The Security Culture Framework, quite rightly, suggests you begin your journey towards a security culture by looking at metrics. Start out by defining the current situation, known as As-Is. Then, document your target situation, known as To-Be. The next stage is to conduct a gap analysis between the two states.
The SCF then goes on to talk about result goals and learning outcomes, provides some examples and suggests these should be SMART (Specific, Measurable, Attainable, Realistic and Time-bound). All excellent advice.
However, to my mind there’s a potential problem here which could delay your move forward: metrics tend to be objective in nature, they need facts and numbers so they can be measured precisely. But culture is subjective, concerning ideas, customs, and behaviours – not things which can be accurately measured. How to overcome the challenge of bridging the gap between the two?
If you’re struggling with this consider defining some subjective metrics relating to the culture of your organisation and how security is viewed within it. Start with questions like:
Do you see security as helpful to your job?
Do you think the organisation is protected from hackers?
Do you know where to go to find security information?
Think of the way security-related processes – such as password resets, the time it takes to get a building pass, screensaver settings – are handled and ask if your users are happy or do they have problems with these.
Put the questions to all those within the scope of your security culture plan. By phrasing your subjective questions as needing Yes/No answers or asking for answers on a numeric scale you can easily obtain the objective numbers you need and turn them into SMART goals. I’ll even get you started with this illustration of what I mean:
Take the example question above: “Do you see security as helpful to your job?” What if 60% of your staff said “no”? The result goal could be to change this around to 60% saying “yes” within 6 months. This is Measurable by asking the question again, Attainable, Realistic and also Time-bound. I didn’t forget Specific; the question asks for a perception to be stated but when the total of “yes” answers are added up that leaves you with a specific number – as a percentage of the total – and completes all the requirements of a security culture metric.
Also using such metrics will give you a good basis for your As-is and To-be gap analysis, enabling you to easily solve any problems with your first step towards a secure culture.
- Subjective Metrics - 05/04/2016
- Culture includes both the artist and their audience - 13/01/2016