First Principle Thinking
For first principles must not be derived from one another nor from anything else, while everything has to be derived from them.
—Aristotle, philosopher
…in order to study the acquisition of [knowledge], we must commence with the investigation of those first causes which are called Principles.
—René Descartes, philosopher
I think it’s important to reason from first principles rather than by analogy…. [With first principles] you boil things down to the most fundamental truths…and then reason up from there.
—Elon Musk, SpaceX founder
How Do People Solve Problems?
Most people don’t start from first principles. They start with derivative thinking. When I have a problem to solve, I generally look around to see if anybody else has solved it already and steal their work. (Hey, don’t judge me. The goal is to get the job done, not to produce original work.) If there are no available solutions, then I look around for solutions to problems that are related to mine, not exactly identical but in the same ballpark, and steal that solution instead. Sometimes the community has produced standards, or the government has passed compliance laws, that dictate what I should do. If that’s the case, then that’s an easy steal. And sometimes I’m not looking for a new solution at all. I’m just interested in improving the existing system a little bit.
To simplify, for known solutions to common problems (derivative thinking, if you like), you generally have four choices.
Precedent (How has this been done before?)
Analogy (This looks like X, so I’ll do something similar.)
Authority (What do experts / standards / competitors do?)
Incrementalism (Take the current system and improve it slightly.)
If I’m trying to learn how to scramble an egg, it’s easy enough to find a YouTube video of Gordon Ramsay showing how he does it (Precedent). If I’m trying to scramble an ostrich egg, Ramsay’s video will probably be good enough (Analogy). If I’m scrambling an egg for a new diner I’m opening in my home state of Virginia, then the Virginia Administrative Code (12VAC5‑421: Food Regulations, Chapter 421) probably has something to say on the matter (Authority). And if I just want to make my scrambled egg fluffier in the morning, Ramsay’s advanced class on breakfast meals can help me there (Incrementalism).
No Workable Solution for Cybersecurity
For cybersecurity, though, vendors and governments have provided a recommended solution set from the very beginning, since the late 1970s. I’ve been in the industry for over 30 years, and for all the advances made in that period (the 1990s until today), cyber bad guys are still remarkably successful. Here’s what I mean.
Even though it’s tough to calculate real numbers between the good old days of the 1990s (since we didn’t keep track of them that well) and today, we can do some back-of-the-envelope calculations about the estimated annual monetary loss attributable to cyber attacks on public companies. Adjusting for inflation, I estimate that in the 1990s the loss was between $80 million and $150 million (USD) worldwide. In the 2020s, I estimate the range to be between $15 billion and $20 billion. That’s at least a 100X increase, depending on how you count it.
When viewed through that lens, the solutions pursued by the infosec community do not appear to be effective. My peers and I have relied on precedent, analogy, authority, and incremental improvement, yet none of these approaches has eliminated the problem.
If there is no known solution set that stops cyber bad guys from being successful, maybe we haven’t identified the correct problem that we are all trying to solve. Maybe we’ve simply tackled symptoms of the problem, like:
Vulnerability management to patch buggy software.
Red teaming to find unknown design flaws in our networks.
Incident response to formalize how to react to crisis moments.
and lots of other things.
But as I said, cyber bad guys still have amazing success. I have to say, after a full career in cybersecurity, that’s disconcerting.
First Principle Thinking
First-principle thinking is a different way to solve problems. Rather than looking at what’s been done before and taking the next step, you first reduce the problem to irreducible truths and build up from there. Instead of accepting assumptions, conventions, analogies, or best practices, you ask what must be true at the lowest possible level and what can be logically derived from that foundation. It’s problem solving 101. While you’re breaking the problem into smaller bits, ignore any previous assumptions or best practices that have constrained past solutions. The difference between the two approaches, then, is that derivative reasoning optimizes within existing frameworks while first-principle thinking questions whether those frameworks are valid at all. And that’s what I’m proposing here. I’m pretty sure our cybersecurity derivative thinking over the last 30 years isn’t valid.
