Debug like a doctor by Connor Mendenhall.
The crux of Connor’s post, which he then explains very well, is:
Differential diagnosis is a systematic method used by doctors to match sets of symptoms with their likely causes. A good differential diagnosis consists of four distinct steps:
- List all the observed symptoms.
- List possible causes for the observed symptoms.
- Rank the list of causes in order of urgency.
- Conduct tests to rule out causes in priority order.
You can contrast that with the FBI method of investigating data breaches:
- Get incomplete/incoherent account of data loss, requiring data loss updates after months of investigation.
- Leak to news media anonymous accusations that China is responsible for the data breach.
A lack of cybersecurity talent requires a coarsening of some steps of investigation, but I think it has been taken too far. Take the Office of Personnel Management breach, where the estimate of data loss worsens day by day.
Take a tip from the big data people: start with the data and not with the result you want.