Security Culture

The ideas, customs, and social behavior of a particular people or society
that allows them to be free from danger or threats.

How do you measure culture?

plan and execute (1)

Metrics Matter: Knowing how to measure your progress and results, is key to your security awareness program. How do you measure culture?

With the SCF module Metrics, you set goals, define your baseline and decide how to measure security culture in your organization/program. Read more on the Metrics module:

Posts Forums How do you measure culture?

This topic contains 5 replies, has 4 voices, and was last updated by  Håvard 2 years, 6 months ago.

  • Author
  • #1005

    Irina Petris

    [See the full post at: How do you measure culture?]

  • #1041


    I think this is an interesting question that is deeper than it implies. Culture is like art in that, it is hard to define but I can spot it when I see it. I am currently working on some research that looks at an organization’s computer information security culture relative to information system security maturity and information systems security effectiveness. In doing so, I have been researching various perspectives of security culture: employee participation, SETA training, hiring practices, reward system, management commitment, and communication and feedback (Kraemer and Carayon, 2005). It is difficult in that it is something that directly is intangible and thus, some sort of surrogate or artifcat(s) must be used in order to measure culture.

  • #1062

    Kai Roer

    Hi Joseph! Great comments, and yes, I agree there is much more depth to this challenge than appears at first look.
    I would be very interested in looking at your research, and also to discuss this matter with you in more detail. We are currently working with a few universities to research into better ways to measure.
    I am also involved in the CLT.Re startup ( who works with a security culture assessment tool based on the framework. It looks promising, yet as you say, it is not an easy task!

  • #1206


    I see a lot of strange use of the culture concept. What do you mean with “culture” anyway? Is it a function? A system? A given law of behavior? As an anthropologist I have to say your use of the culture concept is confusing, and given that it is a sub genre of culture, the security culture you are looking for, you make it really hard to imagine how you could measure it.
    It looks like a lot of academic diciplines have had their saying in what security is, but I feel there is a serious lack of social scientist like sociologists and, perhaps more important, anthropologists to keep the concepts of culture straight.

    As far as I know, only one anthropologist have a method for “measuring” culture, and that is Clifford Geertz with what he call “Thick description”. It is not a quantitative size, but a qualitative description on every aspect of given culture, that can in sum give you a indication on where you are standing.
    If you are to measure security culture, not even this method will help you, because you are narrowing down tha concept to not include all aspects it is consisting of. How can you measure culture if your concept of culture is not culture?

    The easy way out of this is to call your concept something else, like security climate, or a discourse. Then you stand more freely to include the concepts you need to measure how your employees behave acording to security, not their culture.

  • #1209

    Kai Roer

    Hi Håvard,
    thank you for commenting. You are right to point out the challenge of measuring culture – it is indeed not as easy as measuring a meter, or a liter; exactly because of the lack of a common metric, a common standard of measure as we see in physics, biology, math and other “hard” sciences. This lack of standard of measure leads us first to the clue that we need a common definition. The Security Culture Framework builds it’s definition of security culture on the sociological definition (one of many) of culture: “the ideas, customs and social behaviours of a group or people”, leading us to look at how we can measure ideas, customs and social behaviours (that impacts security).
    Social anthropology use observation as a way to measure culture – if by measuring culture we accept the meaning of trying to understand similarities and differences between groups of people, and I often make the claim that the focus here is to look at a culture from the outside – like looking through a window.
    Sociology use discourse analytics, semiotics and other analytical models to understand culture through and by the artefacts, symbols (broad meaning) and other information carriers. I like to claim that sociology is about understanding culture from inside the culture itself.
    Psychology analyse culture by looking at how culture impacts people on an individual level – how do I respond to peer pressure? How do I adapt (as an individual) to the ways of a particular group of people? How quick do I adapt? What are adaptation facilitator and factors?
    Culture is, as you correctly point to, a wast and somewhat misunderstood topic. I once read that culture “is impossible to define, but we all know what it is“.
    You may be interested in learning that SINTEF and a few other EU-based organisations, including CLTRe, are currently mounting a research project to learn more about measuring security culture. CLTRe, by the way, launched a security culture metrics tool here:

  • #1217


    Hi Kai, and thanks for answer!
    I think you might have misunderstood what anthropologists do; it’s not just observation, we do what we call “participating observation”, which in this context mean that we try to understand a holistic view on culture. We are not just obeserving what’s going on, we are participating in daily life, coffee conversations and simple tasks. That way we can see the differents between what people say (in questionnaires etc., and what they actually do. If employees say they use hard hats at a construction site, but dont use it when no-one is looking it is a serious safety matter. When observing form “outside” one can find such matters, but not WHY such matters are in place. Anthropologists seek to answer the “why”, not state that the matter in fact is there.

    Many diciplines have had their say in the safety and security debatte, but anthropologists have been conspicuously absent. I hope that when the “culture” in safety and security matters are discussed, the anthropological voice will be heard, as they are the “experts” on culture.

    • This reply was modified 2 years, 6 months ago by  Håvard.

You must be logged in to reply to this topic.