4 Decomposition and Visualization
4.8 NETWORK ANALYSIS
N
etwork Analysis is the review, compilation, and interpretation of data to determine the presence of associations among individuals, groups, businesses, or other entities; the meaning of thoseassociations to the people involved; and the degrees and ways in which those associations can be strengthened or weakened.2 It is the best method available to help analysts understand and identify opportunities to influence the behavior of a set of actors about whom information is sparse. In the fields of law enforcement and national security, information used in Network Analysis usually comes from informants or from physical or technical surveillance. These networks are most often
clandestine and therefore not visible to open source collectors. Although software has been
developed to help collect, sort, and map data, it is not essential to many of these analytic tasks. Social Network Analysis, which involves measuring associations, does require software.
Analysis of networks is broken down into three stages, and analysts can stop at the stage that answers their questions.
* Network Charting is the process of and associated techniques for identifying people, groups, things, places, and events of interest (nodes) and drawing connecting lines (links) between them on the basis of various types of association. The product is often referred to as a Link Chart.
* Network Analysis is the process and techniques that take the chart and strive to make sense of the data represented by the chart by grouping associations (sorting) and identifying patterns in and among those groups.
* Social Network Analysis (SNA) is the mathematical measuring of variables related to the distance between nodes and the types of associations in order to derive even more meaning from the chart, especially about the degree and type of influence one node has on another.
When to Use It
Network Analysis is used extensively in law enforcement, counterterrorism analysis, and analysis of transnational issues such as narcotics and weapons proliferation to identify and monitor individuals who may be involved in illegal activity. Network Charting (or Link Charting) is used to literally
“connect the dots” between people, groups, or other entities of intelligence or criminal interest.
Network Analysis puts these dots in context, and Social Network Analysis helps identify hidden associations and degrees of influence between the dots.
Value Added
Network Analysis has proved to be highly effective in helping analysts identify and understand
patterns of organization, authority, communication, travel, financial transactions, or other interactions between people or groups that are not apparent from isolated pieces of information. It often identifies
key leaders, information brokers, or sources of funding. It can identify additional individuals or groups who need to be investigated. If done over time, it can help spot change within the network.
Indicators monitored over time may signal preparations for offensive action by the network or may reveal opportunities for disrupting the network.
SNA software helps analysts do these tasks by facilitating the retrieval, charting, and storage of large amounts of information. Software is not necessary for this task, but is enormously helpful. The SNA software included in many network analysis packages is essential for measuring associations.
Potential Pitfalls
This method is extremely dependent upon having at least one good source of information. It is hard to know when information may be missing, and the boundaries of the network may be fuzzy and
constantly changing, in which case it is difficult to determine whom to include. The constantly
changing nature of networks over time can cause information to become outdated. You can be misled if you do not constantly question the data being entered, update the chart regularly, and look for gaps and consider their potential significance.
You should never rely blindly on the SNA software but strive to understand how the application being used works. As with any software, different applications measure different things in different ways, and the devil is always in the details.
The Method
Analysis of networks attempts to answer the question “Who is related to whom and what is the nature of their relationship and role in the network?” The basic network analysis software identifies key nodes and shows the links between them. SNA software measures the frequency of flow between links and explores the significance of key attributes of the nodes. We know of no software that does the intermediate task of grouping nodes into meaningful clusters, though algorithms do exist and are used by individual analysts. In all cases, however, you must interpret what is represented, looking at the chart to see how it reflects organizational structure, modes of operation, and patterns of behavior.
Network Charting: The key to good network analysis is to begin with a good chart. An example of such a chart is Figure 4.8a, which shows the terrorist network behind the attacks of September 11, 2001. It was compiled by networks researcher Valdis E. Krebs using data available from news sources on the Internet in early 2002.
Figure 4.8a Social Network Analysis: The September 11 Hijackers
Source: Vladis Krebs, Figure 3, “Connecting the Dots: Tracking Two Identified Terrorists,” Orgnet.com. www.orgnet.com/tnet.html.
Reproduced with permission of the author.
There are tried and true methods for making good charts that allow the analyst to save time, avoid unnecessary confusion, and arrive more quickly at insights. Network charting usually involves the following steps.
Identify at least one reliable source or stream of data to serve as a beginning point.
Identify, combine, or separate nodes within this reporting.
List each node in a database, association matrix, or software program.
Identify interactions among individuals or groups.
List interactions by type in a database, association matrix, or software program.
Identify each node and interaction by some criterion that is meaningful to your analysis. These criteria often include frequency of contact, type of contact, type of activity, and source of information.
Draw the connections between nodes—connect the dots—on a chart by hand, using a computer drawing tool, or using Network Analysis software. If you are not using software, begin with the nodes that are central to your intelligence question. Make the map more informative by
presenting each criterion in a different color or style or by using icons or pictures. A very complex chart may use all of these elements on the same link or node. The need for additional elements often happens when the intelligence question is murky (for example, when “I know something bad is going on, but I don’t know what”); when the chart is being used to answer multiple questions; or when a chart is maintained over a long period of time.
