The Measurement Problem
Eighty-two per cent of security breaches involve a human element. Yet when asked how they measure security culture, most organisations point to training completion rates. This disconnect reveals a fundamental problem: we're measuring activity rather than outcomes, compliance rather than culture.
It's rather like measuring physical fitness by counting gym visits instead of actual health indicators. You might have perfect attendance, but are you actually getting fitter?
The Eight Dimensions That Actually Matter
Our scientifically validated framework measures security culture maturity across eight critical dimensions, each weighted by its empirical impact on security outcomes:
1. Leadership & Governance (20%)
Research consistently shows executive commitment is the single strongest predictor of security culture success. When a CEO locks their screen before stepping away, employees notice. When leadership merely delegates security to IT and forgets about it, employees notice that too.
2. Psychological Safety & Just Culture (18%)
If employees fear punishment for honest mistakes, they'll hide incidents rather than report them. This creates blind spots that prevent organisational learning. The difference between "Who did this?" and "What can we learn?" determines whether organisations detect breaches in days or months.
3. Organisational Culture & Norms (13%)
Formal policies represent what organisations claim to value. Peer norms represent what actually happens. When these misalign, the informal culture wins every time. Employees look to colleagues for cues about "what we do here," not policy documents few have read.
4. Awareness & Training (12%)
Training is necessary but insufficient. Knowledge alone rarely changes entrenched behaviours. Effective training must go beyond information transmission to address the real pressures employees face and provide practical strategies for secure behaviour in those contexts.
5. Communication & Engagement (12%)
Fear-based messages may grab attention but often lead to defensive avoidance. Effective security communication requires understanding how humans process messages and creating genuine two-way dialogue rather than one-way broadcasts.
Plus Three Supporting Dimensions
Policy & Procedures (10%), Risk Management & Measurement (10%), and Resources & Enablement (5%) provide essential infrastructure but function as enablers rather than primary drivers of culture change.
From Scores to Action
Organisations at Level 4–5 maturity should experience 40–60% fewer breaches, detect incidents much faster, and gain competitive advantages in procurement. But maturity isn't just about an overall score.
The dimensional breakdown reveals where to focus improvement efforts for maximum impact. An organisation scoring 4.5 overall but 2.0 on psychological safety has a critical vulnerability despite strong performance elsewhere. Conversely, an organisation scoring 2.8 overall but 4.0 on leadership has a foundation on which to build rapid improvements.
The Bottom Line
Security culture is measurable. Organisations that measure it systematically reduce human cyber risk, achieve better audit outcomes, and turn security from a cost centre into a competitive advantage.
The framework provides the diagnostic capability, roadmap, and measurement infrastructure needed to move from intuition to data-driven security culture management.
Because what gets measured gets managed. And what matters most isn't whether employees completed training: it's whether they feel safe reporting mistakes, whether leadership champions security, whether peer norms support secure behaviour, and whether systems enable rather than obstruct secure work.
For comprehensive technical details, validation methodology, and implementation guidance, download our complete white paper: Measuring What Matters: A Scientific Approach to Security Culture Assessment