How to Interview an Insider Threat Suspect

Don Kohtz, Director-Special Investigations Unit, Markel Corporation and Josh Anderson, SIU, Manager - Special Investigations Unit, Markel Corporation

Has your database administrator or a rogue IT (Information Technology) employee breached your company’s sensitive customer data? Ask him or her – then watch to see if they repeatedly rub the tip of their nose or pull on their earlobes.

This article addresses ways to “read” insider threat suspects. Insider threats are just as real as external threats to your company. Knowing different ways to discern the truth will put you in a better position when separating fact from fiction.

Non-verbal communication is generally something most insider threat suspects forget about when being interviewed about a system compromise. They focus more on words than body language.

Unfortunately, data breaches seem to be a way of life rather than the exception. Security professionals should not forget about the fraud professionals in their organizations. Collaborating on investigations can prove valuable. Learning proper interview techniques can make all the difference in spotting a perpetrator.

There are many investigative techniques you can use to get the most out of an interview with a suspected insider threat. The focus of this article is understanding how to interpret nonverbal cues and language patterns. There are also strategies for delivering and timing questions to get the most out of a response. Security professionals may not necessarily see it as an interview, but every time you’re asking questions, you are gathering facts and intelligence.

The nose-rubbing habit is proven to be a physiological response to anxiety. Stress can cause the blood vessels to dilate, which stretches the skin and causes the tip of the nose to itch. Other red flags include fidgeting, continuous throat clearing, excessive sweating, covering parts of the mouth, and picking at fingernails or cuticles (a telltale sign of a white-collar criminal). The suspected insider threat may sigh or yawn a lot, which may be due to a lack of oxygen caused by a decreased rate of breathing triggered by anxiety. This frequently occurs during a polygraph.

Anyone can display signs of anxiety during an interview, so how can the innocent IT employee be differentiated from the guilty IT employee? Initially, look for these symptoms in a cluster and establish a baseline. Start by asking non-threatening questions such as their name, address, job title, job duties, etc. If the suspected insider threat starts displaying nervous symptoms at that time, you’ve established a baseline that can be used as a clue.

Another important clue to look for is eye movement patterns. When asked to recall an event, a right-handed person typically shifts his eyes up and to the left, while a left-handed person will shift his eyes up and to the right. Generally, someone who is lying looks downward as they are experiencing emotions. Over 90 percent of people communicate with their eyes, so using eye movement can be an effective cue.

Verbal cues are another sign. The use of pronouns can tell a lot about a person’s attempt to tell the truth or be deceptive. Saying “I did this” tends to show truthfulness by demonstrating accountability. When a person distances himself, i.e., by using the word “the” and no possessive pronouns (i.e., “I”), the investigator can interpret that as a possible sign of distancing themselves from the event or point in time.

Most people don’t lie outright; instead, they don’t tell you everything, modifying their language to be deceptive. If the suspected insider threat avoids answering a direct question about his or her involvement in a data breach, try asking it again in a different way. Most people (97 percent) will answer a question the second time it’s asked, so repeat the question. Don’t be afraid to be persistent and ask it a third time to get a response.

If your suspected insider threat ends the interview with “that’s all I know” or “that’s it,” try the story reversal technique. Ask them to re-tell the story in reverse order. Query him or her about what happened right before the last point in time the insider recounted (i.e., “What happened before that?”), and then before that, and so on. Lead them backward through their story. It is a helpful technique for revealing contradictions in the subject’s story. If they are telling the truth, all of the main events and milestones should be the same whether described forward or backward.

Successful interviews are a result of solid preparation. Prepare to look for nonverbal cues, language patterns, and any cultural or personal issue that could influence a response. Prepare yourself for a potential cat and mouse game with the suspected insider threat; understanding how to implement strategies to identify these clues will strengthen the success of the interview. The body never lies.

(The contents of this article are intended to convey general information only. The views, thoughts, and opinions expressed in the article belong solely to the author, and not necessarily to the author’s employer, organization, committee or other group or individual. The contents of this article should not be construed as, and should not be relied upon for, legal or insurance advice in any particular circumstance or fact situation)
