Applying Cone of Plausibility to CTI

Published by: SecAlliance
Published on: March 16, 2022

This blog sets out to define the Cone of Plausibility scenario generation methodology and demonstrate its usefulness in the field of Cyber Threat Intelligence (CTI). We at SecAlliance regularly use Cone of Plausibility in our work, and have included examples in this blog to demonstrate its application. ThreatMatch customers can see the use of Cone of Plausibility in our quarterly Horizon Scanning reports, as well as certain one-off reports.

TL;DR: Cone of Plausibility is a structured analytic technique that can be used by intelligence analysts to generate possible threat actor scenarios based on known drivers and geopolitical events. This in turn can help identify potential attack vectors and inform decision making, enabling network defenders to prioritise defences.

What is the Cone of Plausibility methodology?

Cone of Plausibility is a scenario generation method used extensively in intelligence production. Its purpose is to guide an understanding of how the situation could realistically change depending on the influence of multiple key factors.

The methodology consists of the following steps:

1. First, a question is devised – what do you want to know?

2. Then, drivers (factors) and their associated assumptions are brainstormed from the current situation; together these lead to a baseline scenario. At SecAlliance, we use the PESTLE-M categories for the drivers (see the example below).

3. Next, based on changes in the assumptions, plausible and wildcard scenarios can be generated (either positive or negative, denoted by the upward and downward arrows respectively).

Each driver may have multiple assumptions that could affect the scenarios. For instance, the Technological driver could encompass innovation (both new technologies and advances in existing ones), tech disputes or shortages. New technology, soon after it is rolled out, is often found to be vulnerable to exploitation; technological development can also enable threat actors and improve their capabilities. Conversely, tech shortages, such as the current semiconductor chip shortage (see our Strategic Relation-Chip Goals blog), may motivate nations to target the companies involved in developing the technology.

Cone of Plausibility can be used in conjunction with other analytical techniques, such as Analysis of Competing Hypotheses (ACH) and Backcasting; however, these techniques are outside the scope of this blog.

What are its traditional applications & why use it for Cyber Threat Intelligence?

Cone of Plausibility has been used by military intelligence analysts for decades to forecast the consequences of certain drivers on the operational environment, enabling military planning; its use has also been touted by intelligence services, police forces and academic researchers.

Proponents of the methodology claim that the approach provides more effective intelligence oversight as it requires logical thinking, helping analysts overcome inherent biases often associated with analysis. It also allows analysts to identify key influential drivers with a clear audit trail that can be “red-teamed” by peers.

Cone of Plausibility can be used by CTI analysts in particular to generate possible scenarios for the different threat actor categories, helping to identify potential attack vectors. The analysis can provide situational awareness to decision makers, enabling them to understand the implications for the business and the adequacy of its cyber risk mitigation measures. Information on potential attack vectors can also be communicated to network defenders, allowing them to prioritise monitoring and defences.

The methodology is quick and easy to apply at desk level to document an analyst's thinking, but it can also be run in considerable detail by a group; the example in the following section strikes a balance between the two.

How to use it for Cyber Threat Intelligence

This section provides a worked example of applying Cone of Plausibility in a CTI environment, in particular related to the situation in Ukraine.

Question: What could happen in Ukraine in the short to medium term, and how could it affect threat actors’ activities?

N.B.: changed assumptions are denoted by a coloured box. The Intelligence Cut-Off Date (ICOD) for these cones is 08 February 2022; the situation has changed a bit since then...

Baseline

Plausible

Additional Plausible Threat Actor Scenarios

Because the scenario box offers little space, a table can be used to list further high-level plausible scenarios, categorised by threat actor category and accompanied by the intended effect (confidentiality / integrity / availability).

Wildcard

Conclusion

The Cone of Plausibility scenario generation methodology is a structured analytic technique that can be used by CTI analysts to generate possible threat actor scenarios based on known drivers and geopolitical events. The drivers and factors lead to a baseline scenario, from which analysts can generate plausible and wildcard scenarios based on changes in the assumptions relating to the drivers.

The methodology’s purpose is to guide an understanding of how the situation could realistically change depending on multiple key factors. This in turn can help identify potential attack vectors and inform decision making, enabling network defenders to prioritise defences.

ThreatMatch customers can see the use of Cone of Plausibility in our quarterly Horizon Scanning reports, as well as certain one-off reports.

References / Further Reading

Defence Intelligence Futures and Analytical Methods Team (2016). Quick Wins for Busy Analysts v2.0. UK MOD, pp. 28-31.

Taylor, C. (1990). Creating Strategic Visions. US Army War College, pp. 12-20.