In this chapter I will look at a few ways to measure culture, and how you can take existing data to use as a baseline.

One thing I often hear from fellow security professionals is that it is impossible to measure awareness and culture. It is an interesting point of view, and one that is usually based upon:

•    not knowing how to measure soft skills.

•    previous failures to create results from awareness activities.

It often boils down to not realising that awareness and culture are reflected in the behaviours of employees. In most organisations today, the heavy use of computer systems enables us to closely monitor any and all use. An example:

Bob, a salesperson who has been in your organisation for two years in ...
