NOTE: Expressing the confidence or the lack of it in an analysis is a critical step to help a partner or a third-party to check your hypotheses and conclusions.
To ascertain this confidence level you can use for example the MISP Taxonomies called https://www.misp-project.org/taxonomies.html#_admiralty_scale[admiralty-scale] and/or https://www.misp-project.org/taxonomies.html#_estimative_language[estimative-language].
This is a very human way to describe either globally an event or individual indicators of an event, with a set of easy to read human tags. (e.g: admiralty-scale:source-reliability="a/b/c...", estimative-language:likelihood-probability="almost-no-chance", estimative-language:confidence-in-analytic-judgment="moderate")
Generally it is good practice to do this globally for the event as this will enrich the trust/value if set.
Using this in an automated way is also possible but without human intervention, or AI that actually works, not recommended.
Also, on events with hundreds of attributes this is cumbersome and perhaps unfeasible and will just frustrate operators.
The obvious side-effect of this approach is that automation will be the overall benefactor too upping the trust on that level too.
- Allow receiving organisations to filter, classify and score the information in an automated way based on related tags
- Information with low-confidence can still be shared and reach communities or organisations interested in such information without impacting organisations filtering out by increased confidence level
- Support counter analyses and competitive analyses to validate hypotheses expressed in original reporting
TIP: MISP taxonomies contain an exhaustive list of confidence levels including words of https://www.misp-project.org/taxonomies.html#_estimative_language[estimative probability] or confidence in analytic judgment.
TIP: threat-intelligence.eu includes an overview of the https://www.threat-intelligence.eu/methodologies/[methodologies and process to support threat intelligence].