Integrating PSL, ChangeShop, SEM, and Satir OD
The four approaches address different aspects of the same underlying problem: organisations that cannot solve their own security problems, not because the technical knowledge is absent, but because the conditions for acting on it do not exist.
Each approach has a distinct diagnostic role.
SEM can show what is broken by identifying the model failures producing recurring errors. PSL can show where the leverage is by mapping the rational, emotional, and political constraints on acting. ChangeShop can show where resistance is by running small experiments that surface what the system actually does rather than what it is supposed to do. Satir OD gives the tools to shift the human conditions: communication patterns, trust, congruence, the ability to be honest under pressure.
In practice, these run concurrently rather than sequentially.
Four loops, continuously running
Model mapping (SEM)
Model mapping asks what an organisation may believe about itself that could be wrong. Where are decisions being made on assumptions that have not been validated recently? Which beliefs, if incorrect, could explain the recurring failures?
This is not a one-time exercise. Models drift as environments change. The assumptions that were accurate eighteen months ago may no longer be, and no alarm fires when they stop being true.
Friction discovery (ChangeShop)
Friction discovery runs on small, reality-based experiments. A team applies a control, reduces a permission set, or goes through the escalation process, and what actually happens becomes visible. Not what they report happening in a survey, but what can be seen happening in practice.
The friction that can appear is the information needed. Where do things stall? Who hesitates? What gets deflected or rescheduled? This is a map of where the system resists doing the right thing.
Intervention design (PSL)
Intervention design addresses all three layers: rational (tooling, automation, clear process), emotional (reducing the fear that produces avoidance, making safe behaviour easier than unsafe), and political (aligning incentives, making ownership unavoidable, connecting security outcomes to the things that are already being measured and rewarded).
Interventions that address only one layer are likely to be undone by the others. A new tool that does not address the fear of using it may go unused. A policy that does not address the political constraint gets worked around.
Behaviour change (Satir OD)
This work creates the conditions under which people can actually adopt the change. It means attending to communication patterns, building the trust that makes honest reporting possible, and designing processes that account for how people behave under pressure rather than assuming they will behave as the process requires.
The integrated outcome
Not a completed security programme. Security is not a state that can be achieved and maintained. It is a system property that degrades when not actively sustained.
What the integrated approach produces is an organisation that can see its own failure modes, has the conditions for acting on them, and has built the trust and communication patterns that allow problems to surface before they become incidents. That is a different and more durable goal than compliance with a framework.
Measuring what matters
The metrics that correspond to this model are not the ones many security programmes track.
Time-to-detect and time-to-fix measure whether the system is becoming more responsive to problems. Ownership clarity measures whether accountability is real or nominal. The frequency with which teams escalate unusual situations without being prompted measures whether the psychological safety conditions exist. Communication quality in incident reviews measures whether the organisation is learning from experience or reproducing the patterns that made the experience likely in the first place.
None of these is easy to capture. All of them are likely more predictive of actual security posture than the metrics that appear in many dashboards.