# 8.4 Reporting Culture, Simulations, and Practice

# Goals

Cybersecurity education only works if employees are willing to report suspicious activity quickly.

A company can have good tools, policies, and training, but still miss an incident if employees are afraid to report mistakes, do not know where to report, or assume someone else will handle the issue.

The goal of this section is to build a reporting culture where employees report suspicious activity, mistakes, and unusual situations early without fear or delay.

This section also defines how the company practices real-world scenarios through simulations, drills, and tabletop exercises.

# Step 1: Build a No-Blame Reporting Culture

Employees should be told clearly that fast reporting is expected and appreciated.

The company should avoid language that shames employees for clicking a link, opening a suspicious attachment, entering a password, approving a strange MFA prompt, or sending data to the wrong person.

The message should be simple:

“If something seems wrong, report it quickly. If you made a mistake, report it immediately. Fast reporting helps protect the company.”

This does not mean careless behavior has no consequences. It means honest and prompt reporting should be treated as a protective action, not a failure.

# Step 2: Define What Employees Should Report

Employees should know exactly what situations need to be reported.

The company should ask employees to report:

  • Suspicious emails
  • Suspicious links
  • Unexpected attachments
  • Unknown QR codes
  • Fake login pages
  • Unexpected MFA prompts
  • Requests for passwords or MFA codes
  • Payment-change requests
  • Bank-detail changes
  • Executive impersonation attempts
  • Vendor or customer impersonation
  • Lost or stolen devices
  • Data sent to the wrong person
  • Files shared publicly by mistake
  • Strange device behavior
  • Possible malware or ransomware warnings
  • Unusual account activity
  • Suspicious phone calls or messages
  • Use of unapproved tools for company data

The reporting message should be repeated regularly.

# Step 3: Create Simple Reporting Channels

Reporting should be easy.

Employees should not have to search through a long policy to find out what to do.

Useful reporting channels include:

  • A phishing report button in email.
  • A dedicated security email address.
  • A helpdesk ticket category for security concerns.
  • A security channel in the approved chat platform.
  • A hotline or phone number for urgent incidents.
  • A manager escalation path for employees who are unsure.
  • A simple web form for suspicious activity reports.

For urgent issues such as ransomware, payment fraud, lost devices, or suspected account compromise, employees should know how to escalate immediately.

# Step 4: Tell Employees What to Do Immediately

Training should explain the first action employees should take.

Examples:

  • If you clicked a suspicious link, report it, even if nothing seemed to happen.

  • If you entered your password into a fake page, report it immediately so the password can be reset and any active sessions revoked.

  • If you receive an unexpected MFA prompt, deny it and report it.

  • If you opened a suspicious attachment, stop using the device and report it.

  • If you sent data to the wrong person, report it.

  • If a vendor requests new bank details, verify through a trusted channel before acting.

  • If your device is lost or stolen, report it immediately.

Employees should not try to investigate on their own, delete evidence, hide the mistake, or wait until the end of the day.

# Step 5: Practice With Phishing and Social Engineering Simulations

Phishing simulations can help employees recognize suspicious messages and practice reporting.

Simulations should be used carefully. The goal is learning, not embarrassment.

A good phishing simulation program should:

  • Use realistic but fair examples.
  • Avoid humiliating employees.
  • Teach after the exercise.
  • Measure reporting rates, not only click rates.
  • Identify teams that need more support.
  • Improve the reporting path.
  • Avoid overly deceptive or emotionally harmful scenarios.

The best outcome is not only fewer clicks. The best outcome is faster reporting.

# Step 6: Run Short Practical Drills

The company should practice common incident situations in short drills.

Useful drills include:

  • Suspicious email reporting drill
  • Unexpected MFA prompt drill
  • Lost laptop drill
  • Wrong-recipient data sharing drill
  • Fake vendor bank-detail change drill
  • Fake executive payment request drill
  • Ransomware first-action drill
  • Public file-sharing mistake drill
  • Customer impersonation drill
  • Suspicious phone call drill

These can be done as 10-minute team exercises, short quizzes, tabletop discussions, or manager-led scenarios.

# Step 7: Run Tabletop Exercises

A tabletop exercise is a structured discussion where the team walks through a realistic incident scenario.

The company should use tabletop exercises to test:

  • Who takes charge
  • How employees report
  • How leadership is notified
  • How IT or the MSP responds
  • How evidence is preserved
  • How containment decisions are made
  • How customers, vendors, insurers, or legal contacts are involved
  • How recovery priorities are decided
  • How communication is controlled

Good tabletop scenarios include:

  • Business email compromise
  • Ransomware
  • Lost executive laptop
  • Compromised payroll account
  • Vendor account compromise
  • Public exposure of sensitive files
  • Cloud or SaaS account compromise
  • Website compromise
  • Payment fraud attempt

Tabletop exercises should produce improvement actions, not just discussion.

# Step 8: Include Managers in Practice

Managers are important because employees often report concerns to them first.

Managers should know how to respond when an employee says:

  • “I clicked something suspicious.”

  • “I entered my password.”

  • “I approved an MFA prompt by mistake.”

  • “I sent a file to the wrong person.”

  • “I think my device is infected.”

  • “I received a suspicious payment request.”

Managers should not dismiss the concern, punish the employee, or tell them to wait. They should know how to escalate immediately through the approved reporting path.

# Step 9: Measure Reporting and Participation

The company should track whether reporting culture is improving.

Useful metrics include:

  • Training completion rate
  • Phishing simulation reporting rate
  • Phishing simulation click rate
  • Number of employee reports
  • Time from suspicious activity to report
  • Number of reports that turned out to be real issues
  • Departments that need more support
  • Missed or delayed reports
  • Repeated confusion points
  • Tabletop exercise findings
  • Drill participation

Do not use metrics only to criticize employees. Use them to improve training, reporting paths, and controls.

# Step 10: Feed Lessons Back Into Training and Controls

After simulations, drills, tabletop exercises, incidents, and near misses, update the training program.

Update:

  • Employee reporting instructions
  • Manager escalation instructions
  • Phishing examples
  • Payment verification process
  • MFA guidance
  • Lost device instructions
  • Data sharing rules
  • Incident response checklist
  • Recovery communication process
  • Training reminders
  • Simulation scenarios

Practice should directly improve the playbook.

# Recommended Free, Open-Source, and Affordable Solutions

These free and affordable resources can help deliver this essential training:

| Resource or Tool | Link | Type | Best Use |
| --- | --- | --- | --- |
| CISA Secure Our World | CISA Secure Our World | Free resource | Awareness messages on phishing, passwords, MFA, and updates |
| CISA Cybersecurity Awareness Month Resources | CISA Awareness Resources | Free resource | Posters, tip sheets, and campaign materials |
| CISA Tabletop Exercise Package Documentation | CISA Tabletop Exercise Package Documentation | Free exercise resource | Planning and running tabletop exercises |
| NCSC Exercise in a Box | NCSC Exercise in a Box | Free exercise resource | Tabletop and micro exercises for practicing cyber response |
| Cyber.gov.au Exercise in a Box | Cyber.gov.au Exercise in a Box | Free exercise resource | Discussion-based cyber exercises and templates |
| CIS MS-ISAC Tabletop Exercises | CIS Tabletop Exercises | Free resource | Short tabletop exercises and cyber resilience scenarios |
| SANS OUCH! Newsletter | SANS OUCH! | Free newsletter | Monthly awareness reminders for employees |
| FTC Cybersecurity for Small Business | FTC Cybersecurity for Small Business | Free resource | Small-business cybersecurity education and fraud prevention guidance |
| Google Phishing Quiz | Google Phishing Quiz | Free exercise | Quick phishing recognition practice |
| Microsoft Outlook Built-In Report Button | Microsoft Report Messages | Included in supported Outlook environments | Employee reporting of phishing and junk messages |
| Gmail Report Phishing | Gmail Report Phishing | Included in Gmail | Employee reporting of phishing emails |
| Gophish | Gophish | Open-source | Phishing simulations and reporting practice |
| CanIPhish | CanIPhish | Free tier/commercial | Phishing simulation and awareness campaigns |
| Moodle | Moodle | Open-source LMS | Hosting training, quizzes, and practice content |
| H5P | H5P | Open-source/free options | Interactive quizzes and scenario-based learning |
| Google Forms | Google Forms | Free/Workspace | Simple reporting forms, quizzes, and acknowledgements |
| Microsoft Forms | Microsoft Forms | Included with many Microsoft 365 plans | Reporting forms, quizzes, and training confirmation |
| Zammad | Zammad | Open-source/commercial | Helpdesk ticketing for security reports |
| osTicket | osTicket | Open-source/commercial | Simple ticketing for employee security reports |
| GLPI | GLPI | Open-source/commercial | IT service desk, security ticketing, and asset-linked reporting |
| Jira Service Management | Jira Service Management | Commercial/free tier | Security request intake and incident workflow tracking |
| TheHive | TheHive | Commercial/security case management | Security incident case handling and response collaboration |
| Mattermost | Mattermost | Open-source/commercial | Approved internal reporting and incident communication channel |
| Zulip | Zulip | Open-source/commercial | Structured internal security reporting discussions |
| Rocket.Chat | Rocket.Chat | Open-source/commercial | Internal chat channel for reporting and response coordination |
| ntfy | ntfy | Open-source/free options | Lightweight alerts and security notifications |
| Gotify | Gotify | Open-source | Self-hosted push notifications for security alerts |
| Canarytokens | Canarytokens | Free resource | Simple awareness demos and alerting exercises |
| VirusTotal | VirusTotal | Free/commercial | Checking suspicious files, hashes, domains, and URLs |
| urlscan.io | urlscan.io | Free/commercial | Reviewing suspicious links and phishing pages |
| BookStack | BookStack | Open-source | Internal security handbook and reporting instructions |
| Wiki.js | Wiki.js | Open-source | Internal knowledge base for reporting procedures and playbook pages |

One caveat on VirusTotal and urlscan.io: they are public services, and files or URLs submitted to them can become visible to other users. Look up a file by hash before uploading it, do not upload internal documents, and do not submit URLs that carry session tokens, password-reset links, or personal data.

# Practical Delivery Options

# Very Small Company

Use a dedicated security email address, Google Forms or Microsoft Forms, CISA awareness materials, SANS OUCH!, NCSC Exercise in a Box, and a simple spreadsheet to track reports and exercises.

# Microsoft 365-Based Company

Use the Outlook built-in Report button, Microsoft Forms, Teams, SharePoint, Microsoft Defender alerts where available, and a simple incident intake process.

# Google Workspace-Based Company

Use Gmail’s phishing reporting, Google Forms, Google Drive, Google Meet, Google Groups, Google Workspace admin alerts where available, and a simple tracking sheet.

# Cost-Conscious Open-Source Setup

Use Gophish for simulations, Zammad or osTicket for security reporting tickets, Moodle and H5P for quizzes, BookStack or Wiki.js for instructions, and ntfy or Gotify for security notifications.

# More Mature SME

Use phishing simulations, helpdesk security categories, tabletop exercises, incident response case management, employee reporting metrics, role-based drills, and quarterly awareness campaigns tied to actual incident trends.

# Simulation and Practice Schedule

A practical annual schedule may look like this:

  • Quarter 1: Core suspicious email reporting drill.

  • Quarter 2: Payment fraud and bank-detail change scenario for finance, procurement, and managers.

  • Quarter 3: Lost device, data sharing mistake, or unexpected MFA prompt drill.

  • Quarter 4: Tabletop exercise covering ransomware, business email compromise, or cloud account compromise.

After any real incident or near miss: short refresher training and updated scenario.

# Reporting Culture Metrics

Track these items:

  • Number of suspicious emails reported
  • Number of phishing simulations reported
  • Average time from receipt to report
  • Number of employees who reported
  • Number of real threats found through employee reporting
  • Number of mistaken reports
  • Departments needing more practice
  • Repeated training gaps
  • Exercise participation
  • Exercise findings
  • Improvement actions completed after exercises

A higher number of reports is not automatically bad. It may mean employees are paying attention.
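The following is an added illustration of how to turn the measurements listed in Step 5, Step 9 and this section into numbers. It is not code from the page, from Gophish, or from any other tool named above. The record shape is an assumption: one dict per simulation recipient with a department, the send time, and optional click and report timestamps in ISO 8601 UTC. The sample data is constructed, and the thresholds in `needs_support` are illustrative choices, not values from the page.

```python
"""Reporting-culture metrics from a phishing-simulation result set.

Added example for this section, not code from the page or from any listed tool.
Assumed record shape: {"user", "dept", "sent", "clicked", "reported"} with
ISO 8601 UTC timestamps ("...Z") or None. Adapt the loader to your own export.
"""
from datetime import datetime
from statistics import median

# Constructed sample data: eight recipients in three departments. Not real results.
SAMPLE_RESULTS = [
    {"user": "a.ahmed", "dept": "Finance", "sent": "2024-05-06T09:00:00Z",
     "clicked": None, "reported": "2024-05-06T09:07:00Z"},
    {"user": "b.bell", "dept": "Finance", "sent": "2024-05-06T09:00:00Z",
     "clicked": "2024-05-06T09:12:00Z", "reported": "2024-05-06T09:14:00Z"},
    {"user": "c.chen", "dept": "Finance", "sent": "2024-05-06T09:00:00Z",
     "clicked": "2024-05-06T09:20:00Z", "reported": None},
    {"user": "d.diaz", "dept": "Sales", "sent": "2024-05-06T09:00:00Z",
     "clicked": None, "reported": None},
    {"user": "e.evans", "dept": "Sales", "sent": "2024-05-06T09:00:00Z",
     "clicked": None, "reported": "2024-05-06T11:30:00Z"},
    {"user": "f.fox", "dept": "Sales", "sent": "2024-05-06T09:00:00Z",
     "clicked": "2024-05-06T09:03:00Z", "reported": None},
    {"user": "g.gupta", "dept": "Ops", "sent": "2024-05-06T09:00:00Z",
     "clicked": None, "reported": "2024-05-06T09:02:00Z"},
    {"user": "h.hall", "dept": "Ops", "sent": "2024-05-06T09:00:00Z",
     "clicked": None, "reported": "2024-05-07T08:45:00Z"},
]


def _ts(value):
    """Parse an ISO 8601 UTC timestamp ending in 'Z', or return None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _minutes_between(start, end):
    return (_ts(end) - _ts(start)).total_seconds() / 60


def summarize(results):
    """Reporting-side metrics for one campaign: report rate and speed, not only clicks."""
    n = len(results)
    if n == 0:
        raise ValueError("no results to summarize")
    clicked = [r for r in results if r["clicked"]]
    reported = [r for r in results if r["reported"]]
    # People who clicked and still reported: the no-blame culture signal.
    clicked_then_reported = [r for r in clicked if r["reported"]]
    minutes = sorted(_minutes_between(r["sent"], r["reported"]) for r in reported)
    return {
        "recipients": n,
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        "clicked_and_reported_rate": (
            len(clicked_then_reported) / len(clicked) if clicked else 0.0
        ),
        "median_minutes_to_report": median(minutes) if minutes else None,
        # Share of all recipients who reported within an hour of delivery.
        "reported_within_1h_rate": sum(m <= 60 for m in minutes) / n,
    }


def by_department(results):
    """Same metrics per department, to find teams that need more support."""
    groups = {}
    for r in results:
        groups.setdefault(r["dept"], []).append(r)
    return {dept: summarize(rows) for dept, rows in groups.items()}


def needs_support(results, min_report_rate=0.5, max_click_rate=0.25):
    """Departments below the report-rate floor or above the click-rate ceiling.

    Thresholds are illustrative assumptions, not values from the page."""
    flagged = [
        dept for dept, stats in by_department(results).items()
        if stats["report_rate"] < min_report_rate or stats["click_rate"] > max_click_rate
    ]
    return sorted(flagged)


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RESULTS).items():
        print(f"{key}: {value}")
    print("needs support:", needs_support(SAMPLE_RESULTS))
```

Note that the median time to report is computed only over people who reported, while `reported_within_1h_rate` is computed over all recipients; the first tells you how fast reporters are, the second how much of the company a fast report actually reaches. The same timing calculation applies unchanged to real reports if you record the time the suspicious message arrived alongside the time the ticket was opened.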

# Expected Outputs from This Section

At the end of this section, the company should have:

  • A clear no-blame reporting message.
  • A list of reportable situations.
  • Simple reporting channels.
  • Employee instructions for immediate action.
  • A phishing simulation or reporting practice plan.
  • A tabletop exercise plan.
  • Short practical drills for common scenarios.
  • Manager escalation guidance.
  • Reporting and simulation metrics.
  • A process for turning exercise findings into improvements.

# Objective

Fast reporting reduces damage.

A company should leave this section able to say:

“Our people know how to report suspicious activity, they are not afraid to report mistakes, and we regularly practice the situations most likely to affect the business.”

That is reporting culture, simulations, and practice.