Long Term Security Attitude and Practices Study

What makes security practitioners tick? That’s a simple question with a lot of drivers underneath it.

The Ask

We’re launching a long term study of security practitioners to understand how they approach security, please sign up for our Long Term Security Attitudes and Practices Study here: https://www.surveymonkey.com/r/CZTZY7M.


A few years ago I was in a customer facing role answering questions about security practices of the SaaS company I worked at. My days were filled with answering questions about our security practices and we would give answers that were good and reasonable answers but not always what the other side was expecting. This discrepancies were based on differing risk tolerances, different contexts, varying approaches to security and technology.

This led to many conversations with our executive about changes to our security practices. Often the question would arise: “what’s good enough?” and outside of pointing to ISO27001/2 and HIPAA I didn’t have an answer. I couldn’t tell my executive what would reasonably satisfy our customer’s security expectations beyond pointing to the standards. Clearly though “standards compliance” wasn’t the minimum bar… it was something different. By outcome we could observe that organizations were willing to accept differing security practices but there was never a consistency of what would be accepted and what had to be argued (or changed) across the hundreds of different customers (even ones in the same industry).

Since then I’ve moved on from that company (and changed to an internal role) but those questions have raised for me a more fundamental set of questions: Do we actually understand how security professionals think? Are we all aiming for perfect compliance with PCI 3.X or are we driven by something else? Do we construct policies that are risk centric? Are we pragmatists or purists? Are we advisers or problem solvers?

These are questions that have stuck with me for a while and I’ve not found academic papers that answer these questions and so we’re starting a community based study. Knowing what makes us tick might help make us a stronger profession; at the very least it will be interesting.

Study Details

The study will consists of multiple surveys; once we get going we’ll start inviting you to a new survey every two weeks. Each survey will be a few questions in length and should not take more than a few minutes of your time. The study will run for as long as there is ongoing interest and sufficient participation. The study doesn’t expect you to participate in every survey although that would be nice; in fact some of the component surveys may not be relevant to you from time to time.

The study will be anonymous; we’ll still collect an email address and track your unique responses but we’ll never share your identity. Tracking you across multiple surveys will allow for correlation – connecting the dots between the many different responses which hopefully will allow us to generate insight.

The anonymized data will be released under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License to allow for reuse by the community. Analysis reports and papers will be released under a Creative Commons License as well and code used to perform the analysis (probably Jupyter Notebooks) will be GPL’ed.