Hey “CSIRI”, should I report this? Investigating the factors that influence employees to report cyber security incidents in the workplace

Cyber security incidents pose a major threat to organisations. Reporting cyber security incidents and providing organisations with information about their true nature, type and volume, is crucial to inform risk-based decisions. Despite the importance of reporting cyber security incidents, little research has addressed employees’ motivations to do so. Therefore, the purpose of this study is to investigate the factors that influence employees to report cyber security incidents using the theory of planned behaviour as a theoretical framework.

Survey data were collected from a sample of 549 working Australian adults. Demographics were gathered, in addition to data using the Cyber Security Incident Reporting Inventory (CSIRI; pronounced, “Siri”).

Attitude towards reporting, subjective norms and perceived behavioural control each significantly predicted intention-to-report cyber security incidents. Perceived behavioural control also significantly predicted actual reporting behaviour.

The results of this study validate the application of the theory of planned behaviour to the cyber security incident reporting context, also indicating that the relationship between intention to report a cyber security incident and actual reporting behaviour may be facilitated by perceived behavioural control.

These findings can be applied to inform the development of strategies that increase employees’ cyber security incident reporting behaviour.

This study outlines the development of a new tool to measure attitudes, subjective norms and perceived behavioural control in relation to the reporting of cyber security incidents. To the best of the authors’ knowledge, this is the first study of its kind to identify the relationship between these factors and intentions to report cyber security incidents.