The PLAN for Insider Threat Investigators

James Weston

1. Introduction

PLAN is a mnemonic borrowed from British law enforcement and refined by Forscie for use in corporate insider risk and insider threat investigations. In policing, PLAN was originally created to help officers recall the parameters governing use of force. Over time, its scope broadened into a general decision-making aid for lawful, proportionate police action.

PLAN stands for Proportionate, Lawful, Accountable, Necessary.

Forscie has adapted PLAN into an operational framework that governs investigative conduct within insider threat and insider risk programs. It ensures that every action taken by investigators is defensible, ethical, and aligned with the principles of trust that underpin institutional integrity.

This adaptation is designed specifically for the work of Insider Threat Investigators, guiding how investigative steps are justified, carried out, and recorded. Each element of PLAN acts as a test of legitimacy, a check that every investigative action taken is justified and defensible within both organizational and legal boundaries.

2. Proportionate

Investigative actions must be proportionate to the suspected or confirmed infringement. The scope of evidence collection, monitoring, or enforcement should reflect the severity and nature of the conduct under investigation.

For example, if a subject is suspected of inappropriate browsing, it would be proportionate to review web activity logs or browser artifacts from their corporate laptop, but may be considered disproportionate to seize the entire device for full forensic imaging. Similarly, where sufficient evidence can be retrieved from telemetry or centralized logging, direct acquisition from the endpoint should not ordinarily be required.

Proportionality ensures that investigations remain balanced, targeted and fair, protecting both organizational interests and the interests of individuals.

3. Lawful

All investigative activity must operate within the boundaries of both organizational policy and applicable law. “Lawful” includes adherence to employment contracts, Acceptable Use Policies (AUPs), and relevant privacy or surveillance legislation within the organization’s jurisdiction.

For instance, if an investigator remotely accesses a subject’s corporate device to validate a suspected data exfiltration event, it would likely be lawful to examine corporate data stored on that corporate device. However, using that remote connection to explore other devices on the subject’s personal home network would likely fall outside lawful authority.

Lawfulness defines the perimeter of legitimate investigative action. Crossing that boundary not only risks legal violation but undermines the very trust the program exists to protect.

4. Accountable

Every investigative action must be traceable, reviewable, and justifiable within the Insider Risk Program’s governance structure. This includes formal authorization, managerial oversight, and comprehensive record-keeping through documented approval requests, case management notes, and audit logs.

Accountability protects investigators as much as it protects the organization. Every step, decision, and access event should be recorded, either automatically by tool audit logs or through contemporaneous case notes.

Accountability ensures investigators can demonstrate integrity under scrutiny.

5. Necessary

Actions taken must be strictly necessary for achieving a legitimate investigative objective. Investigators must be able to articulate why each action was required and demonstrate that less intrusive means were insufficient.

Necessity prohibits speculative searches, curiosity-driven data access, or any form of activity beyond the specific purpose of the investigation. The concept of necessity anchors investigative restraint, ensuring that power is exercised only in direct proportion to need.

6. Examples

To illustrate how PLAN applies in real investigative workflows, the following examples demonstrate each principle in practice. These scenarios show how investigators make defensible, ethical decisions under operational pressure, and how PLAN acts as a practical safeguard against overreach, unjustified actions, and potential legal or governance issues.

6.1 Proportionate

A detection flags that a subject accessed several inappropriate websites during work hours. The investigator begins by reviewing web proxy logs and browser history telemetry, which clearly show the categories and timestamps of the visits.

Because the suspected behaviour is limited to browsing misuse, the investigator decides not to seize the device or perform a full forensic image. Instead, they collect only the relevant browser artifacts needed to confirm the conduct and assess policy violation.

By ensuring the investigative scope matches the low-severity nature of the infringement, the response remains proportionate to the behaviour under review.

6.2 Lawful

During a suspected data exfiltration case, an investigator remotely connects to the subject’s corporate laptop to validate whether files were transferred to a personal cloud account. Aware that the laptop is connected to the corporate network from the subject’s home, the investigator examines folders, browser sessions, and system logs stored on the corporate device (activities explicitly authorised under the organisation’s investigation procedures).

While connected, the investigator notices a Network Attached Storage (NAS) device on the subject’s home network is mounted and technically accessible through the corporate laptop. The investigator records the NAS device’s presence but deliberately avoids interacting with it or any other personal devices on the home network, recognising that doing so would likely exceed lawful authority and could breach privacy legislation.

By restricting their actions to the corporate device alone, the investigator remains firmly within the boundaries of corporate policy and applicable law.

6.3 Accountable

A subject is suspected of repeatedly accessing HR data outside their role. Before retrieving any database access logs, the investigator submits a request through the Insider Risk Program’s approval workflow, clearly defining the scope of the action and the indicators that justify it. Once approved, the investigator pulls the relevant logs and records the justification, approval, and actions taken within a case management platform. They add a contemporaneous case note summarising what the logs revealed.

When the case is later reviewed by HR and Legal, the entire sequence (justification, approval, access, and findings) is fully traceable, demonstrating procedural integrity and proper governance.

6.4 Necessary

An investigator is approached informally by a colleague from another department whom they know socially. The colleague asks for help locating a member of their team who is working remotely and wants to know the employee’s current physical location. They ask whether the investigator can “quickly check” which Wi-Fi networks the employee’s corporate laptop is connected to, using tools reserved for legitimate insider threat investigations.

The request has not gone through any formal intake process, does not relate to a suspected infringement, and bypasses the established governance and approval channels of the Insider Risk Program. The investigator recognises that using investigative tooling for this purpose is not necessary for any legitimate investigative objective and would constitute an inappropriate use of privileged access.

They decline the request, advise the colleague to follow the correct HR and managerial pathways, and record the interaction in accordance with internal policy. By refusing to perform an action that serves no investigative purpose, the investigator adheres to the principle of necessity and prevents misuse of investigative capability.

7. Conclusion

Together, the principles of PLAN reinforce the governance, legality, and ethical standards required of professional insider threat investigators. PLAN provides investigators with a structured decision-making framework that ensures every action taken is justified, proportionate, and anchored in legitimate authority. When applied consistently, PLAN strengthens the defensibility of investigative work by creating a transparent chain of reasoning behind each decision: why evidence was collected, how access was authorised, and where investigative boundaries were set.

PLAN also serves as an institutional safeguard. It reduces the risk of inappropriate data access, procedural drift, or well-intentioned but misguided actions that could expose the organisation to legal, regulatory, or reputational harm. By limiting investigative activity to what is lawful and genuinely required, investigators uphold both the rights of individuals and the integrity of the Insider Risk Program itself.

Ultimately, PLAN elevates investigative practice from a set of technical tasks to a discipline grounded in trust, accountability, and professional judgement. It ensures that insider threat investigations are conducted with the rigour, restraint, and transparency expected in a domain where the consequences of error can be significant. Applied properly, PLAN keeps the organisation protected, the process defensible, and the investigative team aligned with the highest standards of governance.

James Weston

James is the Co-Founder of Forscie, with a background in law enforcement, digital forensics, cyber incident response and insider threat investigations.
