There is a relationship between Intelligence, Information and Data whereby the latter of which is often available from a number of sources, but may be interpreted as useless until it has been turned into something more useful.
The Operational Environment generally consists of the network or system on which a user, users, or another system operates within. This could include everything from a network switch through to a domain controller.
Data generally exists in vast quantities, and can be sourced from a number of appliances and sources, this may include firewalls, system logs, etc and may contain information on actions a system has performed (or a number of systems).
Information is processed data which contains some context of the action being performed, and this may include time of the action, by whom and from where. Ordinarily, structured logs could be called Information.
Intelligence is the processing and analysis of data and information, with the objective of providing a broader in-depth knowledge of what that data and information represents. An intelligence output is usually used to support decision-making and response actions.
As analysis occurs to through the pyramid, the objective is to enrich the previous layer’s content to support increasing the value of that data. In a commercial setting, this analysis represents an expenditure of effort, and the application of business logic. Ordinarily, this type of analysis would increase the value of this information considerably, and may attract the attachment of various labels to prevent unauthorised disclosure, or may even necessitate the escalation of a security caveat (depending on the level of sensitivity around that analysis).
An example of this transition could be described as such:
John Doe works from home on his laptop. Even though he is using the corporate network, he is not really being productive on his laptop. There is a lot of bandwidth being consumed from his system, but his supervisor is not really seeing a lot of work output.
Data in this case would be the bandwidth being consumed by John on his laptop. Information would be the system logs being produced through his actions, the network logs being produced through his network usage, and the timesheets he is submitting to his supervisor when he is working.
Intelligence would be the matching of network usage patterns to those timesheets to determine if the usage is inline with working routine. The system logs would be interpreted to determine the functions being performed on the computer during working hours, and perhaps those which may occur outside of working hours.
An intelligence outcome from this analysis may conclude: John reported working 40 hours last week, however during those 40 hours, 27 were spent browsing the Internet on an active basis, with site categories being frequently accessed comprising of online shopping, social networks, and adult entertainment.
Generally speaking, the most valuable asset of an organisation is the intellectual property a business may hold. This may be anything from the secret ingredients of a sauce, through to the proprietary source code of a piece of software.
Just like the example of trade secrets, intelligence is similarly guarded and protected within a business to give the organisation an edge against it’s competitors, but also to guard against intelligence which can be used against that same organisation.
Refining seemingly less valuable data into intelligence can be very expensive, however the outcome may be the production of business intelligence which can be used to influence operational and strategic business making decisions.