M.18) Find the root cause of problems and errors (5 why’s)

Category:        Development process

Responsible:   CTO

Effort:              no additional effort – this measure will actually help the team to save time and avoid errors in future

Based on:       [1]

It is important to find the root cause of problems, so that they do not occur again. While this advice sounds very intuitive and simple, in reality many companies struggle with problems which occur again and again. While problems do not necessarily need to be related to information security, this topic is especially important for information security. Many times security patches do not eliminate the problem at the root and leave vulnerabilities in the software, so that second or third patches are necessary. This can be prevented with the following method:

The “5 Why” method [2] is used to determine the root cause of problems or defects. This is done by asking the question “Why?” multiple times until the cause-effect relationship is found. There are other popular methods to find the cause of a problem (like 8D reports [3]), but this one is very lean and perfect for startups. There are plenty of resources and templates online available concerning the 5 Why analysis. This is why it won’t be further described here.

An example of a 5-Why analysis template can be found here: (5-why analysis).


[1] C. Scott, “Improving application security after an incident,” [Online]. Available: https://www.owasp.org/index.php/Improving_application_security_after_an_incident. [Accessed 09 20 2016].

[2] Lean Production Expert, “5-Why Methode,” [Online]. Available: http://www.lean-production-expert.de/lean-production/5-why.html. [Accessed 2016 10 03].

[3] B. Jung and S. W. J. Schweißer, 8D und 7STEP – Systematisch Probleme lösen, Hanser Verlag: München, 2011.



The information contained in this website is for general information purposes only. You can find more information about the accuracy of the information on the disclaimer and terms and conditions pages.