We've been teaching these questions like they’re trivia. They’re not. They’re survival instincts. Think about it: the average data breach takes 207 days to detect. In that time, attackers move. They adapt. But most organizations still treat security like a checklist, not a conversation.
Why Journalists and Spies Use the Same Questions
The five W’s—Who, What, When, Where, Why—originated in journalism as a way to capture the full story. But law enforcement and intelligence agencies adopted them quickly. There’s a reason for that. When you’re sifting through chaos, you need structure. Not rigid protocol—just enough scaffolding to keep from missing the obvious.
And that’s where security ops go off the rails. They deploy SIEMs, EDRs, SOARs—$2.7 million on average for midsize firms in 2023—and still get blindsided by phishing emails that look like vacation requests from HR. Why? Because they’re not asking "Who benefits?" or "Why this employee?" They’re stuck on "What signature matches?"
It’s a bit like installing 12 deadbolts on your front door while leaving the garage window cracked. Technically secure? Sure. Practically useless? Absolutely. That changes everything when you realize the weakest link isn’t the tech—it’s the narrative.
Who: Not Just Identity, But Motive and Access
Who is often reduced to usernames or IP logs. That’s surface-level. Real "who" work asks: Is this internal sabotage? A contractor with sunset access? A compromised account mimicking legitimate behavior? In 2022, 18% of breaches involved internal actors—some malicious, others just careless. Knowing the name isn’t enough. You need context.
Take the SolarWinds breach. The "who" wasn’t just a Russian APT group. It was a supply chain vendor with privileged access to 18,000 customers. The identity mattered less than the access path. That’s why modern identity and access management (IAM) tools now track behavioral baselines—not just logins, but whether Bob from accounting suddenly queries HR databases at 3 a.m.
We’re far from it, though. Many companies still rely on static role-based access. Fine in theory. A disaster in practice when roles bloat over time. I’m convinced that privilege creep is a bigger risk than zero-day exploits for most orgs.
What: Defining the Event Without Bias
What seems straightforward—malware? Data exfiltration? Ransomware? But confirmation bias distorts this. If your dashboard lights up with DNS tunneling, you assume data theft. Maybe. But what if it’s just misconfigured IoT devices? Or a dev team testing a new tunneling tool?
The thing is, 34% of alerts are false positives in typical environments (per IBM’s 2023 Cost of a Data Breach report). That noise drowns real signals. So "what" has to be defined neutrally. Start with facts: "Outbound traffic to IP X increased 400% over 12 minutes." Not: "We’re being hacked."
Because jumping to conclusions wastes time. And money. The average cost per minute during a breach response? $6,300. That’s not theoretical. That’s real payroll, overtime, legal retainers ticking like a bomb.
When: Timing Tells the Story
When isn’t just timestamps. It’s patterns. Attackers avoid holidays? So do defenders. That’s why breaches spike in November and December—not because hackers love Christmas, but because SOC teams are understaffed and distracted.
And here’s something people don’t think about enough: time zones. If logins from a Brazilian IP happen at 2 a.m. local time, is that odd? Maybe not. But if they’re accessing U.S.-based servers during American business hours, that’s coordination. That suggests planning. That’s not a bot—it’s a person.
Behavioral analytics tools now map activity against historical rhythms. A user logging in at 4 a.m. once? Might be jet lag. Three nights in a row? Flag it. That’s how Microsoft detected the 2021 Exchange attacks—not from the exploit, but from anomalous login times across thousands of accounts.
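The two "when" checks described above (a single 4 a.m. login versus three nights in a row, and a login that is night-time for the user but business hours where the servers sit) can be expressed as plain detection logic. The following is an added illustration, not code from the original article or from any product it names. It runs over a few constructed login records; the off-hours window, the user-to-offset mapping and the assumption that the servers live on US Eastern standard time are all invented for the example, and fixed UTC offsets are used instead of a DST-aware time zone database to keep it self-contained.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample login records (not real data):
# "<utc timestamp> <user> <user's home UTC offset in hours>"
SAMPLE_LOGINS = """\
2024-03-04T13:02:11Z alice -5
2024-03-05T13:10:40Z alice -5
2024-03-06T08:55:03Z alice -5
2024-03-07T09:01:30Z alice -5
2024-03-08T09:04:12Z alice -5
2024-03-04T14:20:00Z bob -6
2024-03-07T09:05:00Z bob -6
2024-03-08T18:00:00Z dave 8
"""

OFF_HOURS_START, OFF_HOURS_END = 22, 6          # assumed local "night" window
TARGET_OFFSET = timedelta(hours=-5)             # assumed: servers on US Eastern standard time
BUSINESS_START, BUSINESS_END = 9, 17            # assumed business hours at the servers


def parse_logins(text):
    """Turn the raw lines into events carrying both the UTC and the user-local time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, offset_hours = line.split()
        utc = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        home_tz = timezone(timedelta(hours=int(offset_hours)))
        events.append({"utc": utc, "user": user, "local": utc.astimezone(home_tz)})
    return events


def is_off_hours(local_dt):
    h = local_dt.hour
    return h >= OFF_HOURS_START or h < OFF_HOURS_END


def night_of(local_dt):
    """A 4 a.m. login belongs to the night that began on the previous calendar day."""
    d = local_dt.date()
    return d - timedelta(days=1) if local_dt.hour < OFF_HOURS_END else d


def repeated_off_hours(events, threshold=3):
    """Users with off-hours logins on `threshold` consecutive nights -> {user: nights}.

    One off-hours night alone never trips this; only the run does.
    """
    nights = defaultdict(set)
    for e in events:
        if is_off_hours(e["local"]):
            nights[e["user"]].add(night_of(e["local"]))
    flagged = {}
    for user, ns in nights.items():
        ordered = sorted(ns)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur - prev == timedelta(days=1) else 1
            if run >= threshold:
                flagged[user] = ordered
                break
    return flagged


def coordinated_with_target(events):
    """Logins that are night-time for the user but business hours where the servers live.

    Returns (user, user-local ISO time, hour at the servers) tuples.
    """
    hits = []
    for e in events:
        target_hour = e["utc"].astimezone(timezone(TARGET_OFFSET)).hour
        if is_off_hours(e["local"]) and BUSINESS_START <= target_hour < BUSINESS_END:
            hits.append((e["user"], e["local"].isoformat(), target_hour))
    return hits


if __name__ == "__main__":
    evs = parse_logins(SAMPLE_LOGINS)
    for user, nights in repeated_off_hours(evs).items():
        print(f"FLAG {user}: off-hours logins on consecutive nights {[n.isoformat() for n in nights]}")
    for user, local_ts, target_hour in coordinated_with_target(evs):
        print(f"FLAG {user}: {local_ts} is night for the user but {target_hour:02d}:00 at the servers")
```

In the sample, alice's three consecutive 4 a.m. logins are flagged while bob's single 3 a.m. login is not, and dave's 2 a.m. local login lands at 13:00 at the servers, which is the "coordination" pattern the text describes. In production the same logic would read from the identity provider's sign-in log and use a DST-aware time zone library rather than fixed offsets.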
Where: Physical and Logical Boundaries Blur
Where used to mean network segments: DMZ, internal LAN, cloud VPCs. Now? Employees work from Bali, contractors plug into coffee shop Wi-Fi, and servers live in hybrid clouds. The perimeter is gone. What remains is context.
Location isn’t just IP geolocation. It’s device posture. Is this laptop encrypted? Patched? On a known network? A device in Lagos accessing Azure with MFA? Plausible. Same device, no MFA, jumping through a Tor exit node? Red flag.
But even geolocation fails sometimes. Attackers use proxy networks. They spoof GPS. That’s why "where" must be layered—device ID, network reputation, user behavior. One signal alone? Worthless. Together? They form a fingerprint.
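One way to make "layered where" concrete is to score an access attempt from several independent signals (device identity and posture, network reputation, MFA, usual country) and only act on the combination. The block below is an added example, not code from the original article or from any IAM product; the device inventory, the IP reputation table (built on RFC 5737 test addresses), the weights and the allow/step-up/block thresholds are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed reference data (placeholders, not real infrastructure).
KNOWN_DEVICES = {
    "LT-4471": {"owner": "amara", "encrypted": True, "patched": True},
    "LT-0093": {"owner": "kenji", "encrypted": True, "patched": False},
}
NETWORK_REPUTATION = {          # RFC 5737 test-net addresses, labels invented for the example
    "203.0.113.10": "corporate_vpn",
    "198.51.100.77": "residential",
    "192.0.2.55": "tor_exit",
}
USUAL_COUNTRIES = {"amara": {"NG"}, "kenji": {"JP"}}

# Assumed weights: no single signal below 60 blocks on its own.
WEIGHTS = {
    "unknown device": 40,
    "device belongs to another user": 50,
    "device not encrypted": 15,
    "device unpatched": 15,
    "tor exit node": 40,
    "unknown network": 10,
    "no mfa": 25,
    "unusual country": 15,
}


@dataclass
class AccessEvent:
    user: str
    device_id: str
    src_ip: str
    country: str
    mfa: bool


def score_event(ev):
    """Return (score, list of signal names that fired) for one access attempt."""
    signals = []
    device = KNOWN_DEVICES.get(ev.device_id)
    if device is None:
        signals.append("unknown device")
    elif device["owner"] != ev.user:
        signals.append("device belongs to another user")
    else:
        if not device["encrypted"]:
            signals.append("device not encrypted")
        if not device["patched"]:
            signals.append("device unpatched")

    reputation = NETWORK_REPUTATION.get(ev.src_ip, "unknown")
    if reputation == "tor_exit":
        signals.append("tor exit node")
    elif reputation == "unknown":
        signals.append("unknown network")

    if not ev.mfa:
        signals.append("no mfa")
    if ev.country not in USUAL_COUNTRIES.get(ev.user, set()):
        signals.append("unusual country")

    return sum(WEIGHTS[s] for s in signals), signals


def verdict(ev):
    score, _ = score_event(ev)
    if score < 30:
        return "allow"
    if score < 60:
        return "step_up"      # force re-authentication / extra verification
    return "block"


if __name__ == "__main__":
    samples = [
        AccessEvent("amara", "LT-4471", "198.51.100.77", "NG", mfa=True),    # Lagos, MFA: plausible
        AccessEvent("amara", "LT-4471", "192.0.2.55", "NG", mfa=False),      # same device, Tor, no MFA
        AccessEvent("amara", "LT-4471", "198.51.100.77", "GB", mfa=True),    # one odd signal only
        AccessEvent("amara", "LT-9999", "203.0.113.10", "NG", mfa=True),     # unknown device on VPN
    ]
    for ev in samples:
        score, signals = score_event(ev)
        print(f"{verdict(ev):8} score={score:3} {signals}")
```

Note what the weights encode: a single unusual signal (a trip abroad, an unrecognised Wi-Fi network) stays under the step-up threshold, while the same known device arriving through a Tor exit without MFA crosses into a block. That is the "one signal alone is worthless, together they form a fingerprint" point in code form; the exact weights are a policy decision, not something this example settles.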
Why: The Missing Piece in Most Investigations
Why is the elephant in the room. We track what was taken, who did it, how they got in. But rarely do we ask: Why this target? Why now? Why this method?
Some attacks are opportunistic. Scan the internet, hit unpatched systems. But targeted attacks? They have logic. A merger about to close? Maybe someone wants to sabotage the stock. A whistleblower about to speak? Maybe they’re silencing them digitally first.
Here’s where threat intelligence matters—not just feeds of IOCs, but human analysis. Knowing that APT41 targets healthcare during vaccine seasons. Or that FIN7 loves holiday retail breaches. That’s not data. That’s insight.
And that’s exactly where most companies fall short. They buy tools that answer "what" and "when" but outsource "why" to third-party reports they never read. Suffice to say: if you don’t understand motive, you can’t predict the next move.
How the Five W’s Beat Conventional Security Models
Traditional security frameworks—NIST, ISO 27001, CIS Controls—are solid. But they’re static. They tell you what to do, not how to think. The five W’s? They’re dynamic. They force inquiry. They turn analysts into detectives.
Compare that to SOAR playbooks. Automated. Efficient. But brittle. They work until the attacker does something unexpected. And attackers love doing the unexpected. That’s how Maze ransomware bypassed EDR in 2020—by using signed drivers. The playbook didn’t cover that. But a human asking "Why signed drivers?" might have connected it to supply chain attacks.
The issue remains: automation scales. Curiosity doesn’t. Yet we can’t automate curiosity. Not yet. So the best teams blend both—playbooks for the routine, the five W’s for the weird.
Who vs. What: Which Matters More in Incident Response?
Some teams prioritize who—because attribution feels powerful. Catch the hacker. Name them. Shame them. But in practice, identifying the attacker rarely stops the breach. Law enforcement moves slowly. Geopolitical barriers block extradition. Hackers hide behind proxies, cryptocurrencies, fake identities.
Others focus on what—containing damage, preserving evidence, restoring systems. More practical. Faster ROI. But without knowing who, you can’t predict what’s next. A script kiddie? Likely done after the first hit. A nation-state? They’re probably still inside, lying low.
So which wins? I find this overrated—the debate. The answer is: you need both, but in sequence. First, contain the what. Then investigate the who. Flip that order, and you risk letting the fire spread while chasing smoke.
Frequently Asked Questions
Are the Five W’s Relevant in Cybersecurity Only?
No. They originated in journalism. Now they’re used in forensics, emergency response, even customer support. Any field where narrative clarity matters. In healthcare, doctors use them to triage. In logistics, managers trace supply chain delays. The model is universal because human cognition is. We make sense of chaos through stories. The five W’s are the skeleton of those stories.
Can AI Replace Human Inquiry in Applying the W’s?
Partly. AI excels at "when" and "where"—processing logs, spotting anomalies. But "why"? Not so much. Machine learning can correlate events, but it can’t infer motive without bias. It might link a breach to a protest group because of keywords, missing that it’s a false flag. Humans bring context AI lacks. Data is still lacking on AI’s ability to replace investigative judgment. Experts disagree. Honestly, it is unclear whether it ever will fully replace that judgment.
How Long Should a Five W’s Analysis Take During a Breach?
Initial pass? 30 to 90 minutes. That’s enough to build a working hypothesis. But deep analysis? Days. Weeks. The Colonial Pipeline investigation took four months to fully map the who and why. Real-time decisions use partial answers. That’s okay. Because asking the questions early shapes the investigation. It prevents tunnel vision.
The Bottom Line
The five W’s aren’t a checklist. They’re a mindset. They force you to look beyond alerts, beyond logs, beyond the immediate fire. They make you ask, really ask, what’s happening—and why it matters. Most breaches aren’t won by better tools. They’re lost by lazy thinking. We automate the easy stuff and forget that security, at its core, is a human game. And that’s exactly where the W’s win. Because they keep us curious. They keep us asking. They keep us one question ahead.