Security Culture


Metrics – What to measure, why and how


Metrics

The starting point in the Security Culture Framework is metrics. In this phase, you understand your current posture and where you want to get to.

Metrics are based on facts and measurable information. You use the measurements to analyse your organization’s strengths, weaknesses and possibilities.

You start out by defining the current situation, known as As-Is. Next, you document your target situation, known as To-Be.

When you are satisfied that you understand both of the states, you can determine the gaps using a standard GAP-analysis. Documenting the gaps helps you design a path of activities to take your organization from the As-Is state to the To-Be state.

This is the module where you spend time defining milestones, and the level your organization should be at when each milestone is reached.

Documenting the metrics, and the reasons you use those metrics, is an important part of the Security Culture Framework.

Defining Goals

There are two kinds of goals of relevance to the SCF: Result Goals, and Learning Outcomes.

It makes sense to create so-called SMART Result Goals:
S = Specific
M = Measurable
A = Attainable
R = Realistic
T = Time-Bound

An example of a Result Goal:
The organization shall within six months reduce the number of “forgotten password” requests by 50%

An example of a Learning Outcome:
Those that receive training shall be aware of the importance of strong passwords, gain experience in creating strong passwords, learn how to manage their password portfolio in a secure manner, and share that knowledge.

Objectives

Over the course of the training you will need to evaluate and possibly make some revisions. As such, you should set certain objectives as well as define tolerance and acceptance criteria. Naturally, if the goals for the training are adjusted, a revision of the objectives has to be considered.

It’s important to distinguish between the metrics that are used to define a baseline for a holistic plan, and the metrics that are used as a checkpoint for progress or that reveal the need for adjustments to the initial plan. In the Security Culture Framework both kinds are vitally important.

GAP Analysis

In order to determine the difference between your current situation, and your defined goals, a gap analysis can be performed.

As-Is

As-Is describes how things are today. Understanding your current posture is an important point in the framework. Once you are fully apprised of your current environment, you can begin to plan appropriately.

To define today’s status you can, among other data, collect deviation data, incident reports, inquiries to support, and qualitative surveys such as interviews and questionnaires.

To-Be

To-Be describes the desired future state. Quantifiable goals, objectives and measuring parameters are described here (see Defining Goals).

It is also important to define how data is collected to document how the To-Be status is achieved, and to be able to track progress.

When As-Is and To-Be are defined, it may be prudent to conduct a GAP analysis to determine the next steps.
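The following is an added worked example, not part of the Security Culture Framework page, that turns a helpdesk ticket report into an As-Is baseline, a To-Be target and a milestone-by-milestone GAP check for the Result Goal quoted earlier (reduce “forgotten password” requests by 50% within six months). The report format, the category names, the three-month baseline window and the straight-line milestone glide path are all assumptions chosen for illustration.

```python
"""Added example (not from the Security Culture Framework page): compute
As-Is, To-Be, the gap between them, and per-month milestone status for the
Result Goal "reduce forgotten-password requests by 50% within six months".
Report format, category names and milestone schedule are assumptions.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed monthly helpdesk export: month,category,tickets.
# In a real programme this is the quantitative data the helpdesk manager
# can usually already provide.
MONTHLY_REPORT = """\
month,category,tickets
2014-01,password_reset,40
2014-01,vpn_access,12
2014-02,password_reset,36
2014-02,vpn_access,15
2014-03,password_reset,44
2014-03,malware_cleanup,3
2014-04,password_reset,36
2014-05,password_reset,34
2014-06,password_reset,29
2014-07,password_reset,27
2014-08,password_reset,22
2014-09,password_reset,19
"""

# Assumed schedule: three months of As-Is measurement, then the six-month
# programme during which the goal must be reached.
BASELINE_MONTHS = ["2014-01", "2014-02", "2014-03"]
PROGRAMME_MONTHS = ["2014-04", "2014-05", "2014-06",
                    "2014-07", "2014-08", "2014-09"]
TARGET_REDUCTION = 0.5   # "by 50%"


def parse_report(report: str, category: str) -> dict:
    """Return {month: tickets} for one ticket category, summing rows that
    share a month so a multi-team export still aggregates correctly."""
    counts: Counter = Counter()
    for row in csv.DictReader(io.StringIO(report)):
        if row["category"] == category:
            counts[row["month"]] += int(row["tickets"])
    return dict(sorted(counts.items()))


def as_is_baseline(counts: dict, months: list) -> float:
    """As-Is: mean monthly ticket count over the baseline window."""
    return sum(counts[m] for m in months) / len(months)


def to_be_target(baseline: float, reduction: float) -> float:
    """To-Be: the monthly count the Result Goal commits to."""
    return baseline * (1.0 - reduction)


@dataclass
class MilestoneStatus:
    month: str
    expected_max: float   # where the count should be by this month
    actual: int
    on_track: bool


def milestone_statuses(counts: dict, baseline: float, target: float,
                       months: list) -> list:
    """Check each programme month against a straight-line glide path from
    the As-Is baseline to the To-Be target. A month is on track when its
    actual count is at or below the glide path; anything above it is the
    signal the Act step uses to adjust the plan."""
    n = len(months)
    out = []
    for k, month in enumerate(months, start=1):
        expected = baseline - (baseline - target) * k / n
        actual = counts[month]
        out.append(MilestoneStatus(month, expected, actual, actual <= expected))
    return out


def gap_summary(counts: dict, baseline_months: list, programme_months: list,
                reduction: float) -> dict:
    """The GAP analysis in numbers: how far As-Is is from To-Be, and how
    much of that gap the latest measurement has closed."""
    baseline = as_is_baseline(counts, baseline_months)
    target = to_be_target(baseline, reduction)
    latest = counts[programme_months[-1]]
    return {
        "as_is": baseline,
        "to_be": target,
        "gap": baseline - target,
        "latest": latest,
        "achieved_reduction": (baseline - latest) / baseline,
        "goal_met": latest <= target,
    }


if __name__ == "__main__":
    resets = parse_report(MONTHLY_REPORT, "password_reset")
    baseline = as_is_baseline(resets, BASELINE_MONTHS)
    target = to_be_target(baseline, TARGET_REDUCTION)
    for s in milestone_statuses(resets, baseline, target, PROGRAMME_MONTHS):
        flag = "on track" if s.on_track else "ADJUST"
        print(f"{s.month}: {s.actual:3d} (glide path <= {s.expected_max:5.1f}) {flag}")
    print(gap_summary(resets, BASELINE_MONTHS, PROGRAMME_MONTHS, TARGET_REDUCTION))
```

With the constructed data the baseline is 40 tickets a month, the target 20, and the glide path flags May and July as months where the count sits above the line, even though the six-month goal is met in September. That is the distinction the Objectives section draws: the baseline metric defines the plan, the milestone checks tell you when to adjust it.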

How do we measure success?

It’s important to be conscious of whether you are measuring a single employee or the entire organization when carrying out activities.

Where the activity is done electronically it is easy to see who does what, which makes the data collection easier.

Among all the tools available for this, the Security Culture Framework recommends using an existing, already familiar tool for data collection.

Data Sources

Where to find sources of data?

Most organisations, if they look carefully, already have a lot of data that can be used. A couple of recommendations are to take an objective view and to map the existing data flow. Also, talk to key individuals like the Helpdesk manager, the IT manager and even non-IT managers. You may be surprised at what you discover.

You will end up with both types of data: quantitative (based on numbers) and qualitative (based on interviews or surveys).

Proposed procedure

Using known tools and methods is always an advantage. We recommend using Plan – Do – Check – Act (PDCA), a well-known process model from ISO, if your organization does not already have a preferred model.

Plan
• What do you need answers to?
• What are realistic objectives and goals?

Do
• Collect and structure information

Check
• Analyze results, and do a GAP analysis

Act
• Adjust needed parameters/actions
• Define controls and milestones
• Check the plan, review, and start a new iteration

Cultura von Fun

Automagically Fixer at The Roer Group


2 comments for “Metrics – What to measure, why and how”

  1. 11/06/2014 at 14:52

    The topic of metrics is a daunting one for a lot of organisations. However, in reality you probably have a wealth of information that you could use as effective metrics.

    The SANS Securing The Human site is a good resource for looking at how you can begin to measure your security awareness activities – http://www.securingthehuman.org/resources/metrics
