Sunday 17 March 2019

Cat-skinning

Incident reporting is a key objective of next month's security awareness module. More specifically, we'd like workers to report information security matters promptly. 

So how might we achieve that through the awareness and training materials? Possible approaches include:
  1. Tell them to report incidents. Instruct them. Give them a direct order.

  2. Warn them about not doing it. Perhaps threaten some form of penalty if they don't.

  3. Convince them that it is in the organization's interests for workers to report stuff. Persuade them of the value.

  4. Convince workers that it is in their own best interest to report stuff. Persuade them.

  5. Explain the reporting requirement (e.g. what kinds of things they should report, and how) and encourage them to do so.

  6. Make reporting incidents 'the easy option', and not reporting harder.

  7. Reward people for reporting incidents.

  8. Something else? Trick them? Goad them? Follow up on those who did not report stuff promptly, asking about their reasons?

Having considered all of them, we'll combine a selection of these approaches in the awareness content and the train-the-trainer guide.

In the staff seminar and staff briefing, for instance, the line we're taking is to describe everyday situations where reporting incidents directly benefits the reporter (approach #4 in the list). Having seeded the idea in the personal context, we'll make the connection to the business context (#3) and expand a little on what ought to be reported (#5) ... and that's pretty much it for the general audience.

For managers, there is mileage in #1 (policies and procedures) and #7 (an incentive scheme?) ... and #8 in the sense that we are only suggesting approaches, leaving our subscribers to interpret or adapt them as they wish. Even #2 might be necessary in some organizations, although it is rather negative compared to the alternatives. 

For professionals, #6 hints at designing reporting systems and processes for ease of use, encouraging people to report stuff ... and, where appropriate, at automatic reporting when specific criteria are met, which takes the awareness materials into another potentially interesting area. If the professionals are prompted at least to think about the issue, our job is done.

Mandatory reporting of incidents to third parties is a distinct but important issue, especially for management. The privacy breach reporting deadline under GDPR (a topical example) is a very tough challenge for some organizations: meeting it requires substantial changes to internal incident reporting, escalation and external reporting, and more generally to the attitudes of those involved, which makes this a cultural issue.
