<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Doing threat intelligence right</title>
	<atom:link href="http://newschoolsecurity.com/2010/01/doing-threat-intelligence-right/feed/" rel="self" type="application/rss+xml" />
	<link>http://newschoolsecurity.com/2010/01/doing-threat-intelligence-right/</link>
	<description>The Blog Inspired By The Book</description>
	<lastBuildDate>Wed, 08 Feb 2012 09:21:02 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Russell</title>
		<link>http://newschoolsecurity.com/2010/01/doing-threat-intelligence-right/#comment-846</link>
		<dc:creator>Russell</dc:creator>
		<pubDate>Tue, 19 Jan 2010 21:53:01 +0000</pubDate>
		<guid isPermaLink="false">http://newschoolsecurity.com/?p=1257#comment-846</guid>
		<description>Yes, it&#039;s sparse on some details.  I suspect that the public document doesn&#039;t disclose all the details of the method.

What I like about it is that it seems very well designed for the intended purpose and the intended users.  Matt and his team are very pragmatic, so I would expect them to get this right.

As I understand it, the intended purpose is to get decision-makers to think about their security programs and policies in new ways -- &quot;out of the box&quot; (yes, a tired cliché, but it fits here).  By enumerating threat agents, their objectives, their preferred methods, etc., the decision-makers and designers can look at their systems from the attackers&#039; point of view.

The other intended purpose is prioritization -- Which threats and threat agents really deserve our attention?  TARA helps pool knowledge of threat agents across Intel so that each group doesn&#039;t need to start from scratch, and each group can act as peer influence on the others -- a form of &quot;collective wisdom&quot;.

The intended users are *not* risk intelligence specialists, so it needs to be simple and it needs to feel right.

It also provides transparency about decisions and why the team did or did not drive decisions based on certain threats and scenarios.

There are a few things missing.  First, there is no mention of actually collecting data, internally or externally, to calibrate the relative &quot;risk&quot; of each threat agent in each business situation or unit.  You&#039;d really want a data feed from forensic investigations, log analysis, or other data that might inform the relative likelihood of threat agent actions.  This is especially important to track strategic changes and innovations in threat agents, especially new synergies, collaborations, or actual integration of previously separate threat agents.

Second, I wouldn&#039;t call TARA a full-blown threat intelligence system because it doesn&#039;t have any explicit methods for incorporating new information and revising threat models in real time.  This level of sophistication may or may not be necessary at Intel, but it would certainly be necessary at any &quot;critical infrastructure&quot; or &quot;national defense&quot; organization.

Third, combining 1) and 2), you&#039;d want systematic methods for learning and reasoning about uncertainty.  This would tell you where you need to invest to learn, either through more data collection, controlled experiments, information sharing with other organizations, or other methods.  All of these are costly and would require some explicit justification.</description>
		<content:encoded><![CDATA[<p>Yes, it&#8217;s sparse on some details.  I suspect that the public document doesn&#8217;t disclose all the details of the method.</p>
<p>What I like about it is that it seems very well designed for the intended purpose and the intended users.  Matt and his team are very pragmatic, so I would expect them to get this right.</p>
<p>As I understand it, the intended purpose is to get decision-makers to think about their security programs and policies in new ways &#8212; &#8220;out of the box&#8221; (yes, a tired cliché, but it fits here).  By enumerating threat agents, their objectives, their preferred methods, etc., the decision-makers and designers can look at their systems from the attackers&#8217; point of view.</p>
<p>The other intended purpose is prioritization &#8212; Which threats and threat agents really deserve our attention?  TARA helps pool knowledge of threat agents across Intel so that each group doesn&#8217;t need to start from scratch, and each group can act as peer influence on the others &#8212; a form of &#8220;collective wisdom&#8221;.</p>
<p>The intended users are *not* risk intelligence specialists, so it needs to be simple and it needs to feel right.</p>
<p>It also provides transparency about decisions and why the team did or did not drive decisions based on certain threats and scenarios.</p>
<p>There are a few things missing.  First, there is no mention of actually collecting data, internally or externally, to calibrate the relative &#8220;risk&#8221; of each threat agent in each business situation or unit.  You&#8217;d really want a data feed from forensic investigations, log analysis, or other data that might inform the relative likelihood of threat agent actions.  This is especially important to track strategic changes and innovations in threat agents, especially new synergies, collaborations, or actual integration of previously separate threat agents.</p>
<p>Second, I wouldn&#8217;t call TARA a full-blown threat intelligence system because it doesn&#8217;t have any explicit methods for incorporating new information and revising threat models in real time.  This level of sophistication may or may not be necessary at Intel, but it would certainly be necessary at any &#8220;critical infrastructure&#8221; or &#8220;national defense&#8221; organization.</p>
<p>Third, combining 1) and 2), you&#8217;d want systematic methods for learning and reasoning about uncertainty.  This would tell you where you need to invest to learn, either through more data collection, controlled experiments, information sharing with other organizations, or other methods.  All of these are costly and would require some explicit justification.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: adam</title>
		<link>http://newschoolsecurity.com/2010/01/doing-threat-intelligence-right/#comment-840</link>
		<dc:creator>adam</dc:creator>
		<pubDate>Tue, 19 Jan 2010 05:58:57 +0000</pubDate>
		<guid isPermaLink="false">http://newschoolsecurity.com/?p=1257#comment-840</guid>
		<description>What makes you think the TARA model is good?  I found it a little sparse on key details.</description>
		<content:encoded><![CDATA[<p>What makes you think the TARA model is good?  I found it a little sparse on key details.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

