How to measure culture
If you’d rather watch a 3-minute video instead of reading another email, click here to see me explain in vibrant technicolor
Last time I talked about 4 models of security culture. The next question is how can we measure culture or preferred mental models? How can we look at an organization and figure out which security cultures are present, and which are dominant?
What we are measuring is preference, and specifically observed preference over time.
the likert scale
You are probably familiar with the survey where you read a statement, and then asked to rank the statement based on what you think of it. For example:
“I like chocolate ice cream”
- strongly agree
- strongly disagree
This is a Likert scale, readily available in most survey tools. And it does measure preference. You can use that scale to measure how much someone agrees or disagrees with all kinds of things: a particular culture, a policy, a way of doing things.
There is a better option. What we really want to measure is not how much someone is ok with the idea of something, but in practice how often do they prefer one thing versus another thing. We are trying to measure something much more subtle.
the ipsative measure
The ipsative measure is designed for measuring preference among multiple options, where you may not disagree with any of the options, it’s more a question of which option is more preferred. This scale is less common, in fact I haven’t been able to find it in any of the common survey tools like Google Forms, SurveyMonkey, TypeForm, etc.
Here’s a quick example
You have 10 points. Allocate the points between each of the 3 options.
Over the last year how often did people in your household choose each option:
- Strawberry ice cream
- Chocolate ice cream
- Vanilla ice cream
2 points going to strawberry means 20% of the time people ate strawberry, 8 points going to chocolate means 80% of the time people ate chocolate, 0 points going to vanilla means we don’t eat that around here.
The ipsative measure is how you measure culture preference or mental model preference, any kind of preference where people aren’t necessarily disagreeing with something, you are trying to understand what they tend to use more.
building an open source ipsative survey tool
At work we’ve been working away on building a little open source survey engine that can handle these ipsative measures, and are getting close to launching a service to measure security culture in organizations. Here’s a little sneak preview
We’ve spent 5 of 6 posts talking about Empathy & Culture which is part 1 of the Kindly Ops model for Governance, Risk & Compliance. Next time we’ll switch gears completely and talk about setting a baseline. It will be totally different.