Reporting Culture

Build a team that reports without fear.

What Is Reporting Culture?

Most security breaches that cause serious damage involve an employee who noticed something unusual and decided not to report it. The reasons are predictable: fear of blame, embarrassment about a mistake, uncertainty about the process, or the belief that someone else will handle it. This exercise takes a different approach from typical security training. Instead of teaching you what to report, it focuses on why people do not report and how organizations can fix that. You step into three roles. First, you are an employee who clicked a phishing link and must decide whether to tell anyone. Second, you are a manager receiving a report from a direct report who made a security mistake. Third, you are a security team member reviewing reports and deciding how to communicate back to the organization. Each role reveals a different piece of the reporting chain and shows where trust breaks down. The exercise draws on research from the aviation industry's Crew Resource Management framework, where blameless reporting transformed safety outcomes. You practice giving and receiving incident reports in a way that encourages future reporting instead of suppressing it.

What You'll Learn in Reporting Culture

Reporting Culture — Training Steps

  1. A Typical Tuesday

    Today, you'll learn about reporting culture - the organizational mindset that encourages employees to speak up about security concerns without fear of blame or punishment.

  2. Something Seems Off

    While working, Alice notices her colleague Marcus looking frustrated at his computer. He clicks on an email link, then quickly closes the browser with a worried expression. He glances around nervously but says nothing. Alice wonders if she should say something. Maybe it was nothing. Maybe Marcus just made a mistake.

  3. The Hesitation

    Alice's internal debate: - 'Maybe I'm overreacting - it could be nothing.' - 'I don't want to get Marcus in trouble.' - 'What if I'm wrong and waste IT's time?' - 'It's probably not my place to say anything.' These thoughts are common, but they can have serious consequences.

  4. Understanding Reporting Culture

    A healthy reporting culture has three key elements: Psychological Safety - Employees feel safe speaking up without fear of punishment Non-Retaliation - The company protects reporters from negative consequences Appreciation - Reports are valued, even if they turn out to be false alarms Security teams would rather investigate ten false alarms than miss one real threat.

  5. The Company's Commitment

    Alice receives a reminder email from the Security Team about Sentinel's reporting policy. Reading it helps reinforce that reporting is encouraged and protected.

  6. Making the Decision

    After reading the email, Alice feels more confident. She decides to report what she observed - not to get Marcus in trouble, but to help the security team protect the company.

  7. Logging Into the Portal

    Alice uses her password manager to log in securely to the reporting portal.

  8. Submitting the Report

    The reporting form asks for a description of the concern. Alice provides factual details about what she observed without speculation or blame. The form emphasizes that reports are confidential and the reporter's identity is protected.

  9. The Security Team Responds

    Within minutes, Alice receives a response from the security team thanking her for the report. They confirm they will investigate discreetly.

  10. The Outcome

    Later that afternoon, Alice learns the outcome. The security team discovered that Marcus had indeed clicked on a phishing link. Because Alice reported it quickly, they were able to reset Marcus's credentials before any damage occurred. Marcus later thanked Alice. He was relieved it was caught early and grateful the company handled it without blame - just a quick password reset and a reminder about phishing awareness.