How long is a piece of string? The challenges and benefits of benchmarking security culture

Mar 30, 2016 | 5 mins
IT Leadership, IT Skills, IT Strategy

A strong security culture is one of the best ways for organizations to protect themselves in today's digital world. But what defines a strong security culture? And how do you measure that?

In the months since my book People-Centric Security was published, I’ve enjoyed a running conversation with Lance Spitzner of the SANS Securing the Human program. Lance S. (to clarify any “two Lances” confusion) and I both believe strongly that harnessing the power of people and culture is the next great frontier for information security.

The question we discuss is, how does one best measure organizational security culture? In my book I propose a broad measurement model that treats security culture holistically, as a sort of security “personality” within every organization. The results are intuitive, but the model requires a bit of specialized data collection to produce them.

Lance S., who regularly sees professionals in the security awareness community struggle with limited time and budgets, sees the need for a measurement tool that can take advantage of data that may be closer at hand, but that still accurately portrays security culture. So which, we wonder, is best?

It’s an increasingly important question as the security community grapples with the question of people-centric risk. Traditionally, we have focused more on technology risks and solutions.

Even today, our insider threat narratives tend to reflect more system-level thinking, in which people function as devices that get hacked and therefore must be programmed to behave better. That narrows our solution spectrum. We may obsess about people succumbing to phishing attacks, but we struggle to limit the damage resulting from bad security leadership or the ineffective balancing of security and other legitimate business goals like profitability and efficiency.

All of these reflect cultural risks, but leadership and prioritization risks are both more dangerous and harder to assess and manage.

Measuring security culture is challenging. You can’t just throw a few “culture” questions into a security survey and expect to get meaningful results. It’s not uncommon to hear people talk about culture metrics or benchmarks without first defining what culture even is. The result is imprecision and confusion, and perpetuates the idea that culture is subjective and fuzzy, an unreliable target of analysis, maybe one that is not really measurable at all.

Security culture is, most definitely, measurable. And the security community needs to get better at measuring it, so that we can leverage the value of our organizations’ human capital (a fancy term for the value of people) to make security more robust at all enterprise levels. People-centric security is an enormous improvement over threat-centric perspectives that treat human beings primarily as dangers to be mitigated.

As I like to remind clients, if tonight you throw out all your technology, the organization will still be there in the morning when the people arrive. That’s what organizations are. But if you throw out all your people, the next morning will find you with no organization, just rooms full of metal and plastic that are now empty of purpose.


Security culture reflects the beliefs and values of the people that make up your organization. These are intangible, embedded in thoughts and minds. We can’t directly observe them, so how are we supposed to measure them? How long, metaphorically, is our piece of cultural string?

One good answer to the question, “How long is a piece of string?” is “Twice as long as half its length.” In other words, you measure the string by comparing it to itself. Applied to security culture, this translates into a process of analyzing the culture by measuring the values and beliefs that produce it. It’s the approach I took with the Competing Security Cultures Framework, the model from my book. The result isn’t a “score” or a determination of “high/low” or “good/bad” culture. Instead it’s more of a snapshot, a cultural “selfie” showing how strong certain security values and priorities are.

A second way to answer, “How long is a piece of string?” is to actually compare the string to something else, like a defined unit of length. Then you get an answer like “three feet” or “one meter” or “half a cubit.” But for this measurement to work, you must already have some level of baseline established (like a yardstick). You should know why you want to know. Is the string long enough? For what? Applied to security culture this can mean measuring whether a culture succeeds under certain circumstances, and how that culture can be made better. This baseline measure is the approach Lance S. hopes to see. We’re working on it, by the way, but that’s another post…

At the end of the day, organizations need multiple culture metrics. You need to be able to measure security culture organically, as a collective personality, across entire organizations. We all know personalities can clash – does security in your enterprise always play nice with others?

Competing cultures inside organizations are a major source of enterprise risk. To manage that risk, you need to understand what motivates and drives people to behave the way they do. But you also need to measure security culture granularly, as both an input and an output for specific goals and activities. Lots of initiatives fail due to cultural reasons, and it would be good to know up front how your security culture influences whether security will succeed under certain conditions.

My conversation with Lance is unlikely to end anytime soon. Although there are more or less useful ways to measure culture, there’s no single best way. The first question you have to answer is what exactly you want that measurement to accomplish.


Dr. Lance Hayden, the Chief Privacy and Security Officer for ePatientFinder, is also an author, speaker, and researcher with over 25 years of experience in the field of information security. A leading expert on security behavior and culture, Dr. Hayden is the author of People-Centric Security: Transforming Your Enterprise Security Culture and IT Security Metrics: A Practical Framework for Measuring Security and Protecting Data.

Dr. Hayden began his career as a human intelligence (HUMINT) officer with the CIA, which contributed to a philosophy emphasizing human behavior, organizational psychology, and strategic leadership as central to a successful InfoSec program. Dr. Hayden's career includes security roles at KPMG, FedEx, Cisco, and the Berkeley Research Group before joining ePatientFinder, where he has executive responsibility for all enterprise data protection and security-related regulatory compliance.

Dr. Hayden received his Ph.D. in Information Science from the University of Texas at Austin. As a professor at the UT iSchool, Dr. Hayden develops and teaches graduate and undergraduate courses on subjects including information security, privacy, surveillance and the intelligence community. His industry credentials include CISSP, CISM, CRISC and ISO 27001 Certified Lead Auditor certifications.

The opinions expressed in this blog are those of Lance Hayden and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.