Using the OODA Loop to Improve Decision Making in the Chaotic and Uncertain Cyberwar Environment

“War will be reborn in another form and in another arena, becoming an instrument of enormous power in the hands of all those who harbor intentions of controlling other countries or regions.”[1]

Data weaponization has become a tactic, in this rebirth, of attackers seeking to establish control of a conflict situation. It may be used in a political conflict, in the economic war we have been participating in for years, or as a complement to traditional physical war tactics, as we have recently witnessed in Ukraine.

Regardless of the situation, time is not on the side of the defender. Any conflict is a series of moves and countermoves in which decisions must be made at a tempo[1] that enables the organization to control the event and force the adversary to respond to its tactics. A strategy model that capitalizes on innovation, maneuverability, and creativity is a must if such a tempo is to be achieved.

The competitor who is able to act faster than the opponent will identify opportunities and make decisions that force the opponent into a constant state of reaction. Today, the cyber adversary you are competing with is frequently more practiced in strategy and tactics than the defender and is setting the tempo.

A perfect decision, which is often the goal of analytical decision-making models, isn’t possible in cybersecurity. The continuous evolution of the threat environment produces multiple variants of the original problem, each requiring a decision on the action necessary to remediate the risk it presents to the critical assets.

Bruce T. Blythe, Chairman of R3 Continuum, once said that decision making in a crisis is “located somewhere between analysis and intuition.” It is, therefore, a combination of science and art. The science is the information available at a given time. The art is judging whether that information is a large enough share of the information required to decide on an action with an acceptable probability of success.

Colonel John Boyd, U.S. Air Force, designed a decision-making model to improve the art and increase the tempo of decision making, in order to improve the probability of success and force the opponent to respond to your actions.

The model, known as the "OODA Loop", has four steps: Observe, Orient, Decide, and Act. Over the years this mental process has been adopted by businesses to help them thrive in a volatile and highly competitive economic environment, and more recently in the asymmetric cyberthreat landscape. It encourages decision-makers to think quickly, anticipate threats, and neutralize them before they become critical.

Observe

The first "O" in OODA is "Observe". Observe means more than just “see”. It is something closer to “actively absorb the entire situation”, both internally and externally. To absorb the entire situation, information channels covering your situation, your opponent’s situation, and all the dimensions of the operating environment (physical, mental, and moral) must be mined for the purpose of gaining an overall awareness of the Condition[2]. The data gathered in this effort encompasses not only numbers on a screen but also the emotional context, industry trends, and the adversary’s moves.

The objective in this step, as a decision maker, is to ingest all the information possible and to use the increased awareness to build as complete an understanding of the vulnerabilities and related risk as possible.

Done properly, the pursuit of this knowledge draws on the mindsets (perspectives) of multiple disciplines (academics, other industries, intellectuals, peers, trusted partners). Observing both the internal and external environments through these differing mindsets allows the character or nature of the abstract, complex operating environment to be determined with greater consistency.

When used properly, the "Observe" step allows an organization to avoid the entropy that results when a closed system is the source of all information considered in the development of a security plan. Entropy, in Boyd’s usage, is a concept that represents the potential for doing work, the capacity for taking action, or the degree of confusion and disorder associated with any physical or information activity. Viewed in the context of the Second Law of Thermodynamics, all observed natural processes generate entropy; as the level of entropy increases, the potential for taking action falls and the degree of confusion and disorder rises.

Entropy, in the sense of a reduced capacity for taking action and increased confusion and disorder, is relevant to cybersecurity defense because organizations remain predominantly mired in a closed system of perimeter-centric defense-in-depth. Steady-state, continuous analysis inside a closed perimeter defense is a weakness of any system that cannot communicate in an ordered fashion with other systems or environments external to itself. In this type of environment we should anticipate an increase in entropy, and therefore an increase in confusion and disorder, whenever there is an attempt to do work or take action, such as matching a concept with the reality of a situation. In general, as the system moves toward a higher, yet unknown, state of confusion and disorder brought about by the continuously increasing complexity of the operating environment, the character or nature of the abstract system cannot be determined with consistency.

If the organization is to counter the rapid changes in both the digital transformation of the business operating environment and the evolving threat environment, it needs a holistic view that includes multiple sources of knowledge. That view enables the organization to remain in a “relaxed” but constantly alert security status with respect to any anomalous activity within the operational environment.

In the "Observe" step, the organization is closely monitoring activity such as:

• Unfolding circumstances

• Outside information such as up-to-date threat intelligence

• The unfolding interaction with the environment of laws and regulations

• Potential new or increased exposure to risk brought to light by the most current risk analysis.

There are two problems frequently encountered in the "Observe" phase:

• The organization observes imperfect or incomplete information. This is common in any environment that involves data; there will always be a limit to the precision with which values can be known. It can cause hesitation during the "Decide" step of the Loop.

