Developing Requirements for Your Intelligence Section

February 13, 2014

"Intelligence drives operations, operations directs intelligence."

The main way an intelligence analyst begins to create a product is to have a requirement identified to collect against. In a previous blog, “Intelligence: Friend of the Enterprise,” we spoke briefly about the intelligence cycle. The intelligence cycle is a repeatable process used by an analyst or group of analysts to attack a specific problem or threat the organization faces. The end result should ultimately be a finished product to be disseminated throughout the organization. 

The four elements of the intelligence cycle are requirement, collection, analysis and dissemination.

Elements of Intelligence

One of the problems that organizations face is defining requirements for the intelligence cycle. How do you know what threats your organization could face and, in turn, what actions should be taken to defend against them? This post concentrates on understanding the goal of a requirement and on how to structure requirements so the intelligence organization can be properly directed.

Intelligence Requirements

Requirements can be structured into two categories: Primary Intelligence Requirements (PIRs) and Intelligence Requirements (IRs). PIRs are the requirements most critical for the organization to answer; IRs address the general threat environment.

To accomplish each, an analyst must first determine what data to collect in order to fill a gap in knowledge. It is important for the requirement to be defined as strictly as possible so the analyst does not end up collecting unnecessary or conflicting information. Intelligence requirements are defined as such because you are required to answer them as part of a strategy to analyze the threat or operating environment.

Criteria for Defining a PIR or IR

PIRs and IRs should:

  • Be in the form of a question.
  • Focus on a specific fact, event or activity.
  • Provide resulting intelligence required to support a single decision.

Engaging senior management is a good place to start in discovering what PIRs and IRs are necessary. The CIO/CISO/VP level should be asked what gaps they have that need to be filled by intelligence collection and analysis.

For example, a CIO might want to know what the biggest threat the organization faced in the preceding fiscal quarter was. This question can be made into a simple PIR: “What threat impacted the organization the greatest in Q4 of 2013?”

A good way to go about validating this PIR is to run it against four detailed criteria: necessity, feasibility, timeliness and specificity.

Necessity: Is it necessary to answer this question?
Yes. By answering this question, the intelligence analyst can trend the threat landscape the organization faced in the fourth quarter of 2013 and recommend actions that can be taken to better protect against that threat in the future.

Feasibility: Can we feasibly collect this information?
Yes. The analyst should have access to the organization's case and incident management system(s) to collect the required data.

Timeliness: Is the intelligence requirement timely?
Yes. The analyst will be evaluating the preceding fiscal quarter’s data with the results being applicable to the current quarter.

Specificity: Is the requirement specific enough?
Yes. The requirement is limited to a timeframe and defined subject.

PIR Validation Criteria

Requirement Management

When generating PIRs and IRs, it’s a good idea to provide a simple way to manage them. By doing this, the analyst or group of analysts can track them and update them as necessary. The simplest and easiest way is to assign each a numerical value.

Primary Intelligence Requirements:

  • PIR #1: What is the largest threat West Coast based assets face?
  • PIR #2: What is the largest threat East Coast based assets face?

Intelligence Requirements:

  • IR #1: What threat impacted the organization the greatest in Q4 of 2013?
  • IR #2: What was the source of the largest network reconnaissance scan detected?

Depending on the collection against the PIR or IR, it might be necessary to add sub-requirements. Looking at IR #1, we can break it down further into “What was the source of the threat?” or “What system was impacted?” The sub-IRs can be published as such:

  • IR #1: What threat impacted the organization the greatest in Q4 of 2013?
    • IR #1.1: What was the source of the threat?
    • IR #1.2: What system was impacted?

In Summary

Intelligence requirements are essential when tasking the intelligence function. They lead to defined collection efforts, and the specificity allows for precise and actionable intelligence to be produced.

Intelligence requirements should be generated to support senior level strategic objectives in identifying and securing critical assets and information. By utilizing this framework, the intelligence cycle will be fulfilled, leading to the establishment of either follow-up requirements or re-engaging existing ones as necessary.
