Developing Requirements for Your Intelligence Section

Developing Requirements for Your Intelligence Section

"Intelligence drives operations, operations directs intelligence."


The main way an intelligence analyst begins to create a product is to have a requirement identified to collect against. In a previous blog, “Intelligence: Friend of the Enterprise,” we spoke briefly about the intelligence cycle. The intelligence cycle is a repeatable process used by an analyst or group of analysts to attack a specific problem or threat the organization faces. The end result should ultimately be a finished product to be disseminated throughout the organization. 


The four elements of the intelligence cycle are requirement, collection, analysis and dissemination.


Elements of Intelligence


One of the problems that organizations face is defining requirements for the intelligence cycle. How do you know what threats your organization could face, and in return, what actions should be taken to defend against them? This post will concentrate on understanding the goal of a requirement and a way to determine how to properly structure them so the intelligence organization can be properly directed.


Intelligence Requirements


Requirements can be structured into two categories, Primary Intelligence Requirements (PIRs) and Intelligence Requirements (IRs). PIRs are those that are most critical to be answered for the organization and IRs for the general threat environment.


To accomplish each, an analyst must first what data to collect in order to fill a gap in knowledge. It is important for the requirement to be defined as strictly as possible so the analyst does not end up collecting unnecessary or conflicting information. Intelligence requirements are defined as such because you are required to answer them as part of a strategy to analyze the threat or operating environment. 


Criteria for Defining a PIR or IR


PIRs and IRs should:


  • Be in the form of a question.
  • Focus on a specific fact, event or activity.
  • Provide resulting intelligence required to support a single decision.


Engaging senior management is a good place to start in discovering what PIRs and IRs are necessary. The CIO/CISO/VP level should be asked what gaps they have that need to be filled by intelligence collection and analysis.


For example, a CIO might want to know what the biggest threat the organization faced in the preceding fiscal quarter. This question can be made in to a simple PIR “What threat impacted the organization the greatest in Q4 of 2013?”


A good way to go about validating this PIR is to run it against four detailed criteria: necessity, feasibility, timeliness and specificity.


Necessity: Is it necessary to answer this question?
Yes. By answering this question, the intelligence analyst can trend the threat landscape the organization faced in the fourth quarter of 2013 and recommend actions that can be taken to better protect against that threat in the future.


Feasibility: Can we feasibly collect this information?
Yes. The analyst should have access to the organizations case and incident management system(s) to collect the required data.


Timeliness: Is the intelligence requirement timely?
Yes. The analyst will be evaluating the preceding fiscal quarter’s data with the results being applicable to the current quarter.


Specificity: Is the requirement specific enough?
Yes. The requirement is limited to a timeframe and defined subject.


PIR Validation Criteria


Requirement Management


When generating PIRs and IRs, it’s a good idea to provide for a simple way to manage them. By doing this, the analyst or group of analysts can track them and update as necessary. The simplest and easiest way is assigning a numerical value.


Primary Intelligence Requirements:


  • PIR #1: What is the largest threat West Coast based assets face?
  • PIR #2: What is the largest threat East Coast based assets face?


Intelligence Requirements:


  • IR #1: What threat impacted the organization the greatest in Q4 of 2013?
  • IR #2: What was the source of the largest network reconnaissance scan detected?


Dependent upon the collection against the PIR or IR, it might be necessary to add sub-requirements. When looking at IR #1, we can further break this down to “What was the source of the threat?” or “What system was impacted?” The sub IRs can be published as such:


  • IR #1: What threat impacted the organization the greatest in Q4 of 2013?
    • IR #1.1: What was the source of the threat?
    • IR #1.2: What system was impacted?


In Summary


Intelligence requirements are essential when tasking the intelligence function. They lead to defined collection efforts, and the specificity allows for precise and actionable intelligence to be produced.


Intelligence requirements should be generated to support senior level strategic objectives in identifying and securing critical assets and information. By utilizing this framework, the intelligence cycle will be fulfilled, leading to the establishment of either follow-up requirements or re-engaging existing ones as necessary.