Abstract

The increasing militarization of the cyber-threat environment has driven considerable interest in understanding the role of cyber-threat intelligence (CTI) in supporting the enterprise. Despite CTI's value proposition to organizations, the rate of industry adoption has been low and localized within IT Operations. Our review of the research and practice literature on CTI shows that the discourse is heavily dominated by the technology perspective, leaving significant gaps in the knowledge of CTI. We begin with a background study that reinforces the traditional origins of CTI as a process derived from the Intelligence Cycle that is referenced and practiced in military intelligence studies. We describe the Intelligence Cycle and its phases and reinforce the characteristics and attributes of intelligence, asserting the critical importance of synthesizing information into intelligence. We subsequently develop a research agenda for practice researchers addressing the critical research question: “How can cyber-threat intelligence be operationalized in organizations?” We begin by exploring research questions to develop the theoretical foundations of CTI. Towards this objective, we present a useful template for process theory that generates practice outcomes. We then discuss methods suited to practice research in CTI before moving on to inquiries concerning the role and purpose of CTI in practice. We delve into questions on the broad aspects of practice at both the macro-level, focusing on the examination of CTI programs in organizations with different strategic risks, and the micro-level, exploring the distinctions between practice, praxis, and practitioners. Additionally, we explore questions on the role of artifacts, objects, and information systems that support CTI practice, including spaces and the role of practitioners and non-practitioners.
After exploring various practice-related topics, we examine potential research opportunities pertaining to the prevailing narratives surrounding technology and information sharing, as identified in our literature review.
