How to make people report incidents?
Of course no one wants to report, they are "turning in" their peers. Also, the time and complexity it takes to go through the reporting process you described is another negative reinforcement. You are only going to get low compliance if everything is a negative.
And ... YOU CANNOT FORCE PEOPLE TO DO ANYTHING!!
You are approaching the problem backwards. You need to:
- use technical controls so that people do not have to think (set an auto-lockout time on idle workstations)
- reward people for doing the right thing (and no, reporting their peers is not the right thing)
Instead of punishing non-locked stations, reward people who locked their stations! Praise them publicly, offer them a chocolate. Whatever works for that office/local culture.
Your focus, at the moment, is to collect metrics for your incident reports. I suggest that this is also backwards. Locking a station is a behaviour. Not locking a station is not an incident (it's an event, at best). You are never going to get accurate metrics, so I'm not sure why this would be a focus.
I know that it is a huge mental shift, but there is a big difference between an intentional act of omission or commission (to not do or to do something) to violate policy (an incident) and inattention and inertia that results in non-compliance. You cannot confuse the two. Non-compliance is a behaviour issue, which needs to be handled (and tracked) differently.
To answer your question directly, in order to get people to do things, you need to address 3 factors:
- motivation
- ability
- trigger
They have to want to do it, it needs to be easy to do, and the trigger for when they are supposed to do it needs to be clear (the Fogg Model).
Scratching an itchy nose has high motivation, it's easy to do, and the itch is its own trigger. So, everyone does it reliably.
Reporting your peer for not locking a workstation has low motivation (even if you rewarded them for reporting), the process is complex, and the trigger is also not that clear. When does one deem that there is non-compliance? Does one have to be watching all the time? What if the other user stepped away and was within view of their workstation? What if the user is "looking out" for the workstation to ensure there is no unauthorised access?
You simply are on the wrong side of the Fogg Model. Address these 3 factors, and you can experience high compliance.
Encouraging your employees to snitch on each other by sending documentation of minor misbehavior to a centralized email address is a terrible idea for work climate. Nobody does it because nobody wants their colleagues to hate them and nobody wants to build a work environment governed by a denunciation culture. The resistance to your process is not just understandable, it is completely justified.
For this specific case of enforcing locking of workstations I would recommend an automated process. Configure all clients to go to a screensaver when unattended for a while and require the user to reauthenticate when dismissing the screensaver. That's a configuration supported by every operating system I could think of. Locking, unlocking and going to screensaver are all events you should be able to log. If some people's workstations frequently go to screensaver while they are logged in and they don't unlock very soon afterwards, then they likely left their desk without locking their workstation. You could register that as a very (very! (VERY!!)) minor security incident. You should also only act on these incidents when they happen very frequently for specific users. Keep in mind that there are other reasons for this to happen, for example when the user was involved in a longer discussion with someone while still sitting in front of their workstation.
For more serious security incidents (compromising passwords, losing security tokens, setting up insecure systems), you should encourage self-denunciation. "Confess your sins, and you shall receive absolution". Promise that anyone who caused such an incident and reports it in a proper and timely manner will get pardoned for its consequences, while those who try to hide their security blunders will not.
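The log-based check suggested in the answer above, sketched as an added example (not part of the original answer): it counts screensaver timeouts that hit a session the user had not locked and that were not dismissed within a grace period, then flags only users for whom this happens repeatedly. The event names, the two-minute grace period, the threshold of three and the sample log are all assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data: (timestamp, user, event). The event names are
# hypothetical; map them from whatever your operating system logs.
SAMPLE_EVENTS = [
    ("2024-03-04 09:10:00", "alice", "manual_lock"),
    ("2024-03-04 09:20:00", "alice", "screensaver_start"),  # already locked
    ("2024-03-04 09:40:00", "alice", "unlock"),
    ("2024-03-04 10:00:00", "bob", "screensaver_start"),
    ("2024-03-04 10:00:40", "bob", "unlock"),               # still at desk
    ("2024-03-04 12:05:00", "carol", "screensaver_start"),
    ("2024-03-04 12:50:00", "carol", "unlock"),
    ("2024-03-05 12:10:00", "carol", "screensaver_start"),
    ("2024-03-05 12:55:00", "carol", "unlock"),
    ("2024-03-06 15:00:00", "bob", "screensaver_start"),
    ("2024-03-06 15:30:00", "bob", "unlock"),
    ("2024-03-06 16:00:00", "carol", "screensaver_start"),
    ("2024-03-06 16:20:00", "carol", "unlock"),
]


def count_idle_lockouts(events, grace=timedelta(minutes=2)):
    """Count, per user, idle-timeout locks not dismissed within `grace`."""
    manually_locked = set()   # users who locked the session themselves
    pending = {}              # user -> time the idle screensaver started
    counts = Counter()
    for ts, user, event in sorted(events):
        when = datetime.strptime(ts, FMT)
        if event == "manual_lock":
            manually_locked.add(user)
        elif event == "screensaver_start" and user not in manually_locked:
            pending[user] = when
        elif event == "unlock":
            manually_locked.discard(user)
            started = pending.pop(user, None)
            if started is not None and when - started > grace:
                counts[user] += 1
    return counts


def flag_frequent(counts, threshold=3):
    """Only users at or above the threshold warrant a follow-up."""
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    totals = count_idle_lockouts(SAMPLE_EVENTS)
    print(dict(totals), flag_frequent(totals))
```

A quickly dismissed screensaver (bob's first event) and a screensaver that starts on an already locked session (alice) are both ignored, which covers the "still sitting in front of the workstation" caveat from the answer.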
I would find it interesting to speak to whoever thought this was a good way to achieve results.
The stimulus is extremely negative. You ask people to snitch on their co-workers. They must do this in full view of other co-workers (taking photographs). You clearly distrust the offender to 'own up' and the snitch to report honestly, as you require hard evidence: a photograph. Where in this scenario does an individual ever get anything positive out of it?
Reverse it. Train all staff in security risks. Online courses are easy. Focus on good behaviour. Count locked workstations at lunch. And most important: Reward teams. The team with the highest number of locked workstations gets a reward. Keep a public score. Reward the team weekly. Leave individuals out of it. You want the team to correct their team members.
Last: Bonus round. Go around and ask the teams to count how many times they've told a co-worker to lock their PC. Reward that team; and reward the team that says they lock without being told.
Public rewards, open scores, no individuals.