Using the OODA Loop to Improve Decision Making in the Uncertain Cyberwar Environment: Part 2

This week, we are proud to present part 2 of a two-part thought leadership paper on the OODA Loop and how it may be successfully applied to cybersecurity. Cliff Kittle, a retired Marine Corps Captain who knows a thing or two about war-time decision making, does a great job of simplifying the ideas behind OODA and why each component is important and must work with the others to be effective.

Part 2

Mental Models can be general and abstract or specific and concrete. It behooves an organization to have both types in their inventory. Both types are built on a war mindset that enables a strategy framework for high tempo decision making relative to any security event. The foundation of a war mindset is built with the understanding that there will be operating environment events beyond the organization’s control. What can be controlled is the organization’s security position relative to the uncontrolled event. The decisions made to change a security position have the greatest opportunity for success if the correct mental model is used in the execution of the chosen strategy. In that context, then, the ability to identify elements of previous mental models that can be extracted and implemented in the mental model created for responding to this new threat is vital.

Building a robust toolbox of mental models to add to the current latticework of the existing mindset is valuable in enabling the security team to overcome the “Man with a Hammer” syndrome that is so common in human behavior. Cybersecurity efforts as a result of the long-standing focus on industry regulatory compliance requirements.

The ability to perform the destruction of previous mental models and subsequently create a new model can be improved through experiments. These experiments can be part of the scenario testing of the “Target Critical Vulnerabilities” principle of the Doctrine of Maneuver Warfare.

An element of the principle of Decentralized Decision Making in the Doctrine of Maneuver Warfare is maintaining a journal of decisions made in order to improve future decisions and/or correct errors in judgment. The same behavior of maintaining a journal of experiments related to destruction and creation of mental models can improve the Orient process as well as potentially improve the decision making process. As the security team reviews the results of the experiments to suss out new mental concepts, a product of this effort will be improving the effectiveness and efficiency of orienting.

The Orient process is never ending. The continuously evolving threat environment demands that an organization’s orientation to that evolution be a continuous process. The same destruction of the most recent concept will occur in the next instance of the loop. The process of structure, un-structure, restructure, un-structure, restructure is an endless cycle of repetition.

This deductive/inductive activity of the Orient phase is a dialectic engine that permits the construction of decision models to be used by individuals and organizations in determining and monitoring actions in order to improve their capacity for individual and organizational action.

Orientation provides the opportunity to create new techniques, tactics, processes and procedures to decide on and take action to execute. One of the most important tasks of command is, “to effect timely and proper change of tactics according to the conditions of the unit and the terrain, both on the enemy’s side and your own.”[1]

Setting a goal, during the time when there is no active threat, of atomizing existing models and fashioning new ones substantially improves an organization’s state of preparation for when a real threat event occurs. By testing and validating mental models before it becomes necessary to use them, a security team can improve their ability to quickly orient and act.

The product of the Observe and the Orient step is Situational Awareness. The combination of these processes creates a situational awareness of the cybersecurity implications for the current strategy and identifies adjustments necessary to the strategy for evaluation in the Decide phase.

Decide

Decide is the third process of the OODA Loop. During the Observe and Orient process, we have created several mental models that may be used to mitigate the risk(s) in our current situation relative to the condition being presented by the adversary.

This phase may require a series of meetings or discussions to adjust the strategy and roadmap to a new orientation. The security team may need to explain the reasoning for the reorientation in order to make a decision.

The OODA Loop encourages decision makers to think quickly with a tempo that enables them to anticipate threats and neutralize them before they become critical. The business environment can be described as volatile, uncertain, complex and ambiguous (VUCA). Making good decisions and taking the right actions is the essence of surviving and thriving. Success in cyberwarfare depends on the ability to make fast decisions under chaotic environmental conditions that elicit human emotions such as denial, primal reactions (i.e., anger, fear), tunnel vision and decision fatigue. These emotions can slow decision making and increase the perception of a need for more information, more data, more statistics, more inputs or figures. Delaying any decision so that it can be made with more than eighty percent of the information is hesitation and normally results in the adversary seizing the tempo of the event.

Because we often have imperfect information regarding our environment, a perfect match-up between the situation and a mental model is unlikely. Consequently, any decision made on the action to take is a hypothesis. In the final process in the current Loop, we will test the mental model chosen in the Decide process.

The best decision makers are confident in the choice made but are flexible and adaptive to change based on new mental models developed through additional knowledge, experience gained from executing the previous action and the evolution of the environment as a result of the previous action.

It is worth noting that mental models can be tested in Wargaming scenarios developed in the “Target Critical Vulnerabilities” principle of the Doctrine of Maneuver Warfare. By testing the models during the execution of this principle, the model chosen will be based on additional knowledge gathered in the scenario testing and the practical experience gained through the execution of the scenario.

