Incydr - Empathetic Investigations Approach

This article contains information on using an empathetic approach to insider risk investigations, emphasizing trust, transparency, and positive intent to foster a security-first culture and improve inquiry outcomes.

Overview

Instead of investigating employees the same way we investigate threats from external actors, it’s time to take a more empathetic approach to investigations.

Prerequisites

• You are an  Incydr Administrator or Security Practitioner, with beginner to intermediate experience level.
• You are familiar with Incydr.

Introduction

Welcome!

In this course, we’ll investigate how you can employ an empathetic approach to your event inquiries and investigations.

We’ll look at how empathy and trust are vital components of any modern Insider Risk Management Program. We’ll outline the steps you can take during an inquiry, including the how and when to use an empathetic investigation approach, and how to set the correct tone when doing so. We’ll also look at real-world cases and allow you to practice what you learned. And don’t forget to test your knowledge at the end!

Why Use an Empathetic Approach

Why Empathy?

One of the critical foundations of a modern Insider Risk Management program is a positive security culture. Building trust with your employees will get more honest, timely information when you inquire about an event. Conversely, if they feel attacked when you reach out, their natural instinct is to go on the defensive and deny knowing anything. And that's where an empathetic approach to investigations can help.

The Steps

You got this!

We’ve identified the steps you can take to add Empathetic Investigations to your skillset. This may not be easy, especially if you’re accustomed to reacting suspiciously to alerts, and for some of us, we may need to unlearn some previous ways of “digging into” investigations. But, give yourself some grace, and try this high-level approach to start building your response finesse.

When to Use the Empathetic Approach

Most exfiltration events are typically unintentional and non-malicious. While we should always start an inquiry free of pre-judgment, there will be times where you suspect something more malicious was at hand. So, when should you use the Empathetic Investigation Approach? Well, that all depends on intent.

Empathetic Communication

When investigating an insider risk that is likely the result of human error, when interacting with our employees, the words we use and how we use them can significantly impact their trust in us. One of the hallmarks of using an Empathetic Investigation approach is presuming positive intent, giving the employee the benefit of the doubt. And it’s important for our words and actions to mirror that presumption.

Knowledge Check

Check your understanding of Incydr's Empathetic Investigations Approach.

You got this!

Question One: True or False? If employees feel attacked when you reach out, their natural instinct may be to go on the defensive and deny knowing anything.

• True.
• False.

Question Two: Empathetic investigations _____________. (choose all correct answers)
 

1. approach the situation without preconceived conclusion
2. begin by assuming something malicious is going on
3. may require a shift from traditional investigative approaches
4. should begin with an inquiry free of pre-judgment

Question Three: Initiating an insider risk investigation using an adversarial approach:
 

1. Is foolish because an adversary is still an adversary.
2. Works better than assuming Jane in accounting is “just trying to get her work done” and made a mistake.
3. Runs counter to establishing a security-first mindset within your organization.
4. Is the best way to catch data thieves.

Question Four: Using an empathetic approach to insider investigations:
 

1. Will make your security team appear “soft” when it comes to enforcing security policies.
2. Can replace your security policy.
3. Is best left to the People or HR teams, not the security or risk teams.
4. Can provide useful insights about where security policies are failing.

Question Five: Three pillars of a successful insider risk program are:
 

1. Policies, Procedures and Practices.
2. Trust, Transparency and Training.
3. Simplicity, Sincerity, Service.
4. Training, Teaching and Toggling.

Question Six: As part of a positive security culture, transparency ____________________.
 

1. never works - users should fear us to keep them on their toes.
2. is expected from our users but security must remain mysterious.
3. helps build trust with our users.
4. Is a marketing term and therefore, not pertinent.

Question Seven: Using an empathetic approach to your investigation ________________.
Choose the WRONG answer:

1. always comes naturally to seasoned investigators.
2. can inform how to conduct the interview more thoughtfully and effectively.
3. may take some practice if you’re accustomed to reacting suspiciously to alerts.
4. allows you understand what the employee was thinking.

Question Eight: Which of the following are the key steps to a successful empathetic investigation?

1. Connect, Reassure, Recover, Educate.
2. Connect, Correct, Report.
3. Block, Contain, Remediate.
4. Correct, Reprimand, Recover, Educate.

Question Nine: Changing user behaviors to better protect data works best when: (choose all correct answers) 
 

1. Users receive punitive training after making mistakes.
2. The same training is delivered to all employees, regardless of their demonstrated ability to follow policy.
3. Lessons are short, easy to consume, and engaging.
4. Lessons are delivered to a specific user at the time they put data at risk (just-in-time training).

Question Ten: What is the best indicator that you should pivot from an empathetic investigation to a more traditional investigation??

1. The intention of the actor.
2. What was lost/stolen.
3. Who caused the event.
4. When the event happened.

Question Eleven: You should move to a full/traditional investigation when it becomes clear that the actor’s intention was
 

1. Accidental
2. Unintentional
3. Intentional but non-malicious
4. Malicious

Additional Resources

Getting Started with Incydr

• Getting started with Incydr
• Getting started with Instructor
• Incydr ecosystem integrations

General Resources

• Incydr articles

Questions or Comments?

Reach out to your Customer Success Manager (CSM).