Research & Consultancy

Root cause analysis versus Self-justification

First some copy & paste definitions:
Source: --> someone quotes someone

Root Cause Analysis

"A root cause is an initiating cause of a causal chain which leads to an outcome or effect of interest. Commonly, root cause is used to describe the depth in the causal chain where an intervention could reasonably be implemented to change performance and prevent an undesirable outcome.

Root cause analysis (RCA) is a class of problem solving methods aimed at identifying the root causes of problems or incidents. The practice of RCA is predicated on the belief that problems are best solved by attempting to correct or eliminate root causes, as opposed to merely addressing the immediately obvious symptoms. By directing corrective measures at root causes, it is hoped that the likelihood of problem recurrence will be minimized. However, it is recognized that complete prevention of recurrence by a single intervention is not always possible. Thus, RCA is often considered to be an iterative process, and is frequently viewed as a tool of continuous improvement.
RCA is initially a reactive method of problem detection and solving. This means that the analysis is done after an incident has occurred. By gaining expertise in RCA it becomes a pro-active method. This means that RCA is able to forecast the possibility of an incident even before it could occur. While one follows the other, RCA is a completely separate process to Incident Management.

Notice that RCA (in steps 3, 4 and 5) forms the most critical part of successful corrective action, because it directs the corrective action at the true root cause of the problem. The root cause is secondary to the goal of prevention, but without knowing the root cause, we cannot determine what an effective corrective action for the defined problem will be.
1. Define the problem.
2. Gather data/evidence.
3. Ask why and identify the true root cause associated with the defined problem.
4. Identify corrective action(s) that will prevent recurrence of the problem (your 100 year fix).
5. Ensure that solutions are within your control, meet your goals and objectives and do not cause other problems.
6. Implement the recommendations.
7. Observe the recommended solutions to ensure effectiveness."

Self-justification

The Fox and the Grapes by Aesop.

"The need to justify our actions and decisions, especially the wrong ones, comes from the unpleasant feeling called "cognitive dissonance". Cognitive* dissonance* is a state of tension that occurs whenever a person holds two cognitions that are inconsistent. For example, "Jumping out of an aeroplane may kill me" and yet "I like parachute jumping". The most direct way to reduce the dissonance would be to not jump. However, if the person failed to quit that adrenaline addictive pastime, he must find another way to reduce the dissonance. He could do so by convincing himself that jumping is not really dangerous, or reasoning that it is worth the risk because it helps him to relax.

There are two self-justification strategies defined: internal self-justification (IS) and external self-justification (ES).
Internal self-justification refers to a change in the way people perceive their actions. It may be an attitude change, trivialization of the negative consequences or denial of the negative consequences. Internal self-justification helps make the negative outcomes more tolerable and is usually elicited by hedonistic* dissonance.
External self-justification refers to the use of external excuses to justify one's actions. The excuses can be a displacement of personal responsibility, lack of personal control or social pressures. External self-justification aims to diminish one's responsibility for a behaviour and is usually elicited by moral dissonance. Probable external self-justification strategies include arguments such as 'environmental problems will be solved in the future'."


 
cognition: the mental action or process of acquiring knowledge and understanding through thought, experience, and the senses.
From Latin cognoscere ‘get to know’

dissonance: a tension or clash resulting from the combination of two disharmonious or unsuitable elements.
From Latin dissonant ‘not agreeing in sound’

 




A few intriguing observations:

As you may have read on some of these pages and in the general media, it is rather common that those who are responsible for protection, like Security Officers or Infrastructure Security Architects, are not able to handle information protection pragmatically enough to get a solid result. In other words, they fail to deliver.
There is a stream of news articles about organisations which have security departments with 10..100+ people, 24/7 SOCs, a budget over 100.000,- per year, full certification and the latest fancy 'security' products, and still get hacked by bored teenagers, have malware infections, and suffer other easy-to-prevent disturbances (security incidents).

The use of External Self-justification (ES) comes into strong play when they are confronted with the facts. Partly because top level management is in an interdependent trust relationship with their chosen 'security experts', the reasoning (self-justification excuses) is taken for granted by management. Thus all contradicting evidence is conveniently ignored.
Routinely it becomes their prime goal to protect and maintain the status quo, at times resulting in behaviour resembling some symptoms associated with "Schizophrenia", because of the ever-growing "cognitive dissonance". For instance: lack of responsiveness or motivation, self-contradicting and incoherent statements in reports, poker-face denial of their own recorded statements and actions, 'hiding under a rock/behind a desk', etc.

The situation described above is sadly the result of a flawed academic education method for such jobs. People are led to believe that, when they get their degree or certification, they have mastered the craft and have become "The Experts".
Then the expectations are inherently raised, and admitting "to not know all that is required to get the desired result" seems to be no option. Failure, or losing face, can be basic things like having to read a manual before answering a question, or revising previously made plans after new information comes to light.
That popular construction is a fantastic root cause to set people up to fail by default.

If those people learned to simply switch between the "Expert" and "Learner" roles in their work environment, depending on the situation, a root cause issue would be removed.


Fantastic: from Greek phantastikos, from phantazein ‘make visible’, from phantos ‘visible’
status quo: the existing state of affairs, esp. regarding social or political issues.



A few more words before using pixels for a visual effect:
 How to get them out of the loony bin, or prevent them from getting on that thin ice:

To get people out of that catch-22 situation, a combination of methods can be used.
- Re-education, with a set of balanced teaching/training methods.
- Superior_Peer mentoring.
- Allowing the person enough space and freedom to 'fail' from time to time, and slip into the role of pupil when needed, without losing honour.
- Guided demotion, when the person has slipped into a long term severe state of cognitive dissonance.
- Mitigating the top-down pressures, like unreasonable expectations.
- Reorganising the organisation's structure, to facilitate a space where the people can acclimate to a healthier group structure.
- ....

To prevent those upcoming 'Experts' from getting lost with those 'official' ice skating methods:
- Let us take care of the pre- and post- education.
Then they can go to the regular educational institutes to learn about the nuts and bolts for the technical side of the profession, but with enough pre-knowledge and post-correction to stay clear of the pitfalls that come with the methods used by those institutes.

 

Now let's use those last pixels:
How to get across a lake without skating on thin ice.

Sailing