Using the Estimative Language Taxonomy in MISP

Using the Estimative Language Taxonomy in MISP

  1. Using the Course of Action Taxonomies in MISP
  2. Using the Data Classification Taxonomies in MISP
  3. Using the Estimative Language Taxonomy in MISP

According to the MISP taxonomies listing for Estimative Language, this taxonomy is used to descrie the quality and credibility of the underlying information sources, data, and methodologies as described under the Intelligence Community Directive 203 (ICD 203) and JP 2-0. In this article I will describe how these tags may be applied by either an intelligence originator, or when the information is polled from a known credible source to convey likelihood.

What is Estimative Language

Properly expresses and explains uncertainties associated with major analytic judgements. Analytic products should indicate and explain the basis for the uncertainties associated with major analytic judgements, specifically the likelihood of occurrence of an event or development, and the analyst’s confidence in the basis for this judgement.

Source MISP taxonomies (https://www.misp-project.org/taxonomies.html#_estimative_language)

In part, this language and taxonomy would be associated with threats (internal and external) to describe the likely frequency associated with a threat actor / vector being used to exploit a vulnerability. Generally, this determination would be made by the intelligence analyst who generates the original intelligence material, and would more than likely be associated with a whole MISP event, rather than an individual attribute.

The taxonomy for Estimative Language is applied using the estimative-language predicate, followed by the likelihood-probability sub-predicate. For example as below:

estimative-language:likelihood-probability="value"

The value component of the taxonomy is derived from an estimative assessment based a sliding scale of almost-no-chance through to almost-certain.

Confidence LevelDescriptionAssociated Numerical Value
Almost No ChanceAlmost no chance – remote1 to 5%
Very UnlikelyVery unlikely – highly improbable5 to 20%
UnlikelyUnlikely – improbable (improbably)20 to 45%
Roughly Even ChanceRoughly even change – roughly even odds45 to 55%
LikelyLikely – probable (probably)55 to 80%
Very LikelyVery likely – highly probable80 to 95%
Almost CertainAlmost certain(ly) – nearly certain95% to 100%

Leave a Reply

seven + 14 =