Analysis of Competing Hypotheses (ACH) in CTI
Analysis of Competing Hypotheses (ACH) is, as its name indicates, used to determine the most likely hypothesis among several. It’s a structured analytic technique developed by Richards (Dick) J. Heuer, Jr. at the CIA, and commonly used in cyber threat intelligence.
ACH is useful for comparing multiple hypotheses simultaneously to choose the best one. It can be used by a single analyst, but it works best when used by several collaborating analysts.
Analysis of Competing Hypotheses Process
- Identify hypotheses to consider.
- Make a list of evidence for and against each hypothesis.
- Create a matrix to evaluate whether each piece of evidence supports or refutes each hypothesis (or is not applicable).
- Conduct initial analysis to refine the matrix. Add new hypotheses as needed.
- Draw initial conclusions about the likelihood of each hypothesis, focusing on disproving hypotheses.
- Analyze how much of your conclusion depends on a few pieces of evidence.
- Assuming the conclusion is true, ask what evidence is expected but not present. Consider whether denial or deception is taking place.
- Establish the relative likelihood of all the hypotheses, and report all conclusions.
- Identify situations in which analysis would need to be reevaluated.
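The matrix, the disproof-focused ranking and the dependence check from the process above, as an added example that is not part of the original page. The hypotheses, evidence, ratings and function names are constructed for illustration, and ranking by a plain count of inconsistent evidence is an assumed scoring scheme.

```python
# Constructed sample data: hypothesis and evidence labels are illustrative only.
HYPOTHESES = ["H1 financially motivated crew", "H2 state-sponsored group", "H3 insider"]
# One row per piece of evidence, one rating per hypothesis, in HYPOTHESES order:
# "C" = consistent, "I" = inconsistent, "N" = not applicable.
MATRIX = {
    "E1 ransom note left on file servers":       ["C", "I", "C"],
    "E2 initial access via phished VPN account": ["C", "C", "I"],
    "E3 single vendor report names a known APT": ["I", "C", "I"],
    "E4 activity during local business hours":   ["C", "C", "C"],
    "E5 data staged but never exfiltrated":      ["N", "I", "N"],
}

def inconsistency_scores(matrix):
    """Count the evidence that refutes each hypothesis (lower is better)."""
    scores = dict.fromkeys(HYPOTHESES, 0)
    for ratings in matrix.values():
        for hyp, rating in zip(HYPOTHESES, ratings):
            scores[hyp] += rating == "I"
    return scores

def rank(matrix):
    """Order hypotheses from least refuted to most refuted."""
    scores = inconsistency_scores(matrix)
    return sorted(HYPOTHESES, key=lambda h: scores[h])

def non_diagnostic(matrix):
    """Evidence rated the same for every hypothesis cannot separate them."""
    return [e for e, r in matrix.items() if len(set(r)) == 1]

def linchpins(matrix):
    """Evidence whose removal changes or ties the leading hypothesis."""
    leader = rank(matrix)[0]
    found = []
    for evidence in matrix:
        rest = {e: r for e, r in matrix.items() if e != evidence}
        scores = inconsistency_scores(rest)
        leaders = [h for h in HYPOTHESES if scores[h] == min(scores.values())]
        if leaders != [leader]:
            found.append(evidence)
    return found

if __name__ == "__main__":
    print("Ranking:", rank(MATRIX))
    print("Non-diagnostic evidence:", non_diagnostic(MATRIX))
    print("Conclusion depends on:", linchpins(MATRIX))
```

With this sample matrix, H1 leads with one inconsistency, but dropping any one of E1, E2 or E5 produces a tie, which is the kind of dependence on a few pieces of evidence the process asks the analyst to surface.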
Analysis of Competing Hypotheses in CTI
ACH was developed for use in traditional (government) intelligence, so it doesn’t perfectly fit the unique needs of CTI. However, it can be effectively used in the Analysis phase of the cyber threat intelligence cycle. ACH is particularly suited to these types of situations:
- Attribution-related: ACH can reveal when attribution rests on the word of a single source, which isn’t ideal.
- Subjective: ACH can bring the clarity of objectivity to subjective situations.
- Complex: ACH can separate evidence, making it easier to analyze complex situations.