Comment So... (Score 4, Insightful) 150
What percentage of them would expect to receive zero praise and potential reprisal if they did report a security problem?
Yeah, sure, it's depressing that people aren't courageous moral heroes, or motivated to go above and beyond, most of the time, especially about boring stuff or things likely to get them in trouble.
Guess what? That's one of the areas where management is supposed to be earning its money. One of the differences between an effective organization and a trainwreck is how good the flow of information is: are important observations from the periphery being collated and passed on so that HQ can actually achieve a coherent larger picture of the world? Are directions and information passed back down usefully informed by that picture? Or do you have unrealistic demands and buzzword nonsense flowing down; and soothing lies flowing up?
This doesn't mean that 100% of employees are innocent('insider threats' are a subset of 'people who wouldn't report a security breach', since they create them; but not a terribly large subset); but if you have this problem on a large scale, that's because your organization is dysfunctional.
Yeah, sure, it's depressing that people aren't courageous moral heroes, or motivated to go above and beyond, most of the time, especially about boring stuff or things likely to get them in trouble.
Guess what? That's one of the areas where management is supposed to be earning its money. One of the differences between an effective organization and a trainwreck is how good the flow of information is: are important observations from the periphery being collated and passed on so that HQ can actually achieve a coherent larger picture of the world? Are directions and information passed back down usefully informed by that picture? Or do you have unrealistic demands and buzzword nonsense flowing down; and soothing lies flowing up?
This doesn't mean that 100% of employees are innocent('insider threats' are a subset of 'people who wouldn't report a security breach', since they create them; but not a terribly large subset); but if you have this problem on a large scale, that's because your organization is dysfunctional.