How to measure culture

If you’d rather watch a 3-minute video instead of reading another email, click here to see me explain in vibrant technicolor

Last time I talked about 4 models of security culture. The next question is how can we measure culture or preferred mental models? How can we look at an organization and figure out which security cultures are present, and which are dominant?

What we are measuring is preference, and specifically observed preference over time.

the likert scale

You are probably familiar with the survey where you read a statement, and then asked to rank the statement based on what you think of it. For example:

“I like chocolate ice cream”

  • strongly agree
  • agree
  • neutral
  • disagree
  • strongly disagree

This is a Likert scale, readily available in most survey tools. And it does measure preference. You can use that scale to measure how much someone agrees or disagrees with all kinds of things: a particular culture, a policy, a way of doing things.

There is a better option. What we really want to measure is not how much someone is ok with the idea of something, but in practice how often do they prefer one thing versus another thing. We are trying to measure something much more subtle.

the ipsative measure

The ipsative measure is designed for measuring preference among multiple options, where you may not disagree with any of the options, it’s more a question of which option is more preferred. This scale is less common, in fact I haven’t been able to find it in any of the common survey tools like Google Forms, SurveyMonkey, TypeForm, etc.

Here’s a quick example

You have 10 points. Allocate the points between each of the 3 options.

Over the last year how often did people in your household choose each option:

  • Strawberry ice cream
  • Chocolate ice cream
  • Vanilla ice cream

2 points going to strawberry means 20% of the time people ate strawberry, 8 points going to chocolate means 80% of the time people ate chocolate, 0 points going to vanilla means we don’t eat that around here.

The ipsative measure is how you measure culture preference or mental model preference, any kind of preference where people aren’t necessarily disagreeing with something, you are trying to understand what they tend to use more.

building an open source ipsative survey tool

At work we’ve been working away on building a little open source survey engine that can handle these ipsative measures, and are getting close to launching a service to measure security culture in organizations. Here’s a little sneak preview

We’ve spent 5 of 6 posts talking about Empathy & Culture which is part 1 of the Kindly Ops model for Governance, Risk & Compliance. Next time we’ll switch gears completely and talk about setting a baseline. It will be totally different.

Want to get the latest analysis and open source tools we publish?

It's so easy for experts to put their head down and work without ever sharing lessons learned with the rest of the world. We publish all our best ideas, analysis, and latest open source tools and techniques by email every week.

    We won't send you spam. Unsubscribe at any time.

    Powered By ConvertKit