Kantyra Kantyra

← Alle artikelen

Signaleren

Why does hardly anyone report an incident?

Alain Rees · 10-07-2026 · 8 min leestijd

Ask any group of employees whether they would report a security incident, and almost everyone says yes. Then look at the incident register of the same organisation, and you find a handful of reports per year. Every CISO knows this gap, and the temptation is great to explain it with unwillingness or indifference. The research points in a different direction: people do not report because reporting costs them something and rarely yields anything. That is good news, because both sides of that scale can be changed.

This article belongs to the Detect phase of the model behind Kantyra. Incidents are the richest source of signals an organisation has, but only if they reach the register.

How large is the gap between saying and doing?

The Netherlands Institute for the Study of Crime and Law Enforcement (NSCR) has mapped this gap for the Netherlands. Steve van de Weijer, Rutger Leukfeldt and Wim Bernasco analysed data from more than ninety-seven thousand victims in the Dutch population survey and established that cybercrime is reported considerably less often than traditional crime. In a follow-up study among 529 Dutch SME entrepreneurs, the contrast became painfully precise. Almost all entrepreneurs said they would report fictitious cyber incidents, but of the real cybercrimes they actually fell victim to, the police got to see just over fourteen percent. The reasons non-reporters gave sound familiar to every security officer: the expectation that nothing will be done with it anyway, and the preference to solve it themselves. Those who did report were, moreover, often dissatisfied with the follow-up.

These figures concern reporting to the police, but the pattern does not stand alone. In healthcare, where reporting behaviour has been studied most thoroughly, a systematic review by Hamed and Konstantinidis of reporting barriers among nurses found exactly the same ranking: the most frequently mentioned reason not to report is fear of negative consequences, followed by cumbersome reporting systems and a culture of assigning blame. Knowledge and technology problems only come after that. The gap between saying and doing is therefore not an information problem, but a weighing problem.

Does punishment make people more careful, or just more silent?

The reflex to look for the culprit after an incident is understandable and disastrous at the same time. Amy Edmondson showed in a field study among fifty-one teams, now a classic, that the willingness to admit and discuss mistakes depends on what she calls psychological safety: the shared conviction that in this team you can admit something without being made to pay for it. Teams with that safety learn more and therefore perform better. In that light, punishment changes little about the behaviour that led to the incident, but much about whether you will ever hear about it again.

Safety science has formulated a workable answer to this. James Reason described how a reporting culture only arises when it is clear in advance where the line lies between acceptable and unacceptable behaviour, so that a reporter knows where they stand. The Dutch safety scientist Sidney Dekker, professor in Australia, developed this with Hugh Breakey into what has since become the standard under the name just culture: a way of handling mistakes that is experienced as just, aimed more at restoration and learning than at retribution. Their core point is that it is not the sanction itself that breaks the reporting culture, but the handling that is experienced as unjust. An organisation that deals with mistakes honestly and predictably can be strict where it must be and still keep the reports coming.

What happens after the report, and why does that decide everything?

The second half of the weighing is what a report yields. Paul Barach and Stephen Small studied reporting systems outside healthcare, including the aviation system ASRS, and distilled the characteristics of the systems that work: reporting is voluntary and confidential, the reporter enjoys protection, the analysis is done independently of the line, and rapid, visible feedback follows. They also point out that near misses occur seven to one hundred times more often than actual incidents, and are therefore by far the richest source of learning for whoever manages to catch them.

Here too, the Netherlands provides the evidence. Ian Leistikow and colleagues of the Dutch Health Inspectorate described how the Dutch supervision of serious-incident reports shifted from judging the outcome to judging the quality of the learning process a report sets in motion. Their proposition is that the value of a report does not lie in the report itself, but in what the organisation does with it. An evaluation of that same system by researchers of Erasmus University, based on more than four thousand four hundred investigated incidents, shows that it works: staff attitudes changed, the number of reports rose and the quality of the investigations increased. The researchers note that the learning only comes about where the organisation actively works with the reports.

And it is behaviour that can be influenced. Recent Australian research among more than five hundred working adults, aimed specifically at the reporting of cyber incidents, found that the intention to report is carried by three factors: the attitude towards reporting, the norm that colleagues and managers radiate, and the feeling of knowing how to report. That last factor also predicted actual reporting behaviour. A follow-up study added that the mere presence of a knowable security policy goes hand in hand with more frequent reporting, as does the awareness that security belongs to one's own role. It was also striking that employees lower in the hierarchy report less, while incidents are precisely there where they first become visible.

What can you do with this tomorrow?

From this literature follows a recipe that costs little and yields much.

