A Review and Theoretical Explanation of the ‘Cyberthreat-Intelligence (CTI) Capability’ That Needs to Be Fostered in Information Security Practitioners and How This Can Be Accomplished

Given the global increase in crippling cyberattacks, organizations are increasingly turning to cyberthreat intelligence (CTI). CTI represents actionable threat information that is relevant to a specific organization and that thus demands its close attention. CTI efforts aim to help organizations “know their enemies better” for proactive, preventive, and timely threat detection and remediation—complementing conventional risk-management paradigms designed to improve ‘general readiness' against known or unknown threats. Organizational security (OrgSec) and behavioral security research has lagged behind CTI's growing potential to address current cybersecurity challenges. Instead, CTI has largely been the purview of computer science from an algorithmic perspective. However, OrgSec and behavioral researchers can contribute a further combined knowledge of design for the organization, human factors, and organizational governance to foster CTI. In this theory-building and review manuscript, we propose the CTI capability model (CTI-CM) to prescribe the key capabilities necessary for a CTI practitioner to engage effectively in CTI activities. The CTI-CM defines a practitioner's CTI capability in terms of three highly interrelated but conceptually distinctive dimensions: analytical component capability, contextual response capability, and experiential practice capability. We further explain how these capabilities can be fostered, and the key implications for leading security practice in organizations