Coming Soon
Expected availability announced soon
This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
Security Awareness
SA Incident Reporting
Incident Reporting Awareness teaches employees to recognize security incidents, follow proper reporting channels, preserve evidence, and understand legal obligations, enabling rapid response and a stronger security culture.
Who Should Take This
All staff members who handle data, use corporate systems, or interact with external partners should take this course. It is designed for employees at any experience level who need a clear, actionable guide to detecting and reporting security events, supporting compliance and organizational resilience.
What's Included in AccelaStudy® AI
Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats
Course Outline
62 learning goals
1. Recognizing Security Incidents (3 topics)
Incident identification
- Recognize what constitutes a security incident, including unauthorized access, data breaches, malware infections, phishing successes, physical security violations, and policy breaches.
- Identify the difference between a security incident and a security event, understanding that events are observable occurrences while incidents are events that threaten security.
- Describe common indicators that a security incident may have occurred, including unexpected account lockouts, unfamiliar login locations, missing files, and unusual system behavior.
- Explain why every employee is considered part of the organization's detection capability and how human observation catches incidents that automated tools miss.
- Recognize social engineering incidents including pretexting phone calls, impersonation of IT support, and tailgating into secure areas as reportable security events.
- Describe the difference between a security violation (deliberate policy breach) and a security incident (event that threatens confidentiality, integrity, or availability) and how both require reporting.
Near-miss events
- Recognize near-miss security events where a breach was narrowly avoided, such as catching a phishing email before clicking, noticing tailgating, or spotting a misconfigured sharing link.
- Describe why reporting near-misses is as valuable as reporting actual incidents, since near-misses reveal vulnerabilities before they are exploited.
- Identify examples of near-miss events in daily work, including suspicious emails reported before clicking, USB drives found and turned in, and visitors challenged before entering restricted areas.
- Explain how organizations use near-miss data to proactively strengthen controls, update training, and address systemic vulnerabilities before they are exploited.
Common incident types for employees
- Recognize the indicators that you may have fallen for a phishing attack, including entering credentials on a suspicious site, opening a malicious attachment, or clicking a deceptive link.
- Identify signs that your account may have been compromised, including password reset emails you did not request, unfamiliar sent messages, and login notifications from unknown locations.
- Recognize accidental data exposure incidents, including sending sensitive data to wrong recipients, uploading files to public cloud storage, and leaving printed documents in public areas.
- Describe the difference in urgency between a ransomware infection requiring immediate response and a minor policy violation requiring routine reporting.
- Recognize physical security incidents including tailgating, propped-open secure doors, unauthorized photography, and unescorted visitors in restricted areas.
- Identify the signs that a device may be infected with malware, including unexpected pop-ups, browser redirects, unexplained data usage, and disabled security tools.
2. Reporting Channels and Procedures (2 topics)
Reporting channels
- Identify the organization's available reporting channels for security incidents, including help desk tickets, dedicated security email, phone hotlines, and reporting apps.
- Describe which reporting channel to use for different incident types and urgency levels, including when to call the security hotline versus submitting a ticket.
- Explain why using the official reporting channel is preferred over telling only your manager, since security teams need direct notification to begin response procedures.
- Recognize the importance of knowing reporting contact information before an incident occurs and keeping security hotline numbers accessible on your phone and desk.
- Describe the information that should be ready before contacting the security team, including the type of event, affected systems, timeline, and any actions already taken.
Escalation procedures
- Describe the typical incident escalation path from initial employee report through IT security triage to management notification and executive communication.
- Recognize situations requiring immediate escalation, including active ransomware, ongoing data exfiltration, physical intruder, or compromised executive accounts.
- Explain what to do when the primary reporting channel is unavailable, including alternative contacts, out-of-hours procedures, and when to escalate directly to management.
- Analyze an incident scenario to determine the appropriate reporting channel, urgency level, and escalation path based on the type and severity of the event.
3. Evidence Preservation and Documentation (2 topics)
Preserving evidence
- Recognize the importance of not deleting, modifying, or attempting to fix a compromised system before reporting, since these actions can destroy evidence needed for investigation.
- Describe basic evidence preservation actions employees should take, including leaving the computer on, not closing suspicious emails, taking screenshots, and noting timestamps.
- Explain the concept of chain of custody at a basic level and why only authorized security personnel should handle potentially compromised devices.
- Identify actions that inadvertently destroy evidence, including rebooting a compromised computer, deleting suspicious emails, running antivirus scans, and changing passwords on the affected device.
- Explain why disconnecting a compromised device from the network while leaving it powered on helps contain the incident while preserving volatile memory evidence.
Incident documentation
- Recognize the key information to include in an incident report: what happened, when it happened, what systems or data were involved, and what actions were taken.
- Describe how to document a security incident accurately, including using specific times, avoiding speculation, recording observable facts, and noting any witnesses.
- Explain why preserving original phishing emails (not forwarding or altering them) helps the security team analyze headers, links, and attachments for threat intelligence.
- Analyze a described incident to identify the key facts that should be documented and prioritize them by relevance to the investigation.
4. Timely Reporting and Legal Obligations (2 topics)
Reporting timeliness
- Recognize why reporting security incidents immediately is critical and how even short delays allow attackers to expand access, exfiltrate more data, and cover their tracks.
- Describe the consequences of delayed incident reporting, including larger breach scope, increased regulatory penalties, higher remediation costs, and greater reputational damage.
- Explain common reasons employees delay reporting (embarrassment, fear of blame, uncertainty, hoping it resolves itself) and why these should never prevent timely reporting.
- Recognize that the first hour after discovering a security incident is the most critical window for containment and that every minute of delay increases potential damage.
Legal and regulatory obligations
- Recognize that many regulations (GDPR, HIPAA, state breach notification laws) impose strict timelines for reporting data breaches, often within 72 hours.
- Describe how employee reporting delays directly impact the organization's ability to meet regulatory notification deadlines and the financial penalties for late notification.
- Explain why employees must not attempt to determine the severity or scope of an incident before reporting, since this assessment is the security team's responsibility.
- Analyze a scenario involving a potential data breach to determine the correct immediate reporting actions considering regulatory notification requirements.
- Describe how breach notification requirements differ across jurisdictions and why the security team rather than individual employees determines notification obligations.
5. Post-Incident Review and Learning (2 topics)
Lessons learned participation
- Recognize the purpose of post-incident reviews (lessons learned, after-action reviews) and why employee participation is valuable for improving security defenses.
- Describe how post-incident reviews focus on process improvement rather than individual blame and what types of feedback are most helpful from involved employees.
- Explain how lessons learned from incidents lead to concrete improvements, including updated policies, better training, new technical controls, and revised procedures.
- Describe the importance of not discussing incident details outside of official channels and why confidentiality during investigation protects both the organization and affected individuals.
- Analyze a post-incident review summary to identify the root cause, contributing factors, and recommended process improvements that could prevent recurrence.
Continuous improvement
- Recognize how tracking incident metrics (time to report, types of incidents, frequency) helps the organization measure and improve its security posture over time.
- Describe how your individual reporting contributes to organizational threat intelligence, trend analysis, and targeted security awareness improvements.
- Analyze a series of related incident reports to identify a pattern that suggests a coordinated attack campaign or systemic vulnerability requiring organizational response.
6. Reporting Culture and Protections (3 topics)
No-blame culture
- Recognize the organization's no-blame policy for security incident reporting, which protects employees who report in good faith from disciplinary action.
- Describe why a no-blame culture is essential for effective security: when employees fear punishment, they hide incidents, which increases damage and delays response.
- Explain the boundary between no-blame reporting (honest mistakes, successful social engineering) and accountable behavior (deliberate policy violations, negligent data handling).
- Identify how you can contribute to a positive reporting culture by reporting your own incidents promptly, supporting colleagues who report, and sharing lessons learned.
- Describe how management behavior during and after incidents either reinforces or undermines a no-blame reporting culture and identify supportive leadership actions.
Whistleblower protections
- Recognize whistleblower protection mechanisms available to employees who report security violations, including anonymous reporting channels and legal protections.
- Describe when to use anonymous reporting channels, including situations involving suspected insider threats, management involvement, or retaliation concerns.
- Explain the legal protections available to whistleblowers under relevant regulations and company policy, including protection from retaliation and termination.
Integrating reporting into daily practice
- Describe how to maintain reporting readiness, including knowing current reporting channels, understanding your role in incident response, and keeping security contacts accessible.
- Synthesize incident reporting concepts to evaluate a workplace scenario involving multiple suspicious events and produce a comprehensive incident report with appropriate urgency classification.
- Synthesize a team security awareness plan that incorporates regular incident reporting drills, near-miss discussions, and lessons learned sharing sessions.
Scope
Included Topics
- Security incident reporting awareness for general corporate employees, covering what constitutes a security incident and how to identify near-miss events.
- Reporting channels, escalation procedures, and the flow of incident reports from employee to security team to management.
- Evidence preservation basics, including not deleting logs, not modifying compromised systems, and maintaining chain of custody awareness.
- Timely reporting importance, regulatory and legal obligations for breach notification, and the cost of delayed reporting.
- Post-incident review participation, lessons learned processes, and employee contributions to improving security posture.
- No-blame reporting culture, whistleblower protections, and psychological safety in reporting security events.
- Common incident types employees may encounter: phishing success, data exposure, device loss, unauthorized access, and suspicious behavior.
- Practical scenario-driven training focused on recognizing, documenting, and reporting security events.
Not Covered
- Incident response team operations, SOC analyst workflows, or SIEM-based incident triage and investigation.
- Digital forensics procedures, disk imaging, memory analysis, or malware reverse engineering.
- Incident response plan authoring, tabletop exercise facilitation, or crisis communication strategy.
- Legal proceedings, litigation support, expert witness preparation, or regulatory filing procedures.
- Security operations center staffing, shift management, or incident management platform administration.