• The organization can be inundated with so much information that separating the signal from the noise becomes difficult. In cybersecurity this is an even larger issue because of the shortage of skilled security personnel, and it is widely regarded as a major factor in the volume of successful breaches that continue to occur across all industries.

Perhaps the greatest value in executing the Observe phase of the OODA Loop is the ability to perform “danger management”. Based on observation of the external operating environment and adversary tactics, techniques, and procedures (TTPs), the organization can determine where in its attack surface (data, applications, assets, services) the greatest current danger exists. With this knowledge, it is better prepared to orient the focus of its defensive effort. The prevailing defense-in-depth philosophy often does not achieve such focus and, as a result, falls victim to the organizational situation, “Preparedness everywhere means lack everywhere.”[3] In other words, a strategy of preparing uniformly and reacting, however comforting it may seem to the organization, contains inherent vulnerabilities. The layers of defense-in-depth remain necessary; the point is that they must be prioritized according to where observed adversary activity is concentrated rather than applied evenly.

Orient

The second “O” in OODA Loop stands for Orient, and this step has become known as “the main emphasis phase”. It is the most important step in the learning/strategy model because orientation shapes the way the security team positions its security resources within its operational environment, provides the alternatives to consider in the Decide phase, and consequently determines the way the organization acts.

The goal in this phase is to prove your previous beliefs (perspective[4]) wrong by finding mismatches. The greater your understanding of the mismatches and of the vulnerabilities they create, the sooner you are able to reorient controls to strengthen the organization’s security posture. Orienting can give the security team an edge over the adversary and can help overcome the disadvantage of having fewer resources and less information than the adversary. A more accurate model of the reality of the condition enables better decisions about the actions necessary to mitigate the risk of a breach, and leaves the organization better prepared to respond should an event occur.

The asymmetric operational threat environment of the cyber criminal requires the defender to employ a maneuver warfare strategy supported by the insights of the Orient phase of the OODA Loop. It should be noted that the cybercriminal is also using the Observe stage in this asymmetric environment, gathering information through IoT devices that commonly carry exploitable weaknesses from the day they roll off the manufacturing floor. These devices are often designed and built in nations known to host adversarial, government-linked hacking organizations. From these observations, the cybercriminal orients their attack vector(s) against the devices, applications, services, and data.

The information collected in the Observe step is used in the Orient step to create mental models for consideration. These models are the tactics that support the strategies for achieving the objectives of the Cybersecurity Action Plan, and they shape how everything in the OODA Loop works.

Orientation shapes the character of the current loops, and the current loops shape the character of future orientation efforts. These “stored” mental models[5] can be broken apart and their elements used to create a new mental model for a new situation created by the continuously evolving threat environment. The security team must have at its disposal as many potential mental models in the latticework of its collective mindset as possible. To expand that latticework, examining current models and breaking them down into components that can be used to create new models for consideration in the Decide phase, the process of “Destruction and Creation” must be implemented.

The ability to destroy previous patterns, break them into components, and create new patterns that permit the organization both to shape and to be shaped by the changing environment is critical to surviving on your terms and not the adversary’s.

The Destruction and Creation activity is dialectic in nature[6], generating both disorder in what is being done and order that emerges as a changing and expanding universe of mental concepts is matched to the changing and expanding universe of observed reality. It is a reality that our biases have often failed to accept.

Through dialectic mental operations we must first shatter the rigid conceptual pattern or patterns of the existing mindset. We then gather common qualities, perceptions, ideas, impressions, interactions, and observations together as candidate concepts to represent the situation caused by the condition we are facing. A new concept is forged by applying the mental operations of destructive deduction and creative induction.

Human behavior is the product of a mindset with set patterns developed through education, experience, and the environment in which the individual is currently operating. That mindset is frequently the source of the “We have always done it this way!” response to suggested change. The ability to destroy existing patterns, break them into components, and create new patterns that permit individuals and organizations both to shape and to be shaped by the changing environment is critical to survival on our terms.

To develop a strategy for the current threat event, the strategist must be familiar with numerous disciplines and use them as sources for the knowledge needed to form a winning cybersecurity defense strategy. The disciplines from which to draw knowledge for the creation of mental models are many. For creativity and innovation to occur as a purposeful process that maximizes the benefits gained, the perspectives of the highly creative and innovative people involved in the situation, across multiple disciplines, must be included in the Orient phase. By using information from multiple disciplines, the security team's mindset is broadened and opened by the addition of new mental models that support both the business objectives and the strategies being implemented in the cybersecurity action plan.

