Journey through Enterprise IT Services
In Journey through Enterprise IT Services, Nadhan, HP Distinguished Technologist, explores the IT Services industry, and discusses technology trends in simplified terms.

Inception of OODA loop into the security hacker’s mind

The OODA loop (recurring cycle of observe-orient-decide-act) has become an important concept in both business and military strategy. Individuals and organizations who process this cycle quickly, observing and reacting to unfolding events more rapidly than an opponent, can thereby "get inside" the opponent's decision cycle and gain the advantage. This is not too different from the plot of the movie Inception where a thief commits corporate espionage by infiltrating the subconscious of his targets. Such concepts lead me to conclude that it would be possible to think ahead of the security hackers and be prepared for the next virus so that we have the measures in place even before the virus sees the light of day.


Security Two.png

Or, so I thought until I saw the video interview of Bruce Schneier, renowned security guru and author of several books including LIARS & Outliers. In this interview, Paul Muller, VP Marketing and Chief Evangelist, HP Software poses this very question to Schneier on how we can stay ahead of the next security threat especially given the continued emergence of a wide variety of technological paradigms. New technologies. New opportunities for security violations. New frontiers.


Schneier’s response. I found Schneier's response to be very practical and down-to-earth in nature. Schneier asserts that we really cannot do anything about new security violations with emerging technologies because such risks are inherent. In his words, "Bad guys are going to invent new stuff -- whether we want them to or not. Prevention is not preventing the next thing. It is about preventing the current thing -- or taking a more reactive approach." The focus should be on reducing the reaction time when a new violation breaks out. There is no magic bullet here. No-one is predicting the next virus.


My reaction. I have a slightly different perspective. While I do agree that our immediate focus should be to have the right mechanisms in place to effectively and expeditiously react to current security threats, we should also plan to analyze and project future threats that are likely to happen. When we review new code being generated for security vulnerabilities, we are in a way preventing yet another virus from taking advantage of this vulnerability. Predictive techniques are not a new phenomenon. We should be able to do some pattern analysis on the types of violations we have had to date and determine the probability of the genre of violations that are likely to happen. A canary in the coal mine on steroids of sorts – shall we say – for detecting and disclosing security vulnerabilities.


If OODA loop can be applied in business and military strategy, we should be able to apply such techniques to penetrate the minds of our opponents (security hackers) as well. Kind of like a game of chess.


We need to think differently. For example, I wonder what would happen if we worked with a focus group of movie buffs from your IT department coming out of a screening of movies like the Inception or Minority Report. Have them weigh in on the types of security violations that are likely to happen in the future. If they were a hacker, what are they likely to do next?


Schneier says that that someone invented SPAM and Phishing in our lifetime. Could we have predicted it years before they became real? Perhaps not. But, the person who invented SPAM and Phishing was human as well. Not science fiction. They may not even have been aware of science fiction movies like Inception or Minority Report.


Why not let the good guys think like the bad guys for a change and motivate them to think about the next Big Virus to hit the world of IT? I say that we should go for it. What say you?



Connect with Nadhan on: Twitter, Facebook, Linkedin and Journey Blog.



Nadhan | ‎09-28-2012 02:57 PM

Interested in knowing more about the details of OODA?  Feel free to check out the series of posts on OODA by fellow blogger, Rafael Los.  Great detailed insight from Raf on this subject.


Connect with Nadhan on: Twitter, Facebook, Linkedin 

Showing results for 
Search instead for 
Do you mean 
About the Author

Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.