You are here: Home Contents V18 N1 V18N1_White.html
Personal tools

Root Cause Analysis for Information Security Incidents: A Pedagogical Requirement



Full text

Journal of Information Systems Security
Volume 18, Number 1 (2022)
Pages 324
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Garry White — Texas State University, USA
Jaymeen Shah — Texas State University, USA
Information Institute Publishing, Washington DC, USA




Even with laws and technology, computer/information security incidents still occur in corporations. Corporations need to be not only able to protect from, but also be able to detect and respond to security incidents. It is essential to identify and understand the main cause of the security incident to take appropriate corrective actions. Root Cause Analysis (RCA) is a technique to identify the main cause(s) of an incident. It is used in many fields; however, it is not found in higher education introductory information/computer security textbooks or curriculum plans. There is very little peer-reviewed literature about using RCA when there is an information/computer security incident. The purpose of this exploratory research is to investigate issues in RCA education and show the need to teach RCA in an information security course. The results of this study indicated students had problems with analytical thinking; differentiating symptoms and causes of security incidents. However, students were very creative with valid content beyond what was presented in a security course.




Security, Root Cause Analysis, Education, Training, Problem-Solving, 5-Whys, MindTools, Cause-and-Effect, Analysis, Critical-Thinking.




Abdi, Z. and Ravaghi, H. (2017). Implementing root cause analysis in Iranian hospitals: Challenges and benefits. The International Journal of Health Planning and Management, 32, 147-162.

ACM (2017). Cybersecurity Curricula 2017, version 1. Computing Curricula Series Joint Task Force on Cybersecurity Education. Accessed on 09/23/2018 from:

Aiello, T. (2007). Five steps to securing data in the contact center. Customer Inter@ction Solutions, 26(1), 26.

Al-Mamory, S. O. and Zhang, H. (2007). A survey on IDS alerts processing techniques. 6th WSEAS International Conference on Information Security and Privacy, Tenerife, Spain, December 14-16, 2007, p. 69-78.

Al-Mamory, S. O. and Zhang, H. (2009). Intrusion detection alarms reduction using root cause analysis and clustering. Computer Communications 32, 419–430.

Andersen, B. and Fagerhaug, T. (2006). Root Cause Analysis: Simplified Methods and Techniques. ASQ Quality Press: Milwaukee, WI.

Baskerville, R. (1993). Information systems security design methods: implications for information systems development. ACM Computing Surveys 25, 375-414.

Benjamin, S. J., Marathamuthu, M. S., and Murugaiah, U. (2015). The use of 5-Whys technique to eliminate OEE’s speed loss in a manufacturing firm. Journal of Quality in Maintenance Engineering, 21(4), 419-435.

Black, N. H. and Vernetti, B. J. (2015). Root-cause analysis: Creating & utilizing a functional database. Professional Safety, 60(2), 60-62.

Bowie, P., Skinner, J., and de Wet, C. (2013). Training health care professionals in root cause analysis: A cross-sectional study of post-training experiences, benefits and attitudes. BMC Health Services Research, 13, 50. doi:

Braithwaite, J., Westbrook, M.T., Mallock, N.A., Travaglia, J.F., and Ledema R.A. (2006). Experiences of health professionals who conducted root cause analyses after undergoing a safety improvement program. Qual Saf Health Care, 15(6), 393-399

Chadha, R. (2016). Why ask why? Quality Progress, 49(1), 49.

Dhillon, G. and Backhouse, J. (2001) Current directions in IS security research: towards socio-organizational perspectives. Information Systems Journal 11, 127-153.

Dhillon, G., Smith, K., and Dissanayaka, I. (2021). Information systems security research agenda: Exploring the gap between research and practice. The Journal of Strategic Information Systems, 30(4).

Doggett, A. (2004). A statistical comparison of three root cause analysis tools. Journal of Industrial Technology, 20(2), 2-9.

Fogle, A. and Kandler, E. (2017). Five whys and a why not. Quality Progress, January 2017, 63-63.

Gerber, M. and von Solms, R. (2008), Information security requirements – Interpreting the legal aspects. Computers & Security, 27(5-6), 124-135.

Goldratt, E. M. (1994). It’s Not Luck. North River Press: Great Barrington, MA.

Gonzalez, G. (2007). Simple yet overlooked IT security path: Make sure 'mundane' fixes are made. Business Insurance, 41(21), 26-26, 28.

Goodall, J., Lutters, W., and Komlodi, A. (2004). The Work of Intrusion Detection: Rethinking the Role of Security Analysts. AMCIS 2004 Proceedings. 179.

Huertas-Quintero, L.A.M., Conway, P. P., Segura-Velandia, D., and West, A. A. (2011). Root cause analysis support for quality improvement in electronics manufacturing. Assembly Automation, 31(1), 38-46. doi:

ISACA (2012). ISACA Model Curriculum for Information Security Management 2nd Ed. ISACA, Rolling Meadows, IL 60008 USA.

Ishikawa, K. (1982). Guide to Quality Control. Asian Productivity Organization: Tokyo, Japan.

Julisch, K. (2003). Clustering intrusion detection alarms to support root cause analysis. ACM Transactions on Information and System Security, ACM Press 6(4), pp. 443-471.

Kaelin, A. B. (2018). Root cause analysis and corrective action: Turning problems into solutions. JPCL, pp. 19-23.

Kessler, G. C. and Ramsay, J.D. (2014). A Proposed Curriculum in Cybersecurity Education Targeting Homeland Security Students. 2014 47th Hawaii International Conference on System Science, 4932-37. 978-1-4799-2504-9/14 2014 IEEE, DOI 10.1109/HICSS.2014.605

Laberis, B. (2016). 20 Eye-opening cybercrime statistics. Security Intelligence, Nov. 14, 2016.

