Security Culture

The ideas, customs, and social behavior of a particular people or society
that allows them to be free from danger or threats.

Subjective Metrics

measuring-tape-1414773-1598x902The Security Culture Framework, quite rightly, suggests you begin your journey towards a security culture by looking at metrics. Start out by defining the current situation, known as As-Is. Then, document your target situation, known as To-Be. The next stage is to conduct a gap analysis between the two states.

The SCF then goes on to talk about result goals and learning outcomes, provides some examples and suggests these should be SMART (Specific, Measurable, Attainable, Realistic and Time-bound). All excellent advice.

However, to my mind there’s a potential problem here which could delay your move forward: metrics tend to be objective in nature, they need facts and numbers so they can be measured precisely. But culture is subjective, concerning ideas, customs, and behaviours – not things which can be accurately measured. How to overcome the challenge of bridging the gap between the two?

If you’re struggling with this consider defining some subjective metrics relating to the culture of your organisation and how security is viewed within it. Start with questions like:

Do you see security as helpful to your job?

Do you think the organisation is protected from hackers?

Do you know where to go to find security information?

Think of the way security-related processes – such as password resets, the time it takes to get a building pass, screensaver settings – are handled and ask if your users are happy or do they have problems with these.

Put the questions to all those within the scope of your security culture plan. By phrasing your subjective questions as needing Yes/No answers or asking for answers on a numeric scale you can easily obtain the objective numbers you need and turn them into SMART goals. I’ll even get you started with this illustration of what I mean:

Take the example question above: “Do you see security as helpful to your job?” What if 60% of your staff said “no”? The result goal could be to change this around to 60% saying “yes” within 6 months. This is Measurable by asking the question again, Attainable, Realistic and also Time-bound. I didn’t forget Specific; the question asks for a perception to be stated but when the total of “yes” answers are added up that leaves you with a specific number – as a percentage of the total – and completes all the requirements of a security culture metric.

Also using such metrics will give you a good basis for your As-is and To-be gap analysis, enabling you to easily solve any problems with your first step towards a secure culture.

Rob Horne

Senior Security Consultant at Info-Assure Ltd
Rob has many years experience in security management and assurance. Currently he's on long-term assignment to UK Government.

Latest posts by Rob Horne (see all)

Posts Forums Subjective Metrics

This topic contains 1 reply, has 2 voices, and was last updated by  jeremy 2 years, 2 months ago.

  • Author
  • #1311

    Rob Horne

    The Security Culture Framework, quite rightly, suggests you begin your journey towards a security culture by looking at metrics. Start out by defining
    [See the full post at: Subjective Metrics]

  • #1356


    I’d certainly agree that measurement is a foundation stone of any cyber security programme. But it is important to realise that measurement is trickier than it might appear. And this is because measurement is a very human, and culturally influenced, process.

    Here’s one reason:
    What you want to report influences what and how you measure
    What and how you measure influences what you discover
    What you discover, as well as what you want to report, influences what you report

    Here’s another reason:
    People are bad at expressing their opinions and motivations clearly and even worse at understanding them. So asking them questions may well be a fruitless exercise. (Oh, and they frequently lie too – sometimes because they want to please the researcher, sometimes because they want to be seen in a particular way, sometimes because they simply want to lie…)

    Here’s another reason
    People aren’t always the same. I may answer one thing in the morning and another thing in the evening. My responses will be influenced by my current circumstances. Today I may find something difficult because I am tired, or in a noisy environment, or stressed and thinking about something else. But tomorrow I will find it easy.

    That’s not to say you shouldn’t try to measure. But you should use different techniques (qualitative, quantitative, behavioural observation, neurological if you have the budget…). You should repeat measurements, perhaps using slightly different techniques or questions. And you shouldn’t necessarily believe the results – especially if they seem inconsistent or go against common sense.

    And finally remember what Einstein said: Not everything that is worth measuring can be measured. And not everything that can be measured is worth measuring.

You must be logged in to reply to this topic.