Structured Decision – Making In IT Security

By Kim Khor.

IT security requires refined decision-making skills and decision-making is a dynamic and potentially-complex activity.

Generally, we need to make efficient decisions. This means that we must balance our priorities quickly. We can’t afford to think about things forever.

Systemising decision-making allows us to standardise and improve performance. Removing the clumsiness of unsophisticated decision techniques leaves us free to concentrate on the increasing quality and consistency of our decisions. The clumsiness can include over-analysis, thoughtless rushing, fear, anger, checklist-blindness and indecision over competing priorities (one cannot serve two masters).

Some people have good, gut-instinct decision skills and will understandably find this discussion boring and unnecessary. However, they may have trouble if their gut instinct fails to kick in with an answer, or the coroner asks them to explain a decision.

There are three scenarios where decision systemisation provides value:

  1. Making decisions with appropriate speed, consistency and effectiveness.
  2. Regaining balance and alignment when decision-making goes out-of-tune.
  3. Reviewing and substantiating decisions.

Decision systemisation in IT security is a lot like athletic preparation or artistic rigour:

  1. We must practise the elemental, dynamic skills involved. Making dynamic activities conscious and sequenced allows us to improve and refine them. Then they can be set back to automatic.
  2. We must gain and retain match practice. This is a heightened state of awareness and muscle-memory when performing the activity.
  3. We need methods for steady improvement and performance review.

The method used by the writer is called ‘Decision Sequencing’. This provides a framework within which to practise and sharpen, to the point that the skills become subconscious, muscle memory. The process can be used in broad strokes or in fine detail, depending on your need.

The Decision Process

Generally, a decision process comprises three stages:

  1. Reasoning (logic)
  2. Judgement (probability) and
  3. Final decision (utility)

Reasoning identifies, and assigns relevance to, elements of the decision.

Judgement assesses probabilities and estimates outcomes, efforts, obstacles and so on. Here, we might run hypothetical scenarios to perform mental experiments.

The final decision is weighing up the information obtained from the previous stages and making a selection, not necessarily knowing it to be right or wrong, but simply as a step in the overall constructive process.


We must first identify relevant priorities and decision criteria in our mind. For example:

  • The doctrine of my profession (such as, do no harm)
  • The mission of my organisation or team (achieve this outcome)
  • The welfare of my teammates/subordinates/stakeholders (do they suffer harm? Has their position improved?)
  • Our preparedness for the next likely few steps after this (like a footballer making a good pass)
  • An appropriate budget for solving this problem.

The Decision Sequencing Compass. Use this image as a guide for shifting your perspective as you move through the problem at hand. Look left/right, and then look up/down. Just briefly, then move on. Repeat as necessary.

Secondly, assess the available options and rough out some descriptive numbers or proportions that are meaningful to you. For example:

  • My appointment is in 20 minutes.
  • If I continue this way, I should be there in 10 minutes.
  • There’s a railway crossing on the way. I could be stopped there for 10 minutes.
  • There’s another route with no crossing but that’s 20km long.
  • I will either be late, or I won’t be. There’s no grey area.
  • If I know 10 minutes prior, that I’m going to be late, I can manage that situation for an acceptable outcome.

If you don’t know something important, just note it, insert a tentative answer and move on.

Thirdly, consider change. There are many ways to effect change. When configuring performance improvements, we do them gradually, one at a time. Otherwise, we can’t keep track of what changes when. On the other hand, if we change a password, we change abruptly. What style of change is appropriate for the current situation?


Before assessing things, we must first get organised. We need to arrange the decision information we’ve collected into a useable configuration. Consider the minutes of a meeting. They provide context and familiarity with brief and efficient information. They provide a digestible snapshot and prepare us well for a subsequent meeting. Similarly, we need a method of arranging our decision information in our minds.

The military of last century provides the customisable five paragraph order (also known in other forms as SMEACS, or similar). This gives relevant and structured information to efficiently describe a task or problem. I use this framework because it is so versatile when used for problems large or small, simple or complex.

The concise and efficient arrangement of decision information facilitates rapid and accurate sequencing of the decision process is the essence of this system.

Assessing Options

The basic maths of proportions and probabilities allow us to scope outcomes and flow-on effects and their costs. More modern systems, such as Bayesian probability, provide alternative perspectives. For example, how does knowing about one outcome alter our consideration of an alternative outcome? (Coincidentally, this is also a classic question seeking to expose error-causing psychological bias.)

Sufficient familiarity with the concepts can be gained without studying the details – start with Wikipedia. Ignore the equations and just read the executive summaries. You’ll find that a lot of this maths just describes how gut instinct might work.

Developing the ability to perceive proportions gives most of the value anyway. We want awareness of relative sizes, rates and probabilities, and the perspective from which we judge those. Look for a way to see proportions that is comfortable for you.

For example, what does a 10% versus 60% likelihood really mean? In what situations can I afford to ignore the 10% probability?

  • When it won’t be hard to fix?
  • When it won’t be my problem?
  • When the cost of simply suffering the adversity can be absorbed without too much pain?

Considering questions like these provides a refinement in our knowledge that will allow us to more confidently make reflex decisions.

The Decision-Sequencing Technique

  1. Note the decision inputs (e.g. there are these streets, these obstacles, and these forces in effect…)
  2. Note the possible choices and outcomes
  3. Note your criteria — priorities, principles, doctrine, the law, etc.
  • For each potential final choice, assess the possible outcomes against your criteria and exclude any unacceptable options
  • Score the remaining few options, combining both likelihood of success and criteria compliance
  • Highest score option wins.

The structure may be varied to match the problem at hand as long as the spirit remains. We can pause, rewind and repeat as necessary.

As your structure becomes refined, and as practice turns into muscle-memory, you will find the process increasingly easy, tending to leisurely. Don’t be put off by the apparent complexity. Just do one bit at a time. You already do this kind of thinking when you make gut-feeling decisions. That’s why they’re often so good.


Gradually practise making decisions more quickly. It’s possible to make a fully-featured decision in less than half a second. This is like encountering an unexpected punch or a car crash.

We probably don’t need sub-second responsiveness, but everyone can be a little better and it’s interesting to see how many decisions are procrastinated out-of-existence, never to be actually made. This kind of awareness is just as valuable as the increase in speed we get from the practice.

Practice Makes Perfect

It’s just a matter of finding efficient ways to practise. Like the way many of us learned the phonetic alphabet by reading out car licence plates. Such methods cost no extra time and provide great results, quickly.

Practise assessing decisions in common activities, such as your morning routine. What should I do first? Why? What could be the benefit of changing this habit?

You will be surprised at how many decisions are based on skewed subconscious programmes, and you will have a lot of laughs getting to know yourself in this way.  n


Kim Khor is a computer forensics expert. Kim consults on network security, incident response, risk & compliance, investigations and electronic evidence management in the Asia Pacific region and can be contacted at