Intelligence Analysis 101: The Challenges of Intuitive Reasoning

The Challenges of Abductive Reasoning

In the discipline of Threat Intelligence Analysis, analysts rely on logical reasoning to transform information into actionable intelligence. There are four primary types of reason which guide us during this process: Inductive, Deductive, Analogical, and Abductive (also referred to as Intuitive).

Intuitive reasoning describes the logical thought process that accompanies the insight, intuition, or experience of the analyst conducting the research. It is the most common form of reasoning used by most analysts in the profession of cybersecurity. Although it is valuable for making quick judgments and decisions, it also poses the potential for errors and incorrect assessments.

To shift from intuitive reasoning “on demand” to a higher form of logical reasoning to correct unintended errors in assessments requires discipline and training. When available information does not lead to expected outcomes, and when given evidence does not result in a familiar explanation, analysts must shift their thinking quickly to solve these issues. Consider the following issue listed below.

Available Information:

A tennis racket and a tennis ball cost a total of one dollar and ten cents. The tennis racket costs one dollar more than the tennis ball.

The Challenges of Abductive Reasoning


How much does the tennis ball cost?

Given the provided information, we know intuitively – using intuitive reasoning – the tennis ball costs ten cents. If your answer to this “obvious” question was ten cents:

1. Are you surprised you arrived at the answer so quickly?

2. Are you surprised most people arrived at the same conclusion?

3. Are you surprised to find out your answer – ten cents – is incorrect?

The answer is five cents. How can that be? This is where untrained individuals freeze with a “deer in the headlights” look of confusion, while the trained intelligence analyst shifts immediately into another form of logical reasoning to solve the problem. This is accomplished using the following three steps:

1. Disassociate: step away from the problem. Something went wrong, we don’t know what caused it, and diving in deeper will only compound the confusion.

2. Reorder: identify the variables under consideration and reorder them for further analysis. This is arguably the most important step in the process.

3. Reengage: reassess the intelligence issue, generate a new hypothesis, and test the new explanation for validity. If the reasoning is sound, the root cause of the problem has been determined.

In this case, the root cause of an incorrect answer (ten cents) is overlooking the word “more” in the available information and considering the cost of the tennis racket first. Given the total cost, determining the cost of the ball would lead to the cost of the racket.

If the ball costs five cents, the racket must cost one dollar and five cents. That meets the test of “one dollar more” and a total of “one dollar and ten cents.” Reordering inputs solves the problem.

As cybersecurity professionals, we can witness the challenges of intuitive reasoning in several areas. We face it when interpreting data “on the fly” without fully decomposing the issue at hand. We see it when crafting indicators of compromise (IOCs) without validating edits and modifications. We see it when creating security rules for our network devices without conducting incremental “sanity checks” during the process. The challenges associated with intuitive reasoning surround us.

The next time you are faced with unexpected outcomes and unfamiliar explanations to what should have been a relatively simply simple solution, remember the process: Disassociate, Reorder, and Reengage.

It is an easy shift in logical reasoning that can bring a sense of order into the hectic and chaotic world trained intelligence analysts call “cybersecurity.”

Michael I. Kaplan is the founder and CEO of Phase2 Advantage, and currently manages the Defensive Security initiatives of the company. He is a military veteran and a national advocate for the military affiliate community. After attending the U.S. Army’s Intelligence Center of Excellence at Fort Huachuca in Arizona in 1983, he attended the Defense Language Institute, Airborne School, several specialized Schools at FT. Bragg in North Carolina, and was assigned to the 11th Special Forces Group (AGR).

Michael was recruited in 1989 to Special Projects Group and served as an instructor and operator on a Federal International Fugitive Task Force (his FBI letters of reference can be viewed on his LinkedIn profile). He was responsible for supervising and training 325 agents who were responsible for more than 3,000 UFAP apprehensions in seven years. Michael left government service in 1994 to pursue a career in High-Threat Executive Protection as an instructor and operator, then founded Phase2 Advantage in 2014. His numerous Instructor firearm certifications are listed on the Phase2 Advantage website and LinkedIn.

Feel free to contact Michael at