Four-Step Intelligence Model for Decision Making
Mars Groves explains the four steps of the OODA Loop model used in intelligence for decision-making, which is very useful for difficult and time-sensitive situations.
The OODA loop is a four-step model used in intelligence for decision making that involves analyzing information and acting on it. In this article, I explain the roots of its history, its applications in combat operations, and how it can be utilized for time-sensitive decision making processes in cybersecurity, including other areas of our lives.
History
OODA is an acronym for observe, orient, decide, and act. It was developed in the 1960s by a man named John Boyd who was a Colonel in the United States Air Force as a fighter pilot, military researcher, and strategist. He came up with the concept after his experiences in the Korean War, realizing that a fighter pilot is at a disadvantage when dealing with an adversary who is more equipped and advanced than they are. The OODA loop model became developed as a result.
Model of Choice
Inevitably, the OODA loop became a model of choice for combat operations, which required a decision making process that can be effectively executed during critical and time-sensitive events. Indeed, the OODA loop model was proven as effective for decision-making with its recurring cycle of observe–orient–decide–act. In fact, the model can be used for any problem or issue that requires strategic decision-making. Not limited to areas such as business, medical, management, litigation, marketing, and especially cybersecurity.
The four stages of the OODA Loop Model
1. Observe:
The Observe stage is the information gathering process. This is the stage when you gather as much information that you possibly can regarding something. For example, a doctor first needs to gather all the information they need about a patient’s body in order to determine if anything is not functioning properly. They will observe a patient’s body and will notice if there is abnormal swelling or pain in a particular area and take a look at their lab results to determine if further testing or treatment needs to be done. In the event that a company or organization’s network becomes attacked, an information security or cybersecurity analyst on their technical security team is often the first to observe the network attacker, and will try to capture them by gathering logs, monitoring systems, and collecting any further information that will help them identify the attacker.
2. Orient:
The Orient stage puts the information gathered from the Observe stage into context. This is when everything is taken into account ranging from past experiences of dealing with a situation at hand or particular thing, preconceived notions, outcomes, expectations, and models. Let’s say a doctor notices a patient has an abnormal lump in their throat about the size of a golf ball. That doctor will take into account all the past experiences he had with patients that had the same problem in order to help themselves determine what could possibly be happening, to help them determine what direction to take for treating their patient. As far as dealing with a network attacker in the prior example, orientation takes the telemetry pulled from logs and combines it with knowledge about the network, APT groups who may target networks of those particular companies and organizations, and previously identified information such as specific IP addresses, devices used, and more.
3. Decide:
The Decide stage is when the final course of action is determined after considering a variety of options, but it is NOT the stage when you officially execute an action. In the case of a doctor who sees a patient with a lump in their throat that is the size of a golf ball, they can decide if the patient has cancer and needs chemotherapy or other alternative therapies based on their observational findings and analysis. Let’s say that the doctor decided the patient needs chemotherapy for this example. As far as dealing with the network attacker goes, this is the stage when a decision is made on whether the network attacker should continue to be observed to wait and see what their next move should be, to decide if they should be ignored instead, or if an incident-response action should be initiated. Regardless of the situation, a final course of action is decided in this stage.
4. Act:
The Act stage is when you execute the final course of action that was already decided. This is when you DO the action. It’s the point of no return where there is no turning back. What’s done is done. And it doesn’t necessarily mean what is done will be a 100% guaranteed success. Just like the doctor who decided their patient needs chemotherapy, it doesn’t mean that form of treatment will be 100% successful. The same applies to the network attacker (let’s say it was finally decided to ignore them which turned out to be a terrible idea). If the course of action acted upon doesn’t work, then we return to the whiteboard back to the OODA loop and start with the first stage of observation all over again. Observe–orient–decide–act becomes the loop that we rinse and repeat. Otherwise, the Act stage is final when successful.
The importance of OODA loop
The OODA loop is a simple four step process that is effective for decision-making, especially when time-sensitive situations are at hand, which is an important intelligence strategy that is useful in information security. OODA reveals how important it is to gather as much information as possible before filtering out what’s unnecessary when the context of information is considered in the orientation stage. The first two stages are critical in helping to decide what course of action needs to be acted on.
You can clearly recognize how prioritization in the decision-making process is crucial. For example, during the decision-making process in dealing with a particular situation at hand, it must be determined if it would be extremely destructive to ignore the situation, if it even requires an immediate or time-based response, or if it is a minor dealing that happens all the time and doesn’t require an intense response, etc. In intelligence analysis, energy must be focused on areas that demand our attention rather than being wasted on areas that are irrelevant or out of context based on the information we gathered. We can agree that this is an important intelligence model that we can apply not just to cybersecurity, but also to everything else outside of it in our daily lives.
When in doubt, use the OODA loop.