Limitations of the Framework
Noted statistician George Box once wrote, "Essentially, all models are wrong, but some are useful.” My hope is that the CSCF helps organizations by serving as a useful tool for achieving people-centric security. But it is just as important to acknowledge its limits. The CSCF does not pretend to fully describe or explain every organization's security culture. Instead, the CSCF is intended to be a tool for learning and exploration, a method by which people working within the context of an organization's security culture can learn more about that culture, assign terms and concepts to it, and identify areas of risk that emerge when security priorities and values come into opposition with one another. Organizational culture researchers understand how difficult it is to measure or analyze anything as complex as the shared beliefs and relationships of a large social group. Without a place to start, without some method of simplifying the complexity of cultural transformation to achieve actionable strategies, no progress is likely to be made. Some critics complain that this simplification makes the model worthless for real-world analyses. I appreciate a reluctance to oversimplify, which is a core security behavior I will discuss later in the book, but all models are simplifications by necessity. No one expects a balsa wood model of an airplane to fly like the real thing, or an architectural model to be a real, livable building. For these purposes, the models are wrong. But they remain useful nonetheless, used by engineers and architects everywhere to understand on a smaller scale the things they build on a large one.