
OODA Loop – The Philosophers’ Code: Enhancing Cybersecurity Strategy with Timeless Wisdom


It might seem surprising at first, but the teachings of ancient philosophers can provide actionable insights in the rapidly evolving field of cybersecurity. It is really amazing how the wisdom of history’s great thinkers, including the ancients, offers perspectives that are profoundly relevant to today’s digital security challenges.

Below, you’ll find a list of philosophers whose ideas I’ve found particularly applicable to cybersecurity. I will delve into the context of their teachings and wrap up with practical recommendations to enhance your cybersecurity strategy.

Name: Heraclitus
Dates: c. 535 – c. 475 BCE
Bio: Heraclitus was an ancient Greek philosopher known for his doctrine that change is central to the universe.
Key Teachings/Conclusions: Heraclitus believed in the constant flow and change of life, emphasizing that reality is defined by a state of perpetual becoming. Everything is a ceaseless flux, he said. He is credited with other famous sayings including “You cannot step into the same river twice” and “Nature loves to hide her secrets.” Not bad for such an early philosopher. His approach informed the work of Ludwig von Mises who based his economic theories on this observation of constant change.
Relevance to Cybersecurity today: Heraclitus’s emphasis on perpetual change and ceaseless flux is a crucial mindset for cybersecurity professionals, who must constantly adapt to changes in their own IT, changes in adversary methods, new vulnerabilities and changing attack vectors. The observation that none of us can step into the same river twice underscores that actions we took before might not lead to the same results when taken the next time, which leads to a need to stay agile in all things related to cybersecurity.

 

Name: Plato
Dates: c. 428 – c. 348 BCE
Bio: Plato might be the most recognizable of the philosophers on this list. He is still taught in schools and is pretty much a part of our collective consciousness at this point due to his role as a foundational figure in Western philosophy.
Key Teachings/Conclusions: In “The Republic” Plato explored justice, individual rights, and the role of the state, and deals with the question of how to ensure that the rulers or guardians of the state remain virtuous and do not abuse their power (“Who guards the guardians?”). Plato also asked us “Have you questioned the nature of your reality?” Plato was a great philosopher on his own, but was also a student of Socrates. Plato’s “Apology” recounts Socrates as saying he is only wise because he recognizes his own ignorance.
Relevance to Cybersecurity today: Plato’s question of who guards the guardians has been relevant to cybersecurity since the beginning of the digital age. In the context of government, how do we ensure government agencies seeking to help in the cyber domain both enforce the law and protect privacy? In terms of IT management and system administration, how do we ensure the professionals with the keys to the kingdom do not become tempted to do bad things? In cybersecurity, insider threats are among the greatest. The cyber defenders I trust the most are the ones who are very aware of their own limitations. Every experienced professional has been surprised by crafty adversaries, and every one has had to defend complex systems that no single human can comprehend. We all have to be aware of our own ignorance.

 

Name: Ludwig Wittgenstein
Dates: 1889 – 1951
Bio: Ludwig Wittgenstein was an Austrian-British philosopher who worked primarily in logic, the philosophy of mathematics, the philosophy of mind, and the philosophy of language.
Key Teachings/Conclusions: His first major work, the “Tractatus Logico-Philosophicus,” argues that the limits of language mean the limits of thought. He uses a compelling logic to lead the thoughtful to understand that most philosophy is not really anchored in reality. Most philosophy is based on continuing assumptions and propositions, and even if these help people believe they see the world better, they really do not. So most philosophy, according to this philosopher, is pointless. He concludes that philosophers and any other thinkers should not speak about what they do not know, and since they know nothing, most of them should shut up and stop bullshitting. This last point reflects back on Plato and Socrates: we should all recognize we have very little wisdom here.
Relevance to Cybersecurity today: Wittgenstein’s ideas about the limits of language and thought highlight the challenges of defining and defending against cyber threats within the confines of existing knowledge and linguistic constructs. His examination of gaps in communication calls out for solutions like the MITRE ATT&CK framework. Perhaps more importantly, he makes it clear that fools who claim they are wise by building upon previous assumptions should really not inject themselves into decisions.

