Optimising ICAM for Cyber Incidents: How to Apply Safety Investigation Methods to Security Breaches

In Australia, the number of serious cyber incidents keeps climbing. The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) responded to more than 1,200 cyber security incidents in a single year — an 11% increase — and that’s just what gets reported. 

Yet many organisations still treat post-incident reviews as a technical debrief: patch the system, restore the backup, blame a weak password, move on.

If you come from a safety-critical industry, you probably know that approach would never fly after a serious injury or equipment failure. You would reach for a structured method like the Incident Cause Analysis Method (ICAM), designed to uncover deeper organisational, human and environmental factors — not just the immediate trigger. 

This is where ICAM for cyber incidents comes in. By adapting a proven safety investigation method, you can turn security breaches into rich sources of learning, not just bad headlines.

In this article, you will learn:

  • How ICAM translates from safety incidents to cyber security breaches
  • How to map ICAM elements to common cyber scenarios
  • Practical steps to design a cyber security investigation process using ICAM
  • Governance and documentation tips to make investigations defensible and repeatable
  • Common pitfalls to avoid when you apply ICAM for the first time

Table of contents

  • Why use ICAM for cyber incidents?
  • Mapping ICAM elements to cyber security breaches
  • Designing a cyber security investigation process with ICAM
  • Governance and documentation essentials
  • Practical tips and common pitfalls
  • Turning every breach into a learning opportunity

Why use ICAM for cyber incidents?

ICAM was originally developed to investigate workplace accidents in sectors like mining, aviation and oil and gas. It focuses on understanding systemic causes, not just what the last person in the chain did wrong. 

At its core, ICAM structures contributing factors into four elements: 

  • Absent or failed defences
  • Individual or team actions
  • Task or environmental conditions
  • Organisational factors

That structure is a powerful fit for cyber security incidents, where:

  • Attacks often exploit multiple small weaknesses rather than a single catastrophic failure
  • Human decisions (approving an access request, clicking a link, delaying a patch) interact with complex systems
  • Organisational pressures, such as tight project deadlines or under-resourced security teams, quietly shape risk

Australian cyber security guidance already emphasises clear incident response roles, governance, and lessons learnt. ICAM gives you a practical lens to turn that guidance into a repeatable investigation process.

Mapping ICAM elements to cyber security breaches

To optimise ICAM for cyber incidents, you first need to “translate” its elements into the language of security.

  • Absent / failed defences
    • Safety context (typical focus): guards, interlocks, inspections, alarms
    • Cyber security example questions: Which controls failed or were missing (MFA, monitoring, approvals)?
  • Individual / team actions
    • Safety context (typical focus): front-line decisions, errors, workarounds
    • Cyber security example questions: Who did what, when — and why did those actions make sense at the time?
  • Task / environmental conditions
    • Safety context (typical focus): workload, time pressure, lighting, noise, tooling
    • Cyber security example questions: What was the context (on-call at 2am, project go-live, vendor outage)?
  • Organisational factors
    • Safety context (typical focus): culture, resourcing, training, procedures, design decisions
    • Cyber security example questions: How did policies, priorities or structures make this breach possible?

These categories guide your investigation beyond “the firewall rule was wrong” towards questions such as:

  • Why was the change not peer-reviewed?
  • Why was multi-factor authentication out of scope for that system?
  • Why did monitoring alerts go untriaged for several days?

To make this work in practice, your incident responders need a structured cyber security investigation approach — not just technical playbooks. That often includes learning how to gather evidence, interview stakeholders and build a coherent cause map that stands up to governance and regulatory scrutiny.

Specialist cyber security investigation programs that integrate ICAM with digital forensics and incident response can help teams build that capability in a focused way.

Designing a cyber security investigation process with ICAM

Once you have the ICAM lens, you need a consistent process that can be triggered after significant incidents or near misses.

A practical ICAM-informed investigation process for cyber incidents might follow these steps:

  1. Define the event and scope
    1. What exactly are you investigating (e.g. “compromise of privileged credentials leading to unauthorised database access”)?
    2. Which systems, time periods and stakeholders fall in scope?
  2. Build a factual timeline
    1. Combine logs, tickets, emails, alerts and interviews
    2. Capture both attacker activity and defender actions (detections, decisions, escalations)
  3. Identify absent or failed defences
    1. Technical controls (MFA, network segmentation, endpoint controls)
    2. Process controls (change approvals, segregation of duties, monitoring thresholds)
  4. Analyse individual and team actions
    1. What made those actions reasonable at the time (information available, norms, expectations)?
    2. Were there conflicting procedures or unclear responsibilities?
  5. Examine task and environmental conditions
    1. Was this during a peak trading period, a major project, or a resourcing crunch?
    2. Were tools slow, noisy with alerts, or hard to use?
  6. Explore organisational factors
    1. How did strategy, resourcing, training, risk appetite and KPIs shape decisions? 
  7. Develop corrective actions and learnings
    1. Prioritise changes that address systemic issues, not just the symptom in this particular case
    2. Link actions to owners, timelines and measures of effectiveness
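As an added illustration of steps 2 and 3 (not material from the article), the following Python merges constructed evidence from several sources into one UTC timeline and measures the detection, triage and containment gaps that become "absent or failed defence" questions. The source names, sample records and SLA targets are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Event:
    when: datetime  # timezone-aware UTC after normalisation
    source: str     # siem, vpn_log, ticket, email, interview
    actor: str      # "attacker" or "defender"
    description: str

# Constructed sample evidence (not real data) as each source exports it:
# (raw timestamp, UTC offset in hours or None if already UTC, source, actor, description).
# Sydney was on AEDT (UTC+11) on these dates, so local records carry offset 11.
RAW_EVIDENCE = [
    ("2024-03-04T10:12:05Z", None, "siem", "attacker", "Anomalous privileged logon alert raised"),
    ("07/03/2024 08:40", 11, "ticket", "defender", "Alert assigned to analyst"),
    ("2024-03-04T09:58:41Z", None, "vpn_log", "attacker", "VPN logon from unrecognised device"),
    ("07/03/2024 14:05", 11, "email", "defender", "Credentials revoked, account contained"),
    ("05/03/2024 09:00", 11, "interview", "defender", "Analyst recalls 300+ untriaged alerts at shift start"),
]
SLA_HOURS = {"triage": 4, "contain": 8}  # assumed response targets, not from the article

def normalise(raw, offset_hours):
    """Parse a source-specific timestamp and return an aware UTC datetime."""
    if offset_hours is None:
        return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    local = datetime.strptime(raw, "%d/%m/%Y %H:%M").replace(tzinfo=timezone(timedelta(hours=offset_hours)))
    return local.astimezone(timezone.utc)

def build_timeline(records):
    """Step 2: one chronologically ordered timeline across all evidence sources."""
    return sorted((Event(normalise(ts, off), src, actor, desc) for ts, off, src, actor, desc in records),
                  key=lambda e: e.when)

def response_gaps(timeline):
    """Hours between milestones; each long gap is a step-3 question about a failed defence."""
    def first(pred):
        return next(e.when for e in timeline if pred(e))
    first_attacker = first(lambda e: e.actor == "attacker")
    alert = first(lambda e: e.source == "siem")
    triage = first(lambda e: e.source == "ticket")
    contain = first(lambda e: "contained" in e.description)
    hours = lambda delta: round(delta.total_seconds() / 3600, 2)
    return {"detect": hours(alert - first_attacker), "triage": hours(triage - alert),
            "contain": hours(contain - triage)}

def flag_failed_defences(gaps):
    """Gaps that breach the assumed SLAs become candidate 'absent or failed defence' findings."""
    return ["Failed defence: %s took %.1f h against a %d h target" % (k, gaps[k], sla)
            for k, sla in SLA_HOURS.items() if gaps[k] > sla]
```

Each flagged gap is a starting point for the "why" questions in steps 4 to 6, not a conclusion on its own.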

If you operate across regions — including places like Papua New Guinea, where critical infrastructure and resource projects face both safety and cyber risks — you may also want to build local investigation capability. Advanced ICAM training in Papua New Guinea can help lead investigators in those contexts adapt ICAM thinking to both safety and cyber incidents.

Governance and documentation essentials

A well-run ICAM investigation is as much about governance as it is about analysis.

Key elements to put in place include:

  • Clear trigger thresholds
    • Define which incident types automatically require an ICAM-style investigation (e.g. high-impact data breaches, repeated control failures, supply chain compromises).
    • Consider including serious near misses where controls only just prevented a breach.
  • Alignment with national guidance
    • ACSC guidance stresses well-documented plans that outline roles, reporting obligations, and communication processes. 
    • Your ICAM for cyber incidents approach should be referenced in, or linked from, your incident response plan.
  • Standard templates and storage
    • Use a consistent investigation report template grounded in ICAM elements. 
    • Store reports and evidence in a secure, searchable repository so you can spot patterns across incidents.
  • Lessons learnt loop
    • Ensure actions from ICAM investigations are tracked through risk registers, audit findings and security roadmaps.
    • Periodically review clusters of ICAM findings (e.g. recurring absent defences or organisational factors) to inform strategy.

Done well, governance turns ICAM work from “a good investigation” into sustained organisational learning.

Practical tips and common pitfalls

As you optimise ICAM for cyber incidents, a few practical tips can save you grief:

Do:

  • Bring both technical and non-technical voices into the investigation workshop
  • Use plain, non-blaming language when describing actions and decisions
  • Treat timelines as living artefacts — refine them as more evidence appears
  • Test every recommended action against the question: “Would this have realistically prevented or reduced the impact of this incident?”

Avoid:

  • Stopping at “human error” as a cause — keep asking what shaped that error
  • Over-focusing on the attacker and under-analysing your own systems and decisions
  • Turning the report into a technical log dump that executives can’t use
  • Letting investigations drag on so long that they lose relevance and momentum

Looking at real-world Australian breaches — such as recent incidents affecting airlines, universities and telecoms — shows how often basic process and governance issues sit behind the headlines. ICAM helps you name and fix those issues systematically.

Turning every breach into a learning opportunity

Cyber incidents are no longer rare events. For many organisations, they are an uncomfortable but regular feature of doing business in a connected world. 

By deliberately applying ICAM for cyber incidents, you:

  • Move from ad-hoc post-mortems to structured, repeatable investigations
  • Make it easier to explain causes and actions to boards, regulators and customers
  • Capture systemic lessons that reduce the likelihood and impact of future breaches
  • Build a culture where reporting vulnerabilities and near misses is encouraged, not punished

You cannot control when the next security incident will happen. But you can control how deeply you learn from it — and whether those lessons meaningfully change how your organisation manages cyber risk.
