
Human Aspect of Incident Response Investigations

Mark Lanterman | January 3, 2020


In a previous article, I discussed the need for clear communication in responding to cyber events and the importance of establishing channels for employees to report incidents. When a cyber event occurs, preparation can be the difference between quick mitigation and recovery or complete breakdown. Incident response is a complicated process that can cost organizations a lot of time and a lot of money.

Given this reality, organizations are frequently tempted to take shortcuts or ignore warning signs only to pay an even greater price later, especially considering the long-term risks of reputational and legal damages that ensue as a result of a breach. A prime example of an investigation-worthy incident, the departure of a disgruntled employee, can be especially critical when the theft of intellectual property is a possibility.

An often difficult aspect of cyber security to manage is accounting for the insider threat. The insider threat refers to the possibility of an attack being conducted by an employee or a person with "insider" knowledge, such as a third-party vendor, who has access to an organization's assets; such events typically fall into two camps, malicious or accidental.[1] Regardless of whether a cyber event is brought about accidentally or maliciously, incidents involving an insider threat need to be thoroughly investigated to assess damages, begin mitigation, and identify sources of vulnerability in existing security policies. Acknowledging the insider threat in security policies and incident response requires the "human element" of investigation to be most effective.

Expanding the Investigation

Consider again the case of the disgruntled employee. After months of poor performance and less than exemplary work product, the employee is terminated and is seen plugging a USB drive into his work computer on the day of his termination. The incident is reported, and it is determined that an investigation needs to be conducted to determine whether anything was stolen and whether any assets were inappropriately accessed in the weeks prior to the employee's departure.

The information technology (IT) department is often brought in to examine the computer and assess the technical signs of unauthorized data exfiltration. This decision tends to be the first problem in carrying out an investigation: IT departments are often not trained in handling digital evidence, and the best course of action is to bring in a third party to collect and preserve relevant evidence from the outset. A complete investigation also requires a hands-on approach, including interviews of involved parties, the review of existing security policies, the determination of how well employee departure procedures were carried out (if at all), and an examination and documentation of the technical controls in place.

Using a third-party investigator helps to ensure objectivity, but most importantly, he or she will be best suited to asking the right questions. Legal departments and attorneys will not necessarily have the technological or security background needed to make sure that the right boxes are being checked. Some important considerations that may be overlooked include the access controls applied to the employee in question, his or her administrative privileges, and his or her ability to view and use sensitive data. What internal relationship dynamic existed between the employee and the IT department? Does the employee still have remote access to company networks?
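The questions above can be turned into concrete checks against access records. The following is an added example, not code from the article or from IRMI, that runs a small post-departure audit over constructed sample data: it flags removable-media activity on the termination day, after-hours access in the weeks before departure, any activity after the termination date (for example, a VPN login), and accounts or administrative group memberships still in place. The user name, host names, file paths, and log format are all hypothetical.

```python
"""Post-departure access audit over constructed sample data (added example)."""
from datetime import datetime, timedelta

# Constructed departure record (hypothetical values, not from any real system).
DEPARTURE = {
    "user": "jdoe",
    "termination_date": datetime(2020, 1, 3),
    # Accounts the offboarding checklist should have disabled but did not.
    "active_accounts": ["vpn", "email", "file-share"],
    "admin_groups": ["local-admins"],
}

# Constructed access events (hypothetical), one per line:
# timestamp|user|source|event|detail
SAMPLE_EVENTS = """\
2019-12-10T09:12:00|jdoe|fileserver|read|/projects/roadmap.xlsx
2019-12-20T23:48:00|jdoe|fileserver|read|/hr/salaries.xlsx
2019-12-21T00:05:00|jdoe|fileserver|read|/legal/contracts/acme.pdf
2020-01-03T16:40:00|jdoe|workstation-17|usb_mount|VID_0781_PID_5583
2020-01-03T16:52:00|jdoe|workstation-17|copy|/projects/roadmap.xlsx -> E:\\
2020-01-05T02:15:00|jdoe|vpn|login|203.0.113.7
2020-01-06T10:00:00|asmith|fileserver|read|/projects/roadmap.xlsx
"""

REMOVABLE_MEDIA_EVENTS = {"usb_mount", "copy"}


def parse_events(text):
    """Parse pipe-delimited event lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source, event, detail = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "source": source,
            "event": event,
            "detail": detail,
        })
    return events


def is_after_hours(ts):
    """Treat 20:00 to 06:00 as outside normal working hours (an assumption)."""
    return ts.hour < 6 or ts.hour >= 20


def audit_departure(departure, events, lookback_days=30):
    """Answer the investigator's questions for one departing user."""
    user = departure["user"]
    term = departure["termination_date"]
    window_start = term - timedelta(days=lookback_days)
    findings = {
        "usb_activity_on_termination_day": [],
        "after_hours_access_in_window": [],
        "post_termination_activity": [],
        "accounts_still_active": list(departure["active_accounts"]),
        "admin_groups": list(departure["admin_groups"]),
    }
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["user"] != user:
            continue
        if e["ts"].date() == term.date() and e["event"] in REMOVABLE_MEDIA_EVENTS:
            findings["usb_activity_on_termination_day"].append(e)
        if window_start <= e["ts"] <= term + timedelta(days=1) and is_after_hours(e["ts"]):
            findings["after_hours_access_in_window"].append(e)
        if e["ts"].date() > term.date():
            # Any activity after termination means access was never revoked.
            findings["post_termination_activity"].append(e)
    return findings


def run_audit():
    """Run the audit over the constructed sample data."""
    return audit_departure(DEPARTURE, parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {len(value)} item(s)")
        for item in value:
            print("   ", item)
```

Each finding maps back to a question the investigator should ask: removable-media activity on the termination day supports the reported USB incident, after-hours reads of sensitive shares in the weeks before departure show what to look at first, and a VPN login after the termination date is direct evidence that remote access was not revoked.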

Investigations are multifaceted, especially in the sense that they inform the need for revisions, improvements, and interdepartmental support for security planning. The results of an investigation could be the catalyst for internal change and commitment to developing a sound culture of security, starting with the implementation of regular auditing and security assessments.


Combining technology and brainpower is a hallmark of thorough incident response, just as the most damaging attacks can be a combination of technical access and insider knowledge. When technology is involved, the knee-jerk reaction of many organizations is to assign all responsibility for incident response to the IT department. However, unbiased results can be difficult to gather with this approach, and sensitivity to internal relationships is required to obtain the most accurate information. Furthermore, collection and preservation need to be executed correctly to ensure adherence to digital evidence standards. The role of objective investigation is pivotal in incident response, as both technology and the human element of security need to be addressed in honing policies and effectively carrying out security procedures.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.


[1] Oliver Buckley, Sadie Creese, Michael Goldsmith, Philip A. Legg, Jason R.C. Nurse, Monica Whitty, and Gordon R.T. Wright, "Understanding Insider Threat: A Framework for Characterising Attacks," 2014 Institute of Electrical and Electronics Engineers Security and Privacy Workshops, 2014.