Scenarios rehearsed during daily operations and minimal stress prepare the security team to execute when the stress of an actual attack is introduced to the decision-making process. In Marine vernacular, “The more you sweat in time of peace, the less you bleed in combat.”

Act

Act is the final process of the OODA Loop. Once a concept has been decided upon, the organization must initiate execution. The ability to think and act rapidly, Tempo is the essence of war.

Tempo, while always important, takes on greater importance as the mindset of the cybercriminal continues to evolve to one whose operations, instead of attrition and the conduct of set pace battles along a continuous front, give way to ‘non-linear’ operations involving high-tempo attacks conducted simultaneously against key tactical, operational and strategic targets throughout the length, depth and breadth of the internet battlefield.

Tempo is not a frenetic movement. By varying it, in what has been referred to as fast transient, the change between maneuvers in an abrupt, unexpected, disorienting manner creates confusion on the part of the adversary and leads to getting inside the adversary’s loop. Once this has been achieved, you are able to create mismatches between what they expect your response to be and what you actually do.

This results in your placing the adversary in a situation where they feel trapped in an unpredictable environment. As a result, you have placed them in the very environment of doubt, mistrust, confusion, disorder and chaos they had hoped to create for you.

Behavior is a learned skill. Therefore, preparation, training and testing to develop the behavior necessary to execute fast transient, in the execution of the strategy, must be continuous. Experience gained from the execution of previous loops builds on the learning of the skill and improves performance in the effort to increase the “tempo” in the execution of the chosen action.

However, this process should also be seen as a test of the concept selected in the Decide step. Ideally, the organization will have multiple actions/tests going at the same time so that the best model is quickly identified. A perfect time for these tests is in the “Target Critical Vulnerabilities” principle of the Doctrine of Maneuver Warfare.

Through this testing exercise, the best model for the particular situation is discovered. When the strategist identifies the best model, they are able to implement the Doctrine of Maneuver Warfare principle of FOCUS and exploit the opportunity to the fullest benefit of the organization.

Execution in this manner is what makes the OODA Loop both a decision process and a learning system.

A consideration when deciding on the right mental model concept is that by taking the least expected action the adversary will be disoriented, causing him/her to pause, to wonder, to question. This hesitation results in the organization compressing its own time and the adversary stretching theirs.

It is incumbent upon the executive committee of the organization to share the orientation of the security leader if their security position is to be agile enough to work inside an adversary’s OODA Loop. Such harmony plays an important role in any Act executed within the operating environment of the organization.

Pulling in the same direction strategically can be complicated by a tactically motivated business unit such as compliance. This highlights the importance of a dialectic engine (i.e., the process of arriving at truth through a process of comparing and contrasting various mental model solutions) that enables a single overarching focus of effort. 

This single overarching focus of effort provides the way to interact with the environment and shapes the way to act is defined. It enables all members of the organization to act on their own initiative, thereby generating the rapidity and variety of action and thought necessary to create momentum and ensure that everyone is acting in accordance with the intended behavior.

The success or failure of a given decision will depend not only on the quality of the decision itself but also on the commitment component of mental toughness to persevere in times of uncertainty and doubt.

The continuous execution of the loop helps the security team to read, analyze and react to evolving threats much quicker and act at a tempo exceeding the adversary’s execution of a threat against a vulnerability.

Conclusion

The OODA Loop educates us on how to write instructions and trains us to learn to manage and benefit from uncertainty. “To be prepared against surprise is to be trained. To be prepared for surprise is to be educated.”[2]

The OODA Loop Learning and Strategy Model is a tool for improving education. The training experience will lead to the development of a changed mindset perspective, leading to an ability to more efficiently and effectively operate in an environment of uncertainty and execute tactics that serve to more quickly break the will of the adversary to continue the attack.

In almost all aspects of life, especially relevant in cyber war, success is measured by our ability to identify problems and issues quickly, orient the resources accordingly, decide on the course of action and ultimately execute the decision effectively. A real strategist doesn’t like words such as “respond” or “anticipate” because these are passive behaviors. In such a mindset, the reaction often becomes the goal of strategy and if we don’t see anything we don’t do anything (i.e., the complacency so common in cyber defense plans today).

It is important to maintain a proactive security plan flexible enough to allow modifications to be made to accommodate the latest available data collected through each iteration of the OODA Loop. The focus must always be on using initiative and creativity to regain or maintain control.

Employing the OODA Loop is not for the faint of heart. It requires commitment, the courage to stay the course and acceptance of the reality that “doing the right thing” often involves personal and organizational risk.

Read more: