Research Review: Measuring Security Culture
There has long been a gap between security researchers and security practitioners. One of the goals of research is to inform current practice with the intent of improving it. In turn, practice should also inform theory. There is no point in implementing security countermeasures if they either do not improve the security profile of an organization or, at the very worst, increase its risk profile.
In “Measuring the Security Culture in Organizations: A Systematic Overview of Existing Tools,” published in Security Journal in February 2020 and written by Marlies Sas, Wim Hardyns, Karolien van Nunen, Genserik Reniers, and Koen Ponnet, the researchers took on this very issue.
They looked at measuring security culture within an organization to determine if the various countermeasures in place were effective in reducing threats against that organization. The study authors wrote that this may be important to measure as traditionally there has been more of a focus on simply implementing countermeasures without determining if they work or not.
The researchers’ goal was to evaluate the various tools available to determine whether they are effective in accurately measuring the security culture within an organization. Their intent was to determine if the countermeasures—belonging to personnel, technology, and documentation—were known and used by staff. Ultimately, the survey tools were used to measure the security behavior of employees.
The study authors evaluated 12 tools, ultimately discounting several for one of the following reasons: the tool focused on security awareness instead of culture, it was not created by the authors (an inclusion criterion), there was a lack of information on the content of the tool, the tool could not be generalized to other situations, or it was purely theoretical. The authors provided a detailed evaluation of the six remaining tools. These tools—laid out in a table in the research article—focused on both information security and physical security domains.
There are two issues to consider when designing and installing a countermeasure. First, there are the technical requirements that must be met to ensure a countermeasure will work as expected. Issues to consider include location of equipment, cabling and conduit, maintenance, and error rate. For example, there are multiple technical requirements involved in installing a video surveillance system, including camera and lens types, transmission medium, location of cameras, storage, and software and hardware requirements.
Second, consideration should be given to operational requirements and impacts, including changes in standard operating procedures, impact on corporate culture, whether the countermeasure fits with the culture, employee training, and if ultimately employees embrace the countermeasure, thereby reducing the risk profile of the organization.
Overall results of the research indicated that the tools for determining countermeasure effectiveness were difficult to implement and measure. The authors’ first recommendation for improving the effectiveness of the tools was to use a combination of quantitative and qualitative evaluation processes. They also recommended involving the entire organization in the measuring process, measuring both external and internal threats, and establishing a robust process to ensure that well-developed recommendations for security program improvement are followed up and actually implemented.
You may be asking yourself: “So what? How does this affect me as the person responsible for security at a site or for the organization overall?” For starters, security countermeasures are not implemented in a vacuum. There must be an expectation that—if countermeasures are not properly presented to employees—there may be those who embrace security efforts, some who ignore them, and others who actively seek to defeat them. In addition, a poorly planned and communicated security project might be a waste of time and money, and it could increase the risk profile of the organization or reduce the respect for the security department or its leader.
From a practical perspective, this research reinforces the notion that security countermeasure effectiveness studies are an important—if often overlooked—aspect of security management. It also suggests that measuring the effectiveness of security measures is a complex issue that requires expertise to do properly.
The conclusions arrived at in this review are the opinion of the author and are based on his experience and education. Research findings in one area may not translate into similar findings in another. Individual readers may find different takeaways from research reports, and hopefully these explorations encourage new lines of thought.
Dr. Glen Kitteringham, CPP, M.Sc., has worked in the security industry since 1990. He holds a doctorate in security risk management from the University of Portsmouth and a master’s degree in security and crime risk management from the University of Leicester. He is president of Kitteringham Security Group Inc., consulting with companies around the globe. Kitteringham holds an adjunct instructor position at the Justice Institute of British Columbia, where he teaches security and emergency management courses. He has been incorporating a variety of research results into his security management and consulting services for more than 25 years.