How to Stand Up a Major Cyber Incident Investigations Board

A Guide for Independent Organizations and State and Local Governments to Develop a Sustainable Mechanism for Investigating and Drawing Lessons-Learned from Cyber Incidents Both in the Immediate Aftermath of a Cyber Incident and Long-Term


The goal of this document is to provide guidance for any organization that wishes to set up an independent cyber incident review board. The document serves as a blueprint for an independent review board which may be needed by private or public organizations, such as municipalities, counties, hospitals, utilities, or other organizations that anticipate experiencing cyberattacks and wish to maximize their learning from them. We offer considerations and analysis throughout the document to present alternative options and insights. An organization such as a think tank, local or federal government agency, university, or other non-profit organization may also set up a MCIIB. Such a Board would conduct investigations of major cybersecurity incidents and deliver a report outlining the sequence of events, contributing factors, and recommendations for security practices.

There are three major stages of an investigation: Opening, Technical Investigation, and Board Review.

This document explains how to stand up a board, the tradeoffs which can be made, and the effects of those tradeoffs. We are also aware that investigations are often triggered by crises, and thread guidance for that scenario throughout the document.

See the attached PDF for the complete paper.

For more information on this publication: Belfer Communications Office
For Academic Citation: Ontiveros, Victoria, Tarah Wheeler and Adam Shostack. “How to Stand Up a Major Cyber Incident Investigations Board.” Paper, June 2022.