1. What is security culture?
Security culture is a set of norms, beliefs, values, attitudes and assumptions that are inherent in the daily operation of an organization and are reflected by the actions and behaviours of all entities and personnel within the organization. Security should be everyone's responsibility - from the ground up and top-down. Effective security culture is about:
- Recognizing that effective security is critical to business success;
- Establishing an appreciation of positive security practices among employees;
Aligning security to core business goals; and
Articulating security as a core value rather than as an obligation or a burdensome expense.
Simply put, security culture is the inclusion of security practices in a business or organization's day-to-day operations and is embedded in the actions of all employees.
Security culture is... about embodying effective security behaviours at an airport. For example, understanding security responsibilities as an airport pass holder; challenging those who aren’t following security procedures e.g. tailgating, not wearing their airport pass/ID, breaking policy; and reporting issues of concern e.g. unattended items and suspicious behaviour.
|
Security culture is... about the way in which people think, act and feel about security. It represents how much of a priority security is for an organization/airport, and how much it is part of its ‘DNA’. We want to create an environment where security ‘is just the way we do things’ i.e. in which security culture is embedded in the organization's fabric.
|
2. What are the benefits of an effective security culture in aviation?
The benefits of an effective security culture include:
- Employees are engaged with, and take responsibility for, security issues;
- Levels of compliance with protective security measures increase;
- The risk of security incidents and breaches is reduced by employees thinking and acting in more security-conscious ways;
- Employees are more likely to identify and report behaviours/activities of concern;
- Employees feel a greater sense of security; and
- Security is improved without the need for large expenditure.
Security culture has many benefits... Personnel that think and act in more security-conscious ways represent one of the pillars of a strong, robust and resilient system. Such a system is acquired when personnel understand that they play a critical role in ensuring security within their organization.
|
3. What are the costs of a strong security culture?
The key resources needed are time and buy-in from staff, from management down. It takes time and effort to create an organizational infrastructure that embeds and prioritizes security practices in day-to-day operations. This could include formal actions such as the development of security training for staff, creating and implementing incident reporting mechanisms, including security practices in performance evaluations, and developing communications plans that highlight security and share information and best practices. It also could include informal actions such as taking into account security prompts in existing briefings (to include reiterating best practices or congratulating staff when they follow security guidance) and management leading by example by taking security seriously and following security procedures. Indeed, security culture is developed through the strategic direction agreed upon by senior managers as well as through the associated behaviours managers demonstrate and want staff to follow.
4. How can ICAO help States and airports implement a strong and effective security culture? What tools are available?
ICAO has a number of tools and resources available. These include, but are not limited to:
- A Toolkit on Enhancing Security Culture, which identifies effective security behaviours and actions to support a positive security culture;
- A Security Culture Campaign 'Starter Pack', which supports the development of security awareness programmes and security culture campaigns;
- Discussion Cards to help organizations initiate meaningful discussions about security with all their staff and encourage positive security behaviours;
- Customizable Resources (display posters, staff wallet cards, manager checklists, induction briefings, blogs) to support organizations in promoting a strong and effective security culture;
- An interactive E-learning Package to provide users with a comprehensive understanding of security culture and its importance in an aviation environment; and
- Two educational short Films to help raise security awareness in aviation and to share security information and advice (including on the insider threat).
5. What practical actions can entities take to build and promote a positive
security culture?
A variety of methods can be used to build and promote a positive security culture. This could include public awareness campaigns (please refer to the Security Culture Campaign 'Starter Pack'); promoting the reporting of suspicious activity immediately; and adhering to company policies and procedure that define security culture. Other practical actions include:
- Creating flyers, posters, leaflets and advertising material that highlight the importance of specific security measures;
- Promoting exhibitions and workshops enabling all personnel, including management, to better understand the importance and rationale of security culture in the organization;
- Providing information to personnel directly through public speeches, regular briefings, and handouts that promote sustained security awareness;
- Training on security culture and continuous learning activities, both on an initial and recurring basis;
- Utilizing e-learning tools and digital media that reinforce security culture messages;
- Leveraging internal communication platforms such as intranet articles, newsletters, brochures and videos that promote a positive security culture; and
- Establishing
a framework that affords protection to reports and their sources when reporting
suspicious behaviour or lapses in airport security.
6. Is there training available on security culture?
ICAO offers the Security Culture Workshop, which builds upon the best practices and keys to develop, implement, and sustain security culture principles. Objectives of the workshop include:
- explaining the principles, importance, and benefits of an effective security culture;
- presenting tools and best practices for the development of a strong and sustainable security culture; and
- illustrating the process that can be used to develop behaviour change through campaigns to build and maintain an effective security culture.
ICAO has also partnered with the UK CAA International (CAAi) to offer an Introduction to Security Culture course. The course is designed to help regulated entities and aviation authorities understand the concept and benefits of an effective security culture, and best practices for embedding a positive security culture within an organization.
Further information on the
workshop and training course can be found here.
Also available
on the ICAO Security
Culture website are
sample slides that can be used by States and organizations within their own training that define security culture and the elements of an effective security culture
, along with online
training material.
Security culture is… strengthened by the use of security awareness training and the culture that it instills e.g. a positive culture driven from the top-down towards embracing security.
|
7. What do you mean by 'security is everyone's responsibility'?
The most important aspect of a strong and effective security culture is that security is a priority within the entire organization. Security-conscious actions have to be embedded in the day-to-day duties of all staff, not just those with a direct connection to security. This also means that all staff, no matter their level or role within the organization, takes security seriously and adheres to security best practices. Therefore, the key message is that security is everyone's responsibility, and not a matter of a person's job title or position.
Security culture is... about making security everyone’s responsibility. It is not about aviation security but security as a whole. From screeners to cleaners, from top government officials and industry leaders to frontline workers, and from taxi drivers to those working in airport retail outlets, all have a vital role in improving security at our airports.
|
8. Why should States or organizations care about security culture if there is a low threat of an act of unlawful interference?
The threat to civil aviation is global and it is prevalent. Adversaries continuously seek to exploit gaps and vulnerabilities in our aviation systems to conduct an attack. A strong and effective security culture increases the 'eyes and ears' of the organization, beyond formal aviation security policies and procedures. This creates an environment of vigilance, enhancing the overall security of an organization and protecting it from an attack. Additionally, this enhanced security posture would also be beneficial to deterring other crimes at the organization, such as smuggling and theft.
Security culture is... really important due to the ever-evolving threat to aviation and the need to safely restart operations following the pandemic. A positive security culture helps to mitigate against a range of risks that could cause fatalities and casualties, and operational, reputational or financial damage.
|
9. How can management and leadership best assess if a security culture has been implemented in an organization?
There are a number of ways that management can assess if an effective security culture has been implemented in their organization. I
CAO offers a Self Assessment Tool. Additionally,
the ICAO Security Culture Workshop includes an exercise that allows participants to conduct an assessment on the level of a security culture that exists within their organization. Before beginning to develop and implement a security culture programme, it is important to understand your current state of play and develop further actions that have the support of an organization's leaders. Leaders in aviation need to endorse messages that foster the widespread adoption of security. Through the promotion of security culture as a key leadership directive, alongside proper resource allocation, aviation personnel will acknowledge security is an important part of their everyday roles and responsibilities.
10. Why should airports implement security culture if they already have a comprehensive set of rules and procedures in place?
A strong and effective security culture will complement existing formal security countermeasures at an airport. While having comprehensive security measures is necessary and vital to protecting the airport, its passengers, and its staff, a strong security culture will enhance the effectiveness of security measures at the airport. By making security a priority and educating staff on good security behaviours, you are expanding the cadre of individuals able to identify suspicious behaviours and report them for action; making them the 'eyes and ears' of the airport. By embedding security postures in everyday operations, your staff becomes an additional security measure.
11. What are some motivating factors to ensure all appropriate stakeholders are involved in creating an effective security culture?
Some motivating factors include, but are not limited to:
- Obtaining leadership buy-in to develop a security culture programme and/or a campaign;
- Including stakeholders from across the organization on the project team to develop security culture programmes, actions, and procedures;
- Including security as a formal part of an organization's performance evaluation process for all personnel; and
- Incentivizing staff to incorporate security in their duties, through measures such as rewards for good behaviour; prompt actions to sanction bad behaviour; effective training programmes; and communications plans.
Airport campaigns can help to promote security culture... Local behaviour change campaigns can raise the profile of security and embed security culture into everything we do across the entire aviation sector. A security culture campaign should focus on all personnel at all levels. It should include Human Resources and Marketing, who will understand the best ways to communicate security messages to staff.
|
12. What role do passengers play in security culture?Security culture is everyone’s responsibility. This includes passengers. We hope airports and other influential organizations can run security awareness campaigns to help educate all, including the general public. A key component of a security culture is awareness campaigns, which could include announcements over public address systems, posters and signage, and slogans that promote security culture and vigilance. As these are developed for staff, they can also be applied, announced, and posted in areas where passengers and the general public will see them. Such measures would further increase an organization's security posture. The more people who are aware of what constitutes suspicious behaviour, and what to do about it, the more secure your organization will be.
13. What should a confidential reporting system look like?
A reporting system - and how it is set up - should depend on an organization's capabilities. Security reports can be sent through texts, phone calls, or by speaking to someone in person. Anonymous or confidential reporting, where people can report incidents (including incidents of poor behaviours), can be very useful as incidents can be addressed without the fear of repercussions. A reporting system should concentrate more on the content of the report, rather than who is reporting it. With confidentiality, that means more that the person being reported doesn't know who reported them rather than the agency not knowing who called in suspicious behaviour.
14. How do human performance and human factors relate to security culture?
Security culture is reliant on everyone in the workforce actively contributing to its maintenance and robustness. We rely on humans to undertake various security functions, so the key is to understand and embrace the concept of human factors and know how to reduce their impact on staff so that they can perform to the best of their ability. To mitigate the impact of human factors, organisations can support staff by ensuring the job roles that they perform are designed with human factors in mind, such as task variation, autonomy and identity, and recognition and feedback. These elements can motivate a workforce and encourage staff to perform to their best ability – and in turn, directly contribute to an effective, robust security culture.