
INT-01-01
The Three Core Principles
Disconfirmation, row-reading, and building a hypothesis set that does not already have a blind spot built into it
ACH is built on three principles that work together. If you understand all three, you understand the method. If you only understand one or two, you will build matrices that look rigorous and still produce biased conclusions. This lesson covers each principle in full: why it is true, what it prevents, and what it looks like when an analyst violates it. The eight-step process in Lesson 2 is the procedure. These principles are the reasoning behind that procedure.
Principle 1: Hunt for Contradictions, Not Confirmations
Disconfirmation
This is the heart of ACH and the hardest principle to actually apply, because it runs directly against the way humans naturally reason. When we form an explanation for something, we instinctively look for more evidence that supports it. Finding that supporting evidence feels like progress. It feels like we are building toward a reliable conclusion. The problem is that this feeling is frequently wrong.
The logical reason it is wrong is not complicated. A piece of evidence that is consistent with your favored hypothesis is often also consistent with several other hypotheses. If a candidate for MAG membership is friendly, participates in community activities, and demonstrates genuine preparedness knowledge, those observations are consistent with the hypothesis that they are a sincere community member. They are also consistent with the hypothesis that they are a skilled infiltrator building cover. The evidence does not distinguish between the two hypotheses. It is consistent with both. Finding more evidence of the same kind — more friendliness, more participation, more apparent competence — does not resolve the ambiguity. It just makes you more confident in the wrong direction.
Evidence that is inconsistent with a hypothesis, however, does something different. If a hypothesis is true, certain things should be observable. If those things are not observable when they should be — or if things are observable that cannot plausibly coexist with the hypothesis being true — the hypothesis is weakened. Finding that kind of evidence is analytically decisive in a way that confirming evidence is not.
Heuer’s formulation is precise: ACH does not ask which hypothesis has the most evidence supporting it. It asks which hypothesis has the fewest serious inconsistencies against it. The hypothesis that survives is the one that remains after aggressive testing against the evidence, not the one that felt most plausible before the testing began.
Why one inconsistency outweighs ten confirmations
Consider a simple example. You have formed the hypothesis that a truck that parks near your community’s regular meeting location is there for innocent reasons — a nearby business, a resident’s vehicle, routine. You find ten observations that are consistent with this hypothesis: the truck is present during normal business hours, it varies its parking position slightly, it has commercial markings. All consistent. None decisive.
Now you observe something inconsistent: the truck has no commercial registration visible and has been parked at three different locations where your MAG regularly operates on three consecutive occasions with different membership present each time. That single pattern of inconsistency — one thing that cannot plausibly coexist with the innocent explanation — carries more analytical weight than all ten confirming observations combined.
This is the asymmetry. Confirmation accumulates without resolving ambiguity. Disconfirmation is decisive. ACH is built to force you to look for the second type of evidence rather than stopping when you have enough of the first type to feel comfortable.
Principle 2: Read Across the Rows, Never Down the Columns
The Direction of Analysis
The ACH matrix places hypotheses across the top and evidence items down the side. When you work through it, the natural temptation is to pick a hypothesis — your favorite, the most likely one, the one that was identified first — and read down its column, asking: does this evidence support it? Does that evidence support it? You are building a case. The column reading feels thorough because you are examining every item of evidence. It is not thorough. It is confirmation bias with a structured format wrapped around it.
The correct procedure is to take one item of evidence at a time and read across the entire row, asking the same question for every hypothesis: is this item of evidence consistent, inconsistent, or not applicable to this hypothesis? You are not asking whether it supports your favored explanation. You are asking what it means for each possible explanation simultaneously.
The difference is not procedural detail. It is the entire point of the method. Reading across the row forces you to ask a discriminating question: does this evidence behave differently across the hypotheses, or does it look the same for all of them? Evidence that is consistent with every hypothesis is non-diagnostic. It cannot help you choose between explanations and it should be deprioritized or removed from the matrix. Evidence that is consistent with some hypotheses and inconsistent with others is diagnostic — it does real analytical work. Row-reading is the only procedure that reveals which evidence is which.
Column-reading also has a specific failure mode in team settings. When a group reads down the column of a preferred hypothesis together, they are effectively conducting a group confirmation exercise. Each person contributes evidence that supports the preferred explanation, the column fills up, and the assessment feels collectively validated. No one has asked whether any of that evidence is equally consistent with the competing explanations that were never seriously examined. ACH’s row-reading requirement is a direct structural countermeasure to this failure mode.
Experienced analysts who know ACH still fall into column-reading. It happens most often under time pressure or when a conclusion feels obvious. If you find yourself asking “does this support H1?” rather than “how does this fit H1 compared to H2, H3, and H4?”, you are column-reading. Stop and reorient to the row.
Principle 3: Build a Hypothesis Set That Does Not Already Have the Answer Missing
MECE — Mutually Exclusive and Collectively Exhaustive
The matrix can only find the correct explanation if that explanation is one of the hypotheses in the matrix. This sounds obvious, but it is the source of the most consequential ACH failures. An analyst who generates a list of three hypotheses and applies the full eight-step process with rigor has still produced a useless result if the correct explanation is a fourth hypothesis that was never considered.
Heuer describes the goal as a hypothesis set that is mutually exclusive and collectively exhaustive. Mutually exclusive means the hypotheses do not significantly overlap — each describes a genuinely different explanation rather than minor variations of the same explanation. Collectively exhaustive means the set covers the realistic range of explanations, including the ones that are uncomfortable or that the analyst considers unlikely.
In practice, perfect mutual exclusivity is rarely achievable. Hypotheses about human behavior often have partial overlaps — a nation-state operation can use criminal cover, an insider can be a recruited asset, a candidate can be both a sincere community member and someone whose judgment about information security is poor enough to make them a functional risk. The existence of overlap is acceptable as long as the analyst is aware of where the overlap lies and accounts for it in the sensitivity testing step.
What is not acceptable is a hypothesis set with a missing explanation. Two categories of missing hypothesis are particularly damaging and easy to overlook:
The deception hypothesis. In any situation where an adversary or unknown actor has the capability and motivation to deliberately mislead your analysis, the hypothesis “this situation is constructed to lead me to a specific conclusion” belongs in the matrix. This hypothesis is almost never added instinctively. The analyst who fails to add it will build a matrix that, if the deception hypothesis is true, is being operated exactly as the deceiver intended.
The null hypothesis. In vetting and threat assessment, this is the hypothesis that nothing adversarial is occurring and the situation has an innocent explanation. Experienced analysts tend to omit it, erring in the opposite direction from beginners: they are so focused on identifying the threat that the possibility of a false positive never receives formal consideration. A complete hypothesis set includes the innocent explanation, tested with the same rigor as every other.
What a good set looks like and what a bad one costs you
Suppose your MAG is evaluating an anomalous situation: a new acquaintance has been asking members progressively more specific questions about group resources and meeting locations across several interactions. A poorly constructed hypothesis set might include: (H1) the person is an infiltrator with hostile intent, (H2) the person is an infiltrator with law enforcement connections. These two hypotheses are not meaningfully different. Distinguishing between them requires information you likely cannot access at the stage you are in, and the operational response to both is the same. You have used two hypothesis slots for what is functionally one hypothesis.
A better set: (H1) the person is a genuine community member whose curiosity is socially normal for someone trying to integrate, (H2) the person is gathering information for personal use without hostile intent but with poor information security judgment, (H3) the person is a directed collector for an external party, (H4) the specific question pattern is coincidental and the pattern you perceive is an artifact of your own attention rather than the person’s behavior. H4 is uncomfortable. It questions your own analytical process. It belongs in the matrix.
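The row-reading rule from Principle 2 and the fewest-inconsistencies rule from Principle 1, applied to the H1 to H4 set above, as an added example that is not part of the original lesson. The evidence items, their ratings, and the function names are constructed for illustration.

```python
# Added example: ACH matrix mechanics. Evidence rows and ratings are constructed.
# Ratings: C = consistent, I = inconsistent, NA = not applicable.
HYPOTHESES = ("H1", "H2", "H3", "H4")  # the four-hypothesis set from the lesson
RATINGS = {"C", "I", "NA"}

# Each row rates one evidence item against H1..H4 in order (row-reading).
MATRIX = {
    "E1 friendly, joins community activities":      ("C", "C", "C", "C"),
    "E2 shows real preparedness knowledge":         ("C", "C", "C", "C"),
    "E3 two members independently noted the trend": ("C", "C", "C", "I"),
    "E4 asked about locations with no stated need": ("I", "C", "C", "NA"),
    "E5 repeated members' answers to outsiders":    ("NA", "C", "I", "NA"),
}

def validate(matrix):
    """Reject rows not rated against every hypothesis (a column-reading symptom)."""
    for item, row in matrix.items():
        if len(row) != len(HYPOTHESES) or not set(row) <= RATINGS:
            raise ValueError(f"row not rated against all hypotheses: {item}")

def non_diagnostic(matrix):
    """Items with the same rating for every hypothesis cannot discriminate."""
    return [item for item, row in matrix.items() if len(set(row)) == 1]

def refined(matrix):
    """Matrix with non-diagnostic rows removed."""
    drop = set(non_diagnostic(matrix))
    return {item: row for item, row in matrix.items() if item not in drop}

def tally(matrix, rating):
    """Per-hypothesis count of items carrying the given rating."""
    return {h: sum(row[i] == rating for row in matrix.values())
            for i, h in enumerate(HYPOTHESES)}

def rank(matrix):
    """Order hypotheses by fewest inconsistencies; confirmations are ignored."""
    validate(matrix)
    inconsistent = tally(matrix, "I")
    return sorted(HYPOTHESES, key=lambda h: inconsistent[h])

if __name__ == "__main__":
    print("non-diagnostic: ", non_diagnostic(MATRIX))
    print("confirmations:  ", tally(MATRIX, "C"))
    print("inconsistencies:", tally(MATRIX, "I"))
    print("ranking:        ", rank(MATRIX))
    # Dropping non-diagnostic rows removes confirmations but no inconsistencies.
    print("after refinement:", tally(refined(MATRIX), "C"), tally(refined(MATRIX), "I"))
```

In this constructed matrix H3 collects four confirmations and H4 only two, yet both carry one inconsistency and rank level; removing E1 and E2 lowers every confirmation count and leaves the ranking untouched.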
Take a current security question or vetting situation in your community. Write down the hypothesis set you would currently use to evaluate it. Then apply the three principles as a checklist: Are you prepared to look for evidence against each hypothesis, not just for it? Can you commit to evaluating each piece of evidence against all hypotheses before deciding what it means? Does your hypothesis set include the deception hypothesis and the null hypothesis?
If any answer is no, revise before proceeding.
ACH hunts for contradictions, not confirmations — evidence consistent with a hypothesis is often also consistent with competing hypotheses and cannot resolve ambiguity on its own
Evidence inconsistent with a hypothesis is analytically decisive in a way that confirming evidence is not
Read across the rows: evaluate each evidence item against all hypotheses simultaneously, asking how it discriminates between them
Column-reading — building a case for one hypothesis at a time — is confirmation bias with a structured format wrapped around it
Non-diagnostic evidence (consistent with all hypotheses) should be identified and deprioritized in the refinement step
The hypothesis set must be mutually exclusive and collectively exhaustive; perfect exclusivity is rarely achievable but the set must be wide enough to include the correct explanation
The deception hypothesis belongs in the matrix whenever an actor has capability and motivation to deceive — do not wait for evidence of deception before adding it
The null hypothesis (innocent explanation) is a structural requirement, not a courtesy addition