Sunday, September 23, 2018

Modified IPB: Reducing Vulnerability To Terrorist Attacks By Identifying Information Needs



Paul, C. and Landree, E. (2008) Defining Terrorists’ Information Requirements: The Modified Intelligence Preparation of the Battlefield (ModIPB) Framework. Journal of Homeland Security and Emergency Management, 5(1).

Summary: 

The authors of this article developed the modified Intelligence Preparation of the Battlefield (ModIPB) framework to resolve an issue with vulnerability assessments for terrorist attacks: what information do terrorists need to plan attacks, and how accessible are those data? To give substance to their discussion, the authors focused on vulnerability assessments for transportation infrastructure, a historically common target for terrorist attacks. The purpose of developing the ModIPB is to provide a tool that turns an inherent weakness of playing defense into a strength. If we as defenders are unaware that terrorists have identified a vulnerability, we cannot protect it. Conversely, if we know what terrorists know or what they can learn, we can better identify our own vulnerabilities and adjust our defenses appropriately.
Drawing from US Army IPB doctrine and supported by RAND research on adapting IPB for urban operations and a confiscated “al Qaeda manual”, the ModIPB framework identifies 4 categories of information needs relevant to attacking transportation infrastructure.
Category (1) includes information on avenues of approach and ease of access such as location of the target, surrounding terrain or buildings, and available paths to the target.
Category (2) consists of target features such as possible locations from which to launch the attack, possible times or windows of time to launch the attack, mobility or variability of the target, and relevant features and structures of the target.
Category (3) on security covers information regarding security forces and security measures in place as well as other population groups present at the target.
Category (4) on the analysis of threats to the terrorist operation incorporates information such as the threat posed by security forces and security measures, the threat posed by employees of the target, citizens (e.g. concentrations of or heightened vigilance of), and weather (as it affects effectiveness of the operation).
Applying this framework to identify terrorist information needs is concurrently a vulnerability assessment of both the potential target and the information regarding the target. The ModIPB reveals 3 bounded sets of information on the target with varying degrees of difficulty to defend. The most difficult type of information to defend is what terrorists can learn from off-site reconnaissance, or open source information. The type of information that is more readily defendable is what terrorists can learn through on-site information-gathering activities. Finally, the type of information that is easiest to defend is information available to those who are employees of or closely affiliated with the infrastructure itself. Understanding the relative ease of defending certain types of information will allow policymakers and infrastructure managers to prioritize protection efforts on information that can be protected and thus make it that much harder for terrorists to gather the information they need to execute an attack.  

The authors cite two limitations to applying the ModIPB: the framework does not rank the terrorists' intelligence needs by level of importance, and the framework is not sensitive to the stages of the planning process. For example, the stages of the planning process can proceed in two ways: with the preferred mode of attack determining target selection or the preferred target determining the mode of attack. Despite these limitations, the authors recommend that the ModIPB framework be included in every vulnerability assessment of infrastructure targets so that defenders can prioritize defense efforts on the right information to reduce vulnerability to terrorist attacks.

Critique:

The ModIPB framework is a unique and interesting countermeasure for reducing the vulnerability of targets. The information protection measures that emerge from such analysis suggest surprisingly manageable defense efforts that can significantly reduce vulnerabilities. By limiting access to readily defendable information, it will be inherently harder for terrorists to execute a successful attack.
An interesting dynamic in the development of the ModIPB model is its multi-disciplinary nature, as it draws from both IPB methodology and the “red-teaming” method of applying an offensive approach to defense. The purpose of ModIPB is to reveal defense measures that, if in place, will make it harder for the offense to execute an attack. Despite the limitations identified by the authors, I find the utility of the ModIPB to speak volumes to the value this methodological tool adds to vulnerability assessments. To name just a few, I can see the ModIPB framework as readily applicable to various fields of information security such as counter-intelligence, corporate espionage, cybersecurity, national security, military combat, etc. Applying the ModIPB framework to these other disciplines would be an interesting next step for future applications of this methodology.

7 comments:

  1. Tom, does your critique imply that organizations should have better informational OPSEC, specifically on information that would be available in public forums (like the internet)? The logical extension of that would be for organizations that are exposed to limit the amount of information, even if that hurts the organization with the local populace or customers (depending on what its goal is i.e. a company vs. a diplomatic facility). Care to comment on your view?

  2. Harry, the ModIPB method is an argument in favor of strengthening OPSEC. However, information that is publicly available (like on the Internet) is the most difficult type of information to defend. As a result, the authors suggest that organizations focus their efforts on the type of information they can more easily protect (like facility blueprints, maintenance schedules, employee personnel records, types of security equipment used, etc.). In essence, the organization must acknowledge that they cannot control all information and instead focus on what they can. In a nation where transparency is expected from the local populace or customers, this could foster mistrust among these key groups. But on the other hand, as the local populace and customers typically don't have an interest in such operational information, controlling its availability should not cause trouble for the organization.

  3. I was very interested in the article; it’s quite inspiring, I should admit. I like visiting your site since I always come across interesting articles like this one. Keep sharing! Regards. Read more about Advanced Analytics

  4. Thanks for your feedback, Stella! I am glad to hear you enjoyed this article; it certainly discusses a unique approach to countering terrorist attacks that is applicable to a wider range of fields.

  5. I like how you said that the framework for the ModIPB can be applicable to other fields. One of the most difficult things in the national security field is conducting successful defensive measures. I can see how red-teaming strategies would certainly enhance decision making in the other fields you listed, but I feel it will continue to be difficult to accomplish in the context of terrorism. The limitations the authors discovered are very practical.

    Replies
    1. ModIPB adds an interesting twist to the traditional IPB method. In my article it talked a lot on the weakness of IPB and the need for mixed methods to make IPB more effective. Do you think ModIPB will fix some of the weaknesses of IPB or do you think a mixed methodology is better?

    2. Alyssa, because the objective of ModIPB is to identify information needs, it differs from the objective of IPB (how to successfully approach a target). ModIPB certainly benefits from the mixed methodology of red-teaming, but I think the inherent weaknesses of IPB still apply in the more complicated urban environment.