  1. Make the reporting route ridiculously simple and make it known. The feeling of knowing how to report is the strongest predictor of actual reporting behaviour, and a knowable policy alone already raises the likelihood of reporting.
  2. Agree in advance how the organisation deals with mistakes, and stick to it. The line between acceptable and unacceptable must be clear before the incident, not invented afterwards. That is the core of a just culture.
  3. Respond to every report with investigation and feedback, never with silence. The reporter who hears nothing back does not report a second time. The systems that work feed back quickly and visibly what happened with the report.
  4. Catch the near misses too. They are many times more numerous than real incidents and teach you the same lessons without the damage.
  5. Celebrate the report instead of the silence. Few reports almost never means few incidents; it means your register no longer describes reality.

For completeness: this is the logic behind Kantyra's incident module. Reporting is open to every employee and asks for a description, not a confession. Every report gets a handler and a visible status, so that feedback is not a good intention but a workflow. And serious incidents that touch a risk automatically queue up a reassessment of that risk, so that the organisation demonstrably does something with the signal. The report thus becomes what the research says it should be: the beginning of a learning process instead of the end of a career.

What does this mean for your organisation?

Do not look at the number of reports as a performance indicator, but at what happens with reports. Ask yourself three questions. Does a random employee know within ten seconds where to lodge an incident? Can someone who reported last quarter tell what happened with their report? And does your most junior colleague dare to report a mistake of their own without sounding out their manager first? Three times yes means your reporting culture works, whatever the number of reports. Every no points to the place where you should start, and none of the three requires a large project.

Accountability and sources

This article is a substantiated synthesis of existing scientific research and not independent, peer-reviewed research of its own. Where I interpret or explain, that interpretation is my own responsibility.

  1. Van de Weijer, S.G.A., Leukfeldt, R. & Bernasco, W. (2019). Determinants of reporting cybercrime: A comparison between identity theft, consumer fraud, and hacking. European Journal of Criminology, 16(4). https://doi.org/10.1177/1477370818773610
  2. Van de Weijer, S., Leukfeldt, R. & Van der Zee, S. (2021). Cybercrime Reporting Behaviors Among Small- and Medium-Sized Enterprises in the Netherlands. In: Cybercrime in Context. Springer. https://doi.org/10.1007/978-3-030-60527-8_17
  3. Dekker, S.W.A. & Breakey, H. (2016). 'Just culture:' Improving safety by achieving substantive, procedural and restorative justice. Safety Science, 85. https://doi.org/10.1016/j.ssci.2016.01.018
  4. Reason, J. (1998). Achieving a safe culture: theory and practice. Work & Stress, 12(3). https://doi.org/10.1080/02678379808256868
  5. Barach, P. & Small, S.D. (2000). Reporting and preventing medical mishaps: lessons from non-medical near miss reporting systems. BMJ, 320(7237). https://doi.org/10.1136/bmj.320.7237.759
  6. Edmondson, A. (1999). Psychological Safety and Learning Behavior in Work Teams. Administrative Science Quarterly, 44(2). https://doi.org/10.2307/2666999
  7. Leistikow, I., Mulder, S., Vesseur, J. & Robben, P. (2017). Learning from incidents in healthcare: the journey, not the arrival, matters. BMJ Quality & Safety, 26(3). https://doi.org/10.1136/bmjqs-2015-004853
  8. De Kam, D., Kok, J., Grit, K., Leistikow, I., Vlemminx, M. & Bal, R. (2020). How incident reporting systems can stimulate social and participative learning: A mixed-methods study. Health Policy, 124(8). https://doi.org/10.1016/j.healthpol.2020.05.018
  9. Hamed, M.M.M. & Konstantinidis, S. (2022). Barriers to Incident Reporting among Nurses: A Qualitative Systematic Review. Western Journal of Nursing Research, 44(5). https://doi.org/10.1177/0193945921999449
  10. Ahola, K., Butavicius, M., McCormac, A. & Sturman, D. (2025). Hey "CSIRI", should I report this? Investigating the factors that influence employees to report cyber security incidents in the workplace. Information and Computer Security, 33(2). https://doi.org/10.1108/ICS-11-2023-0214
  11. Ahola, K. and others (2025). 'Ctrl, alt, report': the influence of policy, cyber security job relevance, rank and gender on cyber security incident reporting. Information and Computer Security. https://doi.org/10.1108/ICS-02-2025-0044
Zien hoe dit in Kantyra werkt?

In een demo van 30 minuten lopen we het model door aan de hand van jouw situatie.

Plan een demo

Meer in de fase Signaleren