Hanlon’s Razor
“Never attribute to malice that which is adequately explained by stupidity.” — Robert J. Hanlon (1980)
An older, softer version (often attributed to Goethe): “Misunderstandings and lethargy perhaps produce more wrong in the world than deceit and malice do.”
The Claim
When someone does something that harms you or contradicts your expectations, the probability that they are incompetent, careless, tired, confused, or uninformed is much higher than the probability that they are deliberately acting against you. In the absence of strong evidence of malice, assume the simpler, more common explanation.
This is not a claim that malice doesn’t exist — it does. It is a claim about base rates. Most people do most things badly most of the time; most bad outcomes are under-specified, rushed, or misinformed, not adversarial.
Why It Holds
Three base-rate arguments:
- Competence is rare. Being good at anything requires effort most people don’t invest. The pool of “people who could pull off a deliberate plan against you” is much smaller than the pool of “people who could accidentally harm you.”
- Coordination is expensive. Genuine malice requires planning, coverups, and resources. Stupidity requires none of that.
- Information is asymmetric. The person you think is attacking you probably doesn’t have enough information about your situation to target you. They are optimising something local (their quarter, their ego, their project) and your harm is incidental.
In This Wiki
- Companion to Occam’s Razor. Occam chooses the simpler of two explanations; Hanlon is a special case — when the two explanations are “malicious” vs. “careless,” prefer careless. The compound advice of the two razors (Munger uses them together) clears most organisational mysteries.
- Munger’s latticework. Munger explicitly uses Hanlon’s Razor in his “psychology of misjudgment” framework. Paranoid interpretation is a System-1 trap.
- Corrects WYSIATI. WYSIATI fills in missing context with narrative. The most accessible narrative for “someone harmed me” is often “they meant to.” Hanlon is the structural correction: expand the hypothesis space to include incompetence.
- Corrects confirmation bias. Once you suspect malice, every ambiguous signal becomes confirmation. Hanlon forces the charitable prior that stops the spiral.
- Corrects the fundamental attribution error. In social psychology: we explain our own mistakes by situation (“I was tired”) and others’ mistakes by character (“they’re hostile”). Hanlon demands symmetry — apply the situational explanation to others too.
- A high-agency posture. Low-agency thinking treats adversity as personal malice and gets stuck in grievance. High-agency thinking asks “what’s the most likely actual cause?” and responds to that.
- Complements Postel’s Law. Postel says be liberal in what you accept; Hanlon says be liberal in how you interpret intent. Both are robustness strategies.
Applications
- Email / Slack / PR reviews. The terse reply is not a snub; they were in a meeting. The missed deadline is not sabotage; they underestimated (see Hofstadter’s Law). The aggressive-sounding comment was written at 11pm on a Friday. Assume the boring explanation first.
- Production incidents. The dropped packet is not an attack; it’s a bad cable. The mysterious slowdown is not a zero-day; it’s a missing index. The data loss is not a disgruntled employee; it’s a typo in a cron job.
- Organisational politics. The team that “stole” your project probably didn’t realise you were working on it. The manager who “undermined” your promotion probably didn’t have the context. Before assuming coordinated opposition, check whether anyone even knew.
The Important Caveat
Hanlon fails at scale and over time. When a pattern of “stupidity” repeatedly benefits a specific party, the Bayesian update shifts toward deliberate strategy. Individual mistakes are stupidity; systematic mistakes that always go one way are incentives. This is the cynical reading of Goodhart’s Law: “they are gaming the metric” is not malice, but it’s not stupidity either — it is rational optimisation of the wrong objective.
The right application of Hanlon: use it as your prior, but update on evidence. One incident of “they must have done it on purpose” — almost always wrong. Twenty incidents that all benefit the same party — stop using Hanlon.
In Security Contexts
Security practitioners invert Hanlon: in security, always attribute to malice what could be adequately explained by stupidity. The cost of missing a real attack is too high, and attackers deliberately mimic stupidity (accidental typos in phishing, “misconfigured” servers that are actually backdoors). This is consistent with Hanlon at the base-rate level — stupidity is still more common — but in security you care about the tail risk, not the base rate.
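The prior-and-update rule from the caveat and the tail-risk inversion above, worked through as an added example that is not part of the original page. The prior, likelihood ratio and cost figures are constructed assumptions, and incidents are treated as independent.

```python
import math

def posterior_malice(prior, n_incidents, likelihood_ratio):
    """P(deliberate | n incidents that all favour the same party).

    likelihood_ratio = P(incident favours that party | deliberate)
                     / P(incident favours that party | careless).
    Incidents are assumed independent, so their log-odds add.
    """
    log_odds = math.log(prior / (1 - prior)) + n_incidents * math.log(likelihood_ratio)
    return 1 / (1 + math.exp(-log_odds))

def incidents_until(prior, likelihood_ratio, threshold=0.5):
    """Smallest number of one-sided incidents at which the posterior reaches threshold."""
    if likelihood_ratio <= 1:
        raise ValueError("evidence that does not favour malice never overturns the prior")
    needed = math.log(threshold / (1 - threshold)) - math.log(prior / (1 - prior))
    return max(0, math.ceil(needed / math.log(likelihood_ratio)))

def should_investigate(p_malice, cost_missed_attack, cost_investigation):
    """Expected-loss rule: act when p * (cost of missing it) exceeds the cost of checking."""
    return p_malice * cost_missed_attack > cost_investigation

if __name__ == "__main__":
    PRIOR = 0.01   # constructed: Hanlon's prior, malice is the rare explanation
    LR = 1.5       # constructed: each one-sided incident is weak evidence on its own

    print("after 1 incident  :", round(posterior_malice(PRIOR, 1, LR), 3))
    print("after 20 incidents:", round(posterior_malice(PRIOR, 20, LR), 3))
    print("incidents to pass 50%:", incidents_until(PRIOR, LR))

    # Same 1% belief, two different loss profiles (constructed cost units).
    print("office dispute :", should_investigate(PRIOR, 1_000, 200))
    print("security alert :", should_investigate(PRIOR, 1_000_000, 500))
```

With the same 1% belief in malice, the expected-loss rule says to let the office dispute go and to investigate the security alert, which is the inversion the section describes: the base rate is unchanged, only the cost of being wrong differs.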
Sources
- source—laws-of-software-engineering — in the Decisions cluster.
- Robert J. Hanlon, Murphy’s Law Book Two (1980) — attributed origin.
- source—poor-charlies-almanack — Munger applies similar logic throughout the Psychology of Human Misjudgment.