The cognitive biases that cause a person to make bad decisions must also be considered. All conflict distills to a battle of wills, and in information security that battle will most often exist between the security team and the business units. The resulting friction can lead to a state of indecision about the operational procedure needed to effect the necessary change in orientation.

Mental models can be general and abstract or specific and concrete, and it behooves an organization to have both types in its inventory. Both are built on a war mindset that supports a strategy framework for high-tempo decision making in any security event. The foundation of that mindset is the understanding that there will be operating-environment events beyond the organization’s control. What can be controlled is the organization’s security position relative to the uncontrolled event. Decisions made to change a security position have the greatest chance of success if the correct mental model is used in executing the chosen strategy. In that context, the ability to identify elements of previous mental models that can be extracted and reused in the model created for responding to a new threat is vital.

Building a robust toolbox of mental models to add to the latticework of the existing mindset helps the security team overcome the “Man with a Hammer” syndrome that is so common in human behavior and, as a result of the long-standing focus on industry regulatory compliance requirements, in cybersecurity efforts.

The ability to destroy previous mental models and subsequently create a new model can be improved through experiments. These experiments can be part of the scenario testing under the “Target Critical Vulnerabilities” principle of the Doctrine of Maneuver Warfare.

An element of the Decentralized Decision-Making principle in the Doctrine of Maneuver Warfare is keeping a journal of decisions made, in order to improve future decisions and correct errors in judgment. Keeping a similar journal of the experiments in destruction and creation of mental models can improve the Orient process and, potentially, the decision-making process. As the security team reviews the results of those experiments to suss out new mental concepts, one product of the effort will be greater effectiveness and efficiency at orienting.

The Orient process is never ending. The continuously evolving threat environment demands that an organization’s orientation to that evolution be continuous. The same destruction of the most recent concept will occur in the next instance of the loop; the process of structure, unstructure, restructure, unstructure, restructure is an endless cycle of repetition.

This deductive/inductive activity of the Orient phase is a dialectic engine that permits the construction of decision models, to be used by individuals and organizations in determining and monitoring actions, in order to improve their capacity for individual and organizational action.

Orientation provides the opportunity to create new techniques, tactics, processes, and procedures on which to decide and act. One of the most important tasks of command is “to effect timely and proper change of tactics according to the conditions of the unit and the terrain, both on the enemy’s side and your own.”[7]

Setting a goal, during the time when there is no active threat, of atomizing existing models and fashioning new ones substantially improves an organization’s state of preparation for when a real threat event occurs. By testing and validating mental models before it becomes necessary to use them, a security team improves its ability to quickly orient and act.

The product of the Observe and Orient steps is situational awareness. Together, these processes create situational awareness of the cybersecurity implications for the current strategy and identify the adjustments to that strategy to be evaluated in the Decide phase.

Decide

Decide is the third process of the OODA Loop. During the Observe and Orient processes we have created several mental models that may be used to mitigate the risk(s) in our current situation, relative to the condition being presented by the adversary.

This phase may require a series of meetings or discussions to adjust the strategy and roadmap to a new orientation. The security team may need to explain the reasoning behind the reorientation before a decision can be reached.

The OODA Loop encourages decision-makers to think quickly and at a tempo that enables them to anticipate threats and neutralize them before they become critical. The business environment can be described as volatile, uncertain, complex, and ambiguous (VUCA), and making good decisions and taking the right actions is essential to surviving and thriving in it. Success in cyberwarfare depends on the ability to make fast decisions under chaotic conditions that elicit human responses such as denial, primal reactions (anger, fear), tunnel vision, and decision fatigue. These responses slow decision-making and increase the perceived need for more information: more data, more statistics, more inputs, more figures. Delaying a decision so that it can be made with more than roughly eighty percent of the available information is hesitation, and it normally results in the adversary seizing the tempo of the event.

Because we often have imperfect information about our environment, a perfect match between the situation and a mental model is unlikely. Consequently, any decision on the action to take is a hypothesis. In the final process of the current loop, we test the mental model chosen in the Decide process.

The best decision-makers are confident in the choice made but remain flexible and adaptive, changing course on the basis of new mental models developed through additional knowledge, the experience gained from executing the previous action, and the evolution of the environment that the previous action caused.

Mental models can also be tested in wargaming scenarios developed under the “Target Critical Vulnerabilities” principle of the Doctrine of Maneuver Warfare. When the models are tested during the execution of this principle, the model chosen will rest on the additional knowledge gathered in the scenario testing and the practical experience gained from executing the scenario.

Scenarios rehearsed during daily operations, under minimal stress, prepare the security team to execute when the stress of an actual attack is introduced into the decision-making process. In Marine vernacular, “The more you sweat in time of peace, the less you bleed in combat.”

Act

Act is the final process of the OODA Loop. Once a concept has been decided upon, the organization must begin execution. The ability to think and act rapidly, tempo, is the essence of war.

