Security Assessment Report as Critique, Not Criticism

The goal of most information security assessments is to identify vulnerabilities and recommend ways to address them. The resulting report tends to be filled with criticism. Even when the document is filled with insightful observations and advice, it’s often viewed defensively by the readers, who feel like they are under a personal attack.

To create an assessment report that is more likely to be accepted by the readers and that provides more constructive advice, write it as a critique rather than criticism.

In an essay What is Critique?, Judith Butler pointed out philosopher Raymond Williams’ concern that the practice of criticism has been unduly restricted to “fault-finding,” which lead him to propose that we find a vocabulary that does not “assume the habit (or right or duty) of judgment.” The notion of critique involves providing a well-rounded assessment of the subject’s structure, rather than personalizing the identified issues.

A security assessment report that offers critique, comments on the factual findings, on the processes that contribute to the security issues and on the structure of the organization that may need to be adjusted to improve security. This means staying away from chastising specific individuals, unless you are prepared to deal with their anger and defensive counter-accusations. An angry reader will ignore the report’s key messages.

Another element of a critique-focused report involves the discussion of positive findings of the assessment. As the saying goes, a spoonful of sugar makes the medicine go down. Furthermore, seeing what aspects of security you liked, will help the organization learn from what is working, so it better understands how to address the processes that aren’t. Positive reinforcement is often even more effective than negative reinforcement in changing behavior.

This note is part of a 4-post series on creating security assessment reports. For more, see:

For more on the topic of delivering better security assessments, see my Tips for Creating an Information Security Assessment Report Cheat Sheet.

Updated

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more