Origin of First Principle Thinking
The idea of first principles goes all the way back to the great philosopher Aristotle (384–322 BCE) in his published work Physics (about 340 BCE), where he established his initial concepts of natural philosophy, the study of nature (physis). Before he starts his main thesis, though, he establishes that we can’t really understand a concept completely until we understand its essence:
For we do not think that we know a thing,
until we are acquainted with its primary conditions or first principles,
and have carried our analysis as far as its simplest elements.
He describes his method for finding these primary conditions by taking what we think we know from casual observation and working our way back to the core of it. He says,
The natural way of doing this
is to start from the things which are more knowable and obvious to us
and proceed towards those which are clearer and more knowable by nature.
He makes it clear, though, that these indivisible explanatory causes (we would call them atomic ideas today) are unique building blocks, and all study starts there.
For first principles must not be derived from one another
nor from anything else,
while everything has to be derived from them.
Once you find these essential concepts, they are the “big bang” to the overall hypothesis.
First principles are eternal and have no ulterior cause.
A Sampling of First Principle Thinkers in History
Euclid, the ancient Greek mathematician, never mentions “first principles” in his foundational math book Elements (~300 BCE). But his sparse presentation of 23 definitions, five assumptions (postulates or axioms), and five common notions has been the underlying bedrock of geometry and other math disciplines for more than 23 centuries. His book is a clear demonstration of how first-principle reasoning can produce long-lasting, coherent systems with extraordinary explanatory power. As President Lincoln said about Euclid in the 2012 movie Lincoln,
“[They are rules] of mathematical reasoning. [They’re] true because [they] work. Has done and always will do. In his book, Euclid says that this is self-evident.”
In 1644, René Descartes, the greatest philosophical doubter of all time, and the father of modern philosophy, published Principles of Philosophy. He begins by outlining the essence of philosophical thinking:
… the word PHILOSOPHY signifies the study of wisdom,
and that by wisdom is to be understood,
not merely prudence in the management of affairs,
but a perfect knowledge of all that man can know,
as well for the conduct of his life,
as for the preservation of his health,
and the discovery of all the arts.
Now that’s a gigantic research goal. How would you ever pursue it? He says, to procure that understanding, we must infer it from initial sources.
To subserve these ends, must necessarily be deduced from first causes;
so that in order to study the acquisition of it (which is properly called philosophizing),
we must commence with the investigation of those first causes,
which are called PRINCIPLES.
He then says that these first principles must meet two requirements.
In the first place, they must be so clear and evident
that the human mind,
when it attentively considers them,
cannot doubt of their truth;
in the second place, the knowledge of other things
must be so dependent on them
as that though the principles themselves
may indeed be known apart from
what depends on them.
What he means is that all knowledge about the subject comes from these first principles.
It will accordingly be necessary thereafter to endeavor so
to deduce from those principles
the knowledge of the things that depend on them,
as that there may be nothing in the whole series of deductions
which is not perfectly manifest.
One thing to note here is that finding first principles for any subject is hard. It requires us to willingly discard accepted best practices and think deeply about what is fundamental. It means we are questioning the status quo and have to be willing, in public, to be considered crazy for long periods. First-principle thinking challenges authority, invalidates sunk costs, and threatens professional identity. It breaks standards and frameworks and requires saying “everyone before us was wrong.”
With his book, Descartes completely upended the philosophical thinking of the day, saying that Aristotle and his contemporaries (Plato and Socrates) never found the first principle of philosophy. Ouch! Descartes’ approach, by doubting everything, established the ultimate first principle of philosophy:
“I think, therefore I am” (Cogito, ergo sum).
