You are here: Home Contents V17 N1 V17N1_White.html
Personal tools

Root Cause Analysis Quality Model for Corporate Security Breaches



Full text

Journal of Information System Security
Volume 17, Number 1 (2021)
Pages 330
ISSN 1551-0123
Garry L. White — Texas State University, USA
Jaymeen Shah — Texas State University, USA
Information Institute Publishing, Washington DC, USA




In this paper, we explore issues that dilute the effectiveness of Root Cause Analysis (RCA) within an organization and propose a model for RCA quality. Using the socio-organizational perspective, we grouped the issues that potentially affect the RCA quality into three factors: Environment, Person, and Process. This grouping leads to a quality RCA model for an integrated RCA thinking to identify the root cause(s) of information security incidents. This lays the foundation for further theoretical development research to address these issues and to test the RCA framework with regards to corporate information security breaches.




Root Cause Analysis, Failure Analysis Learning, Quality Model, RCA Process, Environment, Person.




Bauer, J. and Harteis, C., (Eds) (2012), Human Fallibility: The Ambiguity of Errors for Work and Learning, Springer, Dordrecht.

Baumgartner, A. and Seifried, J., (2014), "Error climate and how individuals deal with errors in the workplace", in Harteis, C., Rausch, A. and Seifried, J., (Eds.), Discourses on Professional Learning: On the Boundary between Learning and Working, Springer, Dordrecht, pp. 95-11.

Beeler, J. (1987). Shell sleuths solve error mystery, save millions. Computerworld, 21(12), 89. Retrieved from

Bjørnson, F. O., Wang, A. I., and Arisholm, E. (2009). Improving the effectiveness of root cause analysis in post mortem analysis: A controlled experiment. Information and Software Technology, 51(1), 150. Retrieved on June 20, 2018, from

Black, N. H., and Vernetti, B. J. (2015). Root-cause analysis: Creating & utilizing a functional database. Professional Safety, 60(2), 60-62. Retrieved from

Blanchette, W. and Hildebrandt A. (2017). Root Cause Analysis: from Root to Stem. Graduate Research Paper, course CIS 5368, Texas State University.

Bowie, P., Skinner, J., and de Wet, C. (2013). Training health care professionals in root cause analysis: A cross-sectional study of post-training experiences, benefits and attitudes. BMC Health Services Research, 13, 50. doi:

Card, A.J., Ward, J.R., and Clarkson, P.J. (2012). Successful risk assessment may not always lead to successful risk control: A systematic literature review of risk control after Root Cause Analysis. Journal of Healthcare Risk Management, 31(3), 6-12.

Chadha, R. (2016). Why ask why? Quality Progress, 49(1), 49. Retrieved from

Chang, S.E., and Lin, C.S. (2007). Exploring organizational culture for information security management. Industrial Management & Data Systems, 107(3), 438-458.

Dalai Lama, (2013). A Biased Mind Cannot Grasp Reality. The BeZine, The Bardo Group Beguines. Accessed on July 22, 2018 from:

Dew, J. R. (2002). Using root cause analysis to make the patient care system safe. Quality Congress. ASQ's ...Annual Quality Congress Proceedings, , 651-655. Retrieved from

Dhillon, G. and Backhouse, J. (2001). Current directions in IS security research: Towards socio-organizational perspectives. Information Systems Journal, 11(2), 127-153.

Dhillon, G., Samonas, S., and Etudo, U. (2016). “Developing a human activity model for insider IS security breading using Action Design Research” in Hoepman, J. and Katzenbeisser, S., (Eds.), International Federation for Information Processing AICT 471, pp. 49-61.

D'Innocenzio, A. (May 23, 2017). Target Corp. reaches $18.5 million settlement over data breach. Journal Sentinel, part of USA Today Network. Retrieved from:

Dixon-Woods, M., Yeung, K., and Bosk, C. L. (2011). Why is UK medicine no longer a self-regulating profession? The role of scandals involving “bad apple” doctors. Soc Sci Med, 73, 1452–1459.

Doggett, A. (2004). A statistical comparison of three root cause analysis tools. Journal of Industrial Technology, 20(2), 2-9.

Edmondson, A. and Cannon, M (2005). “The Hard Work of Failure Analysis.” Harvard Business School Working Knowledge, available at: (accessed 6/30/2018).

Fortes, S., Barco, R., Aguilar-García, A., and Muñoz, P. (2015). Contextualized indicators for online failure diagnosis in cellular networks. Computer Networks, 82, 96. Retrieved from

Furnell, S. and Clarke, N. (2012). Power to the people? The evolving recognition of human aspects of security. Computers & Security, 31(8), 983-988.