Work out from the central nodes, adding links and nodes until you run out of information from the good sources.
Add nodes and links from other sources, constantly checking them against the information you already have. Follow all leads, whether they are people, groups, things, or events, and regardless of source. Make note of the sources.
Stop in these cases: when you run out of information, when all of the new links are dead ends, when all of the new links begin to turn in on each other like a spider web, or when you run out of time.
Update the chart and supporting documents regularly as new information becomes available, or as you have time. Just a few minutes a day will pay enormous dividends.
Rearrange the nodes and links so that the links cross over each other as little as possible. This is easier to accomplish if you are using software. Many software packages can rearrange the nodes and links in various ways.
Cluster the nodes. Do this by looking for “dense” areas of the chart and relatively “empty” areas.
Draw shapes around the dense areas. Use a variety of shapes, colors, and line styles to denote different types of clusters, your relative confidence in the cluster, or any other criterion you deem important.
Cluster the clusters, if you can, using the same method.
Label each cluster according to the common denominator among the nodes it contains. In doing this you will identify groups, events, activities, and/or key locations. If you have in mind a model for groups or activities, you may be able to identify gaps in the chart by what is or is not present that relates to the model.
Look for “cliques”—a group of nodes in which every node is connected to every other node, though not to many nodes outside the group. These groupings often look like stars or pentagons.
In the intelligence world, they often turn out to be clandestine cells.
Look in the empty spaces for nodes or links that connect two clusters. Highlight these nodes with shapes or colors. These nodes are brokers, facilitators, leaders, advisers, media, or some other key connection that bears watching. They are also points where the network is susceptible to disruption.
Chart the flow of activities between nodes and clusters. You may want to use arrows and time stamps. Some software applications will allow you to display dynamically how the chart has changed over time.
Analyze this flow. Does it always go in one direction or in multiple directions? Are the same or different nodes involved? How many different flows are there? What are the pathways? By asking these questions, you can often identify activities, including indications of preparation for offensive action and lines of authority. You can also use this knowledge to assess the resiliency of the network. If one node or pathway were removed, would there be alternatives already built in?
Continually update and revise as nodes or links change.
Figure 4.8b is a modified version of the 9/11 hijacker network depicted in Figure 4.8a. It has been marked to identify the different types of clusters and nodes discussed under Network Analysis.
Cells are seen as stars or pentagons, potential cells are circled, and the large diamond surrounds the cluster of cells. Brokers are shown as nodes surrounded by small pentagons. Note the broker in the center. This node has connections to all of the other brokers. This is a senior leader: AlQaeda’s former head of operations in Europe, Imad Eddin Barakat Yarkas.
Figure 4.8b Social Network Analysis: September 11 Hijacker Key Nodes
Source: Based on Vladis Krebs, Figure 3, “Connecting the Dots: Tracking Two Identified Terrorists,” Orgnet.com.
www.orgnet.com/tnet.html. Reproduced with permission of the author. With changes by Cynthia Storer.
Figure 4.8c Social Network Analysis
Source: 2009 Pherson Associates, LLC.
Social Network Analysis requires a specialized software application. It is important, however, for analysts to familiarize themselves with the basic process and measures and the specialized
vocabulary used to describe position and function within the network. The following three types of centrality are illustrated in Figure 4.8c:
* Degree centrality: This is measured by the number of direct connections that a node has with other nodes. In the network depicted in Figure 4.8c, Deborah has the most direct connections. She is a
“connector” or a “hub” in this network.
* Betweenness centrality: Helen has fewer direct connections than does Deborah, but she plays a vital role as a “broker” in the network. Without her, Ira and Janice would be cut off from the rest of the network. A node with high betweenness has great influence over what flows—or does not flow—
through the network.
* Closeness centrality: Frank and Gary have fewer connections than does Deborah, yet the pattern of their direct and indirect ties allows them to access all the nodes in the network more quickly than anyone else. They are in the best position to monitor all the information that flows through the network.
Origins of This Technique
This is an old technique that has been transformed by the development of sophisticated software programs for organizing and analyzing large databases. Each of the following sources has made
significant contributions to the description of this technique: Valdis E. Krebs, “Social Network
Analysis, A Brief Introduction,” www.orgnet.com/sna.html; Krebs, “Uncloaking Terrorist Networks,”
First Monday, 7, no. 4 (April 1, 2002),
http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/941/863; Robert A.
Hanneman, “Introduction to Social Network Methods,” Department of Sociology, University of California Riverside,
http://faculty.ucr.edu/~hanneman/nettext/C1_Social_Network_Data.html#Populations; Marilyn B.
Peterson, Defense Intelligence Agency, “Association Analysis,” undated draft, used with permission of the author; Cynthia Storer and Averill Farrelly, Pherson Associates, LLC; Pherson Associates training materials.