If a colleague forwards you an email they suspect is phishing, how do you respond? If someone makes a mistake that impacts security, are they comfortable calling to tell you? If someone leaves a laptop at the airport, do they know who to call?\tThe only expected outcome of a properly defined security awareness program (confirm the definition here\u00a0 to stop others from conflating security awareness)\u00a0is that people report suspected\u00a0incidents. That requires the incident reporting program needs to match the needs of people.\tHow does your incident reporting process work?\t\t\tDo people know when and what to report?\t\t\tDo they understand how to report? Is it a specific person, a team, a generic "mailbox"? Can they use email, telephone, and other means?\t\t\tWhat does the process entail? What are they getting themselves involved in? Will they be scolded, mocked, or ridiculed?\t\t\tWhat sort of involvement does reporting an incident have on them?\t\t\tDo they get any confirmation of the incident? What if they are right, do they get any accolades?\tWhy the incident reporting process matters\tHere's the challenge: just telling people, "report suspected incidents" without demonstrating and building confidence in the process generally results in people choosing to remain quiet.\tIf someone doesn't know what to expect or fears that reporting creates a problem for them, it's easier to not engage. A poorly designed and executed incident reporting process derails an entire security awareness program.\tHow does your process\u00a0work? How are people treated?\tTwo tenets build the right incident reporting process\tJames K runs an impressive program where people routinely contact him with potential and actual incidents. The director of security for a financial services firm, James agreed to share his experience in building the process.\tJames says the core of a strong incident reporting program has two basic tenets:\t\t\tSay it: incorporate the incident reporting process into the security awareness program. In addition to explaining what to expect, James also sets the stage with his colleagues that his job "is protect the company, not catch you making mistakes.\u201d\t\t\tDo it: follow-through on the promise made. James explains that the first incident after launching the program defines how people will act in the future. When someone reports an incident, what happens to them? If the person gets chastised, punished, or fired, credibility is lost.\tPractice communication over messaging\tJames explains that a successful incident reporting program means \u201cyou\u2019re always communicating, and people are always communicating back.\u201d\tAs a result, James gets a lot of email from colleagues about suspected phishing attacks and other security concerns. He notes that while more than half of the messages turn out to be concerns about spam, "it's okay, because it means people are thinking about security."\tHe replies to each message with a quick note of thanks. More than expressing his genuine appreciation, it reinforces that people should report suspected incidents.\tIf someone gets a bit too excited and sees an incident in everything, James simply uses that as an opportunity to provide "one-on-one security training" to explain the differences and what to look for.\tAmplify the good\tJames points out that "if security is everyone's job, then everyone deserves a pat on the back for a job well-done."\tWhen someone forwards a phishing email or discovers a targeted attack before the traditional systems catch it, James not only thanks them, but makes sure that the management chain is made aware of the great work.\tWhile it takes a few extra seconds to find and copy the appropriate managers on the message, the approach creates allies and encourages broader participation.\tCultivating the change takes time - but it pays off\tJames suggests "it takes a year to work\u2026 but once it starts, it builds." In his experience, people are happy to help. Especially because it's exciting to catch something before others and make a difference.\tIn addition to seeing a rise in the number of incidents reported, James sees the benefits of his approach in the annual security testing. Because his colleagues are used to looking for things and comfortable reporting, they catch a lot of the tests before they are complete.\tFor example, James explained that during the last external security test, the sales team collectively figured out someone was attempting to social engineer them. Initially, they tipped each other off about the caller and scolded the tester. Then they reported the incident to James. Their success meant the tester was removed from the team.\tSometimes people make mistakes. It\u2019s a busy world and we run at a hectic pace. We don\u2019t expect people to catch everything all the time. We still need our tools in place, but having people aware and willing to share makes a difference.