Encouraging Organisational Information Security Incident Reporting

21𝑠𝑡 -century organisations can only learn how to respond effec- tively to, and recover from, adverse information security incidents if their employees report any incidents they notice. This should happen irrespective of whether or not they themselves triggered the incident. Organisations have started to inform their employ- ees about their incident reporting obligations. However, there is little research that organisations can benefit from to make their reporting provisions maximally effective. For this work, we follow a multi-step approach. (1) We review the related research on report- ing, including reporting reluctance, and the legalities of incident reporting in the European Union. (2) We explain how we developed variations of information texts that raise awareness of incident re- porting obligations and aim to ameliorate reporting reluctance. (3) We conducted an online user study (n=257) to identify the most ef- fective information text. (4) The most effective text was deployed by the CISO of a German energy company and we collected feedback from 24 employees to support a qualitative analysis. We discuss our experiences and the implications of such information text design. ... mehrWe make recommendations for encouraging information security incident reporting and suggest future work.