How long is a piece of string? The challenges and benefits of benchmarking security culture

In the months since my book People-Centric Security was published, I’ve enjoyed a running conversation with Lance Spitzner of the SANS Securing the Human program. Lance S. (to clarify any “two Lance’s” confusion) and I both believe strongly that harnessing the power of people and culture is the next great frontier for information security.

The question we discuss is, how does one best measure organizational security culture? In my book I propose a broad measurement model that treats security culture holistically, as a sort of security “personality” within every organization. The results are intuitive, but the model requires a bit of specialized data collection to produce them.

Lance S., who regularly sees professionals in the security awareness community struggle with limited time and budgets, sees the need for a measurement tool that can take advantage of data that may be closer at hand, but that still accurately portrays security culture. So which, we wonder, is best?

It’s an increasingly important question as the security community grapples with the question of people-centric risk. Traditionally, we have focused more on technology risks and solutions.

Even today, our insider threat narratives tend to reflect more system-level thinking, in which people function as devices that get hacked and therefore must be programmed to behave better. That narrows our solution spectrum. We may obsess about people succumbing to phishing attacks, but we struggle to limit the damage resulting from bad security leadership or the ineffective balancing of security and other legitimate business goals like profitability and efficiency.

All of these reflect cultural risks, but leadership and prioritization risks are both more dangerous and harder to assess and manage.

Measuring security culture is challenging. You can’t just throw a few “culture” questions into a security survey and expect to get meaningful results. It’s not uncommon to hear people talk about culture metrics or benchmarks without first defining what culture even is. The result is imprecision and confusion, and perpetuates the idea that culture is subjective and fuzzy, an unreliable target of analysis, maybe one that is not really measurable at all.

Security culture is, most definitely, measurable. And the security community needs to get better at doing it in so that we can leverage the value of our organizations’ human capital (a fancy term for the value of people) to make security more robust at all enterprise levels. People-centric security is an enormous improvement over threat-centric perspectives that treat human beings primarily as dangers to be mitigated.

As I like to remind clients, if tonight you throw out all your technology, the organization will still be there in the morning when the people arrive. That’s what organizations are. But if you throw out all your people, the next morning will find you with no organization, just rooms full of metal and plastic that are now empty of purpose.

[ MORE ON CULTURE: Cyber security culture is a collective effort ]

Security culture reflects the beliefs and values of the people that make up your organization. These are intangible, embedded in thoughts and minds. We can’t directly observe them, so how are we supposed to measure them? How long, metaphorically, is our piece of cultural string?

One good answer to the question, “How long is a piece of string?” is “Twice as long as half it’s length.” In other words, you measure the string by comparing it to itself. Applied to security culture, this translates into a process of analyzing the culture by measuring the values and beliefs that produce it. It’s the approach I took with the Competing Security Cultures Framework, the model from my book. The result isn’t a “score” or a determination of “high/low” or “good/bad” culture. Instead it’s more of a snapshot, a cultural “selfie” showing how strong certain security values and priorities are.

A second way to answer, “How long is a piece of string?” is to actually compare the string to something else, like a defined unit of length. Then you get an answer like “three feet” or “one meter” or “half a cubit.” But for this measurement to work, you must already have some level of baseline established (like a yardstick). You should know why you want to know. Is the string long enough? For what? Applied to security culture this can mean measuring whether a culture succeeds under certain circumstances, and how that culture can be made better. This baseline measure is the approach Lance S. hopes to see. We’re working on it, by the way, but that’s another post…

At the end of the day, organizations need multiple culture metrics. You need to be able to measure security culture organically, as a collective personality, across entire organizations. We all know personalities can clash – does security in your enterprise always play nice with others?

Competing cultures inside organizations are a major source of enterprise risk. To manage that risk, you need to understand what motivates and drives people to behave the way they do. But you also need to measure security culture granularly, as both an input and an output for specific goals and activities. Lots of initiatives fail due to cultural reasons, and it would be good to know up front how your security culture influences whether security will succeed under certain conditions.

My conversation with Lance is unlikely to end anytime soon. Although there are more or less useful ways to measure culture, there’s no single best way. The first question you have to answer is what exactly you want that measurement to accomplish.