In order to measure something in a useful way, a clear understanding of the phenomenon to measure is needed. Take the unit of mass, the kilogram, as an example. It is usually not hard to reach an agreement that mass exists, even amongst the uneducated. The same can be said of culture – most of us will agree that we know what culture is and, also, that culture is a crucial part of society and our workplace. We can even agree that culture is different from one place to another.
The challenge arises when we want to apply functions to a phenomenon. With mass, it is common to express it is a number of different ways, including weight. Before 1889, no common standard of measuring mass existed, resulting in each village, city, country and region operating with their own units. Then, the French introduced the Kilogram as a standard unit of measurement. Many years later, the Kilogram is the globally accepted standard for measuring mass, effectively paving the way for informed discussions, where everyone in the dialogue knows (or can easily verify) that we are talking about the same thing.
Unlike mass, distance and many other physical phenomena, culture is yet to reach a standard definition and metric. The result is that the term culture is being used to describe a wide variety of things, some being relevant and some not. This ambiguity introduces risk and uncertainty.
When discussing security culture with our peers, how do we know that we talk about the same things?
Imagine the following conversation between a CISO and his CEO. The CISO reports, “We have a positive security culture in our organization.” The CEO responds, “Great, but what does that mean? How do you know? How do you measure that?” Pushing further, she asks, “Does this mean we are better than X, Y or Z? How does this impact our risk?”
The challenge for the CISO is that unless he uses a standardized metric (a 3rd party tool) to measure security culture, he cannot provide good answers for the CEO. He may have opinions to offer her, or reasons, but it will be very difficult for him to back those up without clear evidence.
To provide that evidence, a security culture metric is needed.
A metric is a standard of measurement.
The term, metric, comes from another French innovation, the meter (metre). Similar story to the Kilogram, the meter is a standard unit to measure length. Because it is a standard, everyone has a clear understanding of what it is, what it measures, and what it is not measuring. A meter is measuring length, not mass.
Security culture metrics serves the purpose of measuring security culture, it is not measuring awareness training completion rates or phishing assessments. Security culture metrics measure the sentiments towards security in an organization – the psychological and social aspects that drive individual and social behavior.
CLTRe provide a standalone, independent and unbiased security culture metric that is recommended by ENISA. We aim to become the global standard of measuring security culture. Such a global standard will enable organizations worldwide to understand the individual and social aspects that influence the security of their workforce. With that clear and concise understanding, can they improve and document the change – knowing that the effects can be compared in a meaningful way.
There is a difference between saying, “we have a positive security culture,” and “we rank in the top 5% of security culture in our industry.” One offers an opinion, the other presents a fact.
Let’s work together to create a standard that will improve the industry as a whole. Contact us if you want help in any way.