The other day, I was boarding an 8 AM flight with a cup of coffee (purchased after the security checkpoint) in my hand. If you've ever taken an 8 AM flight, you know that you're probably leaving for the airport around 6 AM. Wanting to take a cup of coffee on the flight with you is not such an anomaly. In other words, it's a very expected type of behavior. Nonetheless, TSA pulled me aside as I was waiting to board, in their words, "because you want to board the plane with a cup of coffee, we will need to vapor test your coffee." They proceeded to hold what looked like litmus paper over the coffee. They then sprayed the paper with some clear liquid and pronounced my coffee free of harmful vapors. I was then free to board the plane.
There are a few issues with this logic:
1) One is allowed to purchase liquids after the security checkpoint and bring them on board the aircraft. This is an accepted behavior that is seen frequently and has been identified as legitimate by TSA authorities. Functionally, this is a whitelisted behavior. So why waste precious TSA personnel cycles on it?
2) If I wanted to mix something into the coffee to produce some sort of harmful vapor, I would wait until I was on the plane to do so. Why would I waste precious vapors before boarding?
3) I could just as easily order coffee on the plane, mix something into it, and have the same effect without TSA being able to vapor test my coffee. The TSA test is easily avoided.
So, you're probably asking yourself what relevance this has to this blog. In the above example, the TSA inspector (the analyst in this analogy) pulled me aside for what he considered anomalous behavior. The problem is that my behavior was routine, legitimate, widely accepted, and easily explained. It wasn't a wise use of precious analyst cycles.
It works the same in the cyber realm. We need to make sure we optimize analyst workflow so that analysts spend most of their day chasing down true anomalies: activity that has no easy explanation, isn't routine, isn't legitimate, and isn't widely accepted. There are a lot of ways to generate fruitless leads for analysts to chase down. The challenge is generating actionable, focused leads, and that's where taking an analytical approach can help.
Moving back to the physical realm, I hope the good folks at TSA will take a good look at the value-add of some of these procedures. TSA personnel's time is valuable and limited. They should be focused on procedures with high value-add.