enterprisesecuritymag

How to Interview an Insider Threat Suspect

By Don Kohtz, Director - Special Investigations Unit, Markel Corporation, and Josh Anderson, SIU, Manager - Special Investigations Unit, Markel Corporation

Has your database administrator or a rogue IT (Information Technology) employee breached your company’s sensitive customer data? Ask him or her, then watch to see if they repeatedly rub the tip of their nose or pull on their earlobes.

This article will address ways to “read” insider threat suspects. Insider threats are just as real as external threats to your company. Knowing different ways to discern the truth will put you in a better position when determining fact from fiction.

Non-verbal communication is generally something most “insider” threat suspects forget about when being interviewed about a system compromise. They focus more on words than body language.

Unfortunately, data breaches seem to be a way of life rather than the exception. Security professionals should not forget about the fraud professionals in their organizations. Collaborating on investigations can prove valuable. Learning proper interview techniques can make all the difference in spotting a perpetrator.

There are many investigative techniques you can use to get the most out of an interview with a suspected insider threat. The focus of this article is understanding how to interpret nonverbal cues and language patterns. There are strategies for delivering and timing questions to get the most out of a response. Security professionals may not necessarily see it as an interview, but every time you’re asking questions, you are gathering facts and intelligence.

The nose-rubbing habit is proven to be a physiological response to anxiety. Stress can cause the blood vessels to dilate, which stretches the skin and causes the tip of the nose to itch. Other red flags include fidgeting, continuous throat clearing, excessive sweating, covering parts of the mouth, and picking at fingernails or cuticles (a telltale sign of a white-collar criminal). The suspected insider threat may sigh or yawn a lot, which may be due to a lack of oxygen caused by a decreased rate of breathing triggered by anxiety. This frequently occurs during a polygraph.

Anyone can display signs of anxiety during an interview, so how can the innocent IT employee be differentiated from the guilty IT employee? Initially, look for these symptoms in a cluster and establish a baseline. Start by asking non-threatening questions such as their name, address, job title, job duties, etc. If the suspected insider threat starts displaying nervous symptoms at that time, you’ve established a baseline that can be used as a clue.

Another important clue to look for is eye movement patterns. When asked to recall an event, a right-handed person typically shifts his eyes up and to the left, while a left-handed person will shift his eyes up and to the right. Generally, someone who is lying looks downward as they are experiencing emotions. Over 90 percent of people communicate with their eyes, so using eye movement can be an effective cue.

Verbal cues are another sign. The use of pronouns can tell a lot about a person’s attempt to tell the truth or be deceptive. Saying “I did this” tends to show truthfulness by demonstrating accountability. When a person distances himself, i.e., by using the word “the” and no possessive pronouns (i.e., “I”), the investigator can interpret that as a possible sign of distancing from the event or point in time.

Most people don’t lie outright; they simply don’t tell you everything, modifying their language to be deceptive. If the suspected insider threat avoids answering a direct question about his or her involvement in a data breach, try asking it again in a different way. Most people (97 percent) will answer a question the second time it’s asked, so repeat the question. Don’t be afraid to be persistent and ask it a third time to get a response.

If your suspected insider threat ends the interview with “that’s all I know” or “that’s it,” try the story reversal technique. Ask them to re-tell the story in reverse order. Query him or her about what happened right before the last point in time the insider recounted (i.e., “What happened before that?”), and then before that, and so on. Lead them backward through their story. It is a helpful technique for exposing contradictions in the subject’s story. If they are telling the truth, all of the main events and milestones should be the same whether described forward or backward.

Successful interviews are a result of solid preparation. Prepare to look for nonverbal cues, language patterns, and any cultural or personal issue that could influence a response. Prepare yourself for a potential cat and mouse game with the suspected insider threat, but understanding how to implement strategies to identify these clues will strengthen the success of the interview. The body never lies.
