
In the discipline of Threat Intelligence Analysis, analysts rely on logical reasoning to transform information into actionable intelligence. There are four primary types of reasoning which guide us during this process: Inductive, Deductive, Analogical, and Abductive (also referred to as Intuitive).
Intuitive reasoning describes the logical thought process that accompanies the insight, intuition, or experience of the analyst conducting the research. It is the most common form of reasoning used by most analysts in the profession of cybersecurity. Although it is valuable for making quick judgments and decisions, it also poses the potential for errors and incorrect assessments.
Shifting “on demand” from intuitive reasoning to a higher form of logical reasoning, in order to correct unintended errors in assessments, requires discipline and training. When available information does not lead to expected outcomes, and when given evidence does not result in a familiar explanation, analysts must shift their thinking quickly to solve these issues. Consider the following issue.
Available Information:
A tennis racket and a tennis ball cost a total of one dollar and ten cents. The tennis racket costs one dollar more than the tennis ball.

Question:
How much does the tennis ball cost?
Given the provided information, we know intuitively – using intuitive reasoning – the tennis ball costs ten cents. If your answer to this “obvious” question was ten cents:
1. Are you surprised you arrived at the answer so quickly?
2. Are you surprised most people arrived at the same conclusion?
3. Are you surprised to find out your answer – ten cents – is incorrect?
The answer is five cents. How can that be? This is where untrained individuals freeze with a “deer in the headlights” look of confusion, while the trained intelligence analyst shifts immediately into another form of logical reasoning to solve the problem. This is accomplished using the following three steps:
1. Disassociate: step away from the problem. Something went wrong, we don’t know what caused it, and diving in deeper will only compound the confusion.
2. Reorder: identify the variables under consideration and reorder them for further analysis. This is arguably the most important step in the process.
3. Reengage: reassess the intelligence issue, generate a new hypothesis, and test the new explanation for validity. If the reasoning is sound, the root cause of the problem has been determined.
In this case, the root cause of the incorrect answer (ten cents) is overlooking the word “more” in the available information and considering the cost of the tennis racket first. Given the total cost, determining the cost of the ball first leads to the cost of the racket.
If the ball costs five cents, the racket must cost one dollar and five cents. That meets the test of “one dollar more” and a total of “one dollar and ten cents.” Reordering inputs solves the problem.
As cybersecurity professionals, we can witness the challenges of intuitive reasoning in several areas. We face it when interpreting data “on the fly” without fully decomposing the issue at hand. We see it when crafting indicators of compromise (IOCs) without validating edits and modifications. We see it when creating security rules for our network devices without conducting incremental “sanity checks” during the process. The challenges associated with intuitive reasoning surround us.
The next time you are faced with unexpected outcomes and unfamiliar explanations for what should have been a relatively simple solution, remember the process: Disassociate, Reorder, and Reengage.
It is an easy shift in logical reasoning that can bring a sense of order into the hectic and chaotic world trained intelligence analysts call “cybersecurity.”