Incident Response

The Sometimes Forgotten Foundation for the OODA Loop – the Human

Applying the OODA Loop to Cybersecurity Will Help Accelerate the Process of Translating Threat Data Into Action


The security industry borrows a lot of concepts from the military and applies them to cyber defense. Examples include Sun Tzu’s teachings in The Art of War and the application of ‘situational awareness’ to enhance tactical response. One common reference is to Colonel John Boyd’s OODA loop, which he devised to explain the decision-making cycle that, when mastered, allows us to process information and react faster to outwit adversaries. The acronym stands for Observe, Orient, Decide and Act.

Using the OODA loop, Boyd trained American pilots to make better decisions and act swiftly to defeat an enemy equipped with superior aircraft. As we work to combat relentless and increasingly well-armed adversaries, it’s easy to see why the OODA loop resonates in the cybersecurity industry. We continuously go through the process of gathering threat and event data (Observe), analyzing it (Orient), determining what it means for our organization at that particular moment in time (Decide), and then using it to strengthen defenses (Act). Because we face a dearth of skilled security professionals, the more aspects of this often highly manual process we can automate, the more effective we can be at accelerating decision making and reaction times to thwart attacks. So let’s automate the OODA loop and we’ll be set, right?

Automation vs. Humans

Not so fast. Since Colonel John Boyd was a legendary U.S. Air Force fighter pilot, I thought I’d use another legendary pilot to show why we can’t ignore the human element. Captain Chesley “Sully” Sullenberger became a hero when he made an emergency landing of US Airways Flight 1549 on the Hudson River. All 155 souls survived. How did Sully do this?

If you’ve seen the movie Sully then you remember the cockpit scene. He was in a situation never faced before, responding to unknown stimuli – a huge flock of geese, a bang in both engines, and a rapid loss of power just minutes after takeoff. Automated systems were telling him to pull up. Air traffic control was directing him to various airports. He had to observe, orient, decide and act with precision in a life and death situation. As he looped through the process, instinctively repeating it continuously, it was his intelligence, intuition and experience that told him he wouldn’t make it to any of the airports in time and would likely put even more lives at risk if he tried. Amidst all the unknowns, Sully’s 29 years as a commercial pilot gave him enough familiarity to know how to respond. It was the human element that turned unknown stimuli into known and landed the plane safely… in the river.

Applying the OODA loop to cybersecurity will help us accelerate the process of translating threat data into action. But we can’t turn the entire process over to machines and try to automate everything. There is no OODA loop “system.” The OODA loop is based on the assumption that there is a human behind it bringing human intelligence – intuition, memory, learning and experience – into the process so that we can continuously refine and move faster through the loop to better mitigate risk.

Sure there are some processes that can be automated. Automation is great for aggregating millions of threat-focused data points into a central repository and translating it into a uniform format. It can also help overlay context by correlating external and internal threat data. You can apply automation to help filter out some of the noise and get the right intelligence to the right tools at the right time. It can even help with learning as long as the system can retain and analyze data.

But full automation ignores the key inputs from human intelligence. When it comes to “orient” and “decide,” the human element needs to be involved. After all, who understands your environment better than you to define risk and customize scoring and prioritization? And who has the experience to determine the right action to take in your environment? Automation can accelerate and simplify processes across your threat operations program, but humans are an essential component. Continuous threat assessment, automating what makes sense and keeping humans in the loop to draw on memory and learnings to turn unknown stimuli into known, helps you move through the process faster for better decisions and accelerated action.
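The division of labour described in the two paragraphs above (automate aggregation, normalization, correlation and noise filtering; keep scoring weights and the final decision with an analyst) can be made concrete in a few dozen lines. The following is an added example written for this column, not code from the article, from ThreatQuotient or from any product; the two feeds, the internal sightings, the tag weights and the review threshold are all constructed, hypothetical values chosen to show the flow.

```python
import csv
import io
import json
from dataclasses import dataclass, field

# --- Observe: two constructed feeds in different formats (hypothetical data) ---
FEED_A_CSV = """indicator,type,confidence,tags
203.0.113.7,ip,80,c2;botnet
example-bad.test,domain,40,phishing
198.51.100.9,ip,20,scanner
"""

FEED_B_JSON = json.dumps([
    {"value": "203.0.113.7", "kind": "ipv4", "score": 0.9, "labels": ["c2"]},
    {"value": "malware-drop.test", "kind": "fqdn", "score": 0.7, "labels": ["malware"]},
])

# Constructed internal telemetry: destination -> number of proxy/DNS log hits this week
INTERNAL_SIGHTINGS = {"203.0.113.7": 12, "example-bad.test": 1}

# Map each feed's vocabulary onto one uniform indicator type
TYPE_MAP = {"ip": "ip", "ipv4": "ip", "domain": "domain", "fqdn": "domain"}


@dataclass
class Indicator:
    value: str
    itype: str
    confidence: int                       # 0-100, uniform across feeds
    tags: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    sightings: int = 0                    # internal context added by correlate()
    score: float = 0.0                    # filled in by score()


def normalize(feed_a_csv, feed_b_json):
    """Aggregate both feeds into one repository keyed by indicator value."""
    repo = {}
    for row in csv.DictReader(io.StringIO(feed_a_csv)):
        ind = repo.setdefault(row["indicator"],
                              Indicator(row["indicator"], TYPE_MAP[row["type"]], 0))
        ind.confidence = max(ind.confidence, int(row["confidence"]))
        ind.tags.update(row["tags"].split(";"))
        ind.sources.add("feed_a")
    for item in json.loads(feed_b_json):
        ind = repo.setdefault(item["value"],
                              Indicator(item["value"], TYPE_MAP[item["kind"]], 0))
        ind.confidence = max(ind.confidence, int(item["score"] * 100))  # 0.0-1.0 -> 0-100
        ind.tags.update(item["labels"])
        ind.sources.add("feed_b")
    return repo


def correlate(repo, sightings):
    """Overlay internal context: how often each external indicator was seen in-house."""
    for value, count in sightings.items():
        if value in repo:
            repo[value].sightings = count
    return repo


# Orient: weights chosen by the analyst who knows the environment (hypothetical values)
ANALYST_WEIGHTS = {"c2": 3.0, "malware": 2.0, "phishing": 1.5, "scanner": 0.2}


def score(repo, weights, noise_floor=30):
    """Filter noise (low confidence and never seen internally), then score the rest."""
    kept = {}
    for value, ind in repo.items():
        if ind.confidence < noise_floor and ind.sightings == 0:
            continue
        tag_weight = max((weights.get(t, 1.0) for t in ind.tags), default=1.0)
        # More sightings and more independent sources push an indicator up the queue
        ind.score = round(ind.confidence / 100 * tag_weight
                          * (1 + ind.sightings) * len(ind.sources), 2)
        kept[value] = ind
    return kept


def review_queue(kept, threshold=2.0):
    """Decide stays with the human: return candidates ordered for analyst review."""
    return sorted((i for i in kept.values() if i.score >= threshold),
                  key=lambda i: -i.score)


if __name__ == "__main__":
    repo = score(correlate(normalize(FEED_A_CSV, FEED_B_JSON), INTERNAL_SIGHTINGS),
                 ANALYST_WEIGHTS)
    for ind in review_queue(repo):
        print(f"{ind.value:20} {ind.itype:7} score={ind.score:6} "
              f"sightings={ind.sightings} sources={sorted(ind.sources)}")
```

Nothing in the pipeline blocks or quarantines anything: the automated stages end by producing a ranked queue, and the analyst who set the weights also owns the "act" step. The noise floor keeps a low-confidence scanner entry that nobody in the environment has touched from consuming analyst time, while a low-confidence domain that was actually contacted internally is retained, which is the kind of environment-specific judgement the column argues should stay configurable by a person.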

When machines were telling Sully to pull up and try to reach an airport, the results would have been disastrous had he simply listened. Instead, informed by the data he was receiving from the systems around him, and guided by instinct, intelligence and experience he was able to make the right series of decisions at the time. If that’s not evidence enough that there is no OODA loop “system” I don’t know what is. Humans are at the heart of the OODA loop and what makes it work.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
