There is an old saying: If you can’t measure it, you can’t manage it. It applies to many things and information security is definitely one of them. Before you even begin to establish an effective security culture through awareness, you have to know where you’re starting from, so that you can prioritise actions and track progress.
But how exactly do you measure security culture and establish KPIs? Well, it’s certainly not straightforward and sometimes it can be quite intuitive, but it can be done using two basic research approaches: quantitative and qualitative.
Quantitative methods measure culture objectively using standardised questionnaires, audits and statistical evaluations, while qualitative methods assess security culture through observation and interpretation, typically using face-to-face interviews, appraisals and interactive workshops.
Methodology that fits
As with most approaches, both have their advantages and disadvantages. Quantitative methods are straightforward and produce statistical results, yet by their nature can only express security culture through arbitrary parameters – say, for example, the number of people who have attended a training course. Qualitative methods on the other hand are more thorough, but require more resource to run and produce results that aren’t always easy to interpret or compare.
Because every organisation is different, security culture will vary and so too will the best way to measure it. A combination of qualitative and quantitative methods is therefore often the order of the day although there is no right or wrong answer – it’s whatever works best for the organisation.
Generally speaking, a combination of these methods assesses security culture from multiple angles and makes the overall measurement more precise.
It’s also important to consider culture measurement as part of the overall security awareness programme and use it as an opportunity to establish a benchmark as well as a way of getting people to think about security in a different way.
Finding out what employees do and don’t know (and often what they think they know) about security is an essential part of awareness building, revealing the overall level of consciousness and competence around security matters – and more crucially, highlighting areas that need urgent attention.
Quantitative methods are useful, especially for very large organisations and multinationals. Qualitative methods will produce greater insight and often reveal attitudes and perceptions of other, parallel topics. Ultimately security awareness is about engagement and communication and the best way to measure the impact of communication is with more communication.
Measuring security culture is a challenging task but it’s not insurmountable. Our experience tells us that there is no one correct way to do it. However, incorporating at least an element of qualitative research will often achieve a more accurate overall result and help to focus attention on the areas which will strengthen security culture the most.
Read the Awareness is only the first step white paper to learn more.