On Measuring the Unmeasurable
Security culture is a theoretical construct, and like other such constructs it can still be measured.
The industry frequently discusses security culture, yet many criticize it as vendor-driven jargon or dismiss those using it as unknowledgeable. This discourse has created confusion that obscures a fundamental truth: numerous abstract concepts remain measurable and impactful despite lacking universal definitions.
Consider intelligence — humanity has debated this concept for centuries without reaching consensus. Scholars continue asking whether intelligence reflects raw cognitive ability, adaptability, problem-solving prowess, or emotional awareness. Despite this definitional ambiguity, intelligence remains measurable through established frameworks.
The Parallel Challenge
Security culture presents similar difficulties. Organizations recognize its importance for resilience, yet struggle to articulate precise definitions. Ask one hundred cybersecurity professionals for their interpretation, and you might receive one hundred distinct answers. Some emphasize behavioral components, others prioritize attitudinal shifts, still others highlight risk comprehension.
The practical world has addressed intelligence’s definitional vagueness through measurement tools — IQ testing represents perhaps the most recognized approach. While these assessments imperfectly capture intelligence, they provide standardized benchmarks for quantifying inherently subjective phenomena.
Building a Framework
Security culture requires similar measurement infrastructure. Organizations cannot effectively assess their current position or identify improvement opportunities without clear metrics and baselines. The Security Culture Report (2017) provided early foundational work.
Effective measurement demands multiple data sources rather than single metrics. Evaluating intelligence solely through spatial reasoning provides incomplete information; similarly, assessing security culture through one or two elements misses the comprehensive picture. Combining behavioral insights, incident reporting patterns, and training outcomes creates more reliable frameworks.
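To make the multi-source point concrete, here is an added example (not code from the original article or from any product it mentions) that combines the three sources the paragraph names into one composite score. The metric names, the weights, the 72-hour reporting horizon and the two teams' figures are all constructed assumptions chosen for illustration, not empirical findings; the interesting part is that a team which looks best on training completion alone ranks lowest once behavior and reporting are included.

```python
"""
Composite security-culture score from several data sources.

Added example, not from the original article: the metric names, weights,
thresholds and sample figures below are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed weights for the three sources the article names: behavioral
# insights, incident reporting patterns, and training outcomes.
WEIGHTS = {"behavior": 0.4, "reporting": 0.4, "training": 0.2}


@dataclass(frozen=True)
class TeamMetrics:
    team: str
    phish_sim_report_rate: float   # fraction of simulated phish reported (behavior)
    phish_sim_click_rate: float    # fraction of simulated phish clicked (behavior)
    median_report_hours: float     # median hours from incident to report (reporting)
    training_completion: float     # fraction of staff who completed training


def clamp(x, lo=0.0, hi=1.0):
    """Keep every sub-score on the same 0..1 scale before weighting."""
    return max(lo, min(hi, x))


def behavior_score(m):
    # Reward reporting simulated phish, penalize clicking on it.
    return clamp(0.5 * m.phish_sim_report_rate + 0.5 * (1 - m.phish_sim_click_rate))


def reporting_score(m, worst_hours=72.0):
    # Assumed horizon: reporting at 0 h scores 1.0, at or beyond 72 h scores 0.0.
    return clamp(1 - m.median_report_hours / worst_hours)


def training_score(m):
    return clamp(m.training_completion)


def composite(m):
    """Weighted composite plus the per-source breakdown, both rounded to 3 places."""
    parts = {
        "behavior": behavior_score(m),
        "reporting": reporting_score(m),
        "training": training_score(m),
    }
    total = sum(WEIGHTS[k] * v for k, v in parts.items())
    return round(total, 3), {k: round(v, 3) for k, v in parts.items()}


def single_metric_misleads(m, threshold=0.25):
    """True when training completion alone would overstate the team's standing
    relative to its composite by more than `threshold` (an assumed cut-off)."""
    total, _ = composite(m)
    return training_score(m) - total > threshold


def rank_teams(teams):
    """Teams ordered from strongest to weakest composite score."""
    return sorted(teams, key=lambda t: composite(t)[0], reverse=True)


# Constructed sample data for two hypothetical teams.
TEAM_A = TeamMetrics("A", phish_sim_report_rate=0.6, phish_sim_click_rate=0.1,
                     median_report_hours=6, training_completion=0.95)
TEAM_B = TeamMetrics("B", phish_sim_report_rate=0.1, phish_sim_click_rate=0.4,
                     median_report_hours=60, training_completion=0.98)

if __name__ == "__main__":
    for t in rank_teams([TEAM_A, TEAM_B]):
        total, parts = composite(t)
        flag = " (training alone would mislead)" if single_metric_misleads(t) else ""
        print(f"team {t.team}: composite={total} parts={parts}{flag}")
```

Ranked on training completion alone, team B (0.98) would edge out team A (0.95); the composite reverses that order because B's click rate and slow incident reporting dominate. The weights and horizon are the kind of choices an organization has to make explicitly and revisit, which is the "framework" the article argues for.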
Why Measurement Matters
Both intelligence and security culture drive tangible outcomes. Intelligence enables individuals to navigate complexity and innovate. A robust security culture builds organizational resilience against threats while reducing human risk factors.
Without understanding theoretical underpinnings, we risk emphasizing superficial behaviors over substantive improvement. Organizations must grasp current positions and envision necessary destinations.
Approximately two hundred intelligence assessments exist worldwide, measuring various cognitive dimensions. Even collectively, they represent estimates of something that — relying on definition alone — lacks concrete existence. Yet this paradox hasn’t prevented meaningful progress.
Moving Forward
Security culture isn’t one-size-fits-all. It demands thoughtful approaches acknowledging organizational nuances. Like intelligence, it resists reduction to simple checklists. With appropriate frameworks and metrics, meaningful quantification becomes achievable.
The industry should stop treating security culture as too nebulous to manage. If measurable progress is possible with intelligence, that shifting, theoretical construct, the same progress is possible with security culture. The measurement journey begins now.