Garavaglia, B., P.H.D. (2008). The problem with root cause analysis. Nursing Homes, 57(2), 38-39. Retrieved from

Giardina, T. D., King, B. J., Ignaczak, A. P., Paull, D. E., Hoeksema, L., Mills, P. D., . . . Singh, H. (2013). Root cause analysis reports help identify common factors in delayed diagnosis and treatment of outpatients. Health Affairs, 32(8), 1368-75. Retrieved from

Goldratt, E. M. (1994). It’s Not Luck. North River Press: Great Barrington, MA.

Gordon, A. (2015). Official (ISC)2 Guide to the CISSP, 4th Ed. (ISC)2, pp. 841.

Gregg, B. (2016). The flame graph. Association for Computing Machinery.Communications of the ACM, 59(6), 48. Retrieved from url=

Guhr, N., Lebek, B., and Breitner, M.H. (2019). The impact of leadership on employees’ intended information security behaviour: An examination of the full-range leadership theory. Information Systems Journal, 29(2), 340-362.

Hollway, J.F. (Feb. 2014). “Guidelines for the Use of Root Cause Analysis (RCA) to Reduce Error and Improve Quality in Forensic Science Laboratories.” The Quattrone Center. _improve_quality_in_forensic_science_labs.hollway.labmgmt.pdf (Accessed on June 30, 2018).

Hood C, Rothstein H, Baldwin R. The government of risk: understanding risk regulation regimes. USA: Oxford University Press, 2001.

Hu, Q., Dinev, T., Hart, P., and Cooke, D. (2012). Managing employee compliance with information security policies: The critical role of top management and organizational culture. Decision Sciences, 43(4), 615-660.

IBM Corporation (2019). IBM X-force threat intelligence index 2019. IBM Security, Armonk, NY.

IS/ISO/IEC 17025: General Requirements for the Competence of Testing and Calibration Laboratories (2005). Bureau of Indian Standards. The Internet Archive. (Accessed 12/10/2018) Retrieved from

Ishikawa, K. (1982). Guide to Quality Control. Asian Productivity Organization: Tokyo, Japan.

Keith, N. and Frese, M., (2008), "Effectiveness of error management training: a meta-analysis", Journal of Applied Psychology, Vol. 93 no. 1, pp. 59-69.

Latino, R. J. (2000). Getting to the root of chronic failures. Chemical Engineering, 107(4), 84-86,88,90,92. Retrieved from

Lee, V. H. and Robinson, C. (2005). How many causes should you pursue? The Journal for Quality and Participation, 28(2), 22-23. Retrieved from

Lehtinen, T. O. A., Mäntylä, M.,V., and Vanhanen, J. (2011). Development and evaluation of a lightweight root cause analysis method (ARCA method) - field studies at four software companies. Information and Software Technology, 53(10), 1045. Retrieved from

Loughnane, J. G. (2017). Mediating cybersecurity disputes in distressed circumstances. American Bankruptcy Institute Journal, 36(7), 26-27,47. Retrieved from

Macrae C. (2014). Close calls: managing risk and resilience in airline flight safety. Basingstoke: Palgrave Macmillan.

Maghbooli, B., Bakhtiari, A., and Najafi, H. (2013). Correcting improper performance of direct fired heaters. Chemical Engineering, 120(5), 39-49. Retrieved from

Malhotra, S. (2018). Behavioral assumptions in root-cause analysis. Professional Safety, 63(1), 43-44. Retrieved from

Malik, Z. (2015). Target Data Breach. Graduate Project Presentation for CIS 5368, Texas State University, San Marcos, TX.

Mappigau, P., Amar, Y., Hastang, Siregar, A. R., and Kadir, S. (2017). Root problem of supply chain collaborative practices and strategies to improve competitive advantage of smallholders beef cattle farming in rural areas. Kuwait Chapter of the Arabian Journal of Business and Management Review, 6(11), 10-18. doi:

Markus, M. L. (1983). Power, politics, and mis implementation. Communications of the ACM, 26(6), 430-444.

Mead, N. (2013). The Common Criteria. US-CERT, Department of Homeland Security. (Accessed 12/10/2018).

MindTools, Editorial Team (2017). “Root Cause Analysis – Tracing a problem to its origins.” Accessed from htpps:// on March 29, 2017.

Mizuno, S. (1988). Management for Quality Improvement: The Seven New QC Tools. Productivity Press: Cambridge, MA.

