Qualitative Measures and Techniques

Culture is about beliefs and assumptions, about motivations and values that may not even be explicit within an organization or conscious on the part of its members. Culture tends to stay hidden below the surface, unless you deliberately seek it out. Yet you can't just go out and start counting culture. People's behaviors are more directly observable and lend themselves to more quantitative analysis, but knowing who did what, and when and where they did it, does not tell you how or why they behaved that way. These questions of how and why, which are more important when attempting cultural transformation, are the domain of qualitative research and analysis. Qualitative researchers use surveys, interviews, and other interactions between people to facilitate understanding of the topics they explore.

Lord Kelvin's "Meagre Understanding"

When I wrote my book IT Security Metrics a few years back, it was fashionable among some security metrics proponents to quote Lord Kelvin's adage on measuring something, "when you can measure...and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind." I would usually ask whoever threw out the quote to express the measurement reasoning behind it in the form of a number. I never got one. Instead, I got stories and anecdotes that demonstrated both the "meagre understanding" of Kelvin's claim as well as the incredible utility of qualitative data such as stories and anecdotes.

Different traditions of qualitative research methods have developed in various fields. Table 3-1 lists the major qualitative research approaches. Some of these are going to look a bit strange to an information security professional with an engineering background, although they might look less so to anyone who has studied psychology or business administration. In fact, all of these research approaches are used in industry in one form or another. The fact that information security has not made much use of them says more about the inadequacy of our own research methods and our bias against qualitative research than it does about the effectiveness of qualitative techniques.

I've gone into some detail in Table 3-1 about these qualitative techniques because they are often the only way to measure and understand organizational culture. As such, they belong in the conceptual toolkit of every organization looking to improve and transform security culture and make it people-centric.

You do not have to be a Ph.D. anthropologist to do basic qualitative research. You just have to recognize that sometimes you are not going to find the answers you are looking for in any way other than talking with people, listening to what they say, and looking for the meaning you seek in the stories they tell.

 