Integrating PSL, ChangeShop, SEM, and Satir OD

The four approaches address different aspects of the same underlying problem: organisations that cannot solve their own security problems, not because the technical knowledge is absent, but because the conditions for acting on it do not exist.

Each approach has a distinct diagnostic role.

SEM tells you what is broken by identifying the model failures producing recurring errors. PSL tells you where the leverage is by mapping the rational, emotional, and political constraints on acting. ChangeShop tells you where the resistance is by running small experiments that surface what the system actually does rather than what it is supposed to do. Satir OD gives you the tools to shift the human conditions: communication patterns, trust, congruence, the ability to be honest under pressure.

In practice, these run concurrently rather than sequentially.

Four loops, continuously running

Model mapping (SEM)

Identify what the organisation believes about itself that may be wrong. Where are decisions being made on assumptions that have not been validated recently? Which beliefs, if incorrect, would explain the recurring failures?

This is not a one-time exercise. Models drift as environments change. The assumptions that were accurate eighteen months ago may no longer be, and no alarm fires when they stop being true.

Friction discovery (ChangeShop)

Run small, reality-based experiments. Ask a team to apply a control, reduce a permission set, or go through the escalation process, and observe what actually happens. Not what they report happening in a survey, but what you can see happening in practice.

The friction that appears is the information you need. Where do things stall? Who hesitates? What gets deflected or rescheduled? This is the map of where the system resists doing the right thing.

Intervention design (PSL)

Design changes that address all three layers: rational (tooling, automation, clear process), emotional (reducing the fear that produces avoidance, making safe behaviour easier than unsafe), and political (aligning incentives, making ownership unavoidable, connecting security outcomes to the things that are already being measured and rewarded).

Interventions that address only one layer will be undone by the others. A new tool rolled out without addressing the fear of using it will not be used. A policy that does not address the political constraint will be worked around.

Behaviour change (Satir OD)

Create the conditions under which people can actually adopt the change. This means attending to communication patterns, building the trust that makes honest reporting possible, and designing processes that account for how people behave under pressure rather than assuming they will behave as the process requires.

What this produces

Not a completed security programme. Security is not a state that can be achieved and maintained. It is a system property that degrades when not actively sustained.

What the integrated approach produces is an organisation that can see its own failure modes, has the conditions for acting on them, and has built the trust and communication patterns that allow problems to surface before they become incidents. That is a different and more durable goal than compliance with a framework.

Measuring what matters

The metrics that correspond to this model are not the ones most security programmes track.

Time-to-detect and time-to-fix measure whether the system is becoming more responsive to problems. Ownership clarity measures whether accountability is real or nominal. The frequency with which teams escalate unusual situations without being prompted measures whether the psychological safety conditions exist. Communication quality in incident reviews measures whether the organisation is learning from experience or reproducing the patterns that made the experience likely in the first place.

None of these is easy to capture. All of them are more predictive of actual security posture than the metrics that appear in most dashboards.