Two British mathematicians, Alfred North Whitehead and Bertrand Russell, published Principia Mathematica in 1910, a book that attempted to rebuild the language of math from the ground up using a small set of first principles. They recognized some inconsistencies in the current set of rules used by the math community at the time. You could use the same rules to get two different and absolutely correct results, something called the Russell paradox. In a precision engineering world, that was a recipe for disaster. So they went back to the drawing board, threw everything out, and started from scratch. It took them 80 pages to mathematically prove that 1 + 1 = 2. In a footnote, Whitehead and Russell famously wrote this line:
The above proposition is occasionally useful.
And you all thought that math nerds weren’t funny. Shame on you.
Modern Day First Principle Thinkers
In our modern day, when asked how he approached the concept of economical space flight, Elon Musk didn’t say that he looked at what NASA and Boeing had done during the Apollo and Space Shuttle missions in the 1960s and 1970s and took the next step. Instead, he threw all of that out and started over with first principles, a gutsy move for sure, but that’s probably why he is a gazillionaire and I’m not.
In the last 30 years, there are many other examples where upstart businesses or new cybersecurity strategy thought leaders completely changed the world by identifying the atomic first principle in their associated problem domains. Here are just a few:
1995: Jeff Bezos (Amazon Store): Real-time logistics vs real estate ownership.
1999: Marc Benioff (Salesforce): Software as a Service (leased) vs software ownership.
2006: Jeff Bezos (Amazon Cloud): Infrastructure (compute and storage) as a service vs ownership.
2007: Steve Jobs (Apple iPhone): Handheld devices are computers that make phone calls vs mobile phones that have some computer capability.
2010: Reed Hastings (Netflix): On-demand movie viewing flexibility vs appointment TV.
2010: John Kindervag (Zero Trust): Continuously verify entities and access permissions vs trusting everybody and everything inside the perimeter.
2010: Eric Hutchins, Michael Cloppert, and Rohan Amin (Intrusion Kill Chain Prevention): Deploy prevention and detection controls for specific known adversaries vs generic controls that might apply to any adversary.
2012: Elon Musk (Tesla): Electric cars need ubiquitous power stations vs longer battery life.
Note the two cybersecurity entries in that list, the white papers from Kindervag on Zero Trust and from Hutchins, Cloppert, and Amin on Intrusion Kill Chains. Yes, even cybersecurity nerds can be first principle thinkers. I will note, however, that even these game-changer ideas (Zero Trust and Intrusion Kill Chain Prevention) didn’t solve the problem. The monetary cost still skyrocketed.
Take Away
If we accept monetary loss as a rough but meaningful signal, the conclusion is uncomfortable: despite decades of investment, frameworks, standards, tools, and expertise, cybersecurity outcomes have worsened, not improved. Adjusted for inflation, losses have increased by orders of magnitude. That alone should force us to question whether we are solving the right problem at all.
For thirty years, the infosec community, including me, has relied almost exclusively on derivative thinking. We borrowed what worked elsewhere, followed authority, complied with standards, optimized existing systems, and incrementally improved controls. That approach works well when the underlying model is sound. But when the model itself is wrong, incremental improvement simply entrenches failure more efficiently.
First-principle thinkers throughout history did not accept persistent failure as inevitable. When outcomes contradicted expectations, they assumed the assumptions were wrong. They discarded precedent, challenged authority, and rebuilt their understanding from irreducible truths. That process was slow, uncomfortable, professionally risky, and often ridiculed, but it was also how durable progress was made.
Cybersecurity now sits at that same inflection point. If attackers remain consistently successful, then prevention, detection, response, and compliance, while necessary, are almost certainly symptoms, not causes. Until we identify the true first principles of cybersecurity, we will continue to optimize the wrong system and wonder why the results never change.
The next step, then, is not another framework, maturity model, or control catalog. It is the harder task: to clearly define the atomic first principles of cybersecurity itself. I wrote a book about that and I will look at that next week.
