What investigative techniques should be used? There are many styles of investigation and analysis. The NTSB uses a party system in which it formally designates organizations or individuals as parties to the investigation. Investigating failures in complex, high reliability systems is a skillset that must be developed. The absence of single points of failure is a hallmark of a high-reliability design. And so failures in such systems rarely have a single “root cause,” and investigators look at contributing factors, including human factors and control failures. They use techniques that look to delve deeper than finding a root cause or operator error.
FINDING: “Contributing Factors” is a better approach than Root Cause Analysis Aviation and other high safety fields have eliminated single points of failure, and as such, there never is a single root cause but rather a series of “contributing factors.” The tradeoffs in investigative structures that try to understand the causes of incidents and prevent their emergence elsewhere have been studied deeply in the context of safety, reliability, and resilience. A series of “contributing factors” likely led to the ultimate bad outcome. In some cases, correction of any single contributing factor may have prevented the bad outcome. In contrast, cybersecurity professionals often focus on understanding the “one thing” that led to an incident. For example, guidance from the Center for Internet Security and the Department of Defense both call for incident investigators to understand “root causes.”61 Department of Defense, Cybersecurity Maturity Model Certification (CMMC) Version 1.02, March 18, 2020, [IR 2.097], https://www.acq.osd. mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf; Center for Internet Security, CIS Controls Version 8, [16.3], https://www.cisecurity. org/controls/v8/. Root cause analysis, as called for in both the CMMC and CIS Controls, is important for treating cyber incidents as isolated events rather than as a systemic issue. IR 2.097 in NIST CMMC and CIS 19.6 are both about “root cause” vs. “contributing factors”. Root cause analysis is, as previously mentioned, often part of treating cyber incidents as isolated instead of systemic.
61
36
Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity
