Security Culture

The ideas, customs, and social behavior of a particular people or society
that allow them to be free from danger or threats.

Subjective Metrics


This topic contains 1 reply, has 2 voices, and was last updated by jeremy 2 years, 2 months ago.

  • #1311

    Rob Horne
    Participant

    The Security Culture Framework, quite rightly, suggests you begin your journey towards a security culture by looking at metrics. Start out by defining
    [See the full post at: Subjective Metrics]

  • #1356

    jeremy
    Participant

    I’d certainly agree that measurement is a foundation stone of any cyber security programme. But it is important to realise that measurement is trickier than it might appear. And this is because measurement is a very human, and culturally influenced, process.

    Here’s one reason:
    What you want to report influences what and how you measure
    What and how you measure influences what you discover
    What you discover, as well as what you want to report, influences what you report

    Here’s another reason:
    People are bad at expressing their opinions and motivations clearly and even worse at understanding them. So asking them questions may well be a fruitless exercise. (Oh, and they frequently lie too – sometimes because they want to please the researcher, sometimes because they want to be seen in a particular way, sometimes because they simply want to lie…)

    Here’s another reason:
    People aren’t always the same. I may answer one thing in the morning and another thing in the evening. My responses will be influenced by my current circumstances. Today I may find something difficult because I am tired, or in a noisy environment, or stressed and thinking about something else. But tomorrow I will find it easy.

    That’s not to say you shouldn’t try to measure. But you should use different techniques (qualitative, quantitative, behavioural observation, neurological if you have the budget…). You should repeat measurements, perhaps using slightly different techniques or questions. And you shouldn’t necessarily believe the results – especially if they seem inconsistent or go against common sense.

    And finally remember what Einstein said: Not everything that is worth measuring can be measured. And not everything that can be measured is worth measuring.
