3 steps to conquer cyber-attacks through a data-driven defence

By following a three-step defence strategy, companies can implement a more effective and efficient cyber defence plan.

By following a three-step defence strategy, companies can implement a more effective and efficient cyber defence plan. Image: Jake Walter/Unsplash

Roger A. Grimes
Data-Driven Defense Evangelist, KnowBe4
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:


Listen to the article

  • Despite decades of studies that expose the most common cyber threat attack methods, defenders still concentrate too many of their resources on the less likely, and more benign threats.
  • A data-driven defence framework allows defenders to identify and rank the most dangerous threats.
  • By following a three-step defence strategy, companies can implement a more effective and efficient cyber defence plan.

Imagine two great armies fighting in a long and arduous, multi-battle war. In the right flank of the battle, the opponent is having continual success. Our protagonists are aware of this but respond by pouring additional resources into defending the bloodless left flank instead. In fact, as the battle progresses, they continue to pour resources everywhere but into the embattled, vulnerable right, even going so far as to start stacking resources vertically because they’ve heard that the opponents might one day attack from the air.

Finally, a new leader is appointed to lead the army out of their chaos. He assesses the situation, takes heed of the right flank’s battered state, and, after much contemplation, orders yet more resources to be sent to the left flank.

Does this scenario sound insane?

Unfortunately, this is how most defenders shield against cybersecurity threats. Despite a decades-long accumulation of evidence that exposes the most common cyber threat attack methods, distracted defenders relentlessly concentrate their resources on less likely threats and then wonder why their cyber defence strategies aren't working.

A data-driven cyber defence principle

Conversely, a data-driven defence framework uses a defender's local experience to determine the most likely threats and align appropriate defences against these first before counterposing less risky hazards.

a data-driven defence framework uses a defender's local experience to determine the most likely cyber threats.
a data-driven defence framework uses a defender's local experience to determine the most likely cyber threats. Image: KnowBe4

In this defence strategy, a few core tenants support the defenders as they create a superior and more responsive cyber shield and effectively reduce cybersecurity risks. These tenants include:

  • Focusing on mitigating the root cause threats (also known as initial exploitation methods) that allow hackers and malware initial access into victim environments
  • Ranking these root cause threats by using local experience and data as to identify the riskiest causes first
  • Mitigating the highest risks first
  • Measuring the mitigation effectiveness against the predicted effectiveness
  • Constantly re-evaluating threats to ensure that mitigations are appropriately risk-ranked
Have you read?

In short, to safeguard virtual resources more effectively, it is essential for cybersecurity defenders to list the possible ways cyber attackers could exploit their resources. The likelihood of the attack method should then be ranked, and the mitigation strategy should be implemented against the most likely and dangerous threats first. Here are three steps to a data-driven defence:

Step 1 – Make an inclusive list of potential root cause exploits

Based on 22 years of research, I have assembled a basic list of the various potential initial root cause exploit procedures employed today. Every hacker and malware attacker, regardless of motivation, uses one of these exploit methods to gain initial access:

  • Social Engineering
  • Programming Bugs (patch available or unavailable)
  • Malicious Instructions/Scripting
  • Human Error/Misconfiguration
  • Eavesdropping/MitMSide
  • Channel/Information leak
  • Brute Force/Computational
  • Data Malformation
  • Network Traffic Malformation
  • Insider Attack
  • 3rd Party Reliance Issue (supply chain/vendor/partner/etc.)
  • Physical Attack

This list is by no means exhaustive, and defenders are welcome to develop their inclusive lists of root cause exploit methods or apply another model, such as the MITRE ATT&CK root access list, as long as the list is inclusive and doesn’t overlap.

It’s also important to note that, compared to the malware's initial access point, the actual outcomes of attacks - such as ransomware – are less crucial for planning purposes. If you want to stop thieves from breaking into your home, your focus needs to shift to how they would break into it instead of what they would steal once inside.


How is the Forum tackling global cybersecurity challenges?

Step 2 – Rank initial root causes

Next, all the root causes that have just been identified should be evaluated according to their likelihood of involvement in compromising the organization’s environment. Looking at the list generated in Step 1, determine which attack methods are most frequently or likely to be used to gain an initial foothold into the environment, based on experience and near-term future risk analysis. How has the organization been broken into in the recent past, and how is security likely to be compromised in the near future?

Historically, social engineering and unpatched software have been the two most common ways hackers and malware have gained initial foothold access in most compromised environments for decades. However, risks and rankings may vary greatly, and it’s up to each organization to determine their distinctive threat risk ranking based on their own experiences, current defences, and projections.

Step 3 – Apply mitigations to highest-ranking cyber threats

Once the initial root causes have been ranked according to the defender's unique risk analysis, the first and best mitigations can be applied to the highest ranked root cause exploit methods.

Each company needs to create and apply a layered, defence-in-depth combination of policies, technical defences (antivirus software, secure configurations, content filtering software, etc.), and education on the top-ranked threats. Moreover, all company stakeholders should stay informed about what the greatest threats are and how they will be alleviated. In addition, each applied mitigation should be evaluated as to how well it accomplishes its specific role in reducing the threat.

As the outcomes change over time, it should be an ongoing evaluation of both the dangers, as well as the mitigations used to determine the overall effectiveness. The mitigation strategy should change as necessary but should always focus on the biggest root threats and whether they are effectively being addressed and managed.

Each defender should constantly ask themselves

“Are we focusing on the right threats?”

“Are we deploying the most effective mitigations?" and

"Do we need to change anything?”

Following these core data-driven defence principles and steps, if practised successfully, will lead to an enhanced and more economical cyber defence that reduces risk more efficiently.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

3 things CEOs must prepare to unlock the power of generative AI

Patrick Tsang

June 25, 2024

About Us



Partners & Members

  • Sign in
  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum