
InTP Series: Confidential Reporting (Part 9 of 18)

CERT Insider Threat Center • Insider Threat Blog

"If you see something, say something." That phrase has been a popular security slogan for some time, and it applies to insider threat as well as other security arenas. Organizations need to develop a robust reporting capability for their employees, who may observe concerning behaviors and dispositions that technical controls might miss.

Hi, this is David McIntire of the CERT Insider Threat Center. In this installment of our blog series on establishing insider threat programs, I'll discuss the importance of confidential reporting capabilities within an insider threat program.

Why Confidential Reporting Is Important

Because employees may observe concerning behaviors and dispositions that technical controls might miss, a robust reporting capability is invaluable. However, employees who report suspicious behavior often shoulder unreasonable amounts of risk if they cannot report their observations in a confidential way.

The ability to confidentially report a concern or, more importantly, an incident is critical: without it, employees may be unable to report malfeasance by a superior without risking retribution. Many organizations already have internal reporting capabilities in the form of ombudsman programs. These types of programs can be ideal for confidential reporting for an insider threat program.

In addition, organizations should consider the viability of an anonymous reporting system. Even if reporting is confidential, employees may still be unwilling to report a coworker's malfeasance if they are forced to associate their name with an internal report.

Components of a Confidential Reporting System

The CERT Insider Threat Center recommends the following components be part of a confidential reporting system to ensure an effective reporting capability:

  • Employees must be aware that the program exists and should be trained on how to make confidential reports.
  • The reporting mechanism must accept, process, and store reports in a confidential fashion.
  • The reporting mechanism must have explicit guidelines for providing the confidential reports to appropriate action offices in a timely fashion.
  • Procedures are in place to ensure that every report is reviewed and processed.
  • Confidential reporting mechanisms should be easy to use and inconspicuous.


Look for future blog posts about the components of an insider threat program. If you have more in-depth questions, the CERT Insider Threat Program Manager Certification may be a good fit for you and your organization.

If you have questions or comments, contact us; we'd like to hear from you.
