Analysis of Competing Hypotheses
ACH Steps
The "Analysis of Competing Hypotheses" (ACH) is a technique used to evaluate multiple possible explanations for an event and determine which one is most likely based on the available evidence.
- Enumerate Hypotheses: List all possible explanations without considering their feasibility. 
- Support Hypotheses: Gather evidence that supports or refutes each hypothesis. 
- Compare Evidence: Use a matrix to compare evidence for each hypothesis. 
- Refine Matrix: Remove non-diagnostic evidence and add any overlooked evidence. 
- Prioritize Hypotheses: Rank hypotheses by their likelihood based on the evidence. 
- Determine Evidentiary Dependence: Assess the confidence in the evidence and its impact if it were invalid. 
- Report Conclusions: Summarize the findings, including all considered hypotheses and key evidence. 
- Qualify Needs: Note that evidence may change over time and how these changes could affect conclusions. 
The WannaCry ransomware incident is used as an example. Four hypotheses were considered:
- H1: Sophisticated financially-motivated cyber criminal actor 
- H2: Unsophisticated financially-motivated cyber criminal actor 
- H3: Nation-state actor conducting a disruptive operation 
- H4: Nation-state actor aiming to discredit the NSA 
After comparing the evidence, H2 (unsophisticated financially-motivated cyber criminal actor) was found to be the strongest hypothesis.
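The matrix steps above (compare, refine, prioritize, determine evidentiary dependence) can be sketched in code. This is an added example, not part of the original page: the hypothesis labels H1 to H4 come from the list above, while the evidence items E1 to E5, their ratings and their credibility weights are constructed for illustration and are not the evidence behind the WannaCry conclusion. Ranking by weighted inconsistency is an assumed scoring method.

```python
# ACH matrix sketch. Hypothesis labels H1..H4 come from the page; the evidence
# items E1..E5, their ratings and credibility weights are constructed.
# Rating per hypothesis, in H1..H4 order: C consistent, I inconsistent, N neutral.
HYPOTHESES = ["H1", "H2", "H3", "H4"]
MATRIX = {
    "E1": ("ICII", 1.0),
    "E2": ("CCCC", 1.0),   # rated the same everywhere: non-diagnostic
    "E3": ("CICN", 0.5),
    "E4": ("CCIC", 1.0),
    "E5": ("NCCI", 0.5),
}

def refine(matrix):
    """Refine Matrix: drop evidence that rates identically for every hypothesis."""
    return {e: (r, w) for e, (r, w) in matrix.items() if len(set(r)) > 1}

def rank(matrix):
    """Prioritize Hypotheses: sum the weight of inconsistent evidence per
    hypothesis; the lowest inconsistency score ranks first (assumed scoring)."""
    scores = {h: 0.0 for h in HYPOTHESES}
    for ratings, weight in matrix.values():
        for h, rating in zip(HYPOTHESES, ratings):
            if rating == "I":
                scores[h] += weight
    return sorted(scores.items(), key=lambda kv: kv[1])

def linchpins(matrix):
    """Determine Evidentiary Dependence: evidence whose removal changes the
    top-ranked hypothesis."""
    top = rank(matrix)[0][0]
    found = []
    for e in matrix:
        rest = {k: v for k, v in matrix.items() if k != e}
        if rank(rest)[0][0] != top:
            found.append(e)
    return found

if __name__ == "__main__":
    m = refine(MATRIX)
    print("diagnostic evidence:", sorted(m))
    for h, score in rank(m):
        print(f"{h}: inconsistency {score}")
    print("conclusion depends on:", linchpins(m))
```

With these constructed ratings the top hypothesis rests on a single evidence item, which is the kind of dependence the report and the "Qualify Needs" step should call out.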