Blog
11.06.2025
Critical thinking in security analysis: Reducing subjective interpretation

Learn how critical thinking in security analysis reduces false conclusions and cognitive bias by evaluating competing hypotheses instead of relying on first impressions.

Filip Fog, Security Analyst
Filip has a passion for security and incident management. He has also developed and led an incident operations center for private and public clients. At Sicra, he will specifically use Palo Alto Networks' toolbox.

When you face your next security incident, what do you do?

Most people quickly form a theory about what happened and then start looking for evidence that supports this theory. This is human nature - and that's exactly why it can lead to erroneous conclusions that can be costly.

The problem isn't that we lack competence or tools. The problem is that our brains work against us when we need to analyze complex problems. We take mental shortcuts that can lead us astray, and we see what we expect to see.

Why traditional analysis is no longer sufficient

In today's security environment, SOC analysts encounter incidents that can have multiple possible explanations. Suspicious network activity could be either a targeted attack, an internal threat, system failure, or a combination of factors. When we analyze based on first impressions and confirmation bias, we risk overlooking critical aspects and making hasty decisions.

Traditional incident analysis often follows this pattern: find the most obvious explanation, gather evidence that supports it, and conclude. This approach has several weaknesses, and they become critical when handling highly critical security incidents.

We often fall into these three pitfalls:

  • Confirmation bias makes us search for information that confirms our assumptions while ignoring contradictory evidence
  • Anchoring bias causes us to be overly influenced by the first information we receive
  • Availability heuristic leads us to base assessments on what we easily remember from similar incidents


We still need the brain's ability to make quick and sound decisions, so I am not saying we should stop using our experienced minds. However, we should be aware of the shortcuts we take when reasoning.

ACH methodology: A systematic approach

Analysis of Competing Hypotheses (ACH) was developed by CIA analyst Richards Heuer in the 1970s to combat exactly these challenges. The methodology has since been adopted in security environments because it forces critical thinking and reduces unconscious subjective interpretation.

ACH works by turning traditional incident analysis on its head. Instead of focusing on one hypothesis, we evaluate every plausible hypothesis against each piece of evidence and record whether that evidence contradicts or supports it.

[Figure: the steps of building an ACH matrix]

Practical implementation in SOC environments

Understanding ACH methodology in theory is one thing, but implementing it is another.

SOC environments differ widely. In some, SOC analysts must handle hundreds of alarms per day, while in other, more optimized environments a SOC analyst handles a maximum of 10 incidents.

An analyst who is already handling hundreds of alarms cannot be burdened with a process that demands even more effort per alarm, and it would not be possible to apply this method to every alarm before the queue overflows.


In an environment with well-implemented "noise" filters and automation, however, it is possible to raise the standard of analysis. Team collaboration is also crucial for an effective ACH implementation. Different perspectives - technical, business, and security - contribute to better and more diverse hypotheses. An analyst with a network background will see different possibilities and viewpoints than one with malware expertise.

You can start with a simple 15-minute brainstorming session to identify hypotheses. This short investment can reveal alternative explanations you would otherwise overlook. As you become more comfortable with this, the process goes faster.

ACH matrix in practice

To illustrate how the ACH methodology works in practice, consider the following example, which demonstrates the fundamental principle of trying to disprove hypotheses rather than confirm them.

[Figure: example ACH matrix]

The matrix here is an example that demonstrates how ACH can reveal that what initially appears to be a cyberattack may actually be a poorly documented but legitimate operation.

The ACH matrix upholds the following principles:

Transparent methodology: The evaluation systematically records the contradictory and supportive evidence for each hypothesis. This makes the analysis verifiable and clearly shows how the conclusion was reached.

Focus on disproof: Instead of looking for evidence that supports the first theory, the matrix evaluates how strongly each piece of evidence contradicts each hypothesis. The hypothesis with the fewest and weakest contradictions is the most likely.

Practical application: The matrix demonstrates how ACH prevents the confirmation bias that could make analysts focus on data exfiltration and file encryption and conclude that they are facing an APT attack. They would then overlook the lack of ransom demands, spend a lot of time proving their own theory, and possibly respond on the wrong basis.

The matrix shows that ransomware infection actually has the most contradictory evidence.
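To make the scoring concrete, here is a small Python scorer for an ACH matrix. It is an added example, not code from the original post or from Sicra; the three hypotheses, the evidence items, their consistency ratings and their credibility weights are all constructed for illustration and are not the values from the matrix figure. It goes slightly beyond the matrix discussed above by also applying two further steps from Heuer's method: dropping evidence that is non-diagnostic (rated the same for every hypothesis) and a sensitivity check that reports which single evidence item the leading conclusion hinges on.

```python
"""Scoring an Analysis of Competing Hypotheses (ACH) matrix.

Added example; not code from the original post or from Sicra. The hypotheses,
evidence items, consistency ratings and credibility weights are constructed
for illustration and are not the values from the post's matrix figure.
"""
from dataclasses import dataclass

# Heuer-style consistency codes. Only inconsistency is scored: ACH ranks
# hypotheses by how much evidence each one fails to explain, not by how much
# supports it, because supporting evidence often fits several hypotheses.
INCONSISTENCY_POINTS = {"CC": 0, "C": 0, "N": 0, "I": 1, "II": 2}


@dataclass(frozen=True)
class Evidence:
    name: str
    credibility: float          # 0..1: how reliable the item is judged to be
    ratings: tuple              # one consistency code per hypothesis, in order


# Constructed incident: a bulk data transfer plus files encrypted in place,
# which at first glance looks like an attack.
HYPOTHESES = [
    "APT intrusion",
    "Ransomware infection",
    "Legitimate but undocumented IT operation",
]

# Ratings are given in HYPOTHESES order (APT, ransomware, legitimate).
EVIDENCE = [
    Evidence("Bulk data transfer to external cloud storage", 0.9, ("C", "N", "C")),
    Evidence("Files on the file server re-encrypted in place", 0.8, ("N", "CC", "I")),
    Evidence("No ransom note or extortion contact after 72 hours", 0.9, ("N", "II", "C")),
    Evidence("Transfer ran under a service account inside a change window", 0.7, ("I", "I", "CC")),
    Evidence("No persistence or C2 beaconing found on involved hosts", 0.6, ("II", "I", "C")),
    # Rated the same for every hypothesis, so it cannot discriminate between them.
    Evidence("Endpoint agent reported healthy on all hosts", 0.5, ("N", "N", "N")),
]


def diagnostic(evidence):
    """Heuer's refinement step: drop evidence that is rated identically for
    every hypothesis, since it cannot help disprove any of them."""
    return [e for e in evidence if len(set(e.ratings)) > 1]


def inconsistency_scores(hypotheses, evidence):
    """Credibility-weighted inconsistency per hypothesis. Lower means fewer
    and weaker contradictions, i.e. the hypothesis survives better."""
    usable = diagnostic(evidence)
    scores = {}
    for i, hypothesis in enumerate(hypotheses):
        total = sum(INCONSISTENCY_POINTS[e.ratings[i]] * e.credibility for e in usable)
        scores[hypothesis] = round(total, 2)
    return scores


def rank(hypotheses, evidence):
    """Hypotheses ordered from least to most contradicted."""
    scores = inconsistency_scores(hypotheses, evidence)
    return sorted(scores.items(), key=lambda item: item[1])


def pivotal_evidence(hypotheses, evidence):
    """Sensitivity analysis: which single item, if it turned out to be wrong
    and was removed, would change the leading hypothesis? Those items deserve
    the most verification effort before the conclusion is acted on."""
    leader = rank(hypotheses, evidence)[0][0]
    pivotal = []
    for item in evidence:
        remaining = [e for e in evidence if e is not item]
        if rank(hypotheses, remaining)[0][0] != leader:
            pivotal.append(item.name)
    return pivotal


if __name__ == "__main__":
    for hypothesis, score in rank(HYPOTHESES, EVIDENCE):
        print(f"{score:4.1f}  {hypothesis}")
    print("Conclusion hinges on:", pivotal_evidence(HYPOTHESES, EVIDENCE))
```

With the constructed ratings the legitimate-operation hypothesis has the fewest weighted contradictions and ransomware the most, mirroring the outcome described above. The sensitivity check adds something the matrix alone does not show: the ranking flips to APT intrusion if the "no persistence or C2 beaconing" finding is removed, so that single item is where the analyst should spend verification effort before declaring the activity benign.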

Conclusion: Investment in better decisions

Start by asking yourself one simple question when the next security incident appears: "What other explanations could there be?" The brief pause it takes to identify alternative hypotheses can be the difference between a correct response and a costly misinterpretation.

In a world where cyber threats are constantly changing and becoming more sophisticated, we can no longer rely on intuition and mental autopilot when analyzing security incidents. ACH methodology gives us a framework for thinking systematically and critically, even under pressure.

ACH methodology isn't about complicating analysis work - it's about making it more precise. It helps build a more robust security culture where decisions are made based on evidence, not assumptions.

Yes, it requires investment in training and a change in the work processes. But the costs of erroneous security analyses - in resources, reputation, and actual security - make this investment worthwhile.

The future of cybersecurity requires not just smarter and better technology, but smarter and better-adjusted thinking.
