Lastly, would your users know what to do if they believed they detected such an incident? Clearly, if you are in an organization’s security department, the desired action would be the user reporting the incident to you. However, in order for that to happen, the user has to know how to report a potential incident and, most important, feel comfortable enough to do so.
People knowing how to report an incident should be simple to accomplish. However, in this case, you must ask yourself if a typical person would consider this a physical security or cybersecurity incident. Do you provide a single contact to triage any potential security-related incident? You need to make reporting easy.
However, even if it is easy to report, it is irrelevant if people won’t report potential concerns. Consider that people might not be motivated to report incidents in the first place. Generally, it should be considered a requirement for people to report any potential incidents. That is not always obvious. They might feel they are bothering people and being overly paranoid. They might feel stupid if they report something that is not a valid concern.
More important, they may feel stupid by reporting that they fell for an attack in the first place. Consider that it is ironic that I am admitting that the impetus for this article is admitting that I might have made a mistake. I, however, realize that everyone makes mistakes, and I am not embarrassed to admit it. The average user doesn’t realize this.
Possibly more relevant is that a person might believe they will be blamed and punished for failing. They might be afraid of repercussions. If they believe they are the only one who knows about their potential error, they would want to hide the mistake.
In the awareness field, the focus seems to be on making sure users know how to protect themselves, and not fall victim to attack. All too frequently that focus is on protecting against specific attacks, and not on general guidance, as I previously detailed. That must change.
However, as important, awareness needs to feature detection and reaction. But remember, even an aware person will not react appropriately if you don’t have a supportive environment. People will make mistakes, and they should feel comfortable admitting it.