 

Name: Ludwig von Mises
Dates: 1881 – 1973
Bio: Ludwig von Mises was an Austrian School economist known for his work on real human behaviors. He studied what makes people make decisions and worked on a theory of human action that emphasizes the role of choice and preference.
Key Teachings/Conclusions: Mises argued that the real economy is the one driven by individual choices and actions, where subjective values and aims drive decisions. Like Heraclitus he taught that our decisions take place in dynamic environments and we must take that into account. Mises also discussed the limitations of central planning and the importance of distributed decisions. Mises’ arguments that decision-making must be done in environments where things change quickly mean that decision-makers must be used to making decisions based on subjective values with info available at the time.
Relevance to Cybersecurity today: His emphasis on individual decision-making highlights the importance of user behavior in cybersecurity, stressing the need for security frameworks that account for human factors. Consider the training you provide your users. Is it based on the realities of human nature? Or is it something that will be ignored and unhelpful? Are your users part of your line of defense? What role do you want for them in your security decision-making?

 

Name: Karl Popper
Dates: 1902 – 1994
Bio: Sir Karl Popper was an Austrian-British philosopher of science known for his rejection of scientific methods that simply draw conclusions from experiments. He built strong cases for a new method called empirical falsification.
Key Teachings/Conclusions: Popper was not afraid to discard previous philosophic work if it was built on assumptions or specious reasoning. He preferred to observe and to talk about reality. He researched many well-known scientists and their experiments, including Newton, Schrödinger, Bohr, Dirac, Boltzmann, Planck and Einstein. And he reviewed the works of philosophers and people who claimed to bring knowledge but really did not, like Freud and Marx. Popper argued that for a theory to be considered scientific, it must be testable and refutable. This idea of empirical falsification is a significant departure from the traditional view that science progresses by accumulating verifications of hypotheses. In short, he believes things can never be proven true; they can only be proven false.
Relevance to Cybersecurity today: In cybersecurity, no system can be proven to be secure; it can only be proven to be insecure. This philosophy underpins the importance of constantly testing systems against potential breaches, not assuming they are secure until proven otherwise. Also consider this philosophy when contemplating high-end concerns like quantum computing and the need for post-quantum encryption. NIST has provided several algorithms thought by the community to be resistant to attack by quantum computers. All we can really say, however, is that they are thought to be resistant. They can never be proven to be secure.

 

Name: Kurt Gödel
Dates: 1906 – 1978
Bio: Kurt Gödel was an Austro-Hungarian-born logician and mathematician, most noted for his incompleteness theorems.
Key Teachings/Conclusions: Gödel’s incompleteness theorems reveal fundamental limitations within formal systems, showing that some mathematical truths cannot be proven using mathematical methods alone. These theorems establish that mathematics, as a discipline, is inherently incomplete and that there are inherent boundaries to what can be definitively known through formal proofs.
Relevance to Cybersecurity today: Gödel’s work on formal systems underscores the inherent limitations of any cybersecurity system, suggesting that complete security is an ideal rather than a practical reality. There will always be vulnerabilities in systems. There is no way a system can be known to be completely secure. Additionally, there are limits on what can be known of an adversary based only on what you see of them from network traffic or internal systems logs. It will be far too incomplete.

 

