The five whys of information security

5 May 2021

The five ‘whys’ can help you analyse the underlying cause of information security incidents – AKA data breaches.

Data breaches are a common problem, and getting to the root of the issue is important. In 2020, 37% of companies in the UK reported an information security incident to the Information Commissioner’s Office.

And according to a 2020 report by IBM, the average cost of a data breach globally was $3.86 million.

The five ‘whys’

This method can be a handy way to discover the real underlying cause of the problem. Often what appears to be simple human error may actually be a systemic issue that can be solved.

You don’t have to ask ‘why’ exactly five times; ask as many times as needed to determine the root cause.

Each ‘why’ must be derived from the answer to the previous one. The idea is to trace a problem back to its origin.

Example of using the five whys

Problem: a letter went to the incorrect person

  • Why did the letter go to the incorrect person? The address was wrong
  • Why was the address wrong? Because the system had two different addresses
  • Why did the system have two addresses? The address had been updated but only in one place on the record
  • Why wasn’t the record properly updated? The worker was not trained properly
  • Why were they not trained properly? Because the system has changed and internal procedures have not been updated and communicated properly

As you can see, each answer leads to the next why.

Next time you have an information security incident (even a near miss), give this a try. You never know what root causes you might uncover.
