You are the first to arrive at work in the morning and notice that the CD ROM on which you saved contracts yesterday has disappeared. You were the last to leave yesterday. When should you report this information security incident?

A.
This incident should be reported immediately.

B.
You should first investigate this incident yourself and try to limit the damage.

C.
You should wait a few days before reporting this incident. The CD ROM can still reappear and, in that case, you will have made a fuss for nothing.

Explanation:
Reporting weaknesses in the security
When staff, temporary personnel and external users of information systems and services notice that there are (suspected) weaknesses in the system or services, it is important that they report those weaknesses as soon as possible. Only then can incidents be avoided.
When an information security incident is discovered, it is often not immediately clear whether the incident will lead to legal action. There is also the danger of critical evidence being destroyed, either intentionally or unintentionally, before the seriousness of the situation is realized. It is therefore important to firstly report the incident and then ask for advice on the action to take. It is possible that a lawyer or the police need to be involved at an early stage and that evidence will need to be collected.