NIST SP 800 series. Computer Security Resource Center. (Accessed 12/10/2018).

Okes, D. (2005). Improve your Root Cause Analysis. Manufacturing Engineering, 134(3), 171-178.

Okes, D. (2008). The human side of root cause analysis. The Journal for Quality and Participation, 31(3), 20-22,29. Retrieved from

Oster, G. (2017). Using Failure Analysis Learning in Business School Instruction. Review of International Comparative Management, 18(5), 458-496.

Peerally MF, Carr S, Waring J, et al. (2017). The problem with root cause analysis. BMJ Qual Saf 26, 417-422.

Percarpio, K.B., Watts, B.V., and Weeks, W.B (2008). The effectiveness of root cause analysis: what does the literature tell us? Jt Comm J Qual Patient Saf. 34(7), 391-8. PubMed PMID: 18677870.

Perry, P. M. (1998). Manage your problem employees with emotional intelligence. Rural Telecommunications, 17(4), 49-52. Retrieved from

Plachkinova, M. and Maurer, C. (2018). Teaching Case: Security Breach at Target. Journal of Information Systems Education, 29(1), 11-19.

Rasmussen, J. (1997). Risk management in a dynamic society: A modeling problem. Safety Science, 27, 183-213.

Rausch, A., Seifried, J., and Harteis, C. (2017). Emotions, coping and learning in error situations in the workplace. Journal of Workplace Learning, 29(5), 374-393. Retrieved from

Riley, M., Elgin, B., Lawrence, D., and Matlack, C. (2014). Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. Bloomberg Businessweek, 13.

Schniepp, S. J. (2013). The human error behind human error. Pharmaceutical Technology, 37(2), 24. Retrieved from

Security Standards Council (2018). PCI-DSS: Requirements and Security Assessment Procedures. (Accessed 12/10/2018).

Segovia, A. J. (October 26, 2015). How to handle incidents according to ISO 27001 A.16. Accessed from: on June 26, 2018.

Siekkinen, M., Urvoy-Keller, G., Biersack, E. W., and Collange, D. (2008). A root cause analysis toolkit for TCP. Computer Networks, 52(9), 1849. Retrieved from

Solomon, H. (2000, Feb 04). Noranda's help desk puts SLAs in question. Computing Canada, 26, 21. Retrieved from

Söylemez, M. and Tarhan, A. (2018). Challenges of software process and product quality improvement: Catalyzing defect root-cause investigation by process enactment data analysis. Software Quality Journal, 26(2), 779-807. doi:

Tang, A., Jin, Y., and Han, J. (2007). A rationale-based architecture model for design traceability and reasoning. The Journal of Systems and Software, 80(6), 918. Retrieved from

Tucker, A. and Edmondson, A., (2003), "Why hospitals don't learn from failures-organizational and psychological dynamics that inhibit system change", California Management Review, Vol. 45 no. 2, pp. 55-72.

van Dyck, C., Frese, M., Baer, M. and Sonnentag, S., (2005), "Organizational error management culture and its impact on performance: a two-study replication", Journal of Applied Psychology, Vol. 90 no. 6, pp. 1228-1240.

Vidyasagar, A. (2015). The art of Root Cause Analysis. Quality Progress, 48(2), 64.

Wangen, G., Hellesen, H., Torres, H., and Braekken, E. (2017). An Empirical Study of Root-Cause Analysis in Information Security Management. SECURWARE 2017: The Eleventh International Conference on Emerging Security Information, Systems, and Technologies. IARIA, Rome, Italy.

Ward, D. (2000). Keystone mercy strives for a healthy security plan. InformationWeek, (805), 192-194. Retrieved from

Wei, L. C. and Madnick, S. (2018). A system theoretic approach to cybersecurity risk analysis and mitigation for autonomous passenger vehicles. MIT Cybersecurity Interdisciplinary Systems Laboratory, Cambridge, MA. Working paper CISL# 2018-09. Retrieved from

White, G. (Spring, 2009). “Strategic, Tactical, and Operational Management Security Model.” Journal of Computer Information Systems, 49(3), 71-75.

White, G. (2013). “A New Value for Information Security Policy Education.” PROCEEDINGS of the 2013 Annual Information Systems Educators Conference (ISECON), San Antonio, Texas, November 7-10, 2013.

White, G. and Shah, J. (2017). “The need to teach Root Cause Analysis in an Information Security course.” Proceedings of the EDSIG Conference, (Nov 5-8, 2017) Austin, Texas.