Screening, Selection, and the 3-bit Framework

When selecting a tool, plan, or course of action, you generally have two sets of criteria. First, screening criteria establish what you’re willing to consider. Second, selection criteria help you rank your options.

Screening criteria set the table for what options you’re willing to compare to each other. Typically, screening criteria are based on the business or mission requirements for a tool or solution. They can also be based on your constraints and your willingness to use certain features or qualities.

Screening criteria can vary widely, so here are a few examples:

  • Must allow simultaneous editing and collaboration

  • Must provide instant messaging

  • Must not cost more than $1000

  • Must work with macOS

  • Must provide end-to-end encryption

Note the use of the word “must.” Screening criteria lay out the non-negotiables that your options must meet.

Selection criteria, however, are used to qualify your options and rank them against each other. If all solutions get the job done, selection criteria determine which one gets it done best or most cost effectively. Some examples:

  • Cost

  • Ease of Use

  • Setup speed

Selection criteria typically take the form of qualitative scales, and those scales can be subjective. When criteria are subjective, you’d normally just rank all options against each other. The best solution is scored 1, the second best is scored 2, etc. (Though you can use an inverse ranking system if you want high scores to win—the world is your oyster.)

You can also weight selection criteria: if cost is your most important factor, you can double each option’s cost score so that the options separate most clearly on that criterion.

To borrow US Army language from FM 6-0 Commander and Staff Organization and Operations from 2022, all options must be suitable, feasible, acceptable, distinguishable, and complete. Screening criteria are used to narrow your options down to what’s suitable, feasible, and acceptable. Selection criteria help evaluate the degree to which an option is distinguished from other options and a complete solution.

Significant Bits and Screening and Selection Criteria

The 3-bit Framework (ref: https://www.ericiussecurity.org/blog/3-bit-ip-planning) can be used for both types of criteria. Remember, the 3-bit framework is specifically built for evaluating your PACE plan: ranking options in the order that they will be used. That means:

  • Screening Criteria – What options are eligible for inclusion in the PACE plan?

  • Selection Criteria – Where does the option go in the PACE plan, if anywhere?

First, we’re going to determine if there are any of the three categories that must be answered a particular way:

  • Is it fast?

  • Is it quiet?

  • Is it protected?

If your options must be protected, then we’re going to force that bit to be “yes” (1) and throw out any option that doesn’t qualify.

In the language of bits and bytes, we can then select our most significant bits. In this case, we’re going to put our most important or significant bits all the way to the left in order of importance. For our screening criteria, we can choose to either make them most significant, or we can choose to drop that bit altogether going forward—that bit no longer helps us distinguish our options.

By ranking bits in order of importance from left to right, we can keep our yes/no options and develop a natural scoring framework atop it using a natural representation of numbers.

Let’s assume that we’ve screened options by some criteria not listed in the 3-bit framework. We then look at our 3 bits and rank them in order of importance. For a contrived example, let’s say we choose:

  1. Protected

  2. Speed

  3. Quiet

We assign each option a yes/no score. Using Signal and AOL Instant Messenger as examples:

Signal

  • Protected? Yes (1)

  • Speed? Yes (1)

  • Quiet? No (0)

AIM

  • Protected? No (0)

  • Speed? Yes (1)

  • Quiet? No (0)

Since we have 3 bits, re-write those scores from left to right:

  • Signal: 110

  • AIM: 010

Now you get to choose how much of a math nerd you’re going to be. It’s the 3-bit framework, so you can use binary (base 2) if you really want to. But time is valuable and 110 is bigger than 010 in both binary and in decimal (base 10, aka “normal numbers”).

So, in our contrived example, Signal scores higher than AIM because 110 is greater than 10 (I dropped the zero from 010).

Assuming you’ve put your criteria in order from most important to least important left to right, you will have a natural scoring system that can be used for PACE planning.

  • Primary – Highest score

  • Alternate – Second place

  • Contingency – Third place

  • Emergency – Fourth place

Unfortunately, this doesn’t solve tiebreakers for you. You probably then add additional criteria like cost and ease of use to differentiate the tie. If there’s still a tie and you’re a battalion commander, send the operations officer back to the dungeon to develop more distinct options. Otherwise, celebrate having two truly interchangeable options to build resiliency for your team.
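The whole procedure (force a screening bit, drop it, pack the remaining bits left to right, fill the PACE slots, and flag ties) fits in a short script. This is an added example, not code from the 3-bit Framework post; the function names are hypothetical, and "Option C" and "Option D" are constructed entries included only to show a tie.

```python
from itertools import groupby

PACE = ["Primary", "Alternate", "Contingency", "Emergency"]

def score(bits, order):
    """Pack yes/no answers into an integer, most important criterion leftmost."""
    value = 0
    for name in order:
        value = (value << 1) | int(bool(bits[name]))
    return value

def pace_plan(options, order, must=()):
    """Screen on forced bits, then rank the survivors by packed score.

    Returns (plan, ties): plan maps PACE slots to option names; ties lists
    groups of options that share a score and need an extra criterion.
    """
    # Screening: throw out any option that answers "no" to a forced bit.
    eligible = {n: b for n, b in options.items() if all(b[m] for m in must)}
    # A forced bit is 1 for every survivor, so it no longer distinguishes them.
    select = [c for c in order if c not in must]
    # Names break ties only to keep the output deterministic; real
    # tiebreakers (cost, ease of use) still have to be applied by hand.
    ranked = sorted(eligible, key=lambda n: (-score(eligible[n], select), n))
    ties = []
    for _, grp in groupby(ranked, key=lambda n: score(eligible[n], select)):
        grp = list(grp)
        if len(grp) > 1:
            ties.append(grp)
    return dict(zip(PACE, ranked)), ties

# Signal and AIM answers are the article's; Options C and D are constructed.
OPTIONS = {
    "Signal":   {"protected": 1, "speed": 1, "quiet": 0},
    "AIM":      {"protected": 0, "speed": 1, "quiet": 0},
    "Option C": {"protected": 1, "speed": 0, "quiet": 1},
    "Option D": {"protected": 1, "speed": 0, "quiet": 1},
}
ORDER = ["protected", "speed", "quiet"]  # most important first

if __name__ == "__main__":
    print(pace_plan(OPTIONS, ORDER))                      # selection only
    print(pace_plan(OPTIONS, ORDER, must=["protected"]))  # screen, then select
```

With "protected" forced, AIM is screened out before scoring and the Emergency slot stays empty, which is the signal that another eligible option is needed.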
