Analysis of Competing Hypotheses

ACH Steps

"Analysis of Competing Hypotheses" (ACH) is a technique for evaluating multiple possible explanations for an event and determining which one is most likely based on the available evidence.

  1. Enumerate Hypotheses: List all possible explanations without considering their feasibility.

  2. Support Hypotheses: Gather evidence that supports or refutes each hypothesis.

  3. Compare Evidence: Use a matrix to compare evidence for each hypothesis.

  4. Refine Matrix: Remove non-diagnostic evidence and add any overlooked evidence.

  5. Prioritize Hypotheses: Rank hypotheses by their likelihood based on the evidence.

  6. Determine Evidentiary Dependence: Assess the confidence in the evidence and its impact if it were invalid.

  7. Report Conclusions: Summarize the findings, including all considered hypotheses and key evidence.

  8. Qualify Needs: Note that evidence may change over time and how these changes could affect conclusions.

The WannaCry ransomware incident is used as an example. Four hypotheses were considered:

  • H1: Sophisticated financially-motivated cyber criminal actor

  • H2: Unsophisticated financially-motivated cyber criminal actor

  • H3: Nation-state actor conducting a disruptive operation

  • H4: Nation-state actor aiming to discredit the NSA

After comparing the evidence, H2 (unsophisticated financially-motivated cyber criminal actor) was found to be the strongest hypothesis.
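
An added example (not part of the original page) that carries steps 3 to 6 through a small matrix in Python for the four hypotheses above. The evidence items E1 to E5, their ratings and their weights are constructed placeholders, not the evidence behind the WannaCry assessment, and ranking by weighted inconsistency is an assumed scoring convention.

```python
# Constructed ACH matrix: evidence labels, ratings and weights are placeholders,
# not the page's actual WannaCry evidence.
HYPOTHESES = ["H1", "H2", "H3", "H4"]
# Ratings: "C" consistent, "I" inconsistent, "N" neutral.
# weight = analyst confidence in the evidence item (assumed scale 0..1).
MATRIX = {
    "E1": {"weight": 1.0,  "ratings": {"H1": "I", "H2": "C", "H3": "C", "H4": "I"}},
    "E2": {"weight": 0.75, "ratings": {"H1": "N", "H2": "C", "H3": "I", "H4": "N"}},
    "E3": {"weight": 1.0,  "ratings": {"H1": "C", "H2": "C", "H3": "C", "H4": "C"}},
    "E4": {"weight": 0.75, "ratings": {"H1": "N", "H2": "C", "H3": "I", "H4": "I"}},
    "E5": {"weight": 0.5,  "ratings": {"H1": "C", "H2": "I", "H3": "N", "H4": "I"}},
}

def refine(matrix):
    """Step 4: drop non-diagnostic evidence (same rating for every hypothesis)."""
    return {e: row for e, row in matrix.items()
            if len(set(row["ratings"].values())) > 1}

def inconsistency_scores(matrix):
    """Step 3: sum the weights of the evidence inconsistent with each hypothesis."""
    scores = {h: 0.0 for h in HYPOTHESES}
    for row in matrix.values():
        for h, rating in row["ratings"].items():
            if rating == "I":
                scores[h] += row["weight"]
    return scores

def rank(matrix):
    """Step 5: least-inconsistent hypothesis first (ties broken by name)."""
    scores = inconsistency_scores(matrix)
    return sorted(HYPOTHESES, key=lambda h: (scores[h], h))

def linchpins(matrix):
    """Step 6: evidence whose removal changes the top-ranked hypothesis."""
    top = rank(matrix)[0]
    found = []
    for e in matrix:
        without = {k: v for k, v in matrix.items() if k != e}
        if rank(without)[0] != top:
            found.append(e)
    return found

if __name__ == "__main__":
    refined = refine(MATRIX)
    print("scores:", inconsistency_scores(refined))
    print("ranking:", rank(refined))
    print("conclusion depends on:", linchpins(refined))
```

With these placeholder ratings the conclusion rests on a single evidence item, which is the kind of dependence steps 6 and 8 ask the analyst to report.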
