data you will need to build your typology and incorporate these into your methodology (see my previous article, ‘Typologies demystified’).

Analysing Modus Operandi or TTPs requires the application of a number of intelligence analysis methods and is too big to cover here. I will write about this separately in a future post.


Typologies demystified – what are they and why are they important?

What are typologies and what role do they perform?

The term ‘typology’ is used in the sciences and social sciences and can be defined as “a system for dividing things into different types”. According to Solomon (1977), “a criminal typology offers a means of developing general summary statements concerning observed facts about a particular class of criminals who are sufficiently homogenous to be treated as a type”. Use of the term ‘typology’ in this way apparently dates back to Italian criminologist Cesare Lombroso (1835–1909).

As we see the increasing convergence of financial crime, cybersecurity and physical threat detection in domains such as insider threats or fraud, it becomes increasingly important to have an end-to-end understanding of the path and actions that ‘bad actors’ must take to realise their objective, as well as other factors such as offender attributes / characteristics, motive, and overall threat posed. Amongst other things, constructing a fraud or insider threat typology requires a good understanding of how and where an organisation’s normal business processes can be exploited, including an understanding of the systems and data needed by offenders to be successful.

How do typologies, modus operandi and TTPs differ?

The disciplines of fraud, cybersecurity, intelligence analysis, security risk analysis and others have largely evolved in isolation from each other, because this is the way we design organisations (by functional specialisation aligned to employee positions, rather than by the threats, which align to the criminals targeting the organisation). This has given rise to a variety of different terms and approaches to doing effectively the same thing.

As disciplines converge, driven by the need for an end-to-end view of a threat in order to facilitate timely detection, professionals across these domains need to understand the practices and lexicon used by peers. In my experience and from research, a typology provides a broad overview of the threat and will comprise multiple data points, including but not limited to Modus Operandi / TTPs:

Modus Operandi (MO) and Tactics, Techniques, and Procedures (TTPs) are effectively the same thing in practice and refer to the way a crime (or attack) is executed. The one difference is that MO has its roots in criminal law, whereas TTPs originated in the military and are today heavily referenced in cybersecurity:

  • Tactics, Techniques and Procedures (TTPs) – “The behavior of an actor. A tactic is the highest-level description of this behavior, while techniques give a more detailed description of behavior in the context of a tactic, and procedures an even lower-level, highly detailed description in the context of a technique.” (NIST SP 800-150)
  • Modus Operandi (MO) – Latin meaning “mode of operating.” “In criminal law, modus operandi refers to a method of operation or pattern of criminal behavior so distinctive that separate crimes or wrongful conduct are recognised as the work of the same person” (Cornell Law School). For example, “it was argued that these features were sufficiently similar such that it was improbable that robberies with those features were committed by persons other than the respondents” (NSW Judicial Commission).

Everything we do leaves a trail, including in the digital world (often referred to as ‘digital exhaust’). Detecting a potential bad actor’s trail to prevent insider threats, financial crime and cybercrime requires both (a) understanding what to look for (which can comprise very subtle, highly nuanced signs amongst a sea of data), and (b) having tools sensitive and fast enough to collect, process and analyse these signs so as to prompt a response.

My favourite analogy for a typology is a recipe: If I am going to bake a cake, the typology is to a data scientist (who designs and runs the analytics models for detection) what the recipe is to the baker. In contrast, intelligence analysts are the recipe writers – they understand all the ingredients and how they need to come together. The skills of data scientists and intelligence professionals are complementary.

How do they relate to risks?

Should you choose to perform more research into the concept of typologies in criminology, you will find they can be developed for just about anything. But in the case of insider threats, financial crime and cybercrime, we are only interested in those threats which directly impact our respective organisation, customers, products, systems or assets. This means we need to link them to risks: Whilst we can develop other typologies, if the materialisation of the threat does not result in a risk to the organisation, then the exercise may be pointless.

To develop a typology that is capable of being used in an advanced analytics-based detection system, the typology needs to be as specific as possible. This means a typology should be developed for a specific, or highly detailed risk (i.e. 4th level risk). It is common to find there are one or more typologies associated for each 4th level risk. The following figure illustrates the relationship between risks, typologies and analytics-based detection models which generate ‘alerts’ (cases) for disposition and potential investigation:

Author: Paul Curwell (2022) (c) – how typologies bridge the gap between risks and analytics-based detection

Throughout my career I have worked with many typologies, and one of my early learnings was that typologies are highly contextualised. For example, an employee who has resigned and works in sales whose job involves sending out brochures to a prospective customer’s email address is not a problem, whilst an employee who has access to sensitive trade secrets and sends emails with attachments to a personal email address may well be.

Typologies need to address this level of specificity, which is part of the reason for aligning them to 4th level risks. Good typologies also include indicators specific to the parties involved in the activity, the context of the activity, and the associated threat.

What are the components of a typology and why?

Writing good typologies is hard (I refer to them as ‘deceptively simple’). Some typologies are quite generic, written so as to be implemented by any reader with any detection system (examples include those written for Anti-Money Laundering or Counter-Terrorist Financing by bodies such as FATF, FINCEN and AUSTRAC). Substantial work can be required to take these more generic typologies and implement them – sometimes this even requires complete rewriting.

Irrespective, there are a number of fundamental components of any typology. Note however, that some required fields will be specific to the detection system used (i.e. they may be required as inputs to design or build the models):

  • Typology name
  • Threat actor details (perpetrator, group affiliation, threat type etc)
  • Target(s)
  • Description of how the attack is perpetrated
  • Illustration (e.g. process map) for how the attack is perpetrated
  • Indicators (contextual, threat and party specific)
  • Data sources for each indicator
  • Description of the steps required for investigation and any associated analytical techniques

In my opinion, a typology is ‘finished’ when it can be readily understood and converted to an analytics-based detection model by a data scientist with minimal rework or clarification being required. Often intelligence professionals (who are the experts in a particular threat) write typologies and hand them over to a data scientist, who then needs to become another expert in the threat to implement them! This is not a valuable use of resources and should be avoided. There will always be gaps in intelligence, and threat actors keep changing to avoid detection – so a typology may never be 100% complete – but typologies should be written in a manner that addresses the information and design needs of their intended audience (i.e. data scientists, investigators and risk managers).

When building your typology library, it is good practice to map these to your 4th level risks to identify potential detection gaps. Steps involved in writing a typology will be explored in future posts.


Defining your ‘Threat Universe’ as a building block of your intelligence capability

Author: Paul Curwell

The role of a threat universe in your intelligence capability

The focus of intelligence is generally on what is happening (and likely to happen in the future) external to your organisation. In the commercial world, risk and compliance teams are often inwardly focused, looking at who is doing what and identifying potential implications, rather than focusing on the external source of the risk (i.e., the threat).

Identifying and categorising your actual and potential threats is a first step in building a new intelligence capability. The threat universe is a taxonomy of all possible threats and their associated vectors which could target your organisation, products or supply chain. Defining your universe of threats creates the boundaries for what your intel function does and does not need to focus on, including any strategic intelligence programs such as horizon scanning.

The dangers of intelligence ‘silos’ across your organisation

Depending on your role, you may only be interested in threats associated with a specific functional area, such as fraud, cyber-crime or physical security, as opposed to having an enterprise wide focus. However, silos create problems when threats overlap (e.g. criminals who started with opportunistic theft of physical goods move on to defrauding your organisation through its services).

If you don’t have the right mechanisms in place, your organisation will be blind to these overlaps and you will not realise you are being targeted. An example here is fraud in banks – teams working on credit card fraud might not share their data with teams working on motor vehicle insurance fraud, yet the actual criminal targeting them might be the same person.

The first step in building a threat universe is identifying your most important assets, as this helps inform both a threat actor’s motive and any threat vectors they are likely to use (how a threat actor might successfully defraud or attack you).

Work out what is valuable to your business

A basic rule of security is that you can’t protect your assets if you don’t know what you’re supposed to protect. There are many ways of doing this, but I start with a simple taxonomy and then get into further levels of detail with my clients. When I think of assets, I start with five main categories:

Asset Category | Description
People | Includes your employees and customers
Facilities | Buildings such as offices, plants, warehouses, laboratories
Information | Includes Intellectual Property (IP, such as patents and copyright), personal or private information (generally covered under privacy legislation), and confidential business information (proprietary information) such as marketing plans, strategies and pricing models
Systems | Comprises the computer networks, servers and related technology that keep the business functional
Brand & Reputation | Represents the premium the market places on your products and services as a result of how you do business

Your products & services are assets too!

Products are all too often overlooked by many security and fraud professionals. There are two things you need to consider. Some threat actors make money by abusing your products or services. Pharmaceutical counterfeiting and loan fraud syndicates are two examples, both of which profit by directly targeting a company’s products or services.

Perhaps more pernicious are those who use your products or services as a criminal enabler. This means that your company may not lose money by having criminals use your products or services (indeed, some companies might even make money in the form of sales revenue), but your products or services are used to facilitate criminal business operations. Money laundering and identity crime are two common examples. A less obvious one is drug trafficking rings that smuggle illicit product inside a legitimate shipment in order to transport it.

Identifying the threat actors likely to target your assets

Once you have identified what is likely to be targeted in your business, the next step is to understand who is likely to target you. You will likely not have all the information you need to complete this step without some research, but you will probably be able to complete a high level summary quite quickly. Remember that criminals might be considered to lie on a spectrum, from opportunistic through to serious organised crime.

Use this simple taxonomy for threat actors to get you started:

Threat actor: description

  • Opportunistic Criminals: Opportunistic criminals are only engaging in crime because they think they won’t get caught. For example, perhaps you are a retailer who sells expensive clothing, and your products can easily be slipped into a bag without paying?
  • Unsophisticated Criminals: I use this category to describe people who might be engaging in crime more than just opportunistically, but are either just starting out or really aren’t any good. History has plenty of examples here, and this category (particularly those that aren’t any good) are probably the ones most likely to get caught.
  • Organised criminals: Organised criminals are just that – organised. That implies some level of competence, which likely translates into them being harder to find and catch. This is particularly the case with fraud syndicates. If you have something which is attractive to criminal groups, or can provide them with access to something that is valuable which they couldn’t get any other way (e.g. a way to launder their money or use someone else’s identity), you may be a target. Fraud syndicates and cyber-crime rings are frequently encountered examples here, although there are overlaps between these examples and all other categories.
  • Organised Crime Groups: We need to make a distinction between ‘organised criminals’, basically sophisticated groups of people engaged in criminal activity, and true ‘organised crime groups’ like the Mafia and Yakuza. Successful criminals are all organised, but not all organised criminals are members of transnational organised crime groups. Organised crime groups these days are generally transnational, and involved in a broad spectrum of legitimate and illegitimate enterprises.
  • Nation States & their associates: Nation states and their associates (such as front companies and intermediaries) can be involved in a range of activities including Intellectual Property Theft, technology transfer, weapons proliferation, economic espionage, foreign interference, information operations (e.g. cyber attacks, misinformation / disinformation campaigns), supply chain attacks and sabotage (physical and cyber).
  • Terrorism & Politically Motivated Groups: An unfortunate reality of life is that some crimes are politically motivated – Terrorism is one example. Companies and their assets (including employees) may be directly targeted for some reason – perhaps they are high profile and an easier target than say a police station or government building – or they may just be in the wrong place at the wrong time. If your office is in the same building as a government agency or other high profile business, you would be wise to ensure this is on your threat universe.
  • Issue Motivated Groups: Issue Motivated Groups might sound a bit strange, but these are effectively groups of people who are willing to commit crimes (sometimes serious crimes such as murder) in the name of what they feel is important. Examples include environmental activists, anti-abortion activists, religious motivations, animal rights activists and others. They range from peaceful and benign (e.g. peaceful protests) through to very serious – such as the bombing of anti-abortion clinics or the murder of staff associated with them. You need to know if your company operates in an industry that is targeted by IMGs.
  • Street criminals / gangs: This might seem a strange addition to the list depending on where you live or operate, but it is important to remember the threats facing corporate travellers, as companies have a duty of care towards their employees. Theft (including cargo theft), robbery, random acts of violence, and even opportunistic kidnappings perpetrated by common criminals or organised groups may need to feature on your risk register if you send employees to high risk locations.
  • Insider Threats: Refers to any person who has the potential to harm an organisation for which they have inside knowledge or access, including employees, contractors, consultants, and employees / contractors of suppliers and business partners. An insider threat can have a negative impact on any aspect of an organisation. Insiders can also collude or collaborate with external threats such as organised crime groups.

As you start to define your threat universe, you can develop sub-categories which will help you further identify and manage the threat. For example, if your organisation is exposed to organised crime, start to categorise them. Add sub-categories such as middle east organised crime, outlaw motorcycle gangs etc. Then you can undertake research to find out what sort of activities they typically engage in, and whether your business, products or supply chain are typically targeted by each group in your region. Having done this exercise once, you can keep it up to date by building a media monitoring capability to identify emerging trends.

Applying your threat universe in practice

A threat universe could comprise something similar to an organisational chart, supplemented with profiles and information you gather on each group. Advanced versions will be in a database or similar system. Your threat universe should be a living document, which develops as both your business evolves and the external environment in which your business operates changes.

Once complete, you can start to focus your intelligence resources. Not everything on your threat universe is going to be a problem right now (i.e. be a ‘current threat’) – indeed, there may not be any threats targeting you within a specific category right now, but this can change without warning. When something strange happens or the beginnings of a new trend start to emerge, you can easily look to your threat universe and assess whether this is something you need to be worried about.

Further reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

How do you assess management’s track record?

Author: Paul Curwell


In any business transaction, understanding a prospective counterparty’s management team’s behaviours, evaluating their historical performance, and determining whether they are compatible as a future partner is critical to success, whether you are undertaking Mergers & Acquisitions / Joint Ventures, selecting a business partner (such as a distributor, who you might partner with for years or even decades) or a supplier who will be relied upon to deliver a business-critical project, or making an investment as an external investor. These insights into a management team’s track record are typically incorporated into a broader program of due diligence, the needs of which will differ depending on circumstances or transaction-specific requirements.

Often, an assessment of management’s track record is performed by the prospective partner in an unstructured or informal manner, with business leads for the transaction going off ‘gut feel’ or perhaps spending time getting to know the other party to determine whether a partnership will work. However, in some cases this is not feasible, or alternatively an independent and unbiased view might be sought, which is where business intelligence professionals play a key role. So what exactly is a management track record review anyway?


Elements of a Management Track Record review

There is no standard approach to assessing the track record of a management team; however, there are common elements which will typically form part of any assessment. The scope of any review of management’s track record is really dependent on the context and questions that need to be answered by stakeholders. Common elements are outlined below:

a. Character and Personality Traits

Running a successful business takes more than being in the right place at the right time; it requires having the right team, who are prepared to make decisions and sacrifices to achieve an objective. Understanding the personalities behind the management team is critical and often overlooked in favour of more quantitative metrics; however, most readers will have encountered managers or peers who succeed and gain promotion through playing politics or riding on the backs of others rather than through any unique skills or attributes of their own.


Questions about an executive’s character that are considered within an assessment of management include:

  • What type of personality are they? Methods such as Myers-Briggs Personality Type and Deloitte’s Business Chemistry can help provide answers
  • What are their leadership qualities and style? How does this result in their success?
  • How do they perform under pressure? What are their strengths and weaknesses? Do they ‘default’ to a common pattern of behaviour under particular conditions?
  • What is their integrity like? Are they ethical and trustworthy? Will they behave in a socially-acceptable manner in the absence of scrutiny?
  • What is employee engagement like? Do employees ‘rally behind’ and trust their leader (with all their innate faults as a human), or are employees disengaged and unmotivated to perform?
  • Are they resilient? Leadership takes its toll personally on any leader, and they need to be in it for the long game, not for five minutes.
  • What are their life goals? Do they align with where the organisation is going? Any mismatch may result in an unexpected departure which could affect business outcomes unless an adequate succession plan is in place.
  • Are they driven to succeed? What drives them and is this sustainable?

In cases where you already have a strong relationship with the management team, such as the final stages of an acquisition or a few years into a business partnership, you may be in a position to bring in an organisational psychologist to help assess these traits. However, this is often not possible in many situations, such as where a company is discreetly scanning the market for a new distributor or acquisition. In many cases, the inputs to these assessments need to be gathered based on publicly available information – this is common practice in the intelligence community, where foreign leaders are regularly profiled to help anticipate likely decisions or pressure points.

b. Organisational Culture

The results of many studies show that culture is a key predictor of a company’s performance. Given that executives and the board set the ‘tone from the top’ in terms of behaviours and values for any organisation, part of any management track record assessment must consider the type of culture its leadership creates: not just what they espouse through codes and comments, but what they actually do through their actions.

Gaining insights into culture requires speaking to current and former staff, customers, suppliers, regulators and even competitors to build a comprehensive picture of fact versus fiction.

c. Performance

A management team’s performance is comprised of many different factors, each of which is interrelated. While I am also a great believer that people make their own success and that some successes are partly the result of being in the ‘right place at the right time’, there are a number of traits which can help qualify a management team’s performance. These include:

  • Have they demonstrated the ability to develop a viable strategy?
  • Do they have a track record of executing on that strategy, and of successfully adapting that strategy to changing internal and external (market) contexts?
  • Do they consistently deliver on promises and meet the expectations of customers, employees, and shareholders?
  • Have they been able to consistently deliver positive results over time to demonstrate a track record of success, rather than benefiting from one-off ‘lucky’ guesses?
  • Can you identify any lies or claims of exaggerated performance? Are you able to establish a pattern of slight, but regular exaggerations of fact?

Assessing performance elements of management’s track record involves understanding the performance of the organisation as a whole (or, for large organisations, the relevant business unit), and the impact or effect of the management team on it. These factors are often most visible in cases where a highly successful management team resigns en masse for a competitor or to pursue a new opportunity.


d. Competency and tenure

Whilst the tenure of a leader is relatively easy to identify and validate, competency can be much harder to assess. I’m sure we have all been in situations where we worked with someone we believed or understood to be highly competent, only to be let down or disappointed. Competence of management is more than just a reflection of their technical skill as a professional (e.g. accountant, lawyer, banker, engineer). The ability to lead, motivate and manage teams, engage the workforce, and effectively deploy the organisation’s resources must all be considered. This information often needs to be collected via interview.

  • How long did they spend in their various leadership roles? Anything less than a few years is likely to be a red flag
  • Did they resign from an organisation shortly after receiving a promotion at an executive level? If yes, did the timing of their resignation coincide with an adverse event at the business (e.g. regulatory action, failure to hit earnings estimates) or occur shortly thereafter?
  • Have they spent time in any ‘special projects’ type roles where they might have been grandfathered out of the business?
  • What do people who have worked for them, and with them say about their abilities? Have they heard anything adverse on the grapevine? How do competitors view them?

e. Compensation

The last element of a management track record review we will consider here is the compensation of individuals. At the end of the day, most executives get paid to make decisions that result in the company growing and creating value for shareholders. Executive remuneration typically needs to provide a balance of short term (e.g. salary, bonuses) and long term (e.g. shares) incentives to reward desired behaviours. That said, a number of factors should be considered in relation to executive compensation and management’s track record:

  • Does the management team’s compensation (or that of a specific individual) match the performance of the business as a whole? Also, how does this compensation align with industry benchmarks? If not, why not?
  • What has the management team done with their stock options?
  • Is the management team entitled to any sort of loan from the company?

In private (non-public) companies, it is often hard to obtain compensation data as this does not need to be disclosed, whilst in the case of partnerships partners often ‘cash out’ upon resigning from the partnership where they have equity. In these cases, other types of information may need to be used as a proxy to help gauge compensation arrangements.

When it comes to executive compensation, it is useful to remember the case of Enron where executives reportedly received a line of credit using company funds which they were able to draw upon each month, only to repay this loan with Enron stock which at that time did not require any reporting to the SEC, limiting transparency (Bean, pp.100-101).


Techniques for obtaining inputs to a review of management’s track record

Any review of management’s track record typically starts with desktop research. Reviews of company and industry documentation, public records, media articles, presentations / speeches, and similar information is always an excellent starting point. Often, a cursory desktop review can also help frame the scope and identify where to focus in relation to a second, more detailed exercise.

The next step to obtaining this information depends on whether the subjects know you are doing this (e.g. a friendly acquisition or diligence on a prospective business partner) or whether this is unknown to the subject (e.g. the early stages of a proposed acquisition that has not been announced to the target). Situations where your interest is known to the subject are relatively straightforward – it becomes a case of collecting and analysing the information, and then presenting it to the subject(s) for comment. Where this work is not known to the subject at that time, the range of sources available to you may be more limited.


After scoping and desktop research is complete, interviews with other parties such as suppliers, competitors, current / former employees etc can be undertaken to learn more about the management team and to corroborate key findings from desktop research. In some cases, it may be appropriate to do some sort of inspection or audit with their consent (e.g. compare the company’s performance against key events or dates), depending on the context. Obviously, care must be taken to avoid propagating any frivolous, vexatious or similar unsubstantiated claims that could give rise to a future defamation action, particularly when it comes to the specific actions (inactions) of an individual.

Once the information has been gathered, the exercise becomes an analytical one, where the goal is to build a picture using the information gathered and answer any ‘so what’ questions posed in the scope. Reviews of management’s track record are typically documented in a report which can then be used by decision makers as part of any planning. Importantly, the goal of any management track record review is not to create a catalogue of an executive’s weaknesses – noting that fraudulent claims should be identified and treated appropriately – rather, for all other cases the goal is to help make an informed decision about whether the businesses involved are likely to be compatible. Where opportunities for improvement are identified with a compatible organisation, these learnings can be used to help inform plans for improvement.

Further Reading

  • Bean, E. J. (2018). Financial Exposure: Carl Levin’s Senate Investigations into Finance and Tax Abuse, Palgrave Macmillan, Switzerland.
  • Burns, C. (2019). Investment tips: How to assess management before buying shares, Australian Financial Review, 12 February 2019.
  • Fahey, L. (1999). Competitors: Outwitting, Outmaneuvering, and Outperforming, John Wiley and Sons Inc, Canada.
  • Golis, C. (1998). Enterprise and Venture Capital: A Business Builder’s and Investor’s Handbook, 3rd Edition, Allen & Unwin, Sydney.
  • Gladstone, D. and Gladstone, L. (2004). Venture Capital Investing: The Complete Handbook for Investing in Private Businesses for Outstanding Profits, Financial Times Prentice Hall, New Jersey.
  • Hetherington, C. (2010). Business Background Investigations: Tools and Techniques for Solution Driven Due Diligence, 2nd Edition, Facts on Demand Press, USA.
  • Investopedia Staff (2020). Factors to consider when evaluating company management, Investopedia, 29 January 2020.
  • Kwek Ping Yong (2013). Due Diligence in China: Beyond the Checklists, John Wiley & Sons Pte Ltd, Singapore.
  • Pontefract, D. (2017). If culture comes first, performance will follow, Forbes Magazine, 25 May 2017.
  • Stott, C. (2015). 5 factors to look for when assessing management, FirstLinks Morningstar, 3 December 2015, Australia.


The trouble with company registers – not a uniquely Australian problem

Author: Paul Curwell


On Friday 28th February 2020, Dan Oaks and Jeremy Story Carter of the Australian Broadcasting Corporation (ABC News) reported again on the issue of director registration in Australia. Whilst this recent article was presumably triggered largely by the most recent sitting of the Parliamentary Joint Committee on Corporations and Financial Services on the same date, the official Hansard for the previous sitting date of 19 November 2019 is now available. In the Hansard, Senator Whish-Wilson asks Commissioner John Price a number of questions about ASIC’s director registration process. Commissioner Price responds to the Senator’s questions as follows:

“I think it is really important for members of the committee to understand that the company registration process is just that—a registration process. We do not test identity data about directors of companies. That is not provided for in the legislation we have at the moment. The government is looking at a program of work called registry modernisation. It may well be as part of that, and the introduction of what is known as director identification numbers will be an authentication process for director identity when that is introduced.” (p26).

According to an excellent report prepared by the World Bank Stolen Assets Recovery Initiative (StAR) called “The Puppet Masters”, company registers have a four-fold function (van der Does de Willebois et al, 2011, p69):

  • To record the establishment of a new legal entity (typically an incorporated entity and not a trust, foundation, partnership or other unincorporated vehicle),
  • To capture any information required by law,
  • To keep the registry up to date (with limitations, as highlighted by Oaks and Story Carter, such as how a director’s appointment might be backdated), and,
  • To make certain information available to the public.

“Elvis Presley, Homer Simpson and Bob Marley could be installed as Australian company directors, ASIC admits”

Dan Oaks and Jeremy Story Carter, ABC News, Friday 28 February 2020.

While it might be tempting to think this is a uniquely Australian problem, the identification of directors in company registers is part of a global issue, as reported by the Tax Justice Network in relation to the 2019 Financial Action Task Force (FATF) report on Beneficial Ownership.

How has this problem arisen? Why do we find ourselves here?

In order to understand why we find ourselves at this juncture, we must first understand how company registers are used today. As part of global trade and commerce and increasing risk and regulation, as a society we are increasingly required to rely on the content of company registers for processes including Anti-Money Laundering / Counter Terrorist Financing (AML/CTF), credit risk, supplier vetting or end user verification, identifying employee conflicts of interest, anti-corruption and economic & trade sanctions enforcement, which contrasts with the original intended purpose of company registers as outlined in the Puppet Masters report. Interestingly, in some countries company registers have even been privatised. At the most basic level, there is a fundamental issue with the way most company registers operate:

“Registries generally take information on good faith, with most documents and filings being accepted “as is” unless an omission of information is blatant. On-site visits and data verification fall well outside the typical duties of registries. The information is usually in the form of self-declarations by applicants and subscribers.” (van der Does de Willebois et al, 2011, p71).

As a professional, I use the information held in company registers almost every day, however I recognise this is only a starting point for any inquiry and that it has not been verified. I frequently come across other professionals who do not understand the concept of identity or the origins of company registers generally. Many individuals seek to place reliance upon company registers for processes that need to be legally defensible, such as with regulatory compliance. However, this perspective does nothing for risk scenarios such as fraud or credit risk, where the consumer of that information may suffer a loss or become a victim as a result of placing reliance upon that information without performing further due diligence. In these scenarios, caveat emptor again applies when consuming company register information:

“The value of company registries has its limitations. For example, most registries are government depositories and inherently archival in nature. Indeed, all the registry representatives with whom we spoke were involved in almost exclusively receiving and logging information, rather than undertaking any quality controls or verifying the information received from incorporators.” (van der Does de Willebois et al, 2011, p17).

So what can be done about this problem?

So, now we understand how company registries have evolved from limited historical use to becoming a foundational element of many commercial processes today. And we understand the functions of a company register, the fact that some are even privatised, that company registers are actually quite limited in terms of their coverage of the universe of legal entity types in a given jurisdiction (i.e. typically incorporated only), and that verification of information provided by the company is the exception rather than the rule (although to be fair, if you are caught and it can be proven you provided false information, you may often be prosecuted).

ASIC talks in Hansard about implementing some sort of unique numbering system for company directors, but a simple starting point might be adapting existing standard Australian identification and verification processes and simply bolting these on to existing ASIC processes, along with a reconciliation of current director data against government information holdings to identify current offenders.

The nuts and bolts of a standard Identification and Verification Process in Australia

About 14 years ago, my first assignment on joining the consulting firm Booz Allen Hamilton was as an adviser on Identity Crime and Identity Security to the Howard Government’s now withdrawn ‘Access Card’ program run by the Department of Human Services. I had joined Booz Allen from another consulting firm, where I worked on a project with the Chief Internal Auditor of Centrelink to review their Identity Fraud programs. Since then, the concept of identity has evolved substantially, but the fundamentals remain the same.

Any identification process, whether of legal entities or individuals, involves a two-stage process:

  • Identity Validation – this step seeks to answer the question ‘does the identity exist’, and is achieved by taking the biographical (and potentially biometric) attributes for a claimed identity and comparing them to the relevant official government register to ensure the identity is not fictitious or invented.
  • Identity Verification – is the second step in any identification process, which seeks to answer ‘is the person claiming the identity actually the true owner of that identity’

The process of Identity Verification aims to conclusively tie the person or legal entity claiming that identity to (1) something they know, such as a password or date of birth, (2) something they have, such as a passport, official document or RSA SecurID token, or (3) something they are, which is a biometric identifier such as a fingerprint or iris scan.

To simplify the application of identification concepts in an Australian context, where there is no single identity credential (such as a national identity card), the National Identity Proofing Guidelines have evolved to encompass five distinct steps (Commonwealth of Australia, 2016):

  • Objective 1: Confirm uniqueness of the identity in the intended context to ensure that individuals can be distinguished from one another and that the right service is delivered to the right individual.
  • Objective 2: Confirm the claimed identity is legitimate to ensure the identity has not been fraudulently created (i.e. the identity is that of a real person) through evidence of commencement of identity in Australia.
  • Objective 3: Confirm the operation of the identity in the community over time to provide additional confidence that an identity is legitimate in that it is being used in the community (including online where appropriate).
  • Objective 4: Confirm the linkage between the identity and the person claiming the identity to provide confidence that the identity confirmed through objectives 2 and 3 is not only legitimate, but that the person claiming the identity is its legitimate holder.
  • Objective 5: Confirm the identity is not known to be used fraudulently to provide additional confidence that a fraudulent (either fictitious or stolen) identity is not being used.

Tools for Automated Identification & Verification (IDV) in Australia

In Australia, we have the Document Verification Service (DVS), which was set up in 2009 and is now managed by the Australian Government’s Department of Home Affairs, to help streamline the Identification and Verification (IDV) process. By typing the details of an official document, such as the Biographical Data Page of an Australian Passport, into the DVS portal, users receive an automated ‘yes’ (match) or ‘no’ (no match) result based on the comparison of document identifiers against the Issuer’s (issuing government department’s) records. Note that this service does not actually verify that the person holding the identity document is who they claim to be (i.e. it does not verify biometrics, such as comparing a photo of the holder with the person presenting the passport for a service). However, there is a second element to DVS, the Face Verification Service, which recently started coming online for selected government agencies.

The challenge of identifying foreign nationals

As a global citizen, Australia allows foreign nationals (i.e. those individuals without Australian Citizenship, Permanent Residency or a long term visa) to operate a business in Australia. Whilst some countries have a residency requirement for company directors (e.g. Singapore), this does not apply in Australia. This means that it is quite conceivable that the director of a company will be from overseas. Conducting IDV for foreign nationals can be a challenge. Contrary to popular belief, there is no ‘global database’ of all people in the world, and most countries do not share wholesale databases of their citizens with other countries (even friendly ones). This means that when you try to check that a foreign passport is legitimate, you cannot use DVS (the record is not held there).

Aside from sighting the identification documents of the foreign national to see if they appear real (e.g. do an initial check of the passport), there are only two options for validating and verifying a foreign identity:

  • Verify the visa details, which involves entering the holder’s name and passport details into the Immigration Department’s VEVO platform to obtain a ‘match’ or ‘no match’ for the records (which can also be verified via the DVS platform), or,
  • Verify the individual’s identity information against a database or service similar to DVS but operated by the foreign national’s government (e.g. Singapore, for a Singaporean Citizen).

This second option is much more complicated and may be subject to restrictions on privacy, IP address geoblocking, and other challenges. The challenge with the VEVO option is that the person’s details may not be in the system if they don’t hold the right visa, or if they haven’t notified Immigration of things like a new passport number. Unfortunately, an exceptions process is still required at this time for cases where IDV cannot be easily automated through platforms such as DVS.

The promise of a trusted digital identity – an ideal solution for verifying Company Directors in Australia?

Aside from political resolve to increase transparency, addressing the problem of company director aliases could be relatively simple through the use of emerging Digital Identity technology, which could be easily integrated into any online ASIC application for Australian citizens and permanent residents. Whilst some IDV workarounds would initially be required for foreign nationals who are Australian company directors, as other countries bring their Digital Identification solutions online they could also be linked to ASIC’s processes, thereby avoiding the issue I flagged with DVS above, in that it only works with people who already have a strong nexus to Australia.

Digital Identification is one technological innovation with real promise, especially since the need to identify someone is only increasing in society today. I was privileged enough to consult a few years ago on product fraud and security risk to a company which develops Digital Identity products, giving me real insight into the benefits and utility of the solution for a whole range of applications, from obtaining credit to confirming the identity of a tradesperson before engaging them.

Digital Identity products work like a virtual identity credential in the online environment, however unlike traditional identity credentials such as a physical driver’s licence they can be verified with the Issuer of the identification credential and updated in real time. These products can even be designed in ways that increase the privacy of the user whilst also increasing the utility of the identity token; take, for example, where a digital identity might tell a user the holder is over 18 without disclosing their date of birth. Those who are interested can read more about how Australia’s Digital Identity ecosystem is being designed at the Digital Transformation Agency.

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Building a media monitoring capability 101

Author: Paul Curwell

Media Monitoring as part of a wider externally-focused risk intelligence capability

Businesses cannot operate effectively without an external listening capability that helps identify current and emerging issues in the operating environment. Competitors, regulatory change, technological innovation, and important developments involving suppliers and key customers have historically been ‘followed’ by businesses everywhere. However, with the rising importance of reputation risk and regulatory compliance, topics such as economic & trade sanctions, corruption, fraud, privacy & security incidents, business interruptions, modern slavery and environmental issues are also being increasingly watched, especially where suppliers or contractors pose a risk ‘by association’ to the buyer.

Our 24/7 news cycle and the global pace of change means it is no longer viable to read the newspaper once a day or occasionally Google a competitor every few months in your spare time to identify changes in your operating environment – media monitoring today needs to be a core part of your risk intelligence capability, employed on a systematic, continuous basis and integrated into other business processes to add value.

Conceptually, media monitoring seems relatively straightforward, but it follows the iceberg principle, with most of the challenges lying beneath the surface. Many organisations struggle with media monitoring when they need to operate across large volumes of search criteria, countries, languages and mediums. Practically speaking, there are also differences between monitoring traditional print, TV and radio channels and monitoring social media: this post focuses on traditional channels, whilst social media will be addressed in a future article. This article outlines the key considerations when designing a media monitoring capability, the challenges, what to focus on, and what to do with what you’ve found.

Selecting sources and monitoring tools

The majority of media monitoring programs are run in an ad-hoc manner, without any real understanding of the sources or content of interest. The sophistication of these programs ranges from performing ad-hoc searches in the internet browser to using tools such as Google Alerts and data aggregators. Typically, businesses focus on print media to the exclusion of TV and radio, despite both having interesting and relevant content (take, for example, an executive from a competitor being interviewed on the business channel).

The first step in selecting sources involves thinking about what, and who, you want to monitor, and where the content would be published. This ‘where’ is a function of both geography but also industry, as some of the richest coverage might be featured on niche industry platforms. Media monitoring typically focuses either on people or entities, both of which involve name-based searches (e.g. ‘Apple’ or ‘Tim Cook’). Where large numbers of search results are returned, it is normal to use boolean operators to write queries which search for the individual or entity’s name in conjunction with other search criteria, such as ‘strategy’ or ‘fraud’. This process can get quite complex, involving potentially dozens of words of interest (or derivatives of them, such as ‘Crim*’ to search for ‘criminal’, ‘crime’, etc in the same search) in addition to the entity name (i.e. “[name]” and “crim*”).

Media Monitoring Challenges

Licensing and Copyright – news information is subject to copyright, and many IP Rights Owners require their content to be licensed. These costs, and any licensing constraints (e.g. forwarding of a complete article is prohibited without an enterprise license) will require some thought around how any capability is designed, as well as impacting budget.

Syndication – increasingly common globally, syndication has the effect of inflating the volume of search results with copies of the same story. Platforms such as Factiva have in-built tools to remove duplicates, whereas results from manual processes (e.g. Google Alerts) take additional time to de-duplicate.

Reliability of free tools – free media monitoring tools use a variety of technologies to identify and index content, which can impact reliability. Unlike platform providers, they typically require closer scrutiny to ensure they are performing as intended.

Press Freedom and ‘Right to Forget’ laws – the reliability and coverage of the mainstream media is increasingly being influenced by attacks, government constraints on journalists, and corruption. In other jurisdictions, ‘Right to Forget’ laws mean the subjects of adverse coverage can have articles such as coverage of convictions or imprisonment deleted, impacting historical search results.

Where large volumes of search queries are required and where budgets allow, news aggregators such as Factiva and ProQuest, as well as other specialised industry journals, represent an excellent option provided they have coverage of the content you are seeking. Once you have identified your sources, you should check to see where their content is published as some publications are not covered by aggregators or news syndication services.
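The name-plus-risk-term Boolean query described under ‘Selecting sources’ and the syndication de-duplication problem above, worked through as an added example (not code from ForewarnedBlog or from any aggregator). The article texts, the entity name ‘Acme Widgets’, the risk-term list and the query shape ‘"[name]" AND (crim* OR fraud …)’ are constructed assumptions that mirror the post’s description.

```python
"""Screen a feed of articles with a '"[name]" AND (risk terms)' query and
collapse syndicated copies of the same story to a single hit.

Added illustration only; sample articles, names and terms are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Article:
    source: str
    headline: str
    body: str


def term_to_regex(term: str) -> re.Pattern:
    """Whole-word, case-insensitive match; a trailing '*' is a wildcard,
    so 'crim*' matches 'crime', 'criminal' and 'crimes' in one search."""
    if term.endswith("*"):
        return re.compile(r"\b" + re.escape(term[:-1]) + r"\w*", re.IGNORECASE)
    return re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE)


def matches_query(article: Article, name: str, risk_terms: list[str]) -> list[str]:
    """Implements '"[name]" AND (term1 OR term2 ...)'. Returns the risk terms
    that co-occur with the entity name; an empty list means no match."""
    text = f"{article.headline} {article.body}"
    if not term_to_regex(name).search(text):
        return []
    return [t for t in risk_terms if term_to_regex(t).search(text)]


def syndication_key(article: Article) -> str:
    """Fingerprint for a wire story: lowercase alphanumeric words from the start
    of the body, so the same copy run by several outlets shares one key."""
    words = re.findall(r"[a-z0-9]+", article.body.lower())
    return " ".join(words[:12])


def screen(articles: list[Article], name: str, risk_terms: list[str]):
    """Run the query over every article, drop syndicated duplicates (keeping the
    first outlet seen) and return [(article, matched_terms), ...]."""
    seen: set[str] = set()
    hits = []
    for art in articles:
        terms = matches_query(art, name, risk_terms)
        if not terms:
            continue
        key = syndication_key(art)
        if key in seen:
            continue
        seen.add(key)
        hits.append((art, terms))
    return hits


# Constructed sample feed: one relevant story syndicated to two outlets, one
# story about the entity with no risk term, one risk story about another firm.
SAMPLE_FEED = [
    Article("Daily A", "Acme Widgets director charged",
            "A former director of Acme Widgets was charged with criminal fraud offences on Monday, police said."),
    Article("Daily B", "Acme director in court",
            "A former director of Acme Widgets was charged with criminal fraud offences on Monday, police said."),
    Article("Trade Weekly", "Acme Widgets opens new plant",
            "Acme Widgets has opened a second factory in Geelong, creating 120 jobs."),
    Article("Daily A", "Zeta Corp fined",
            "Zeta Corp was fined for fraud by the regulator."),
]
RISK_TERMS = ["crim*", "fraud", "sanction*", "insolven*"]

if __name__ == "__main__":
    for art, terms in screen(SAMPLE_FEED, "Acme Widgets", RISK_TERMS):
        print(f"{art.source}: {art.headline} -> {terms}")
```

Running it returns a single hit (Daily A, matched on ‘crim*’ and ‘fraud’); the Daily B copy is dropped as syndication and the Geelong and Zeta Corp stories fail the Boolean query.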

As with print media, television and radio content is also searchable via specialised aggregators. Typically these providers will index the content (i.e. note keywords and other search terms), to enable a word-based search to be performed via their portals. Once results are returned, they can then be screened for relevant content. Two examples of television indexes include BBC Monitoring and InformIT TV News.

Case Management: Reviewing, storing and evaluating matches

Media articles or other search results are typically recorded in some sort of ‘case management system’, which can be anything from a register kept in Microsoft Excel to a database or workflow system such as ServiceNow. There are a few steps in this stage of the process, including:

  • Reviewing each returned search result to determine whether it meets your criteria for retention (i.e. is it relevant, timely and actionable in relation to the question you are seeking to answer and is this new information, or is it a duplicate?)
  • Documenting selected fields / information from the article in your case management system – such as names or addresses of parties mentioned
  • Copying details of names, addresses, relationships, events or other reporting which could affect your relationships with key customers, suppliers or employees into a separate database (this is particularly important for fraud prevention and legal disputes)

This raises the question of who is performing the media monitoring, and how well they understand the intended recipients (i.e. their readers or internal ‘customers’). All too often media monitoring is performed by a central team, with consumers in the business being forwarded copies of news articles they have already read or receiving lots of emails that go unopened. Whether the function is performed centrally or by business line, the most important thing is that information is converted to intelligence so it is actually useful.

Whilst media monitoring can be started with the best of intentions, it quickly becomes a waste of time and effort if the generated content is not relevant and actionable for the recipient (i.e. can they actually do something useful with it?) or timely (telling them an event has occurred 3 months after they’ve known about it is useless), if the content is not properly curated and searchable as volumes increase, or if the team performing the role comes to be seen as a sender of spam.

Actioning what you’ve found

Once you have identified what’s important, the next step is to do something with it. By this stage of your process, you should be left with a number of articles that contain content of interest. In my experience, this is the stage where many media monitoring processes begin to fall apart.

Case Study:

A large bank had implemented a robust media monitoring process to track strategic developments involving competitors and the market. They were actively monitoring multiple channels, saving articles of interest to PDF from print media sources, and uploading them to a Document Library on their intranet (SharePoint). Over time they had thousands of articles containing rich information but it was never extracted and developed into intelligence. To make use of their collection, they had to individually review each search result rather than being able to see what all search results meant in the wider context. In time, it became quicker for users to simply use Google and the whole effort became a complete waste of time.

Media monitoring is only the first capability building block in an external listening process. If your process relies upon emails or file libraries in a shared folder or on SharePoint, once you hit a certain number of files you will start to encounter data challenges that affect your ability to extract any real value from your media monitoring. To avoid this situation, I recommend you add two steps to the end of your media monitoring process:

Dealing with information about people, events, places and things

Articles with content such as names, incidents, relationships, events and places need to have this information extracted into a structured format (ideally a database but CSV format will also suffice), with the original article attached. Whilst you can use document tags instead of structured content, it is not as effective (1) because you will still need to extract the data into a structured format to properly analyse it, and (2) over time libraries of tags will become unmanageable and you may encounter system limitations. To keep pace with volumes, I find this information most efficiently captured as the article is reviewed, rather than letting everything pile up.

These sort of articles typically relate to issues such as a key customer or supplier’s financial solvency, highlight relationships between employees and a supplier or customer (i.e. conflicts of interest or fraud risks), and legal disputes which might disrupt the supply chain. Consequently, the typical audience for this information will be finance / procurement, legal, audit, risk and compliance.

Articles of a strategic nature

In contrast to information about people, places and things, information of a strategic nature (e.g. articles on regulatory change, interviews given by a competitor on their new product) should be compiled into a separate document or ‘wiki’. Environmental Scanning is a common technique used in the strategic analysis and intelligence communities and is ideal for compiling and analysing this type of content, and will be covered in a future post.

The key difference between strategic information and that of people, places and things is the way it is used – it is mainly employed by strategy teams, product managers, or in other planning activities rather than more operational tasks, hence it needs to be reviewed less frequently. Strategic information is typically reviewed in the context of other strategic information or when making specific decisions.

Optimising your capability

The last step in developing any capability is to periodically evaluate its performance. For a media monitoring capability, this means running separate searches to ensure you haven’t missed anything with current search criteria (have you had consumers in the business ask about something you didn’t pick up?), ensuring that sources are reliable and credible and that search parameters are current, and that your downstream processes in terms of storing, evaluating and reporting remain valid.


HUMINT cycle and the recruitment of insiders

Author: Paul Curwell

Employees are an organisation’s most important asset: they are what enables organisations to generate value, respond to opportunities and threats in the operating environment, and create a positive culture which attracts other would-be employees and potential customers. Employees are also crucial to security: when conditions are right, employees help build a positive security culture which enables management to quickly identify and respond to security threats.

In the same manner that security would not be necessary if people did not exist, a security program cannot be successful without the support and active participation of its employees. It goes without saying then that an employee who ‘goes rogue’ and becomes malicious (i.e. intends to do harm), or an employee who doesn’t care about their employer or its security practices (i.e. a complacent employee) can do real harm if approached by an external individual or group wishing to gain ‘inside access’ to the organisation and its assets.

What is the HUMINT cycle and who uses it?

Human Intelligence, or HUMINT, techniques are an example of the tactics typically deployed in this scenario to exploit human vulnerabilities. HUMINT refers to the collection of intelligence by humans – principally spies and agents using methods that involve 1:1 contact.

The HUMINT cycle involves four main steps (illustrated below). It might commence with a broad scan of all employees at an organisation, for example, but rapidly narrows down to one or more individuals with both (1) the access to the desired assets or information and (2) the personal characteristics or ideological sympathies which make them amenable to recruitment (see Sano, 2015).

Importantly, the use of HUMINT techniques is not limited to governments; they are also commonly employed in business by ‘competitive intelligence’ practitioners or ‘Private Intelligence Collectors’. ‘Private Intelligence Collectors’ and unscrupulous competitive intelligence professionals often use HUMINT techniques, as well as any other intelligence collection mediums in their toolbox, to collect confidential information that will either be sold on commission to another party (such as the highest bidder), or which is collected under the paid instruction of the intended recipient.

For a classical HUMINT example, consider a woman who seduces a male chemist at a pharmaceutical company to provide, or facilitate access to, details of a new blockbuster drug compound under development by that company (referred to in the trade as a ‘honey trap’). Other threat actors who use HUMINT techniques include organised crime groups, issue-motivated groups and terrorists.

How can the HUMINT cycle be leveraged for insider threats?

Once the HUMINT collector has identified (spotted) their target, they begin engaging with them to build rapport and develop a relationship. Importantly with HUMINT, it may not be necessary to actually recruit the target (or someone who has access to the ultimate target) in order to achieve their objective. In some instances, the required information can be obtained without the need for a formal and risky recruitment pitch.

It is particularly important to incorporate these learnings into any insider threat awareness training, as employees who are aware of the steps taken by HUMINT collectors are more likely to be alert to them, and to be able to seek help early. Examples of ways (vectors) HUMINT collectors might obtain the information they require include:

  • Infiltration – getting an ‘agent’ or sympathiser of the HUMINT collector (or their cause) into the organisation through standard recruitment processes, as a contractor, or via a supplier
  • Elicitation – refers to techniques used by HUMINT collectors to obtain information from a target without them knowing or realising it, which results in them volunteering the information rather than being asked directly
  • Social engineering – involves the use of deception to manipulate someone into disclosing confidential information, either in a business or personal context
  • Spear Phishing and Phishing scams – can involve the use of legitimate-looking emails (or even SMS messages, in the case of smishing) to introduce malware into an otherwise secure computer network, allowing later exfiltration of information. Unlike Phishing, which is more general, Spear Phishing is highly targeted and focused on an individual with access to the target, such as a senior executive

There are a variety of forums in which HUMINT collectors operate, including ‘official’ or business events and personal social interaction. These might include:

  • Conferences and trade shows
  • Professional Associations
  • Clubs and social associations
  • Universities
  • Social Media platforms
  • Emails
  • Unsolicited phone calls

When performing any insider threat or security-related risk assessment, organisations need to consider what their most critical assets are, who might be interested in them, and how they might obtain them (i.e. through what forums, mediums or platforms). Once this is thoroughly understood, awareness training and incident reporting mechanisms can be clearly established and targeted.

What can organisations do to manage this threat vector?

Complacency is a big driver of insider threat incidents, so it is critical that organisations develop a good security culture and that ‘at risk’ employees have a good understanding of the threats and tactics which may be used against them.

The regular use of security awareness training across the organisation as a whole, supported by targeted training for ‘at risk’ teams, is critical to ensuring these threats remain front of mind.

Staff in ‘at risk’ teams, as well as managers, should be familiar with insider threat behavioural indicators which can suggest an employee or contractor is experiencing some difficulty in their personal life, which might make them vulnerable to exploitation. Early identification of these problems, when raised properly (such as through employee wellbeing programs), might mitigate these risks.

Good security culture is also critical for organisations, ensuring employees understand why security is important, what the threats may be to their organisation, and what they can do to help protect their organisation. For employees to play their part, they often also need to feel trusted and engaged with their employer, otherwise complacency may set in and potential threats selectively ignored.

The preceding paragraphs focus on what organisations can do to mitigate insider threats once individuals are already in the organisation (i.e. employed or contracted). Equally important, however, is the use of employment screening (‘background investigations’ or ‘background checks’) to prevent individuals with vulnerabilities or unwanted character traits from joining the organisation in the first place. Any discussion of background checks is an article in itself and will be addressed in a future post; readers who want more detail (including a model process) can read the chapter on ‘due diligence’ in my recent book co-authored with Oliver May.

Further Reading

Sano, J. (2015). The Changing Shape of HUMINT, AFIO’s Intelligencer Journal, Vol. 21, No. 3, Fall/Winter 2015.