1.1 Introduction: Security Risk & Intelligence
Security is dependent upon threat insights, otherwise known as intelligence. Without intelligence, enterprises are unable to calibrate controls: they are blind, or at best myopic. Cyber defense requires fighting battles on multiple fronts. Unlike in conventional warfare, enterprises cannot return fire; they must absorb the punishment of distant enemies. Occasionally, adversaries loiter closer to home, perhaps even within the citadel itself. Enterprises must also be fortified against the carelessness of their own forces, whose mistakes may cost battles and, at worst, lead to corporate demise. To avoid such eventualities enterprises must be hardened against compromise, and incident response must be rehearsed, for history suggests breaches are all but inevitable. Post-compromise, enterprises are judged not only in the court of public opinion but in regulators' offices, whose rulings can amount to billions of dollars in fines. Two principal factors determine the scale of such penalties: were proportionate defensive controls implemented, and was the breach response effective? Meeting the first of these requirements necessitates an enterprise risk assessment. Breach risks include confidentiality losses, such as stolen intellectual property or personally identifiable information (PII); integrity damage, such as the altering of bank balances; and availability impacts, such as extortionists encrypting enterprise assets. An evolving additional risk is that attackers endanger human safety, for example by manipulating traffic lights or manufacturing processes; such risks are rapidly transitioning from science fiction to science fact. The impact of these risks manifesting includes brand damage, forfeiture of competitive advantage, financial loss, and even enterprise extinction. Breaches are also often résumé-generating events for executives, in particular the CEO, CIO, and CISO.
A 2020 Ponemon study estimates that breaches with fewer than 99,730 client records stolen cost enterprises an average of $3.86m. The same study found compromises of 1 to 10 million records resulted in an average $50m loss, whilst breaches exceeding 50 million records cost businesses an average $392m [1]. As regulations become more stringent, more of these costs take the form of fines. For example, Capital One was fined $80m for a 2019 breach that compromised the credit applications of 100 million users [2]. An even more severe £183m (~$250m) fine was issued to British Airways after a 2018 breach exposed 500,000 customer records; this was later reduced to £20m (~$26m) in recognition of the crippling impact the pandemic was having on the airline sector [3]. Cyber Defense Consultancy Director Dan Baker, who has worked with scores of technology executives, comments, “it isn't fear of criminals, it's fear of regulations that drives enterprise security investment” [4]. We can expect further large fines in the coming years.
Intelligence enables the calibration of defenses that minimizes breach risk. It is said that intelligence is the world's second oldest profession. One of the first warfare philosophers, Sun Tzu, commented around 2500 years ago that, “the reason the enlightened prince and the wise general conquer the enemy whenever they move and their achievements surpass those of ordinary men is foreknowledge [intelligence]” [5, p. 144]. At its best, intelligence locates adversaries, reveals their intent and capabilities, and allows the devising of defensive countermeasures to diminish, or even remove, the associated risks. Cyber security is critically dependent on intelligence. Traditional bricks-and-mortar enterprises had few exposure points. Security resided in physical measures such as guards, and in industry-specific controls such as merchandise alarm tags. Digital transformations, accelerated by the pandemic, have produced what the scholar Frances Cairncross terms the “death of distance”: physical distance no longer hinders adversaries [6]. Therefore, enterprises now face a greater number of more diverse threats. The threat actors are often well-funded, highly skilled, and extremely persistent. Intelligence allows assessment of these disparate threats and the calibration of controls. Intelligence is also crucial in reducing an overwhelming number of security alerts to the critical events among them, and in improving the second factor regulators use in determining breach fines: incident response. Ultimately, intelligence enables better business decisions.
1.1.1 Chapter Roadmap
This chapter explores each threat group and offers selective countermeasure recommendations. In Section 2 organized crime is explored, with examination of identity theft, financial and asset system targeting, extortion, and infrastructure squatting. Nation states are the focus of Section 3, with espionage, financial-gain operations, sabotage, and influence activities all explored. Section 4 provides an overview of hacktivism, which, whilst currently at a historical nadir, remains a problem for enterprises with particularly immature defenses. Section 5 considers the emerging challenge of cyber terrorism, whilst Section 6 assesses the risks of insider threats. Finally, Section 7 examines future threats including artificial intelligence, adversarial machine learning, quantum-insecure cryptography, and the vulnerability of the cyber-physical systems on which our societies depend.
1.2 Organized Crime
Cybercrime represents the majority of enterprise attacks [7, p. 9]. Criminals manage their operations as multi-national, high-revenue businesses and focus heavily on innovation. A rich and collaborative criminal eco-system underwrites the industry's prodigious success. Adversarial capabilities range from misguided self-taught teens to organized criminal enterprises whose sophistication rivals that of some nation states. Cybercriminals typically operate from jurisdictions beyond the reach of their victims' governments. For instance, criminal marketplaces often forbid their products' use in the Commonwealth of Independent States (CIS), home to a high concentration of cybercriminals [8, 22:00]. Malware may enforce geographic filters (for example, checking the system locale or keyboard layout) to ensure such diktats are not violated. Cybercriminals may also bribe local law enforcement to turn a blind eye to their operations, with the caveat that the criminals' activities must not target countries with which their government has good relations (for Russia, the CIS). In short, cybercrime offers perpetrators a drastic risk reduction in comparison to physical crime, a reality which has driven cybercrime's vertigo-inducing growth. There are several methods cybercriminals use to part enterprises from their profits.
1.2.1 Identity Theft
Identity theft involves criminals using stolen PII to impersonate victims for financial fraud. For instance, the threat actor may acquire credit in the victim's name before using that credit to make large purchases, which can then be cashed out via black market resales. Such operations require a network of criminals involved at different stages of the attack chain, from malware authors to money mules. Attackers can also sell the pilfered details online; such datasets are increasingly rich as attackers harvest victims' browser settings, enabling emulation of their digital identity (a “fingerprint”) and thus reducing the chance of anti-fraud detection. In 2020, the average dark web price for the details of a stolen credit card with an account balance of up to $5000 was just $20, while physical cloned credit cards started at $15 [9]. However, identity theft is trending downwards [10]. This is because improving cyber security is removing the lowest-hanging fruit upon which criminals feast, and because extortion attacks offer easier and swifter monetization. Initial access for identity theft is often achieved with spear-phishing, technical vulnerability exploitation, or via access brokers, actors who breach a network and then sell their access (Mandiant assessed that 2% of the intrusions it investigated during 2020 were for this purpose) [11, p. 19]. Lateral movement typically occurs quickly, with database servers almost always the destination from which PII is stolen.
1.2.1.1 Countermeasures
Database security is imperative to countering the bulk loss of PII. Sensitive data requires a well-documented lifecycle, with encryption applied wherever possible. Identity and access management is also crucial. A least-privilege model should limit the ability of entities to read from PII databases. Where possible, two-factor authentication, ideally hardware (FIDO U2F) security tokens, should be used, especially for those with sensitive access. Cloud misconfiguration is another common ingress route, with the security firm Check Point identifying misconfiguration as the main cloud security problem [12, p. 23]. Such misconfiguration often leads to exposed credentials which can enable a breach; enterprises should make use of tools such as GitHub's secret scanning to continually monitor for exposed credentials. Trustwave's SVP of Strategy Marco Pereira comments, “most people don't truly understand the profound security implications of [the] cloud, it's like our understanding of the Internet 25 years ago” [13]. Cloud security should be a focus in managing all threat actors, as should patching. Dark web monitoring should be considered for identifying stolen data. Enterprises should also consider defensively searching client email addresses against breach lists, such as www.haveibeenpwned.com. Any credentials available on the dark web will often become part of a credential stuffing attack, whereby the username and password are tried against multiple websites in the hope of finding an instance of password reuse. Where breached account owners are identified they can be notified and provided with security recommendations.
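The breach-list check above can also be applied at password-set time to blunt credential stuffing: reject any password already present in a breach corpus. The following is an added example, not code from the chapter or from Have I Been Pwned; it implements the k-anonymity range query used by that site's Pwned Passwords service (the client sends only the first five hex characters of the SHA-1 hash and matches the remaining 35 locally), but substitutes a constructed, hard-coded response for the HTTPS call so that it runs offline. The response body, the filler suffixes and the counts are constructed for illustration; only the SHA-1 of the string "password" is real.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for a Pwned Passwords range response. The real service
# (GET https://api.pwnedpasswords.com/range/<5-hex-prefix>) returns one line per
# breached SHA-1 hash that starts with the requested prefix, in the form
# "<35-hex-suffix>:<count>". The body below for prefix "5BAA6" is hand-built:
# it holds the genuine suffix of SHA-1("password") and two filler suffixes.
CONSTRUCTED_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "0F7D52A2A2F12D3CA4E4B3F1FDE8F0A2B1C:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "2C3A7C4F9D8E1B2A3C4D5E6F708192A3B4C:12\r\n"
    ),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char prefix sent and the 35-char suffix kept local."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse '<suffix>:<count>' lines into a lookup table, skipping malformed lines."""
    table: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            continue  # not a well-formed range line
        try:
            table[suffix.upper()] = int(count)
        except ValueError:
            continue
    return table


def fetch_range(prefix: str) -> str:
    """Stand-in transport: returns the constructed body for a prefix (assumption:
    in production this is an HTTPS GET and nothing but the 5-char prefix is sent)."""
    return CONSTRUCTED_RESPONSES.get(prefix.upper(), "")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in the breach corpus (0 if unseen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def password_policy_check(password: str) -> Tuple[bool, str]:
    """Policy hook for a registration or password-change flow."""
    seen = breach_count(password)
    if seen:
        return False, f"rejected: password appears in {seen} known breaches"
    return True, "accepted: password not found in breach corpus"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 7!"):
        ok, reason = password_policy_check(candidate)
        print(f"{candidate!r}: {reason}")
```

The same transport shape, prefix out and suffix matched locally, keeps the full hash off the wire, so the check can be run from a web tier that is not trusted with the breach corpus itself.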
1.2.2 Financial & Asset System Targeting
1.2.2.1 Payment Card Attacks
Targeting of enterprise point of sale (PoS) infrastructure is becoming more challenging due to security advances. Chip and PIN technologies are also reducing the number of locations at which stolen credit card numbers alone can be used. Additionally, the rise of extortion-oriented attacks has caused criminal groups, such as the Russia-based Carbon Spider, to transition from PoS attacks to ransomware [11, p. 6]. There are two main PoS targets: physical PoS infrastructure, such as retailer payment terminals, and online payment systems. Verizon found that o...