General Incident Reporting
Know when and how to report a security incident.
What Is General Incident Reporting?
A security incident report filed in the first 15 minutes is worth more than a forensic investigation started three days later. This exercise simulates a workday where multiple security events happen in sequence. You receive a suspicious email, notice an unfamiliar device connected to the network, and find a USB drive in the parking lot. For each event, you decide whether it qualifies as a reportable incident, determine the correct reporting channel, and fill out a realistic incident report form.
The simulation shows you what happens downstream with each report: the security team's triage process, the escalation criteria, and how your initial description directly affects response time. You will see how vague reports like 'something weird happened' slow everything down, while specific details like timestamps, affected systems, and screenshots accelerate containment by hours.
The exercise also addresses the most common reason people do not report incidents. They are not sure it is 'serious enough.' You will learn that the threshold for reporting is much lower than most employees think, and that a false alarm reported quickly is always better than a real incident reported late.
What You'll Learn in General Incident Reporting
- Distinguish between security events, potential incidents, and confirmed incidents to calibrate reporting thresholds
- Complete an incident report form with the specific details that security teams need for fast triage
- Identify the correct reporting channel, whether that is a ticketing system, phone hotline, or direct escalation
- Understand why reporting speed directly impacts containment effectiveness and overall organizational damage
- Overcome hesitation about reporting uncertain or low-confidence security observations
General Incident Reporting — Training Steps
- A Normal Thursday Morning
  Today, you'll learn about recognizing and reporting security incidents: events that could indicate a threat to company data, systems, or people.
- An Unusual Alert
  While reviewing her morning emails, Alice notices an automated security alert from ClearView's IT systems. The email reports a login to her account from an unfamiliar location.
- Analyzing the Alert
  Alice examines the security alert carefully. Several details stand out as concerning.
- Recognizing the Warning Signs
  Alice reads the alert carefully. She was asleep at 3:47 AM and has never been to Jakarta. This login wasn't her. Her mind races with questions: Was it a system glitch? Should she wait to see if it happens again? Or should she report it immediately?
- Deciding to Report
  Alice recalls her security training. A security incident is any event that could compromise confidential data, allow unauthorized access, disrupt operations, or violate security policies. The suspicious login clearly fits this definition. She decides to report it immediately using the link provided in the security alert.
- Accessing the Incident Portal
  Alice opens the company's internal incident reporting portal. She uses her password manager to log in securely, a good habit that ensures she's using strong, unique credentials.
- Selecting the Incident Type
  The incident reporting form displays several categories. Since Alice experienced an unauthorized login from a foreign location, she needs to select the appropriate incident type. The suspicious login from Jakarta is clearly an Unauthorized Access attempt.
- Completing the Incident Report
  With the incident type selected, Alice provides a clear, factual account of what happened, including the time, location data from the alert, and the fact that she did not authorize this login.
- Immediate Response Actions
  After submitting her report, Alice receives confirmation that the security team has been notified. The system recommends immediate steps: change your password and review recent account activity. Alice knows that quick action can limit damage from a potential breach.
- Changing Credentials
  Alice uses the company's password manager to generate a strong, unique password. She knows that if her old password was compromised, changing it immediately is critical to preventing further unauthorized access. The form requires her current password to verify her identity before allowing the change.