You’ll never reduce your security risk if you can’t identify and mitigate the root causes of those vulnerabilities. It isn’t enough to have a list of malware programs that your antimalware has detected. You need to determine how viruses and hackers have penetrated your environment in the past.

In the vast majority of organizations, two root causes are responsible for successful exploits: unpatched software and social engineering. All other root causes generally account for less than a few percentage points of the risk. The key to reducing computer security risk is that every organization needs to determine its own most prevalent root causes.

Hackers and malware can break in about a dozen different ways, including the following:

- Unpatched software
- Social engineering
- Zero-day exploits
- Password cracking
- Eavesdropping/man-in-the-middle attacks
- Privilege escalation
- Misconfiguration/user error
- Denial of service
- Insider malfeasance (including partners, consultants, and vendors)
- Physically accessing systems

If even a relatively benign program has exploited your environment, it’s important to understand how it broke in. Even if the malware program was only adware, the effort it took to break in amounts to exactly the same effort that a more malevolent culprit, like ransomware, would undertake to carry off far worse.

For an effective defense, you have to learn which root causes are the most relevant to your environment, then work on minimizing them. Often this isn’t easy; in some cases it’s impossible. But with these approaches you can give it your best shot.

Forensic investigation

It may be resource intensive, but nothing beats a complete forensic investigation for determining how a breach happened. In a perfect world with no resource constraints, every exploited device would have its memory and storage snapshotted and its contents analyzed. Many forensic investigation programs show you what changed on a timeline to ease the job of determining what happened. A thorough forensic investigation can’t always tell you how an action was executed on a computer, but it’s still the most effective option for getting a complete and accurate picture of the origins of a successful attack.

Identify malware by attack method

Many malware programs are hard-coded to take advantage of particular root causes. When you encounter them, you’ll find it easier to determine how something happened. For instance, some types of malware programs only spread via USB devices. Others spread only when someone executes a program, whereupon the program self-replicates by infecting other programs and documents. Email worms spread … well, via email. Most malware programs use a single mechanism to propagate themselves. With a minimum of research, you can figure out a root cause.

Of course, many malware programs spread using multiple methods. For example, the Conficker worm spread through unpatched vulnerabilities, by guessing simple passwords on drive shares, by using a desktop.ini autorun vulnerability, or via USB key. These types of programs may take more research, but root-cause analysis can still be done. For a program like Conficker, you could check to see if the involved vulnerability is patched, look for a rogue desktop.ini file, or scan USB keys for infection.

Victim interviews

Amid today’s social engineering pandemic, it’s almost impossible to determine how a malicious program was executed without talking to users. Even then, users may have no clue how they were exploited. Nonetheless, under direct questioning, you’d be surprised how often users suddenly remember a funky email or a website that told them to download a file before their computer started to slow down or act weird. Interviewing people on a large scale is unwieldy and expensive, but it may be the only way to get at the truth.

Inventory analysis

This method is frequently overlooked. If you’re trying to determine how your computers were infected and have absolutely no other way to figure it out, consider analyzing your software and hardware inventory. If you see a huge spike associated with a particular configuration—say, a computer running a particular version of an operating system, browser, and browser plugin—then that configuration may be part of the problem.

External threat intelligence

All the previous methods help determine your own local threat intelligence, which is the most valuable information any organization can have. Beyond that, research what happens within your industry, to your competitors, to your country and region, and more broadly across the world. A lot of malware research, such as Microsoft’s Security Intelligence Reports, shows geographic distributions of hacking and malware. They offer a great way to get insight into what may be attacking your company. But keep in mind that any popular, successful exploit may be a top suspect.

What now?

Once you determine the leading root causes of your organization’s exploitation, focus your energy and resources on mitigating them. That extends to the measures you take, the products you buy, and the user education you give. Your focus on those root causes should continue over time until they are no longer leading causes.

This approach is how you reduce risk. Yes, you still need broad, across-the-board, defense-in-depth mitigations (credential hygiene, stronger authentication, and so on). But if you can tackle the biggest problems and deploy commodity defenses in tandem, you’ll be one of the most efficient organizations around at reducing security risk.
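The inventory analysis described above, as an added worked example that is not code from the article: it takes a host inventory (operating system, browser, browser plugin, and whether the host was found infected), computes the infection rate for each single attribute and for the full combination, and flags any configuration whose rate is far above the fleet-wide baseline. The hostnames, product names, version strings and infection flags are constructed for the example; the grouping attributes, the minimum host count and the "twice the baseline" threshold are assumptions you would tune to your own inventory size.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Sequence, Tuple


class Host(NamedTuple):
    """One inventory record. Field names are an assumption for this example."""
    hostname: str
    os: str
    browser: str
    plugin: str
    infected: bool


# Constructed sample inventory (hypothetical product names and versions).
# Four hosts share one configuration and three of them were found infected.
INVENTORY: List[Host] = [
    Host("ws01", "os-a-10", "browser-x-115", "plugin-p-1.2", True),
    Host("ws02", "os-a-10", "browser-x-115", "plugin-p-1.2", True),
    Host("ws03", "os-a-10", "browser-x-115", "plugin-p-1.2", True),
    Host("ws04", "os-a-10", "browser-x-115", "plugin-p-1.2", False),
    Host("ws05", "os-a-10", "browser-x-116", "plugin-p-1.3", False),
    Host("ws06", "os-a-10", "browser-x-116", "plugin-p-1.3", False),
    Host("ws07", "os-a-10", "browser-x-116", "plugin-p-1.3", False),
    Host("ws08", "os-b-22", "browser-y-120", "plugin-p-1.3", False),
    Host("ws09", "os-b-22", "browser-y-120", "plugin-p-1.3", False),
    Host("ws10", "os-b-22", "browser-y-120", "plugin-p-1.3", True),
    Host("ws11", "os-b-22", "browser-x-116", "plugin-p-1.3", False),
    Host("ws12", "os-b-22", "browser-x-116", "plugin-p-1.2", False),
]

Stats = Tuple[int, int, float]  # (hosts, infected hosts, infection rate)


def overall_rate(hosts: Iterable[Host]) -> float:
    """Fleet-wide infection rate; the baseline every configuration is compared to."""
    hosts = list(hosts)
    return sum(h.infected for h in hosts) / len(hosts) if hosts else 0.0


def infection_rates(hosts: Iterable[Host], attrs: Sequence[str]) -> Dict[tuple, Stats]:
    """Group hosts by the given attribute names (e.g. ("os", "browser")) and
    return, per distinct value combination, the host count, infected count and rate."""
    counts = defaultdict(lambda: [0, 0])
    for h in hosts:
        key = tuple(getattr(h, a) for a in attrs)
        counts[key][0] += 1
        counts[key][1] += int(h.infected)
    return {k: (total, inf, inf / total) for k, (total, inf) in counts.items()}


def flag_configurations(hosts: Iterable[Host], attrs: Sequence[str],
                        min_hosts: int = 3, factor: float = 2.0) -> list:
    """Return configurations whose infection rate is at least `factor` times the
    baseline, ignoring groups smaller than `min_hosts` (a single infected host
    in a group of one is a 100% rate but says nothing about the configuration).
    Results are sorted by rate, then group size, descending."""
    hosts = list(hosts)
    base = overall_rate(hosts)
    if base == 0.0:
        return []  # nothing infected: no spike to find
    flagged = []
    for key, (total, inf, rate) in infection_rates(hosts, attrs).items():
        if total >= min_hosts and rate >= factor * base:
            flagged.append((dict(zip(attrs, key)), total, inf, round(rate, 3)))
    flagged.sort(key=lambda r: (-r[3], -r[1]))
    return flagged


def report(hosts: Iterable[Host]) -> Dict[tuple, list]:
    """Run the check on each attribute alone and on the full combination, so a
    spike tied to one component (a browser build) is visible as well as a spike
    tied only to a specific combination."""
    hosts = list(hosts)
    views = (("os",), ("browser",), ("plugin",), ("os", "browser", "plugin"))
    return {attrs: flag_configurations(hosts, attrs) for attrs in views}


if __name__ == "__main__":
    print(f"baseline infection rate: {overall_rate(INVENTORY):.3f}")
    for attrs, rows in report(INVENTORY).items():
        for config, total, inf, rate in rows:
            print(f"{'+'.join(attrs)}: {config} -> {inf}/{total} infected ({rate:.0%})")
```

On the constructed inventory the baseline is 4 of 12 hosts, and only the `os-a-10` / `browser-x-115` / `plugin-p-1.2` combination (and, viewed alone, `browser-x-115`) clears twice that rate; the older plugin on its own does not, which is why the per-attribute and full-combination views are both worth running before you decide which component to investigate.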