Surveying the corporate security culture

Inspired perhaps by yesterday's blog about the Security Culture Framework, today we have been busy on a security culture survey, metrics being the first stage of the SCF. We've designed a disarmingly straightforward single-sided form posing just a few simple but carefully-crafted questions around the corporate security culture. 

Despite its apparent simplicity, the survey form is quite complex with several distinct but related purposes or objectives:

• Although the form is being prepared as an MS Word document with the intention of being self-completed on paper by respondents (primarily general staff), the form could just as easily be used for an online survey on the corporate intranet, a survey app, or a facilitated survey (like shoppers being stopped in the shopping mall by friendly people with clipboards ... and free product samples to give away).
  
  
• The survey form is of course part of our security awareness product, linking-in with and supporting the other awareness content in October's module on 'security culture', and more broadly with the ongoing awareness program.  The style and format of the form should be instantly familiar to anyone who has seen our awareness materials. 
  
  
• A short introduction on the form succinctly explains what 'security culture' means and why it is of concern and value to the organization, hence why the survey is being carried out. I'm intrigued by the idea of positioning the entire organization as a ‘safe pair of hands’ that protects and looks after information: a reasonable objective given the effort involved in influencing the corporate security culture. Even the survey form is intended to raise awareness, in this case making the subtle point that management cares enough about the topic to survey workers' security-related perceptions and behaviors including their attitudes towards management. 
  
  
• Conducting the survey naturally implies that management will consider and act appropriately on the results. We take that implied obligation seriously, and will have more to say about it in the module's train-the-trainer guide. The survey is more than just a paper exercise or an awareness item: respondents will have perfectly reasonable expectations merely as a result of participating.
  
  
• The survey questions themselves are designed to gather measurable responses i.e. data on a few key criteria or aspects of 'security culture'.  We have more work to do on the questions, and even when we're done we hope our customers will adapt them to suit their specific needs (e.g. if there is an organization-wide issue around compliance, it might be worth exploring attitudes and perceptions in that area to tease out possible reasons for that).  For starters, though, the questions are extremely simple -  at face value, very quick and easy to read and answer - and yet given sufficient responses, the survey is a powerful, statistically valid and meaningful metric measuring a complex, multi-faceted and dynamic social construct. No mean feat that!
  
  
• It would be feasible to develop further forms to survey populations other than 'general employees'. I'm thinking particularly of management and perhaps third parties: how does the corporate security culture appear from their perspectives? What concerns them? Are there issues that deserve concerted action? We may not have the time to prepare forms for October's awareness module ... but we might pose that suggestion to our subscribers, again in the train-the-trainer guide.
  
  
• Beneath each of the questions are spaces for respondents to comment, plus we encourage respondents to make their views known either on the reverse or (to maintain their anonymity) on a separate sheet, web page or email. We take the interactive approach quite deliberately and routinely because there's a lot of value to be gained by getting workers to open up a little and mention things that concern or interest them, from their perspectives and in their terms. In the particular context of the survey, we want to give respondents the opportunity to explain, expand or elaborate on the numeric responses if they feel the need. It's surprising just how powerful and insightful quotes direct from the horse's mouth can be. Pithy quotations make excellent content to illustrate and pep-up management reports and further awareness materials.
  
  
• Mentioning 'free product samples' and 'sufficient responses' suggests the possibility of offering some sort of inducement for people to complete the survey, other than the opportunity to express their opinions and hopefully influence management. I have previously mentioned the gold-silver-bronze 'award menu' included in the Information Security 101 module: bronze level rewards would be ideal for this purpose. [Provided the anonymity aspect is addressed, a more attractive silver or gold award could be offered in, say, a prize draw: given the potential business value of the information generated by a well-designed survey, that's not a bad investment.]

So there we go. All we have to show for a whole day's work is a single page survey form (oh, and this blog piece!), illustrating once again the key point I made in relation to the elevator pitch for Information Security 101: the shortest, pithiest awareness pieces are often the hardest to prepare. Less really is more!