Our approach is built on research and designed for real-world application. The publications below highlight the work behind our methods and provide deeper insight into how we measure, understand, and improve security behavior and culture.
A Mixed-Method Case Study of Information Security Culture at an Energy Firm
By Samantha Phillips, Sal Aurigemma, Bradley Brummel, and Tyler Moore
This paper presents a mixed-method approach for assessing information security culture and applies it within a global energy firm. The approach combines multiple data sources, including behavioral assessments, leadership perspectives, and organizational artifacts, to evaluate culture across different levels. Most assessments rely on a single method and miss important context. This approach provides a more complete view of how culture influences security behavior and highlights areas where leadership expectations and employee behavior may not fully align.
Measuring Dimensions of Information Security Culture Across Industries with Situational Judgment Tests
By Samantha Phillips, Bradley Brummel, Sal Aurigemma, and Tyler Moore
This paper introduces the Information Security Culture Situational Judgment Test (ISC SJT), a measurement approach designed to assess how employees think and act in common security situations. It evaluates both security behavior tendencies and the type of culture present within an organization. Most organizations measure security culture through surveys that capture perceptions, but not decision-making in context. This approach provides a more structured way to understand how employees are likely to behave and shows how different types of culture influence security outcomes across industries.
Leveraging Situational Judgment Tests to Measure Behavioral Information Security
By Samantha Phillips, Sal Aurigemma, Bradley Brummel, and Tyler Moore
This paper explores how situational judgment tests (SJTs) can be applied to information security to measure behavior tendencies. SJTs present employees with realistic, job-related scenarios and ask them to evaluate or choose responses, providing insight into how they are likely to act in security situations. Traditional self-reported measures often rely on general attitudes or perceptions. SJTs provide a more structured way to assess decision-making in context, offering a closer approximation of how employees may respond to real security situations.
Information Security Culture: A Look Ahead at Measurement Methods
By Samantha Phillips, Bradley Brummel, Sal Aurigemma, and Tyler Moore
This paper examines the current state of information security culture research and highlights key challenges, including the lack of a consistent definition and standardized measurement approach. It proposes a definition grounded in organizational culture theory and outlines a multi-method approach to measuring security culture across organizations. Most organizations rely on a single method, such as surveys, to assess security culture, which often provides an incomplete picture. A multi-method approach combining behavioral scenarios, document analysis, and observations can offer a more comprehensive and practical way to measure and understand security culture.
Expanding the Scope: An Empirical Approach for Identifying High-Risk Users
By Corey Bolger and Tyler Moore
This paper presents a data-driven approach to identifying high-risk users based on their likelihood of being targeted by cyber attacks. Using over a year of phishing incident data, it examines how factors such as email exposure, role, and department influence which users are more likely to receive attacks. Most organizations define high-risk users based on access or impact, such as administrators or executives. This research shows that risk can also be driven by likelihood, meaning some users are more frequently targeted regardless of their access. Identifying these users allows organizations to better focus training, monitoring, and protective controls.