Analytical Methodology (Live Stream Companion)

This short, resource-filled blog post is a companion to a SANS Institute live stream from 2 June 2021.

About the speakers:


Whether you are an analyst in a Security Operations Center (SOC) or an Open Source Intelligence (OSINT) investigator, your ability to logically and objectively analyze can make your final output invaluable to your stakeholders or, if done poorly, just another report that may never get read. Join SANS Senior Instructors Chris Crowley and Micah Hoffman as they help you understand sound data analysis and apply it in your daily activities.

Resources and Talking Points

Inductive versus Deductive Reasoning

Deductive versus Inductive Reasoning (Image from SANS SEC487 OSINT Class

Deductive reasoning is used more in scientific situations and has the following steps From:

  1. Ask a question
  2. Perform research
  3. Establish a hypothesis
  4. Test the hypothesis by conducting an experiment
  5. Make an observation
  6. Analyze the results and draw a conclusion
  7. Present the findings

Most OSINT investigations use inductive reasoning as the investigator moves through the steps of:

  1. Acquiring data
  2. Examining for patterns
  3. Creating tentative hypotheses based on identified patterns
  4. Creating a theory from the hypotheses

Morphological Analysis


“As a problem-structuring and problem-solving technique, morphological analysis was designed for multi-dimensional, non-quantifiable problems where causal modeling and simulation do not function well or at all. Zwicky developed this approach to address seemingly non-reducible complexity. Using the technique of cross consistency assessment (CCA) (Ritchey, 1998), the system however does allow for reduction, not by reducing the number of variables involved, but by reducing the number of possible solutions through the elimination of the illogical solution combinations in a grid box.”

Logical Fallacy and Biases

Unsound thinking based upon illogical processing and analysis of data.

Professor Geert Hofstede’s Cultural Dimensions

Hofstede Organizational Cultural Dimensions (Image from

Richards Heuer’s Works

Analysis of Competing Hypotheses

  • Works to refute/disprove hypotheses instead of confirming them
  • Brainstorm alternative hypotheses or explanations for the data

The ACH example below is for an incident that may have occurred within a SOC.

ACH example highlight individual analyst contribution (Image from )  
Sensitivity Analysis (Image from

Comments are closed.

Up ↑

%d bloggers like this: