Fourth, key characteristics of program success may not be articulated in the vocabulary of outcomes and may not yield to measurement. One such dimension of the SCR program was the variable culture of e-governance across different organisations (e.g., the extent to which it was acceptable for staff to forget their passwords or leave machines “logged on” when going to lunch).
http://plosmedicine.org/article/info:doi/10.1371/journal.pmed.1000360#article1.body1.sec2.p7

I'm not clear how the SCR example used relates to the fourth point. The example seems to be a variable in organisations that would access the SCR. The implication is that the less robust an organisation's security policies are, the less 'secure' the SCR itself was going to be. I'd have thought that this is describable as an outcome and measurable?

IF the SCR had a goal of being 'secure', this could be measured by the amount of potential for insecure access e.g. what proportion of accessing organisations have robust security policies (e.g. what proportion of organisations allow or report practice of using shared passwords). Presumably there are even ways of roughly determining (for a small sample) when access is via shared passwords. For example comparing access logs with staff rotas.

The SCR could (and I think did?) influence this variable by encouraging (requiring?) certain levels of information security in accessing organisations.