What is root cause analysis?
Root cause analysis is the process of identifying the underlying reason an incident occurred, not just the visible symptoms.
Simple example
A business resets a compromised account, then investigates and finds that the real cause was missing MFA and a successful phishing email.
Why it matters
Finding the root cause helps prevent the same incident from happening again.
Common warning signs
- The activity is unexpected or unusual for the business context.
- The request or system behaviour creates pressure to act quickly.
- Normal approval, verification, or security processes are bypassed.
- There are signs of unauthorised access, data exposure, or system change.
- Staff are unsure whether the request, message, or system behaviour is legitimate.
Cyber Doc view
This term should be understood in business context, not only as a technical issue. Good protection usually combines clear processes, appropriate technical controls, staff awareness, and a calm response plan.
What to do
Proactive steps
- Maintain logs and change records.
- Review security controls regularly.
- Document known weaknesses and remediation plans.
- Use post-incident reviews.
- Track repeated incidents and near misses.
Reactive steps
- Identify the initial entry point where possible.
- Separate symptoms from underlying causes.
- Document contributing factors.
- Fix the root cause, not only the immediate issue.
- Turn findings into practical improvements.
Related terms
- Lessons learned
- Incident response
- Security improvement