What Is the Investigations & Intelligence Lifecycle?
The investigations and intelligence lifecycle refers to a systematic framework that captures how intelligence is collected, processed, analyzed, disseminated, and refined iteratively to help an organization gain a better understanding of the unknowns. Though the naming varies, all versions of the investigations and intelligence cycle resemble the following: planning, collection, exploitation, analysis, and dissemination.
Planning
The lifecycle often begins at the planning stage, which involves defining the intelligence requirements and developing a plan for collecting and analyzing the necessary information. More often than not, the planning stage originates from the request of a “customer,” an individual or organization that wishes to know more about a specific issue or problem. This stage also requires defining the objectives and priorities, as well as determining the resources, methods, and tools that will be used to collect and analyze the information. The key questions analysts should be asking in this phase include “What do we already know?” and “What do we want to know?”
Collection
Once these requirements and a course of action have been identified, the cycle proceeds to the collection phase, in which information is gathered from a variety of sources, such as human intelligence (HUMINT), signals intelligence (SIGINT), and open-source intelligence (OSINT). Unfiltered information collected at this stage is often referred to as raw data.
Exploitation
At the exploitation stage, analysts process and convert the raw data into a format that can be analyzed. This stage may involve tasks such as translation, decryption, labeling, or cleansing the data into a standardized format for further analysis. (Read more about how T&S teams use data in this chapter.)
Analysis
Analysis is the stage where the information is examined and evaluated to identify relevant patterns, trends, and insights. This stage involves using various methods and tools to process and interpret the cleansed data. The analysis is focused on establishing the significance of the finding, often trying to answer the question “So what?”
Dissemination
Finally, analysts consolidate their analysis and disseminate the finished product to the “customers.” The finished product encourages the relevant stakeholders, such as policymakers or product teams, to make an informed decision based on the assessment so far. As this lifecycle is, indeed, a cycle, this phase is often combined with feedback to refine the intelligence questions and repeat the process. Examples of feedback from policymakers can include requests for additional data, clarification on data collection and analysis methodologies, or simplifying the findings so a broader audience can understand. In trust and safety, the investigations and intelligence lifecycle repeats and evolves frequently to keep up with evolving threats and respond to feedback received from stakeholders.
How Might T&S Professionals Use It?
Just as the investigations and intelligence lifecycle has been applied to inform decision-making for governments, trust and safety professionals have also applied this framework to develop an understanding of the threats, guide investigations, and inform product and policy launches. Consider the hypothetical scenario below.
There has been an increased amount of hate speech on XYZ’s platform targeting individuals from protected classes in a fictional country named Alpha.
Planning. In this initial phase, members of policy or product teams may reach out to the intelligence or investigations team to develop an understanding of how malicious actors are conducting their hate speech operations on the platform. In conjunction, the analyst may sit down with the customers to ask why they are seeking the information and define the intelligence requirements for this specific abuse vertical. The analyst may then proceed to ask the question: “Who has access to this information and where can I find them?” to develop a collection plan.
Collection. Collection can occur both directly and indirectly. The analyst may be able to directly access proprietary data, such as the number of user reports over the past month, to check the prevalence and corroborate the rise in hate speech. They may also indirectly task this out to a third party to collect the relevant information on XYZ’s behalf. Many cybersecurity firms specialize in the field and may be able to infiltrate online forums, including the dark web, where these abuses can be coordinated. Subject matter experts (SMEs) on hate speech and internal stakeholders in Alpha can also be valuable sources for understanding context.
Exploitation. Once the raw data has been obtained, the analyst can start making sense of what it means. For example, if the analyst was able to identify several identifiers (e.g., monikers) associated with a specific hate term in open sources, they may be able to map them to XYZ’s platform to track the corresponding user. Other exploitation mechanisms include translating foreign language texts and evaluating the relevance and reliability of the information that has been retrieved. As such, this is also the opportunity to start filtering out the “noise,” getting rid of the irrelevant data and false positives. (Learn more about Precision & Recall here.)
Analysis. This phase involves analyzing the data to draw an informed conclusion that establishes the significance of the analyst’s findings. A common analytical methodology within trust and safety is using link analysis software, whether developed internally or acquired from a third party. These tools can help the analyst understand the connections between the data points that they have collected, such as the degree of connection between suspected organizers of hate speech campaigns.
Dissemination. At this stage, it’s time for the analyst to consolidate their findings and answer the question: “So what?” The deliverable should attempt to capture the findings, explain how the analyst collected and analyzed data from the previous stages, and indicate why a rise in hate speech in Alpha should require attention from product and policy. In this way, the analysis can guide cross-functional teams to make informed decisions, such as placing product interventions, revising policy, adjusting the risk matrix, and assessing legal risks.
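The exploitation and analysis steps of the scenario above, sketched as an added example that is not part of the original chapter: monikers collected from open sources are normalized and mapped to platform handles, then a breadth-first search gives the degree of connection between the matched accounts. All account ids, handles and links are constructed, and the function names are hypothetical.

```python
import unicodedata
from collections import defaultdict, deque
from itertools import combinations

# Constructed sample data (hypothetical; not from any real platform or forum).
OSINT_MONIKERS = ["Alpha_Wolf88", "\uff2eight\uff32aven", "grey.fox", "unknown_handle"]
PLATFORM_HANDLES = {"u1": "alphawolf88", "u2": "night-raven", "u4": "relay_bot", "u5": "GreyFox"}
LINKS = [("u1", "u4"), ("u4", "u2")]  # observed links between accounts, e.g. a shared device

def normalize(handle):
    """Fold case, Unicode look-alike forms and punctuation into one comparison key."""
    folded = unicodedata.normalize("NFKC", handle).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def map_monikers(monikers, handles):
    """Exploitation: return {moniker: [account ids]}; an empty list means no match."""
    index = defaultdict(list)
    for account_id, handle in handles.items():
        index[normalize(handle)].append(account_id)
    # A match is a lead for the analyst to verify; several ids for one moniker is ambiguous.
    return {m: sorted(index.get(normalize(m), [])) for m in monikers}

def build_graph(links):
    graph = defaultdict(set)
    for a, b in links:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def degree_of_connection(graph, src, dst):
    """Analysis: fewest links between two accounts (BFS), or None if unconnected."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, hops = queue.popleft()
        if node == dst:
            return hops
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None

def suspect_links(monikers, handles, links):
    """Degree of connection for every pair of accounts matched from the monikers."""
    matched = sorted({a for ids in map_monikers(monikers, handles).values() for a in ids})
    graph = build_graph(links)
    return {(a, b): degree_of_connection(graph, a, b) for a, b in combinations(matched, 2)}

if __name__ == "__main__":
    print(suspect_links(OSINT_MONIKERS, PLATFORM_HANDLES, LINKS))
```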