Assessing Your Complexity Value Behaviors
Use the Security FORCE Survey and Security FORCE Metrics to determine how well your organization adheres to the key complexity value behaviors and to provide empirical evidence of those behaviors.
Scoring the Complexity Value Behavior Survey
The Security FORCE Survey includes statements related to the security value of complexity. The five statements under Security Value of Complexity are listed in the sample of the FORCE Survey shown in Figure 14-1. As with previous chapters, scoring assumes Likert responses normalized on a 1 to 5 scale:
- ? An average score of 4 or above (most responses indicate Agree or Strongly Agree) signifies the organization exhibits behaviors found in an HRSP.
- ? An average score of 3 (most responses indicate the respondent felt Neutral) signifies the organization may or may not behave like an HRSP.
- ? An average score of 2 or below (most responses indicate Disagree or Strongly Disagree) signifies the organization does not exhibit the behaviors found in an HRSP.
For complexity value behaviors, an average score of 4 or greater indicates that the organization behaves in ways that will minimize oversimplification and reduce risks associated with blind spots and unrealized assumptions regarding the organized complexity of the information security environment. An average score of 2 or below indicates that the organization does not behave like an HRSP
Figure 14-1 FORCE Value Survey statements for complexity value behaviors
and is more likely to oversimplify the information security environment and the challenges the security program faces, and may create and increase risk and uncertainty by not making assumptions explicit, by not collecting sufficient evidence to support assertions or decisions, and by using outdated or flawed frameworks and models.