Lang, A., Bashir, M., Campbell, R., and DeStefano, L. (2014). Developing a new digital forensics curriculum. Digital Investigation, 11(2), 76-84.

Lehtinen, T. O., Mäntylä, M. V., and Vanhanen, J. (2011). Development and evaluation of a lightweight root cause analysis method (ARCA method) - field studies at four software companies. Information and Software Technology, 53(10), 1045.

Luo, X. and Liao, Q. (2007). Awareness education as the key to ransomware prevention. Information Security Journal, 16(4), 195-202.

Mahto, D. and Kumar, A. (2008). Application of root cause analysis in improvement of product quality and productivity. Journal of Industrial Engineering and Management, 1(2), 16-53.

McFadzean, E., Ezingeard, J.-N., and Birchall, D. (2006). Anchoring information security governance research: sociological groundings and future directions. Journal of Information System Security 2, 3-48.

Miller, R. J. and Maellaro, R. (2016). Getting to the Root of the Problem in Experiential Learning: Uisng Problem Solving and Collective Reflection to Improve Learning Outcomes. Journal of Management Education, 40(2), 170-193.

MindTools (2017). “Root Cause Analysis – Tracing a problem to its origins.” Accessed from htpps:// on March 29, 2017.

Mizuno, S. (1988). Management for Quality Improvement: The Seven New QC Tools. Productivity Press: Cambridge, MA.

Nailen, R. L. (2015). Root cause analysis: Methodology or mythology? Electrical Apparatus, 68(1), 19-24.

NIST SP 800-115 (2008). Technical Guide to Information Security Testing and Assessment. National Institute Standards and Technology of the Department of Commerce, Washington D.C., U.S.A.

Okes, D. (2005). Improve your Root Cause Analysis. Manufacturing Engineering, 134(3), 171-178.

PCI Security Standards Council (2018). Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, Version 3.2.1. Accessed on 09/23/2018 from

Peerally M.F., Carr, S., Waring, J., and Dixon-Woods M. (2017). The problem with root cause analysis. BMJ Qual Saf, 26, 417-422.

Percarpio K.B., Watts, B.V., and Weeks, W. B. (2008). The effectiveness of root cause analysis: what does the literature tell us? Jt Comm J Qual Patient Saf., 34(7), 391-398.

Plachkinova, M. and Maurer, C. (2018). Teaching Case: Security breach at Target. Journal of Information Systems Education, 29(1), 11-19.

Pylipow, P.E. and Royall, W.E. (2001). Root Cause Analysis in a world-class manufacturing operation. Quality, 40(10), 66-70.

Radware, M. (2017). Threat Alert: WannaCry ransomware. White paper. Radware, Mahwah, NJ 07430. Accessed May 21, 2017:

Rasmussen, M. (2003) Analyst Report: IT trends 2003 – Information Security Standards, Regulations and Legislation – Giga Information Group® 2003. Retrieved from on May 21, 2017.

Riley, M., Elgin, B., Lawrence, D., and Matlack, C. (2014). Missed alarms and 40 million stolen credit card numbers: How Target blew it. Bloomberg Business – Businessweek March 13, 2014. Retrieved from: /articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data, on July 20, 2016.

Sharma, R. K. and Sharma, P. (2010). System failure behavior and maintenance decision making using, RCA, FMEA and FM. Journal of Quality in Maintenance Engineering, 16(1), 64-88. doi:

Siponen, M.T. (2005). An analysis of the traditional IS security approaches: implications for research and practice. European Journal of Information Systems 14, 303-315.

Spencer, K. (2015). Getting to the root cause. Quality, 54(8), 42-45.

Sproull, R. (2001). Process Problem Solving: A Guide for Maintenance and Operations Teams. Productivity Press: Portland, OR.

Srinivasan, S. (2009). Computer forensics curriculum in security education. Proceeding of InfoSec CD '09 2009 Information Security Curriculum Development Conference, 32-36. Kennesaw, Georgia, September 25 - 26, 2009.

Stamper, R. (1991). The semiotic framework for information systems research. Proceedings of the IFIP TC8/WG8.2 Conference on Information Systems Research Arena of the 90s. Copenhagen, Denmark, pp. 515-527.

Thomen, J.R. (1996). Root Cause: Holy Grail or fatal trap? Professional Safety, 41(9), 31-32.

Tu, M., Xu, D., Wira, S., Balan, C., and Cronin,K. (2012). On the development of a digital forensics curriculum. Journal of Digital Forensics Security and Law, 7(3).

USDHHS (2017). U.S. Department of Health and Human Services, Office for Civil Rights. Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. accessed May 24, 2017.

Vidyasagar, A. (2015). The art of Root Cause Analysis. Quality Progress, 48(2), 64.

White, G. (2015). Education and prevention relationships on security incidents for home computers. Journal of Computer Information Systems, 55(3), 29-37. doi:10.1080/08874417.2016.1232991

Wu, A. W., Lipshutz, A.K., and Pronovost, P.J. (2008). Effectiveness and efficiency of root cause analysis in medicine. JAMA, 299(6), 685–687.doi:10.1001/jama.299.6.685

Yang, S. C. and Wen, B. (2017). Towards a cybersecurity curriculum model for undergraduate business schools: A survey of AACSB-accredited institutions in the United States. Journal of Education for Business, 92:1, 1-8, DOI: 10.1080/08832323.2016.1261790.

Yasinsac, A. (2002). Information Security Curricula in Computer Science Departments: Theory and Practice. Research Gate publication 228849708.