SMotW #8: Corporate security culture

Security Metric of the Week #8: measuring the organization's security culture

Culture is such a simple word for such a huge amount of complexity and ambiguity.  Fostering a 'culture of security' within the organization sounds like an excellent idea, but it's a lot easier to say than to do.  Perhaps metrics can help drive things in the right direction?

Culture can be measured in various ways ranging from informally observing and describing things, through to scientific research methods used in sociology and psychology.  Common surveys fall in the middle somewhere: their Accuracy depends on how well they are designed and conducted.  

The Independence of the surveyors is another factor: using a specialist team of competent, scientifically trained, professional assessors is an option but will dramatically impact the Timeliness and Costs, compared to using internal auditors and students.  Self-administered intranet surveys may be the way to go, but again they need to be designed carefully to avoid excessive bias (like for instance the reluctance of some employees to complete web surveys honestly, if at all).

Another option is to measure, say, the extent of employee compliance with policies, or absenteeism, or the general nature and tone of emails, water-cooler mutterings or social media.  These may only be indirectly related to corporate security culture but they do suggest possible metrics, perhaps focusing on certain aspects of most concern. 

With our vision of Acme Enterprises and a specific version of this example metric in mind, we scored it thus:

P	R	A	G	M	A	T	I	C	Score
60	76	55	75	60	60	10	75	20	55%

In your organization, given its current state of security maturity and facing its particular challenges and opportunities, you might score this metric quite differently to our example, and that's OK.  The context is important.  Nevertheless, the PRAGMATIC method provides a rational basis for the discussion, and often leads to insights and even better metrics.