Alain Rees · 10-07-2026 · 8 min leestijd
Ask any group of employees whether they would report a security incident, and almost everyone says yes. Then look at the incident register of the same organisation, and you find a handful of reports per year. Every CISO knows this gap, and the temptation is great to explain it with unwillingness or indifference. The research points in a different direction: people do not report because reporting costs them something and rarely yields anything. That is good news, because both sides of that scale can be changed.
This article belongs to the Detect phase of the model behind Kantyra. Incidents are the richest source of signals an organisation has, but only if they reach the register.
The Netherlands Institute for the Study of Crime and Law Enforcement (NSCR) has mapped this gap for the Netherlands. Steve van de Weijer, Rutger Leukfeldt and Wim Bernasco analysed data from more than ninety-seven thousand victims in the Dutch population survey and established that cybercrime is reported considerably less often than traditional crime. In a follow-up study among 529 Dutch SME entrepreneurs, the contrast became painfully precise. Almost all entrepreneurs said they would report fictitious cyber incidents, but of the real cybercrimes they actually fell victim to, the police got to see just over fourteen percent. The reasons non-reporters gave sound familiar to every security officer: the expectation that nothing will be done with it anyway, and the preference to solve it themselves. Those who did report were, moreover, often dissatisfied with the follow-up.
These figures concern reporting to the police, but the pattern does not stand alone. In healthcare, where reporting behaviour has been studied most thoroughly, a systematic review by Hamed and Konstantinidis of reporting barriers among nurses found exactly the same ranking: the most frequently mentioned reason not to report is fear of negative consequences, followed by cumbersome reporting systems and a culture of assigning blame. Knowledge and technology problems only come after that. The gap between saying and doing is therefore not an information problem, but a weighing problem.
The reflex to look for the culprit after an incident is understandable and disastrous at the same time. Amy Edmondson showed in a field study among fifty-one teams, now a classic, that the willingness to admit and discuss mistakes depends on what she calls psychological safety: the shared conviction that in this team you can admit something without being made to pay for it. Teams with that safety learn more and therefore perform better. In that light, punishment changes little about the behaviour that led to the incident, but much about whether you will ever hear about it again.
Safety science has formulated a workable answer to this. James Reason described how a reporting culture only arises when it is clear in advance where the line lies between acceptable and unacceptable behaviour, so that a reporter knows where they stand. The Dutch safety scientist Sidney Dekker, professor in Australia, developed this with Hugh Breakey into what has since become the standard under the name just culture: a way of handling mistakes that is experienced as just, aimed more at restoration and learning than at retribution. Their core point is that it is not the sanction itself that breaks the reporting culture, but the handling that is experienced as unjust. An organisation that deals with mistakes honestly and predictably can be strict where it must be and still keep the reports coming.
The second half of the weighing is what a report yields. Paul Barach and Stephen Small studied reporting systems outside healthcare, including the aviation system ASRS, and distilled the characteristics of the systems that work: reporting is voluntary and confidential, the reporter enjoys protection, the analysis is done independently of the line, and rapid, visible feedback follows. They also point out that near misses occur seven to one hundred times more often than actual incidents, and are therefore by far the richest source of learning for whoever manages to catch them.
Here too, the Netherlands provides the evidence. Ian Leistikow and colleagues of the Dutch Health Inspectorate described how the Dutch supervision of serious-incident reports shifted from judging the outcome to judging the quality of the learning process a report sets in motion. Their proposition is that the value of a report does not lie in the report itself, but in what the organisation does with it. An evaluation of that same system by researchers of Erasmus University, based on more than four thousand four hundred investigated incidents, shows that it works: staff attitudes changed, the number of reports rose and the quality of the investigations increased. The researchers note that the learning only comes about where the organisation actively works with the reports.
And it is behaviour that can be influenced. Recent Australian research among more than five hundred working adults, aimed specifically at the reporting of cyber incidents, found that the intention to report is carried by three factors: the attitude towards reporting, the norm that colleagues and managers radiate, and the feeling of knowing how to report. That last factor also predicted actual reporting behaviour. A follow-up study added that the mere presence of a knowable security policy goes hand in hand with more frequent reporting, as does the awareness that security belongs to one's own role. It was also striking that employees lower in the hierarchy report less, while incidents are precisely there where they first become visible.
From this literature follows a recipe that costs little and yields much.
For completeness: this is the logic behind Kantyra's incident module. Reporting is open to every employee and asks for a description, not a confession. Every report gets a handler and a visible status, so that feedback is not a good intention but a workflow. And serious incidents that touch a risk automatically queue up a reassessment of that risk, so that the organisation demonstrably does something with the signal. The report thus becomes what the research says it should be: the beginning of a learning process instead of the end of a career.
Do not look at the number of reports as a performance indicator, but at what happens with reports. Ask yourself three questions. Does a random employee know within ten seconds where to lodge an incident? Can someone who reported last quarter tell what happened with their report? And does your most junior colleague dare to report a mistake of their own without sounding out their manager first? Three times yes means your reporting culture works, whatever the number of reports. Every no points to the place where you should start, and none of the three requires a large project.
This article is a substantiated synthesis of existing scientific research and not independent, peer-reviewed research of its own. Where I interpret or explain, that interpretation is my own responsibility.
In een demo van 30 minuten lopen we het model door aan de hand van jouw situatie.
Plan een demo