The Insider Risk Investigations Playbook is a practical, comprehensive, and expertly crafted guide, developed by McGrathNicol and the Australian Insider Risk Centre of Excellence. Designed to support insider risk practitioners, it equips them with actionable tools, structured frameworks, and clear guidance to navigate every stage of an insider threat investigation. With an emphasis on organisational security and integrity, the playbook ensures incidents are managed thoroughly, consistently, and with a focus on reducing future risks.

How to Use the Investigations Playbook
The playbook is organised into three key stages, each containing five steps (15 steps in total), with a clear focus on guiding practitioners through the complexities of insider threat investigations.
Stage 1: Detection & Triage
This stage focuses on the early identification and verification of potential insider threats, laying the foundation for further investigation.
Stage 2: Investigate & Assess
In this stage, investigators dive deeper into understanding the full scope of the incident. It includes uncovering behaviours, motivations, and impacts, shifting from detection to analysis.
Stage 3: Resolve & Rectify
This stage centres on finalising the response, addressing vulnerabilities, and preventing similar incidents from recurring, ensuring long-term resilience.
Each step within the playbook includes:
- A key question to clarify focus.
- Expert guidance to navigate challenges.
- A strategic tool for answering the key question.
- Interactive instructions to promote collaboration and structured decision-making.
However, this playbook is not a rigid, linear process. Think of it as a flexible series of 15 questions designed to create clarity and certainty, regardless of how the investigation unfolds. Whether your process is linear, circular, short, or complex, the playbook adapts to your needs, providing practical tools to move forward confidently.
Each tool is interactive and collaborative, encouraging investigators to print it in large format for brainstorming, mapping out decisions, and visually tracking progress. By using these tools effectively, teams can ensure that no detail is overlooked and that investigations remain focused and thorough.
The Investigations Playbook can be used by:
- An investigator: The playbook helps navigate investigations in real time, providing tools that support decision-making and help identify the next steps in the process.
- An investigations team: It offers a clear process to follow when incidents occur, ensuring that every team member is aligned and equipped to handle insider threats effectively.
- A department: The playbook enables the rapid scaling of best practices, ensuring that all teams within the organisation can respond to insider risks consistently and efficiently.
With its clear and structured approach, the Insider Risk Investigations Playbook is an essential tool for building resilience against insider threats and strengthening the organisation’s overall security posture.
How to Access the Investigations Playbook
The Investigations Playbook is securely hosted on the Australian Insider Risk Centre of Excellence (AIR CoE) platform, ensuring secure access, data management, and up-to-date playbooks.
Practitioners can preview and download a free step and tool from each stage of the playbook: Verify (Stage 1), Outline (Stage 2), and Communicate (Stage 3). These free resources provide an introduction to the framework and a chance to experience the value of the tools firsthand.
Once signed up, you can explore the full Investigations Playbook by progressing through the 15-step framework, deepening your understanding of each step as you go. You have the flexibility to download individual tools step by step, tailoring the experience to your needs.
When you have completed the steps, you will gain access to the Next Steps section, where you can download the full playbook as a convenient PDF, providing you with a complete and comprehensive resource.
For more information about our playbooks and other resources, visit the Playbook Hub on our platform.
