Are you ready to stand out in your next interview? Understanding and preparing for Threat Analysis and Mitigation interview questions is a game-changer. In this blog, we’ve compiled key questions and expert advice to help you showcase your skills with confidence and precision. Let’s get started on your journey to acing the interview.
Questions Asked in Threat Analysis and Mitigation Interviews
Q 1. Explain the difference between a threat, vulnerability, and risk.
Think of it like this: a threat is a bad guy with bad intentions (e.g., a malicious hacker), a vulnerability is an unlocked door in your house (e.g., a software bug), and risk is the potential for that bad guy to get into your house and steal your stuff (e.g., data breach).
More formally:
- Threat: Any potential danger that could exploit vulnerabilities to breach security and cause harm. This can be a natural event (like a hurricane), a human actor (like a disgruntled employee), or a malicious entity (like a cyber attacker).
- Vulnerability: A weakness in a system, application, or process that could be exploited by a threat. This could be a software bug, a misconfiguration, a lack of security controls, or even human error.
- Risk: The likelihood and impact of a threat exploiting a vulnerability. It’s the combination of threat and vulnerability, expressed as the potential for loss or damage.
Example: A threat (a hacker) finds a vulnerability (a SQL injection flaw in a web application). The risk is the potential for the hacker to steal sensitive data from the database.
Q 2. Describe the process of conducting a threat assessment.
A threat assessment is a systematic process to identify and analyze potential threats to an organization’s assets. It involves several key steps:
- Identify Assets: Determine what needs protecting (e.g., data, systems, infrastructure, reputation).
- Identify Threats: Brainstorm potential threats – internal (employees, disgruntled partners) and external (hackers, natural disasters, competitors). Consider using threat intelligence feeds to understand current trends.
- Identify Vulnerabilities: Assess weaknesses in systems, applications, and processes that could be exploited by identified threats. This may involve vulnerability scanning, penetration testing, and code reviews.
- Analyze Risk: Determine the likelihood and impact of each threat exploiting a vulnerability. Consider using a risk matrix to visually represent this.
- Document Findings: Create a comprehensive report detailing identified threats, vulnerabilities, risks, and recommended mitigations.
Example: A bank conducting a threat assessment might identify phishing campaigns (threat) aimed at employees whose accounts lack MFA and who have had no awareness training (vulnerability), which could lead to unauthorized access to customer data (risk). The assessment would then outline mitigations for that risk, such as security awareness training and enforcing MFA on every staff account.
Q 3. What are the key components of a vulnerability management program?
A robust vulnerability management program is crucial for minimizing risks. Key components include:
- Vulnerability Scanning & Assessment: Regular automated scans using tools to identify vulnerabilities in systems and applications.
- Penetration Testing: Simulated attacks to identify vulnerabilities that automated scans might miss.
- Vulnerability Prioritization: Determining which vulnerabilities to address first based on risk (likelihood and impact).
- Remediation: Fixing identified vulnerabilities, whether through patching, configuration changes, or other solutions.
- Reporting & Monitoring: Tracking remediation progress, identifying new vulnerabilities, and reporting on overall security posture.
- Policy & Procedures: Formal guidelines for managing vulnerabilities, including timelines for remediation and escalation processes.
- Vulnerability Database & Knowledge Base: A central repository of information on identified vulnerabilities, their severity, and remediation steps.
Think of it as a continuous cycle of identifying, prioritizing, fixing, and monitoring vulnerabilities to ensure your systems remain secure.
Q 4. How do you prioritize threats and vulnerabilities?
Prioritization is key to efficiently managing threats and vulnerabilities. This is often done using a risk matrix that considers both likelihood and impact. For example:
- Likelihood: How likely is the threat to exploit the vulnerability? (e.g., low, medium, high)
- Impact: What is the potential damage if the threat is successful? (e.g., low, medium, high, catastrophic – data breach, financial loss, reputational damage)
A common approach is to use a risk score, often calculated by multiplying likelihood and impact scores. High-risk vulnerabilities (high likelihood and high impact) should be addressed first. Note that a CVSS base score measures technical severity, not risk to your organization: whether the system is internet-facing, whether a public exploit exists, and whether the asset holds regulated data belong on the likelihood and impact side of the matrix. Qualitative factors, such as regulatory compliance requirements, can also raise a finding’s priority.
Example: A vulnerability with a high likelihood of exploitation and a high impact (like a critical web application vulnerability) would be prioritized over a vulnerability with a low likelihood and low impact (like an outdated library with no known exploits).
Q 5. Explain the concept of risk mitigation.
Risk mitigation is about reducing the likelihood or impact of a risk event. It’s not about eliminating all risks (that’s often impossible), but about making them manageable and acceptable. It involves identifying effective controls to reduce the risk to an acceptable level. The goal is to find the balance between cost and effectiveness – you don’t want to spend a fortune to mitigate a low-risk threat.
This process often involves a cost-benefit analysis, weighing the cost of implementing a mitigation strategy against the potential cost of the risk event.
Q 6. What are some common risk mitigation strategies?
Risk treatment (often loosely called mitigation) offers four standard options:
- Avoidance: Eliminating the risk entirely by not engaging in the activity that poses it, for example retiring a feature or not storing a class of data at all.
- Reduction (mitigation in the narrow sense): Lowering the likelihood or impact of a risk event by implementing security controls, patching vulnerabilities, or improving processes.
- Transfer: Shifting the financial consequences to another party, typically through insurance or contracts with a vendor. Transfer does not shift accountability: you remain answerable to customers and regulators for data a vendor loses.
- Acceptance: Knowingly carrying the risk and its potential consequences. This is appropriate for low risks and for the residual risk that remains after treatment, and should be documented and signed off by the risk owner.
Examples:
- Mitigation: Implementing multi-factor authentication (MFA) to reduce the risk of unauthorized access.
- Transfer: Purchasing cyber insurance to cover potential losses from a data breach.
- Acceptance: Accepting the risk of a minor system outage with minimal impact.
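A worked cost-benefit comparison of the four treatment options from Q 5 and Q 6, added here as an example rather than taken from the post: it uses the standard Annualized Loss Expectancy model (ALE = SLE x ARO) and picks the cheapest option that brings residual loss within the business’s tolerance. The scenario figures, the per-option reduction factors and the decision rule are assumptions.

```python
"""Choosing a risk treatment with a cost-benefit check.
ALE = SLE x ARO; each treatment option is scored by its annual cost plus
the loss expectancy that remains after it. Added example; all figures and
the option list are constructed, not from any real assessment."""


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy: single-loss cost x expected events per year."""
    return sle * aro


def evaluate_options(sle, aro, options, tolerance):
    """Rank treatment options by total annual exposure (cost + residual ALE).

    Each option carries the fraction of ARO (likelihood_factor) and of SLE
    (impact_factor) that remains once it is in place; tolerance is the
    residual ALE the business is willing to carry."""
    baseline = ale(sle, aro)
    rows = []
    for o in options:
        residual = ale(sle * o["impact_factor"], aro * o["likelihood_factor"])
        rows.append({
            "name": o["name"],
            "treatment": o["treatment"],
            "annual_cost": o["annual_cost"],
            "residual_ale": residual,
            "total": o["annual_cost"] + residual,
            "within_tolerance": residual <= tolerance,
            # a control pays for itself when the ALE it removes exceeds its cost
            "pays_off": (baseline - residual) > o["annual_cost"],
        })
    return sorted(rows, key=lambda r: r["total"])


def choose(sle, aro, options, tolerance):
    """Cheapest option that brings residual ALE within tolerance; if none does,
    the one with the lowest total exposure."""
    ranked = evaluate_options(sle, aro, options, tolerance)
    for r in ranked:
        if r["within_tolerance"]:
            return r
    return ranked[0]


# Constructed scenario: phishing-led account takeover of a remote-access portal.
SLE = 200_000        # cost of one successful takeover (response, downtime, notification)
ARO = 0.5            # one expected event every two years
TOLERANCE = 15_000   # residual annual loss the business will accept
OPTIONS = [
    {"name": "accept", "treatment": "acceptance", "annual_cost": 0,
     "likelihood_factor": 1.0, "impact_factor": 1.0},
    {"name": "mfa-and-training", "treatment": "reduction", "annual_cost": 30_000,
     "likelihood_factor": 0.1, "impact_factor": 1.0},   # assumed 90% fewer successful phishes
    {"name": "cyber-insurance", "treatment": "transfer", "annual_cost": 25_000,
     "likelihood_factor": 1.0, "impact_factor": 0.3},   # insurer covers 70% of the loss
    {"name": "retire-portal", "treatment": "avoidance", "annual_cost": 150_000,
     "likelihood_factor": 0.0, "impact_factor": 1.0},   # lost productivity of the workaround
]

if __name__ == "__main__":
    for r in evaluate_options(SLE, ARO, OPTIONS, TOLERANCE):
        print(f'{r["name"]:18} cost={r["annual_cost"]:>7} residual={r["residual_ale"]:>9.0f} '
              f'total={r["total"]:>9.0f} within_tolerance={r["within_tolerance"]}')
    print("chosen:", choose(SLE, ARO, OPTIONS, TOLERANCE)["name"])
```

Insurance pays for itself here (it removes 70,000 of ALE for a 25,000 premium) but leaves 30,000 of residual loss above tolerance, which is why the reduction option wins; avoidance is rejected purely on cost.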
Q 7. Describe your experience with threat modeling methodologies (e.g., STRIDE, PASTA).
I have extensive experience with various threat modeling methodologies, including STRIDE and PASTA. Both are valuable tools for proactively identifying security risks in software systems.
STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) is a threat classification scheme in which each category is the violation of a security property (authentication, integrity, non-repudiation, confidentiality, availability, authorization). It is most effective applied per element of a data flow diagram, asking for each process, data store, data flow and external entity which of the six threats apply, with particular attention to flows that cross a trust boundary. It’s a simple and effective way to brainstorm threats to a system, and I often use STRIDE during design reviews or in the early stages of software development.
PASTA (Process for Attack Simulation and Threat Analysis) is a seven-stage, risk-centric methodology that starts from business objectives and technical scope, decomposes the application, then analyzes threats, vulnerabilities and attack paths before scoring risk and impact. It’s useful for complex systems and allows for more in-depth analysis than STRIDE on its own. I’ve used PASTA in projects requiring a comprehensive threat model, specifically where the focus was on a data-centric approach.
My experience includes applying these methods to various applications, from web applications and APIs to mobile apps and cloud-based infrastructure. In my past role, I led threat modeling workshops using STRIDE and PASTA, engaging developers and security engineers in collaboratively identifying and mitigating potential risks.
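STRIDE-per-element as a small script, added as an example and not taken from the post or from any threat modeling tool: each DFD element type maps to the STRIDE categories that apply to it, and the script enumerates candidate threats with a typical control for each, flagging flows that cross a trust boundary for review first. The DFD and the control wording are constructed.

```python
"""STRIDE-per-element over a small data flow diagram (DFD).
Added example, not Microsoft's Threat Modeling Tool or any project code;
the DFD below is constructed and the element-to-category table is the
usual STRIDE-per-element mapping."""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
# Which categories apply to each DFD element type.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",   # R only when the store holds audit/log data
    "data_flow": "TID",
}
# Typical control per category; assumed wording, not from the page.
CONTROL = {
    "S": "authenticate the principal (mTLS, signed session tokens)",
    "T": "integrity protection (signatures/MACs, input validation)",
    "R": "tamper-evident, append-only audit logging",
    "I": "encrypt in transit and at rest, least-privilege access",
    "D": "rate limits, quotas, redundancy",
    "E": "authorization check at every trust boundary",
}


@dataclass
class Element:
    name: str
    kind: str                       # key of APPLICABLE
    crosses_boundary: bool = False  # data flow crosses a trust boundary?
    holds_audit_log: bool = False   # data store is an audit log?


def enumerate_threats(elements):
    """Return one candidate threat per (element, applicable category)."""
    threats = []
    for e in elements:
        for code in APPLICABLE[e.kind]:
            if code == "R" and e.kind == "data_store" and not e.holds_audit_log:
                continue
            threats.append({
                "element": e.name,
                "category": STRIDE[code],
                "control": CONTROL[code],
                # flows across a trust boundary are where review effort goes first
                "review_first": e.kind == "data_flow" and e.crosses_boundary,
            })
    return threats


def by_element(threats):
    """Count candidate threats per element, for the workshop agenda."""
    counts = {}
    for t in threats:
        counts[t["element"]] = counts.get(t["element"], 0) + 1
    return counts


# Constructed DFD: a browser talks to a web API that reads/writes a database and an audit log.
DFD = [
    Element("browser", "external_entity"),
    Element("web-api", "process"),
    Element("orders-db", "data_store"),
    Element("audit-log", "data_store", holds_audit_log=True),
    Element("browser->web-api", "data_flow", crosses_boundary=True),
    Element("web-api->orders-db", "data_flow"),
]

if __name__ == "__main__":
    for t in enumerate_threats(DFD):
        flag = "*" if t["review_first"] else " "
        print(f'{flag} {t["element"]:20} {t["category"]:24} {t["control"]}')
```

Twenty-one candidate threats from six elements is typical: the value of the workshop is in striking the ones that do not apply and writing down why, which is what turns the list into a threat model.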
Q 8. How do you identify and assess emerging threats?
Identifying and assessing emerging threats requires a multi-faceted approach. It’s not just about reacting to the latest headline; it’s about proactively understanding the threat landscape and anticipating future attacks. Think of it like a detective investigating a crime – you gather clues, analyze patterns, and build a profile of the potential culprit.
Threat Intelligence Feeds: I leverage various threat intelligence feeds from reputable sources (e.g., government agencies, security vendors) to stay informed about newly discovered vulnerabilities, malware campaigns, and attack techniques. These feeds often provide early warnings of emerging threats, allowing for proactive mitigation.
Vulnerability Scanning and Penetration Testing: Regularly scanning our systems and networks for vulnerabilities helps identify potential entry points for attackers. Penetration testing simulates real-world attacks to pinpoint weaknesses and assess the effectiveness of existing security controls. This is like regularly checking your home’s locks and windows to make sure they’re secure.
Dark Web Monitoring: Monitoring the dark web and underground forums reveals discussions among malicious actors about new exploits, malware, and planned attacks. This offers invaluable insights into emerging threats before they become widely known.
Trend Analysis: I carefully analyze trends in attack vectors, malware families, and attack targets. Identifying patterns helps predict future attacks and prioritize mitigation efforts. For example, if we see a rise in ransomware attacks targeting specific industries, we’ll focus on strengthening defenses in those sectors.
Open Source Intelligence (OSINT): OSINT gathers information from publicly available sources like news articles, social media, and research papers. It helps understand the broader context of emerging threats and anticipate potential impact.
Q 9. How do you stay up-to-date on the latest threat intelligence?
Staying current with threat intelligence is an ongoing process, demanding constant vigilance. It’s like staying updated on the latest medical research to ensure you’re providing the best possible care to your patients.
Subscription to Threat Intelligence Platforms: I subscribe to several reputable threat intelligence platforms that provide curated feeds, reports, and alerts on the latest threats. These platforms often offer detailed analysis and context, going beyond simple alerts.
Security Conferences and Webinars: Attending industry conferences and webinars provides valuable insights from experts and allows for networking with other security professionals. These events offer a chance to learn about the latest research and best practices directly from the source.
Following Security Researchers and Blogs: I actively follow reputable security researchers and blogs to stay informed about their discoveries and analysis of emerging threats. This provides a more granular view of the evolving threat landscape.
Participating in Security Communities: Engaging in online security communities and forums allows for collaboration and knowledge sharing. Participating in these communities fosters a collaborative approach to threat analysis and strengthens our collective understanding.
Q 10. Explain your experience with security information and event management (SIEM) systems.
My experience with SIEM (Security Information and Event Management) systems is extensive. I’ve implemented, configured, and managed several SIEM solutions, including Splunk, QRadar, and ELK stack. A SIEM system is like a central nervous system for your organization’s security, collecting and analyzing logs from various sources to provide a comprehensive view of security events.
Log Management and Correlation: I’ve utilized SIEMs to collect, analyze, and correlate security logs from various sources (firewalls, servers, endpoints) to identify patterns, anomalies, and potential threats. This allows for early detection of security incidents.
Alerting and Response: I’ve configured SIEM systems to generate alerts based on predefined rules and thresholds. These alerts trigger immediate investigation and response to security events, minimizing their impact.
Reporting and Compliance: I’ve leveraged SIEMs to generate reports for compliance audits and security assessments. The comprehensive data collected by a SIEM simplifies the process of demonstrating compliance with relevant regulations (like GDPR or HIPAA).
Threat Hunting: SIEM systems are invaluable for threat hunting. By analyzing historical data and looking for unusual patterns, we can discover threats that might have otherwise gone unnoticed.
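A correlation rule of the kind a SIEM runs over the collected logs, as an added example (not from the post): stateful detection of an SSH brute-force attempt that ends in a successful login from the same source. The sshd-style log lines are constructed; the threshold and window are assumptions to tune per environment.

```python
"""Stateful SIEM-style correlation over SSH authentication logs: N failed
logins from one source inside a window, then a success from the same source.
Added example; the log lines are constructed and the threshold/window are
assumptions to tune per environment."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH-style syslog: "<Mon DD HH:MM:SS> <host> sshd[pid]: (Failed|Accepted) password
# for [invalid user] <user> from <ip> port <n> ssh2"
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(line, year=2024):
    """Syslog timestamps carry no year; the caller supplies it (assumed 2024)."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def correlate(lines, threshold=5, window=timedelta(minutes=5)):
    """Emit 'brute_force_attempt' when a source reaches `threshold` failures in `window`,
    and 'brute_force_success' when an Accepted follows such a burst from the same source."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # slide the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:             # fire once, not on every extra failure
                alerts.append({"rule": "brute_force_attempt", "src": ev["src"],
                               "ts": ev["ts"], "failures": len(q)})
        elif len(q) >= threshold:
            alerts.append({"rule": "brute_force_success", "src": ev["src"],
                           "user": ev["user"], "ts": ev["ts"], "failures": len(q)})
            q.clear()
    return alerts


# Constructed log excerpt (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
Mar 10 09:12:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:12:05 bastion sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 09:12:09 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:12:11 bastion sshd[2104]: Failed password for deploy from 198.51.100.5 port 40210 ssh2
Mar 10 09:12:14 bastion sshd[2105]: Failed password for deploy from 203.0.113.7 port 51025 ssh2
Mar 10 09:12:20 bastion sshd[2106]: Accepted password for deploy from 198.51.100.5 port 40210 ssh2
Mar 10 09:12:22 bastion sshd[2107]: Failed password for deploy from 203.0.113.7 port 51026 ssh2
Mar 10 09:12:40 bastion sshd[2109]: Accepted password for deploy from 203.0.113.7 port 51100 ssh2
Mar 10 09:30:00 bastion sshd[2200]: Failed password for deploy from 203.0.113.7 port 51300 ssh2
"""

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(a["rule"], a["src"], a.get("user", ""), a["ts"].time(), "failures:", a["failures"])
```

The single typo from 198.51.100.5 followed by a successful login produces nothing, which is the false-positive control: the rule keys on the burst, not on any failure preceding a success.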
Q 11. Describe your experience with intrusion detection/prevention systems (IDS/IPS).
Intrusion Detection/Prevention Systems (IDS/IPS) are critical components of a robust security architecture. I’ve worked with both network-based and host-based IDS/IPS solutions, including the open-source engines Snort and Suricata and commercial products from vendors such as Cisco. An IDS/IPS acts like a security guard at the network’s gate, monitoring traffic for malicious activity and either alerting you (IDS, watching a copy of the traffic) or blocking the traffic (IPS, sitting inline).
Signature-Based Detection: I’ve utilized signature-based detection to identify known malicious patterns in network traffic or system events. Think of this as a library of known malware fingerprints.
Anomaly Detection: I’ve configured IDS/IPS systems to detect unusual network behavior or system activity that deviates from established baselines. This can surface zero-day exploits and novel techniques that no signature describes yet, at the price of more false positives, so baselines must be built from known-good traffic and re-learned as the environment changes.
False Positive Management: A key skill is managing false positives. Improperly configured IDS/IPS can generate a flood of alerts, hindering effective security monitoring. I’ve developed strategies to fine-tune detection rules and reduce false positives.
Integration with SIEM: I’ve integrated IDS/IPS with SIEM systems to enhance security monitoring and correlation. This allows for a more comprehensive view of security events, enabling quicker response to threats.
Q 12. How do you respond to a security incident?
Responding to a security incident requires a structured and methodical approach. It’s like dealing with a medical emergency – you need a clear plan of action to minimize damage and ensure a swift recovery. My response follows a standard incident response lifecycle:
Preparation: This involves developing incident response plans, establishing communication protocols, and defining roles and responsibilities. It’s like preparing a fire drill before any actual incident.
Identification: This is where we discover the security incident, often through alerts from SIEM, IDS/IPS, or user reports. It’s like discovering the symptoms of the medical emergency.
Containment: This crucial step involves isolating the affected systems or networks to prevent further damage or spread of the threat. This is like isolating the patient to prevent further contagion.
Eradication: This involves removing the threat and restoring the affected systems to a secure state. This is like treating the underlying cause of the medical emergency.
Recovery: This involves restoring systems to full functionality and ensuring business continuity. This is the recovery phase of the medical emergency.
Post-Incident Activity: This includes conducting a post-incident review to identify lessons learned and improve future security posture. This is like carrying out a post-mortem analysis in the medical field.
Q 13. What is your experience with incident response frameworks (e.g., NIST)?
I’m proficient in several incident response frameworks, most notably NIST SP 800-61 (Computer Security Incident Handling Guide), with the NIST Cybersecurity Framework providing the program-level structure around it. These frameworks provide a structured approach to incident handling, ensuring consistency and efficiency. Think of these frameworks as well-defined recipes for handling security incidents.
NIST SP 800-61 and CSF: SP 800-61 defines the incident lifecycle as Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. The CSF’s functions (Identify, Protect, Detect, Respond, and Recover, with Govern added in CSF 2.0) sit above it: Respond and Recover are where the incident response plan plugs in, and Identify and Protect feed the preparation phase.
Incident Response Planning: Based on NIST and other frameworks, I’ve helped develop and maintain incident response plans, defining roles, responsibilities, escalation procedures, and communication strategies. This is crucial for effective and timely response.
Forensics: I’m experienced in forensic analysis techniques to collect and analyze evidence from compromised systems, tracing the attacker’s actions, and gathering insights for future threat mitigation.
Root Cause Analysis: I’m skilled in performing root cause analysis to identify the underlying causes of security incidents and implement effective remediation strategies to prevent recurrence. This involves analyzing logs, network traffic, and system configurations.
Q 14. Describe your experience with penetration testing methodologies.
My experience with penetration testing methodologies is comprehensive. I’ve conducted both black-box (no prior knowledge of the target system) and white-box (with complete knowledge of the target system) penetration tests, adhering to ethical and legal guidelines. Penetration testing is like performing a simulated medical procedure on a simulated patient to assess a surgical team’s readiness.
Planning and Scoping: Before commencing a penetration test, I carefully plan and scope the engagement, defining the objectives, targets, and methodologies to be used. This is like planning a surgery and ensuring all necessary equipment and personnel are available.
Reconnaissance: I utilize various techniques (e.g., port scanning, vulnerability scanning, social engineering) to gather information about the target system and identify potential vulnerabilities. This is similar to pre-operative assessments of the patient.
Vulnerability Analysis: I analyze identified vulnerabilities, determining their severity and potential impact on the target system. This is like assessing the criticality of different elements that need to be treated during the surgery.
Exploitation: I attempt to exploit identified vulnerabilities, demonstrating the potential for successful attacks. This is similar to executing the simulated medical procedure.
Reporting: I provide comprehensive reports detailing findings, including identified vulnerabilities, exploitation techniques, and recommendations for remediation. This is like writing a post-operative report summarizing the simulated surgery.
Q 15. What are some common types of malware and how do you detect them?
Malware encompasses various malicious software designed to damage, disrupt, or gain unauthorized access to computer systems. Common types include viruses, worms, trojans, ransomware, spyware, and adware. Detection relies on a multi-layered approach.
Signature-based detection: This traditional method compares files and code against a database of known malware signatures (byte patterns or hashes). It is fast and precise for known samples but misses anything new or repacked, which is why antivirus products layer heuristics and behavioral monitoring on top of it.
Heuristic analysis: This method analyzes the behavior of a program to identify suspicious activities, even if the code isn’t in the signature database. For instance, if a program attempts to write to system files without authorization, it’s flagged.
Sandboxing: This involves executing the suspected malware in an isolated environment to observe its behavior without risking the main system. Analysts can then analyze the effects of this execution.
Machine learning: Advanced techniques leverage machine learning algorithms to identify patterns and anomalies in code or system behavior, detecting previously unknown malware (zero-day threats).
For example, ransomware typically encrypts user files and demands a ransom for decryption. Detecting it involves monitoring for unusual file activity (many files rewritten in a short period with high-entropy content and changed extensions), attempts to delete Volume Shadow Copies (for instance vssadmin delete shadows), the appearance of ransom notes, and outbound connections to command-and-control infrastructure.
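The file-activity heuristic from the ransomware example above, implemented as an added example (not the post’s or any product’s code): per-process counting of writes that both change the file extension and carry high-entropy content, with an alert once enough of them land in a short window. The telemetry is constructed and the thresholds are assumptions.

```python
"""Behavioural ransomware detection over file-write events: a process that,
within a short window, overwrites many files with high-entropy data and
changes their extensions. Added example; the events are constructed and
the thresholds are assumptions to be tuned per environment."""
import hashlib
import math
import os
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; about 4-5 for text, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_ransomware_like(events, window=60, threshold=8, entropy_floor=7.0):
    """Alert once per process when `threshold` suspicious writes land within `window` seconds.
    A write is suspicious when the extension changed AND the content is high-entropy;
    requiring both keeps archivers (high entropy, same extension) and bulk renames
    (low entropy) out of the alert."""
    recent = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ext_changed = os.path.splitext(ev["path"])[1] != os.path.splitext(ev["new_path"])[1]
        if not ext_changed or shannon_entropy(ev["data"]) < entropy_floor:
            continue
        hits = [t for t in recent[ev["proc"]] if ev["ts"] - t <= window] + [ev["ts"]]
        recent[ev["proc"]] = hits
        if len(hits) == threshold:
            alerts.append({"proc": ev["proc"], "ts": ev["ts"], "files": len(hits)})
    return alerts


def pseudo_random(seed: str, size: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (SHA-256 chain)."""
    out, block = b"", seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


def make_events():
    """Constructed telemetry: one ransomware-like process, one editor, one archiver."""
    text = b"Quarterly report, draft 3. Figures pending review.\n" * 80
    events = []
    for i in range(10):   # encryptor: .docx -> .locked with ciphertext-like content, 2 s apart
        events.append({"ts": 100 + 2 * i, "proc": "svc32host.exe",
                       "path": f"C:/Users/jdoe/Documents/doc{i}.docx",
                       "new_path": f"C:/Users/jdoe/Documents/doc{i}.docx.locked",
                       "data": pseudo_random(f"doc{i}", 4096)})
    events.append({"ts": 105, "proc": "winword.exe",
                   "path": "C:/Users/jdoe/Documents/q3.docx",
                   "new_path": "C:/Users/jdoe/Documents/q3.docx", "data": text})
    events.append({"ts": 110, "proc": "7z.exe",
                   "path": "C:/Users/jdoe/Documents/archive.7z",
                   "new_path": "C:/Users/jdoe/Documents/archive.7z",
                   "data": pseudo_random("archive", 4096)})
    return events


if __name__ == "__main__":
    for a in detect_ransomware_like(make_events()):
        print(f'ALERT {a["proc"]} wrote {a["files"]} high-entropy renamed files by t={a["ts"]}')
```

The archiver writes data every bit as random-looking as the encryptor; what separates them is the combination of entropy, extension change and rate, and each of those three knobs is where false positives are tuned.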
Q 16. How do you investigate and analyze malware samples?
Malware analysis is a critical process to understand how malware operates and create mitigations. This involves a combination of static and dynamic analysis.
Static Analysis: This examines the malware without executing it. Techniques include disassembling the code (breaking it down into assembly language) to identify functions, strings, and suspicious code patterns. Tools like IDA Pro and Ghidra are commonly used.
Dynamic Analysis: This involves running the malware in a controlled environment (sandbox) to observe its behavior. This helps identify network connections, registry modifications, file system changes, and other actions. Tools like Cuckoo Sandbox facilitate this.
Imagine investigating a suspicious executable. Static analysis might reveal calls to known encryption libraries suggesting ransomware. Dynamic analysis in a sandbox could confirm file encryption and communication with a command-and-control server. The results inform the creation of detection signatures, incident response plans, and vulnerability patching.
Q 17. Explain the concept of a kill chain.
The kill chain (the Lockheed Martin Cyber Kill Chain is the original model) depicts the stages an attacker goes through to compromise a target. Understanding this framework is crucial for effective threat prevention and response, because breaking any one link stops the attack. The stages are often adapted to different contexts, but the common model includes:
- Reconnaissance: Attacker gathers information about the target.
- Weaponization: Attacker develops a malicious payload (e.g., malware).
- Delivery: Attacker delivers the payload (e.g., phishing email, exploit kit).
- Exploitation: Attacker exploits a vulnerability to gain access.
- Installation: Attacker installs malware on the target system.
- Command and Control: Attacker communicates with the compromised system.
- Actions on Objectives: Attacker achieves their goals (data theft, system disruption).
For example, an attacker builds a document with an embedded exploit (weaponization), sends it as a phishing attachment (delivery), the document exploits a vulnerability in the target’s reader (exploitation) and installs ransomware (installation), which then checks in with a command-and-control server (command and control) before encrypting files (actions on objectives). Understanding the kill chain allows for the implementation of security controls at each stage: mail filtering at delivery, patching at exploitation, egress filtering at command and control. The earlier the stage, the cheaper the disruption.
Q 18. How do you use threat intelligence to improve security posture?
Threat intelligence is crucial for proactive security. It’s the collection, analysis, and dissemination of information on threats to improve security posture. Using threat intelligence involves:
Identifying relevant threats: Understanding the specific threats targeting your organization (industry-specific threats, emerging malware families).
Prioritizing threats: Assessing the likelihood and impact of various threats to focus resources effectively.
Implementing preventative measures: Using threat intelligence to configure security controls, such as firewalls, intrusion detection systems, and web application firewalls, to block known malicious traffic and exploit attempts.
Improving incident response: Having pre-defined incident response plans informed by threat intelligence can speed up investigation and mitigation efforts.
Vulnerability management: Threat intelligence identifies vulnerabilities actively being exploited, allowing for rapid patching.
For example, if threat intelligence indicates a rise in phishing attacks using a specific type of exploit, you can implement additional security awareness training for employees and update your email filters to block such attacks.
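Putting a feed to work against local telemetry, as an added example (not from the post): indicators arrive defanged and with an expiry, so the matcher refangs them, discards stale ones, and looks for the remaining URLs, IPs, domains and hashes in proxy, DNS, firewall and EDR log lines. FEED and LOGS are constructed; the hash is the SHA-256 of the string "test", not a real sample.

```python
"""Matching a threat-intelligence feed against local telemetry.
Indicators arrive defanged (hxxp, [.]) and with expiry dates; the matcher
refangs them, drops stale ones, and looks for URLs, IPs, domains and hashes
in log lines. Added example; FEED and LOGS are constructed."""
import re
from datetime import date


def refang(value: str) -> str:
    """Undo the common defanging conventions used in shared indicators."""
    return (value.replace("hxxp", "http").replace("[.]", ".")
                 .replace("(.)", ".").replace("[:]", ":"))


def active_indicators(feed, today):
    """Map refanged, lower-cased indicator -> feed entry, skipping expired ones."""
    return {refang(i["value"]).lower(): i for i in feed if i["valid_until"] >= today}


# Tokens worth looking up: URLs, IPv4 addresses, SHA-256 hashes, hostnames.
TOKEN = re.compile(
    r"https?://\S+"
    r"|\b\d{1,3}(?:\.\d{1,3}){3}\b"
    r"|\b[a-f0-9]{64}\b"
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b",
    re.I,
)


def match_logs(lines, indicators):
    """Return one hit per (line, matching indicator)."""
    hits = []
    for line in lines:
        for tok in TOKEN.findall(line):
            key = tok.lower().rstrip("/.,;")
            ioc = indicators.get(key)
            if ioc:
                hits.append({"line": line, "indicator": key, "type": ioc["type"],
                             "source": ioc["source"], "confidence": ioc["confidence"]})
    return hits


# Constructed feed (documentation IP ranges and .example names; hash = sha256("test")).
FEED = [
    {"value": "hxxp://update-check[.]example/payload.exe", "type": "url",
     "source": "vendor-feed", "confidence": 90, "valid_until": date(2024, 6, 1)},
    {"value": "bad-cdn[.]example", "type": "domain",
     "source": "isac-share", "confidence": 70, "valid_until": date(2024, 6, 1)},
    {"value": "203[.]0[.]113[.]9", "type": "ipv4",
     "source": "vendor-feed", "confidence": 80, "valid_until": date(2024, 6, 1)},
    {"value": "198[.]51[.]100[.]20", "type": "ipv4",     # expired: stale C2 address
     "source": "vendor-feed", "confidence": 60, "valid_until": date(2023, 12, 31)},
    {"value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
     "type": "sha256", "source": "sandbox", "confidence": 95, "valid_until": date(2024, 6, 1)},
]

# Constructed log lines from four sources.
LOGS = [
    "2024-03-10T09:15:02Z proxy01 user=jdoe GET http://update-check.example/payload.exe 200",
    "2024-03-10T09:15:03Z dns01 query A bad-cdn.example from 10.0.0.24",
    "2024-03-10T09:16:10Z fw01 allow tcp 10.0.0.24:51234 -> 203.0.113.9:443",
    "2024-03-10T09:20:00Z fw01 allow tcp 10.0.0.31:51800 -> 198.51.100.20:443",
    "2024-03-10T09:21:00Z edr01 file_create host=ws17 "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
]

if __name__ == "__main__":
    active = active_indicators(FEED, date(2024, 3, 10))
    for h in match_logs(LOGS, active):
        print(f'{h["type"]:7} {h["confidence"]:>3} {h["source"]:12} {h["indicator"]}')
```

Expiring indicators matters as much as loading them: the stale address in the feed would otherwise generate an alert on the fourth line for infrastructure that has long since been reassigned.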
Q 19. Explain your experience with various security controls (e.g., firewalls, intrusion detection, encryption).
I have extensive experience with various security controls. My experience includes:
Firewalls: Experience configuring and managing both network firewalls (e.g., Cisco ASA, Palo Alto Networks) and host-based firewalls (Windows Firewall). I understand the importance of properly configured rules to allow legitimate traffic while blocking malicious traffic.
Intrusion Detection/Prevention Systems (IDS/IPS): I’ve worked with both signature-based and anomaly-based IDS/IPS systems, analyzing alerts, tuning rules, and integrating them with SIEM (Security Information and Event Management) systems. Understanding false positive reduction is crucial.
Encryption: Experience with various encryption technologies, including TLS/SSL for web traffic, IPsec for VPNs, and disk encryption (BitLocker, FileVault). I understand the importance of key management and strong cryptographic practices.
In a previous role, I helped implement a new IPS system, reducing the number of successful intrusions by 70% within six months. This involved careful rule tuning, integration with SIEM, and regular monitoring of system logs.
Q 20. Describe your experience with cloud security best practices.
Cloud security best practices are crucial in today’s environment. My experience includes:
Identity and Access Management (IAM): Implementing strong IAM policies, utilizing multi-factor authentication (MFA), and adhering to the principle of least privilege to control access to cloud resources.
Data Security: Implementing data encryption both in transit and at rest, utilizing data loss prevention (DLP) tools, and ensuring compliance with relevant regulations (e.g., GDPR, HIPAA).
Network Security: Utilizing virtual private clouds (VPCs), configuring network firewalls, and implementing intrusion detection/prevention systems within the cloud environment.
Security Monitoring and Logging: Leveraging cloud-based security monitoring tools and integrating them with SIEM systems for comprehensive threat detection and incident response.
In a recent project, I helped a company migrate to a cloud-based infrastructure, ensuring that all security best practices were implemented throughout the migration process. This minimized the risks associated with cloud migration.
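A least-privilege check for IAM policy documents, added here as an example (it is not an AWS tool and not from the post): it flags wildcard actions, wildcard resources, and privileged actions granted without a Condition, and shows an over-broad policy next to its tightened form. Both policies, the account ID and the ARNs are constructed placeholders; the PRIVILEGED action list is an assumption.

```python
"""Least-privilege check for an AWS IAM policy document: flags wildcard
actions, wildcard resources, and privileged actions granted without a
Condition. Added example (not an AWS tool); both policies are constructed,
and the account ID / ARNs are placeholders."""
import json

# Actions that let a principal widen its own access; assumed list, extend per environment.
PRIVILEGED = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "sts:AssumeRole", "lambda:UpdateFunctionCode",
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement index, severity, message) tuples for each weakness found."""
    findings = []
    for idx, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append((idx, "MEDIUM", "NotAction/NotResource grants everything except the list"))
        actions = as_list(st.get("Action", []))
        resources = as_list(st.get("Resource", []))
        for action in actions:
            if action == "*":
                findings.append((idx, "HIGH", "Action '*' allows every API call"))
            elif action.endswith(":*"):
                findings.append((idx, "MEDIUM", f"service-wide wildcard {action}"))
            if (action == "*" or action in PRIVILEGED) and "Condition" not in st:
                findings.append((idx, "HIGH", f"privileged action {action} without a Condition"))
        if "*" in resources:
            findings.append((idx, "MEDIUM", "Resource '*' applies to every resource in the account"))
    return findings


def worst_severity(findings):
    order = {"HIGH": 2, "MEDIUM": 1}
    return max((f[1] for f in findings), key=order.get, default="NONE")


# Constructed: the kind of policy that accumulates during a migration.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}""")

# Constructed: the same workload's real needs, scoped to one bucket and one role.
LEAST_PRIVILEGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-uploads-prod/*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/app-task-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}
  ]
}""")

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        findings = lint_policy(pol)
        print(f"{name}: {len(findings)} findings, worst={worst_severity(findings)}")
        for idx, sev, msg in findings:
            print(f"  statement[{idx}] {sev}: {msg}")
```

iam:PassRole is the finding most often missed in review: on its own it looks harmless, but without a Condition limiting the target service it lets the principal hand any role in the account to a compute service it controls.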
Q 21. How do you assess the security of third-party vendors?
Assessing third-party vendor security is critical for mitigating supply chain risks. My approach involves:
Due diligence: Reviewing the vendor’s security policies, certifications (e.g., ISO 27001, SOC 2), and incident response plans.
Security questionnaires: Using standardized questionnaires to assess the vendor’s security controls and practices.
Penetration testing: Where the contract and the vendor’s testing policy permit, conducting penetration tests or vulnerability assessments of the integration we expose to the vendor and of what they expose to us, and otherwise reviewing the vendor’s recent independent penetration test reports.
Ongoing monitoring: Continuously monitoring the vendor’s security posture through regular updates and communication.
Contractual agreements: Ensuring that security requirements are clearly defined and enforced through contractual agreements.
For example, before engaging a new cloud provider, I would meticulously review their security documentation and independent audit reports (SOC 2 Type II, ISO 27001), test my own deployment within the provider’s permitted penetration testing policy (the provider’s own infrastructure is out of scope for customer testing), and incorporate strong security requirements into the contract and service level agreement.
Q 22. What is your experience with security frameworks (e.g., NIST, ISO 27001)?
My experience encompasses a deep understanding and practical application of several prominent security frameworks. I’ve extensively worked with NIST Cybersecurity Framework (CSF), particularly its five core functions: Identify, Protect, Detect, Respond, and Recover (CSF 2.0 adds Govern as a sixth). I’ve used the CSF to guide risk assessments, develop security architectures, and implement security controls in various organizational contexts. For example, in a recent project for a financial institution, we leveraged the CSF to align their security posture with regulatory requirements, focusing on the Protect function by implementing multi-factor authentication and data encryption.
Furthermore, I possess significant familiarity with ISO 27001, the international standard for information security management systems (ISMS). I’ve assisted organizations in achieving ISO 27001 certification by helping them establish, implement, maintain, and continually improve their ISMS. This includes conducting gap analyses, developing policies and procedures, implementing controls, and performing internal audits to ensure compliance. A notable project involved guiding a healthcare provider through the certification process, ensuring the confidentiality, integrity, and availability of sensitive patient data.
Q 23. How do you communicate security risks to both technical and non-technical audiences?
Communicating security risks effectively requires tailoring the message to the audience. For technical audiences, I use precise terminology, detailed technical explanations, and demonstrate the impact through vulnerability scoring systems like CVSS. I might present a detailed vulnerability report outlining specific exploits and remediation steps, including code examples where appropriate.
For non-technical audiences, I avoid jargon and focus on the business impact of security risks. I use analogies and real-world examples to illustrate potential consequences. For instance, instead of discussing ‘SQL injection,’ I might explain that a data breach could lead to customer data theft and financial losses, affecting reputation and potentially leading to legal action. Visual aids like charts and graphs help summarize complex information concisely, emphasizing the risk likelihood and impact.
Q 24. Explain your experience with data loss prevention (DLP) tools.
My experience with Data Loss Prevention (DLP) tools is extensive. I’ve deployed and managed various DLP solutions, including both network-based and endpoint-based systems. I’ve worked with tools like McAfee DLP, Symantec DLP, and Forcepoint DLP, configuring them to monitor sensitive data, such as Personally Identifiable Information (PII) and intellectual property, across various channels including email, web traffic, and cloud storage services.
A key aspect of my work is not just deploying these tools but also fine-tuning them to minimize false positives. Overly aggressive DLP rules can disrupt productivity. I’ve developed strategies to create efficient rules based on data classification and context, ensuring accurate detection and minimizing disruptions. For instance, in a recent project, we used machine learning capabilities within our DLP solution to adapt to evolving data patterns and improve detection accuracy while reducing the number of false positives.
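The false-positive tuning described above, as an added example (not a DLP product’s rules or the post’s own code): a candidate card-number regex is validated with the Luhn check so that order numbers and tracking IDs of the same length drop out, and nearby keywords raise confidence from "flag for review" to "block". The sample message uses well-known test card numbers; the keyword list and the context window are assumptions.

```python
"""Payment-card detection for a DLP rule: broad regex, then Luhn validation,
then context keywords for confidence. Added example; the sample message is
constructed and uses public test card numbers."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Words near a number that make it likely to be a card (assumed list).
KEYWORDS = re.compile(r"\b(card|visa|mastercard|amex|cvv|cvc|exp(?:iry|ires)?|pan)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text, context=40):
    """Return masked card numbers with a confidence derived from nearby keywords."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            continue   # right shape, wrong checksum: order IDs, tracking numbers
        window = text[max(0, m.start() - context): m.end() + context]
        hits.append({
            "masked": "*" * (len(digits) - 4) + digits[-4:],
            "confidence": "high" if KEYWORDS.search(window) else "medium",
            "span": m.span(),
        })
    return hits


def classify(text):
    """Policy decision: block on a high-confidence PAN, flag medium ones for review."""
    hits = find_pans(text)
    if any(h["confidence"] == "high" for h in hits):
        return "block"
    return "flag" if hits else "allow"


# Constructed outbound message: one real-looking card, one order number, one bare number.
SAMPLE_EMAIL = """Hi, please charge card 4111 1111 1111 1111, exp 12/26, CVV on file.
Order reference 1234567890123456 for your records.
Tracking: 5500 0000 0000 0004
"""

if __name__ == "__main__":
    for h in find_pans(SAMPLE_EMAIL):
        print(h["confidence"], h["masked"], h["span"])
    print("decision:", classify(SAMPLE_EMAIL))
```

The order reference is the case that causes the most DLP noise in practice: it has the length and shape of a card number and only the checksum tells it apart.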
Q 25. How do you conduct a security audit?
A security audit is a systematic and independent examination of an organization’s security controls and practices. My approach follows a structured methodology:
- Planning & Scoping: Defining the scope, objectives, and timeline of the audit, identifying critical systems and assets.
- Information Gathering: Collecting evidence through interviews, document reviews (policies, procedures, configurations), and system analysis.
- Testing & Evaluation: Performing various tests, including vulnerability scans, penetration testing, and configuration reviews, to assess the effectiveness of security controls.
- Reporting & Remediation: Documenting findings, categorizing vulnerabilities based on their severity and risk, and providing recommendations for remediation.
- Follow-up & Monitoring: Tracking the implementation of recommendations and ensuring that identified vulnerabilities are addressed.
Throughout the audit, I adhere to relevant standards and best practices, documenting all findings thoroughly and objectively. I focus on providing actionable recommendations that are practical and aligned with the organization’s business objectives.
Q 26. What is your experience with various types of security testing (e.g., vulnerability scanning, penetration testing)?
I have extensive experience with various security testing methodologies. Vulnerability scanning involves automated tools that identify potential weaknesses in systems and applications. I use tools like Nessus, OpenVAS, and QualysGuard to scan networks and applications for known vulnerabilities. This provides a broad overview of potential risks.
Penetration testing, on the other hand, goes beyond vulnerability scanning. It simulates real-world attacks to assess the effectiveness of security controls. I utilize both black-box (no prior knowledge of the system) and white-box (with full system knowledge) testing approaches, depending on the objectives. Tools such as Metasploit and Burp Suite are frequently used. I always ensure that penetration tests are conducted ethically and with the organization’s explicit consent.
Beyond these, I’m experienced with other types of testing, such as code reviews, security awareness training effectiveness testing, and social engineering assessments. The selection of testing methods depends on the specific context and risks.
Q 27. Describe a time you had to make a difficult security decision. What was the outcome?
In a previous role, we faced a situation where a critical system was experiencing performance degradation due to a recently implemented security patch. The patch was intended to address a high-severity vulnerability, but the side effect impacted business operations significantly. The decision was whether to roll back the patch, leaving the vulnerability exposed, or to work through the performance issue, potentially causing significant downtime and revenue loss.
After careful consideration of the risks involved – including the potential for a successful exploit of the vulnerability versus the impact of the system outage – we chose to temporarily revert the patch while immediately engaging a development team to address the performance issue. We communicated transparently with stakeholders about the risks and the mitigation plan. We worked collaboratively to identify the root cause of the performance problem and implemented a solution that addressed both the vulnerability and the performance issue within 48 hours. The outcome was successful, demonstrating the importance of both rapid response and transparent communication in managing high-pressure security situations.
Q 28. How do you handle conflicting priorities in a security project?
Handling conflicting priorities in a security project requires a structured approach that prioritizes based on risk. I use a risk-based prioritization framework, considering factors like the likelihood and impact of potential threats. This involves creating a risk matrix that visualizes the vulnerabilities based on their severity and the likelihood of exploitation.
Once the risk matrix is established, I work collaboratively with stakeholders to discuss and prioritize projects based on the potential impact. This might involve using weighted scoring systems to objectively quantify risks and weigh them against business objectives. For instance, a high-impact vulnerability with a high likelihood of exploitation might take precedence over a lower-impact, low-likelihood vulnerability, even if the latter is more urgent from a project timeline perspective. Open communication and transparency are crucial to ensure everyone understands the reasoning behind the chosen priorities.
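The prioritization described above can be made concrete in code. The following is an added example, not code from the original post: it builds a 5x5 likelihood-by-impact risk matrix, computes a weighted score that folds in business criticality and schedule pressure, and ranks findings so that a high-likelihood, high-impact vulnerability outranks a low-risk one even when the latter is more urgent on the project timeline. The rating scales, weights and sample findings are all constructed for illustration; a real team would substitute its own.

```python
"""Risk-based prioritization of findings: a likelihood x impact risk matrix
plus a weighted score that folds in business objectives.
Added example; all scales, weights and findings are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Five-point ordinal scales (constructed; teams normally define their own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
SCALE_MAX = 5

# Weights for the scoring model; they must sum to 1.0. Likelihood and impact
# dominate, business criticality matters, schedule pressure counts least.
DEFAULT_WEIGHTS = {"likelihood": 0.35, "impact": 0.35, "criticality": 0.20, "urgency": 0.10}


@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: str   # key into LIKELIHOOD
    impact: str       # key into IMPACT
    criticality: int  # 1..5: how central the affected asset is to business objectives
    urgency: int      # 1..5: pressure from the project timeline


def matrix_score(f: Finding) -> int:
    """Classic risk-matrix cell value: likelihood rating times impact rating (1..25)."""
    return LIKELIHOOD[f.likelihood] * IMPACT[f.impact]


def risk_band(score: int) -> str:
    """Map a matrix score onto the bands usually drawn on a 5x5 heat map."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def build_matrix(findings):
    """Group findings by (likelihood, impact) cell so the matrix can be rendered."""
    cells = defaultdict(list)
    for f in findings:
        cells[(LIKELIHOOD[f.likelihood], IMPACT[f.impact])].append(f.name)
    return dict(cells)


def weighted_score(f: Finding, weights=DEFAULT_WEIGHTS) -> float:
    """Weighted score in 0..1; each factor is normalized to its scale maximum."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")
    factors = {
        "likelihood": LIKELIHOOD[f.likelihood],
        "impact": IMPACT[f.impact],
        "criticality": f.criticality,
        "urgency": f.urgency,
    }
    for k, v in factors.items():
        if not 1 <= v <= SCALE_MAX:
            raise ValueError(f"{k} rating {v} out of range for {f.name!r}")
    return sum(weights[k] * factors[k] / SCALE_MAX for k in weights)


def prioritize(findings, weights=DEFAULT_WEIGHTS):
    """Order findings for remediation: highest weighted score first, matrix score as tie-breaker."""
    return sorted(findings, key=lambda f: (weighted_score(f, weights), matrix_score(f)), reverse=True)


# Constructed sample findings (not taken from any real assessment).
SAMPLE_FINDINGS = [
    Finding("SQL injection in customer portal", "likely", "severe", criticality=5, urgency=2),
    Finding("Outdated TLS version on internal wiki", "unlikely", "minor", criticality=2, urgency=5),
    Finding("No MFA on admin VPN accounts", "possible", "major", criticality=4, urgency=3),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{weighted_score(f):.2f}  {risk_band(matrix_score(f)):8s}  {f.name}")
```

Note how the wiki TLS finding, despite carrying the highest timeline urgency, lands last: its low likelihood and impact keep the weighted score down, which is exactly the trade-off the answer above argues for. Keeping the weights in one place also makes the reasoning behind the ordering easy to show to stakeholders.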
Key Topics to Learn for Threat Analysis and Mitigation Interview
- Threat Modeling: Understanding different threat modeling methodologies (e.g., STRIDE, PASTA) and their practical application in identifying potential vulnerabilities in systems and applications.
- Vulnerability Assessment and Penetration Testing: Hands-on experience with vulnerability scanners and penetration testing tools, and the ability to interpret scan results and prioritize remediation efforts. Understanding ethical hacking principles is crucial.
- Risk Management Frameworks: Familiarity with frameworks like NIST Cybersecurity Framework and ISO 27005, and the ability to apply them to assess and mitigate risks effectively.
- Incident Response: Understanding the incident response lifecycle (preparation, identification, containment, eradication, recovery, lessons learned) and practical experience in handling security incidents.
- Security Controls and Mitigation Strategies: Knowledge of various security controls (technical, administrative, physical) and their effectiveness in mitigating specific threats. This includes understanding how to implement and manage these controls.
- Data Loss Prevention (DLP): Understanding strategies and technologies used to prevent sensitive data from leaving the organization’s control.
- Compliance and Regulations: Familiarity with relevant industry regulations and compliance standards (e.g., GDPR, HIPAA, PCI DSS) and how they impact threat analysis and mitigation strategies.
- Security Architecture and Design: Understanding how security is integrated into the design and architecture of systems and applications from the ground up.
- Problem-Solving and Analytical Skills: Demonstrating the ability to analyze complex security issues, identify root causes, and propose effective solutions.
- Communication and Collaboration: Effectively communicating technical security information to both technical and non-technical audiences, and collaborating effectively within a security team.
Next Steps
Mastering Threat Analysis and Mitigation is crucial for a successful and rewarding career in cybersecurity. It opens doors to high-demand roles with significant growth potential. To significantly enhance your job prospects, focus on crafting an ATS-friendly resume that highlights your skills and experience effectively. ResumeGemini is a trusted resource to help you build a professional and impactful resume. We provide examples of resumes tailored to Threat Analysis and Mitigation to guide you through the process. Invest time in creating a compelling resume – it’s your first impression to potential employers.