Tempo, while always important, takes on greater importance as the mindset of the cybercriminal continues to evolve: attrition and set-piece battles along a continuous front give way to ‘non-linear’ operations involving high-tempo attacks conducted simultaneously against key tactical, operational, and strategic targets throughout the length, depth, and breadth of the internet battlefield.

Tempo is not frenetic movement. By varying it, in what Boyd referred to as “fast transients”, changing between maneuvers in an abrupt, unexpected, disorienting manner creates confusion on the part of the adversary and lets you get inside the adversary’s loop. Once inside, you are able to create mismatches between the response they expect from you and what you actually do.

This places the adversary in a situation where they feel trapped in an unpredictable environment. You have put them in the very environment of doubt, mistrust, confusion, disorder, and chaos they had hoped to create for you.

Behavior is a learned skill. Preparation, training, and testing to develop the behavior necessary to execute fast transients in the execution of the strategy must therefore be continuous. Experience gained from executing previous loops builds on that learning and improves performance in the effort to increase the tempo of the chosen action.

This process should also be seen as a “test” of the concept selected in the Decide step. Ideally, the organization will have multiple actions/tests running at the same time so that the best model is quickly identified. A natural time for these tests is during exercises under the “Target Critical Vulnerabilities” principle of the Doctrine of Maneuver Warfare.

Through this testing, the best model for the particular situation is discovered. Once the strategist identifies it, they can implement the Doctrine of Maneuver Warfare principle of Focus and exploit the opportunity to the fullest benefit of the organization.

Execution in this manner is what makes the OODA Loop both a decision process and a learning system.

A consideration when choosing a mental model is that the least expected action disorients the adversary, causing them to pause, to wonder, to question. That hesitation compresses the organization’s own time while stretching the adversary’s.

If the organization’s security position is to be agile enough to work inside an adversary’s OODA Loop, the executive committee must share the security leader’s orientation. Such harmony plays an important role in any act executed within the operating environment of the organization.

Pulling in the same direction strategically can be complicated by a tactically motivated business unit such as compliance. This highlights the importance of a dialectic engine (the process of arriving at truth by comparing and contrasting various mental-model solutions) that enables a single overarching focus of effort.

This single overarching focus of effort provides the way to interact with the environment and defines the way to act. It enables all members of the organization to act on their own initiative, generating the rapidity and variety of action and thought necessary to create momentum, while ensuring that everyone is acting in accordance with the intended behavior.

The success or failure of a given decision will depend not only on the quality of the decision itself, but also on the commitment component of mental toughness: the ability to persevere in times of uncertainty and doubt.

Continuous execution of the loop helps the security team read, analyze, and react to evolving threats much more quickly, and act at a tempo exceeding the adversary’s execution of a threat against a vulnerability.

Conclusion

The OODA Loop educates us in how to write our own instructions and trains us to manage, and benefit from, uncertainty. “To be prepared against surprise is to be trained. To be prepared for surprise is to be educated.”[8]

The OODA Loop learning and strategy model is a tool for improving education. The training experience leads to a changed mindset and perspective, and with it the ability to operate more efficiently and effectively in an environment of uncertainty and to execute tactics that more quickly break the adversary’s will to continue the attack.

In almost all aspects of life, and especially in cyber war, success is measured by our ability to identify problems and issues quickly, orient resources accordingly, decide on a course of action, and ultimately execute the decision effectively. A real strategist dislikes words such as “respond” or “anticipate” because they describe passive behaviors. In such a mindset, reaction becomes the goal of strategy: if we don’t see anything, we don’t do anything (the complacency so common in cyber defense plans today).

It is important to maintain a proactive security plan flexible enough to accommodate the latest data collected through each iteration of the OODA Loop. The focus must always be on using initiative and creativity to regain or maintain control.

Employing the OODA Loop is not for the faint of heart. It requires commitment, the courage to stay the course, and acceptance of the reality that “Doing the right thing” often involves personal and organizational risk.

[1] Tempo is relative speed in time

[2] A condition is something beyond the control of the individual, team, or organization

[3] Sun Tzu, The Art of War

[4] “When you change the way you look at things, the things you look at change.”, Max Planck, German quantum theorist and Nobel Prize winner

[5] Mental models are a combination of one or more of cyber framework, security controls (tactics), processes, procedures, and human capital (analysts/employees)

[6] The art of investigating or discussing the truth of opinions

[7] John Rodin, former Head of the Rockefeller Foundation

[8] James Carse, American academic, author of Finite and Infinite Games




[1] (epigraph) Col. Qiao Liang and Col. Wang Xiangsui, Unrestricted Warfare; Echo Point Books & Media, 1999; Preface, page XXI


More articles by Cliff Kittle