Source
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Amazon. URL: https://amzn.to/4mI7QMU
References
Alfred North Whitehead and Bertrand Russell, 1910. Principia Mathematica, Vol. 1, Vol. 2, Vol. 3 [Books]. URL: https://www.goodreads.com/book/show/6482515-principia-mathematica-vol-1
Aristotle, 350 BCE. Physics [Book]. MIT Classics. URL: https://classics.mit.edu/Aristotle/physics.mb.txt
Ashlee Vance, 2015. Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic Future [Book]. URL: https://www.goodreads.com/book/show/25541028-elon-musk
Colby Hopkins, 2023. The History of Amazon and its Rise to Success [History]. Michigan Journal of Economics. URL: https://sites.lsa.umich.edu/mje/2023/05/01/the-history-of-amazon-and-its-rise-to-success/
Drake Baer, 2015. Elon Musk Uses This Ancient Critical-Thinking Strategy To Outsmart Everybody Else [Analysis]. Business Insider. URL: https://www.businessinsider.com/elon-musk-first-principles-2015-1
Eric Hutchins, Michael Cloppert, Rohan Amin, 2010. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains [White Paper]. Lockheed Martin Corporation. URL: https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf
Euclid, 300 BCE. Euclid’s Elements of Geometry [Book]. Richard Fitzpatrick Collection, The University of Texas at Austin. Translated from the Greek text of J.L. Heiberg (1883–1885). URL: https://farside.ph.utexas.edu/Books/Euclid/
Harry Deutsch, Oliver Marshall, and Andrew David Irvine, 1995 (first published); 2024 (substantive revision). Russell’s Paradox [Explainer]. Stanford Encyclopedia of Philosophy. URL: https://plato.stanford.edu/archives/win2025/entries/russell-paradox
Jeff Barr, 2014. Eight Years (And Counting) of Cloud Computing [History]. Amazon Web Services. URL: https://aws.amazon.com/blogs/aws/eight-years-and-counting-of-cloud-computing/
John Kindervag, 2010. No More Chewy Centers: Introducing The Zero Trust Model Of Information Security [White Paper]. Palo Alto Networks. URL: https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf
Kevin Rose, 2012. Elon Musk and Kevin Rose [Interview]. Kevin Rose Show - YouTube. URL:
René Descartes, 1644. The Principles of Philosophy [Book]. Translated by John Veitch, Late Professor of Logic and Rhetoric in the University of Glasgow. URL: https://www.fulltextarchive.com/book/The-Principles-of-Philosophy/
Rick Howard, 2025. Part I: Is the CIA Triad Dead?: Why has the CIA Triad Endured? [Essay]. First Principles Consulting Newsletter - Substack. URL: https://diffuser.substack.com/p/is-the-cia-triad-dead
Staff, 2007. Apple Reinvents the Phone with iPhone [Announcement]. Apple. URL: https://www.apple.com/newsroom/2007/01/09Apple-Reinvents-the-Phone-with-iPhone/
Staff, 2012. Tesla Motors Launches Revolutionary Supercharger Enabling Convenient Long Distance Driving [Announcement]. Tesla Investor Relations. URL: https://ir.tesla.com/press-release/tesla-motors-launches-revolutionary-supercharger-enabling
Staff, 2016. Marc Benioff [Profile]. MIT Initiative on the Digital Economy. URL: https://ide.mit.edu/people/marc-benioff/
Steven Spielberg (Director), Sir Daniel Michael Blake Day-Lewis (Actor), 2012. Lincoln [Movie]. URL: https://letterboxd.com/film/lincoln/
Steven Spielberg (Director), Sir Daniel Michael Blake Day-Lewis (Actor), 2012. Euclid’s Statement of Equality [Movie]. Gentle WorldOrg - YouTube. URL:
William L. Hosch, Nancy Ashburn, n.d. Netflix [History]. Encyclopedia Britannica. URL: https://www.britannica.com/money/Netflix-Inc
Willis H. Ware et al., 11 February 1970. The Ware Report: SECURITY CONTROLS FOR COMPUTER SYSTEMS (U): Report of Defense Science Board [Study]. Defense Science Board - Task Force on Computer System Security - The Rand Corporation - Computer Security Resource Center - NIST. URL: https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/ware70.pdf