Indicators or Signposts of Change
A SAT that creates lists of observable events or trends to track targets, monitor developments, spot emerging patterns, and warn of unanticipated change.
Purpose
Instill rigor into the analytic process by establishing objective baselines for tracking. Can “depersonalize” disagreements by shifting attention from competing judgments to a shared set of objective criteria.
Method
- Identify competing hypotheses or scenarios
- Create separate lists of expected activities, statements, or events for each hypothesis
- Regularly review and update lists to track which indicators are changing
- Identify the most likely hypothesis based on indicator patterns
Best practice: develop two lists per hypothesis — indicators that a development is occurring and indicators that it is not. Especially useful in What if? analysis.
Example: Political Instability Tracking Matrix
Categories tracked: Government Capacity, Legitimacy of Regime, Opposition Activity, Economic Factors, Environmental Issues, Trigger Mechanisms (contested elections, unpopular policy changes, coup plotting, etc.)
Biases Primarily Controlled
| Bias | How this technique counters it |
|---|---|
| Availability Heuristic | Requires listing all hypotheses and their expected indicators, not just those that come readily to mind |
| Status Quo Bias | Defines a set of criteria for recognizing change before change occurs; prevents the status quo from invisibly persisting |
| Hindsight Bias | Prospectively documented indicators create a verifiable record of what was expected before the outcome, countering retrospective revision |
| Overconfidence Bias | Monitoring for indicators that don’t appear (absence of expected evidence) surfaces uncertainty that overconfidence hides |
Applied in Cybersecurity
- Threat Intelligence: monitors long-term trends in threat actor behaviors or geopolitical shifts signaling emergent threats (Riley: SATs in Cybersecurity (2024))
- Risk Analysis: assesses likelihood and impact of cyber threats
- Cybersecurity Auditors: tracks deviations in compliance trends suggesting deeper systemic issues
- Vulnerability Analysts: tracks trends in vulnerability exploitation for proactive mitigation