Name: John Boyd
Dates: 1927 – 1997
Bio: John Boyd was a United States Air Force fighter pilot and military strategist, whose theories transformed modern warfare and are widely influential in multiple domains.
Key Teachings/Conclusions: Early in his career Boyd distinguished himself as a great pilot. He was also a great engineer and developed models of aircraft maneuverability and power that would revolutionize fighter design. He published very little, but what he wrote was incredibly influential. His 1976 paper “Destruction and Creation” draws on the work of Gödel to make it clear any logical model of reality is going to be incomplete and must be refined based on new observations. Like Heraclitus and Mises he describes the decision-making environment as continuously changing. He uses Heisenberg’s uncertainty principle and the second law of thermodynamics to underscore the nature of the reality we operate in and provides a strong underpinning to the nature of optimal decisions in competitive environments where our objective is to survive on our own terms. He would later build on the concepts in “Destruction and Creation” to build an evolving briefing called “Patterns of Conflict,” which by the early 1990s had expressed the concept of the OODA Loop (Observe, Orient, Decide, Act). This is a model designed to improve reaction times and decision-making in combat scenarios that has been applied to many competitive environments.
Relevance to Cybersecurity today: The OODA Loop is applicable to any competitive environment, including cybersecurity, where multiple actors compete to achieve their objectives. Think of the simple example of an adversary who gains unauthorized access into a network. They will not just come in and have a checklist. They will observe, assess what is going on, make their next decisions and act, and will do so rapidly. The good defenders recognize this and will seek to out-OODA them. The OODA Loop approach applies to far more than incident response. It also applies to strategic level cyber conflict.

 

Name: James Carse
Dates: 1932 – 2020
Bio: James P. Carse was an American author and professor emeritus of history and literature of religion at New York University. As a philosopher, Carse is best known for his work that explained an interesting aspect of game theory and its impact on conflict and human behavior.
Key Teachings/Conclusions: One of his most influential works, “Finite and Infinite Games,” distinguishes between two types of games: finite games, which are played with the purpose of winning, and infinite games, which are played with the purpose of continuing the play. This framework explores how these concepts apply across various aspects of human life, including ethics, politics, personal relationships, business and war.
Relevance to Cybersecurity today: In the realm of cybersecurity, Carse’s distinction between finite and infinite games is particularly relevant. Security professionals must understand that they are engaged in an infinite game, where the goal is not to “win” in a traditional sense but to perpetuate security and adapt continuously. This mindset is crucial in developing strategies that anticipate and mitigate evolving cyber threats and vulnerabilities, emphasizing resilience and ongoing adaptation over achieving a singular, definitive victory.

Concluding Comments

The age-old discipline of philosophy is not just about highbrow contemplation. When philosophers focus on reality they can help inform action. The overview above leads to recommendations for your cybersecurity policy:

  • Embrace the Constant Flux: Acknowledge that the nature of cyberspace is ever-evolving. Expect continued change in technologies, adversaries, tactics, system vulnerabilities, and architectures. Design your cybersecurity strategies with agility and implement continuous automated monitoring. And prepare for incident response.
  • Adopt Adaptive Decision-Making Models: Utilize frameworks like the OODA Loop to improve your personal decision-making and to enhance teamwork and responsiveness. This will help you adapt and excel in this competitive realm.
  • Redefine Winning: Understand that in cybersecurity, victories are temporary. Adversaries persistently adapt and evolve, making cybersecurity an infinite game where the goal is sustained security rather than definitive wins.
  • Commit to Continuous Learning: Cybersecurity is complex and ever-changing, so recognize the limits of your knowledge and continually strive to expand your understanding. Implement that approach for your extended team as well.
  • Evaluate Trust Carefully: Be skeptical of those who claim complete knowledge or those vendors who assert they have the perfect solution. Always question assumptions and verify facts.
  • Acknowledge System Vulnerabilities: Accept that no system can be definitively secured. Focus on reducing your attack surface through robust patching programs, bug bounties, and external testing to mitigate potential vulnerabilities. Consider the high probability of vulnerabilities in your partners and suppliers as well.
  • Learn from Experts: Cybersecurity combines technical expertise with creative problem-solving. Engage with seasoned professionals to learn the engineering aspects that can be mastered and apply creative strategies to enhance your cybersecurity practices.
  • Recognize the Human Element: Cybersecurity involves everyone, not just the IT department. Train every leader and user within your organization on their specific roles in maintaining security. Effective communication and decision-making skills are crucial for those in cybersecurity roles.

Have you encountered other philosophers that have captured human nature so well that they belong on this list? Reach out if so; I would love to get your comments.
