All humans have a basic set of needs which they work to satisfy – as described by Maslow in his seminal, “A Theory of Human Motivation.” Maslow did not create a true hierarchy. He describes how there are sometime competing and/or complementary needs. Instead of a strict hierarchy, these needs form dominating preferences or priorities.
It made me question whether there was a cyber operational equivalent: a set of hierarchical needs or requirements necessary for the adversary/hacker to meet their goal. Like Maslow, I do not believe that this hierarchy is necessarily serial in nature but rather inform priorities and dominate preferences. Nor do I believe that they must necessarily be satisfied in order, serially.
For instance, a hacker may create a capability and then sell that capability, or their skills to use the capability, to an organization thereby gaining funding for the rest of the operation. However, while the capability was the first achieved in the chain, it was a vehicle to achieve a more base need: funding.
Basic Necessities: Obviously those things which allow a person to live and work effectively
Funding: Even the most basic funding is required for equipment (computer(s)) and/or purchasing other things like connectivity to the Internet and the like.
Connectivity: A hacker must be connected to a network to which s/he can reach potential targets
Target Vulnerabilities: A hacker must have a set of vulnerabilities and exposure upon which they can exploit to achieve their goals
Capabilities/Infrastructure: I believe these are both equally important but both are a requirement for operations – the capability to achieve their effect, and the infrastructure to deliver the capabilities to the target victims
Targets: A hacker must have a one or more targets of which they can use to achieve their intent
Access: A hacker must have access to the target to achieve any effects and ultimately achieve a positive outcome
Outcome: The successful exploitation, attack, etc. of which was the entire intent of the hacker
Reward: The reward for their successful operation (fame, fortune, notoriety, etc.)
So, what do you think? Do they map to your understanding of the hierarchy for the operational needs of a hacker? How would you use this model?