What is the best way to investigate the insider threat?

Is there a right way to deal with an insider threat investigation?