Each component of your organisation’s effort to improve its security culture requires constant monitoring and measurement to ensure that initiatives are effective and lead to continuous improvement.

Understanding how your security culture is performing, how it is perceived by staff, where gaps or weaknesses exist, and where your areas of strength lie, can all provide valuable lessons on where to target practical measures to enhance your security system most efficiently and effectively. Measurement of your security culture can also help to identity risks and issues early and prevent them from escalating.

Undertake regular self-assessments

Self-assessments present an opportunity to take stock of your organisation’s position and progress in developing your security culture by asking questions that reflect on the measures and initiatives against your established goals. Having a clear idea of your organisation’s ideal end state is important to help contextualise your gains, direct efforts and identify areas of weakness for further work. Self-assessment provides the opportunity to evaluate your performance against objective indicators to ensure initiatives continue to have a positive impact.

Ways to assess your security culture:

  • Use the questionnaires in the appendix, or other similar sector documents, to identify areas of strength for your organisation, and your key gaps. Your gaps are the areas that require the most improvement and should be targeted in the future to improve security culture.
  • Continually reassess your progress by revisiting these questionnaires periodically to maintain current awareness of your organisation’s progress and gaps.
  • Conduct staff surveys, focus groups, interviews, and other organisational engagement activities to track your progress. Staff can provide an insight into the effectiveness of various initiatives and identify where organisational efforts may be failing or require additional work.

Internal audits, observations, and investigations

Formal processes that review your workplace’s security performance in a ‘real-world’ setting are important ways to measure the success of security culture initiatives. These processes can offer a window into your organisation’s day-to-day operations, staff conduct and performance, to help identify exactly how security behaviours are conducted in practice. It is important to be prepared to follow up audits, observations, or investigations with action, consistently with a ‘just culture’ approach, including by re-training staff or re-writing policies or procedures.

Review your security performance:

  • Conduct targeted audits of specific elements of your organisation’s security system to provide assurance and understanding of staff performance. Maintain a clear terms-of-reference to guide your audit activity, monitor a sample of behaviour, and measure this against policies and security culture aims.
  • Monitor the number of security breaches and infringements that occur within your organisation to determine if improvement measures are effective and reflected through an improvement in specific areas of concern. Undertake investigations when appropriate to determine and address the root cause of security issues.
  • Observe security conduct as it occurs on a day-to-day basis within your organisation to help accurately appreciate security performance in real-time. It is important to understand real-world performance through hands-on experience to best appreciate where improvements to security culture can be made.

Review policies and procedures

Periodically reviewing organisational policies and procedures can provide insights into how your organisation’s strategic documents match up with your ideal security culture end-state. Policies and procedures inform your organisational intent for action by staff. If these are not aligned to your ideal security culture, then adjustment and realignment may be needed to achieve target outcomes.

Review your policies and procedures:

  • Review policies and procedures specifically considering the security culture outcomes your organisation is trying to reach. This can be an effective means of verifying whether other initiatives undertaken to improve security culture are potentially being undermined by historic or established organisational practice.
  • Test policies and procedures with operational staff to determine if they are fit for purpose, making changes where necessary.
  • Modify or re-draft policies and procedures that are not achieving adequate security performance. It is important to actively take positive steps to implement changes in response to any ineffective security outcomes, including by applying the lessons learned through self-assessment activities.

Use the data

The data collected through self-assessments, staff engagement, investigations, audits, and document reviews must be used effectively to be successful in influencing your organisation’s security culture. Using the collected data, your organisation should assess the extent to which your current performance meets your desired security culture outcomes. This will identify where initiatives have been effective within your organisational context, or where further improvement is required.

Share the data:

  • Consider the most effective way for your organisation to communicate progress in meeting your security culture performance goals. A series of dashboards indicating advancements in initiatives or security culture programmes, and overall security competency, can demonstrate to staff that their efforts are making a real difference. A strong understanding of progress can also clearly highlight specific areas where more work is needed.
  • Allocate resources effectively in response to the lessons learned from your data collection. If your data highlights specific areas that need strengthening, then ensure initiatives are suitably targeted to address shortfalls.
  • Actively implement the activities, initiatives or ideas from this guidance and other materials to enhance your security culture.
  • Frequently re-evaluate your progress to ensure programmes and initiatives continue to have the right impact for your organisation. Re-evaluating your security culture will allow regular reviews of where efforts are directed and can help to detect emerging risk areas early.

Assess your measures of effectiveness [PDF 85 KB]


Previous page: Information security Next page: Appendices