Reporting Culture
Build a team that reports without fear.
What You'll Learn
- Recognize the psychological barriers that prevent employees from reporting security incidents, including fear of punishment and social embarrassment
- Apply blameless post-incident communication techniques adapted from aviation safety models
- Respond to a direct report's security mistake in a way that reinforces trust and future reporting behavior
- Identify organizational signals that discourage reporting, such as public blame, punitive responses, or lack of feedback
- Design feedback loops that close the reporting cycle by communicating outcomes back to the employees who filed reports
Training Steps
-
A Typical Tuesday
Welcome to Sentinel Security Solutions! You are Alice, a business analyst on the operations team. Today, you'll learn about reporting culture - the organizational mindset that encourages employees to speak up about security concerns without fear of blame or punishment.
-
Something Seems Off
While working, Alice notices her colleague Marcus looking frustrated at his computer. He clicks on an email link, then quickly closes the browser with a worried expression. He glances around nervously but says nothing. Alice wonders if she should say something. Maybe it was nothing. Maybe Marcus just made a mistake.
-
The Hesitation
Alice's internal debate: - 'Maybe I'm overreacting - it could be nothing.' - 'I don't want to get Marcus in trouble.' - 'What if I'm wrong and waste IT's time?' - 'It's probably not my place to say anything.' These thoughts are common, but they can have serious consequences.
-
Understanding Reporting Culture
A healthy reporting culture has three key elements: Psychological Safety - Employees feel safe speaking up without fear of punishment Non-Retaliation - The company protects reporters from negative consequences Appreciation - Reports are valued, even if they turn out to be false alarms Security teams would rather investigate ten false alarms than miss one real threat.
-
The Company's Commitment
Alice receives a reminder email from the Security Team about Sentinel's reporting policy. Reading it helps reinforce that reporting is encouraged and protected.
-
Making the Decision
After reading the email, Alice feels more confident. She decides to report what she observed - not to get Marcus in trouble, but to help the security team protect the company.
-
Logging Into the Portal
Alice uses her password manager to log in securely to the reporting portal.
-
Submitting the Report
The reporting form asks for a description of the concern. Alice provides factual details about what she observed without speculation or blame. The form emphasizes that reports are confidential and the reporter's identity is protected.
-
The Security Team Responds
Within minutes, Alice receives a response from the security team thanking her for the report. They confirm they will investigate discreetly.
-
The Outcome
Later that afternoon, Alice learns the outcome. The security team discovered that Marcus had indeed clicked on a phishing link. Because Alice reported it quickly, they were able to reset Marcus's credentials before any damage occurred. Marcus later thanked Alice. He was relieved it was caught early and grateful the company handled it without blame - just a quick password reset and a reminder about phishing awareness.