05/04/2016 at 09:44 #1311
16/08/2016 at 12:24 #1356
I’d certainly agree that measurement is a foundation stone of any cyber security programme. But it is important to realise that measurement is trickier than it might appear. And this is because measurement is a very human, and culturally influenced, process.
Here’s one reason:
What you want to report influences what and how you measure
What and how you measure influences what you discover
What you discover, as well as what you want to report, influences what you report
Here’s another reason:
People are bad at expressing their opinions and motivations clearly and even worse at understanding them. So asking them questions may well be a fruitless exercise. (Oh, and they frequently lie too – sometimes because they want to please the researcher, sometimes because they want to be seen in a particular way, sometimes because they simply want to lie…)
Here’s another reason:
People aren’t always the same. I may answer one thing in the morning and another thing in the evening. My responses will be influenced by my current circumstances. Today I may find something difficult because I am tired, or in a noisy environment, or stressed and thinking about something else. But tomorrow I will find it easy.
That’s not to say you shouldn’t try to measure. But you should use different techniques (qualitative, quantitative, behavioural observation, neurological if you have the budget…). You should repeat measurements, perhaps using slightly different techniques or questions. And you shouldn’t necessarily believe the results – especially if they seem inconsistent or go against common sense.
And finally remember what Einstein said: Not everything that is worth measuring can be measured. And not everything that can be measured is worth measuring.