2LRN4 security awareness platform
NL · EN
← Back to overview

Why employees don't report, even when they recognize an attack

Many organizations assume that employees don't recognize cyberattacks. But that perception is often incorrect. Employees recognize a surprising number of risks: strange emails, suspicious text messages, strange requests from "colleagues," messages that sound too good to be true. The recognition isn't the problem. The problem lies in what happens next.

Because even when employees know something isn't right, they often keep it to themselves. Not because they don't consider it important, but because they're afraid reporting it will cause trouble. "It might turn out I'm wrong," "I might be overreacting," or even worse: "They'll think I've done something wrong." That fear, while small and human, is persistent and one of the biggest obstacles to a secure organization. Behavior falters not due to a lack of knowledge, but due to a lack of security.


"People don't report because they don't see something, but because they're not sure if they're still safe if they do."


The Fear Behind Silence

Reporting only occurs in a culture where mistakes can be discussed. But in many organizations, the reflex of "who did this?" still prevails instead of "good that you reported it." This may seem small, but it forms the entire undercurrent. Employees are extremely aware of how their reports are received. A sigh of irritation, a comment that they "should have known this," or a manager who says, "I'll look into it later"—these are signals that say: Silence is safer.


And then people do exactly that. They remain silent.


Ironically, employees are very quick to report suspicious things in their private lives. They send screenshots to friends, ask in the family app if a message is true, or share warnings on social media. There, they feel no judgment, only support. That's where the willingness to report emerges that organizations so desperately want to see. It only shows one thing: people are willing to report, but only if they feel safe.


How to build a culture where reporting becomes second nature

An organization that wants to take reports seriously must start with one clear choice: we don't focus on mistakes, but on the fact that someone reports something. This means communication needs to change. Not just through posters or the intranet, but through how managers respond. By normalizing doubt. By demonstrating that a mistake doesn't lead to shame, but to learning. By actively thanking reporters.


When employees realize that a report is never used against them, but always benefits the organization, everything changes. Reports are filed sooner, faster, and with more detail. This is precisely where the behavior that truly makes organizations safer originates.


Willingness to report isn't a communication issue, but a cultural one. A safe reporting culture is the backbone of awareness. And without that culture, you can train all you want, but silence is always safer than reporting.

Want help with implementation?

Book a short demo or discuss your use case. We respond quickly.

Book a demo View support