As security practitioners we understand that prompt and accurate reporting of a security incident can save time and money and can minimize damage. But when a user clicks a malicious link, replies to a spear-phishing email, or gets a virus warning, they may see the need to report it as an RGE (Resume Generating Event). How can we encourage users to report incidents without the fear of repercussion?
There is nothing more frustrating than getting a phone call reporting an incident that occurred days, weeks, or months in the past.
Did the user really not notice for a month that their computer was gone and the cables were left dangling off their desk? Did they think it would just re-appear? What about a cell phone that is missing: was it just misplaced? How long should the user look for it before they report it missing? When is too long, too long? How can management create an environment in which users are willing to come forward when they realize that a security incident has occurred? What can be done to encourage or reward reporting?
These are the questions; what are the answers? Maybe my topic will be accepted at RSA 2012 San Francisco Peer2Peer and we will find out!
John "Mike" Wright