With the ICAO Year of Security Culture 2021 well underway, we are all becoming familiar with the overarching concept of making security everyone’s responsibility. What ICAO, Authorities and organisations now need to focus on are the practical steps to make this ambition reality.
In this blog, Kevin Sawyer – Aviation Security lead for CAA International, explores the practical tools available for those looking to measure, assess and improve the security culture within their organisations.
“Positive security culture plays an essential role in rebuilding a successful and sustainable civil aviation sector.”
In his opinion piece, ‘The importance of an Effective Security Culture in Aviation Operations’, Mr. Sylvain Lefoyer, Deputy Director Aviation Security and Facilitation at ICAO, recognises not only the continued threat to civil aviation during COVID-19. But also the opportunity presented during the re-shape and recovery phase to reinforce effective security behaviours in the returning workforce.
This message is consistent with the ‘build back better’ message given by Dr. Rannia Leontaridi OBE FRSA, Director General of Civil Aviation for the UK Department for Transport in her paper, ‘An effective security culture in aviation as we recover from COVID-19’. What is clear from these articles, and the many other insightful pieces published on the ICAO Security Culture website, is the essential role a positive security culture will play in rebuilding a successful and sustainable civil aviation sector.
“Making security everyone’s responsibility is now not only ‘nice to do’ – but is a ‘must do’”
Embedding security in the DNA of our organisations and making security everyone’s responsibility, is now not only ‘nice to do’. But it is a ‘must do’, given the new operating environment and constraints we now face. By instilling a positive security culture across our organisations, from top to bottom and across all capability areas, we create an environment where all staff can be security assets and suspicious behaviour or poor security practices stand out.
The case for action having been made, what organisations now need to focus on is the how:
- How do we make improvements to our security culture?
- How do we know what ‘good’ security culture looks like?
- And possibly most important of all, how do we know what our current security culture is like?
Whilst assessing your current security culture can be the most difficult step to take, the last question is possibly the most important. This is because it will determine where and how much effort is required.
To assist our endeavours, the ICAO Security Culture website hosts some excellent resources which, when combined with some research into what other sectors have done, provides us with valuable tools and techniques.
Defining Security Culture and its components
The ICAO Security Culture toolkit clearly defines security culture as “A set of norms, beliefs, values, attitudes and assumptions that are inherent in the daily operation of an organisation and are reflected by the actions and behaviours of all entities and personnel within the organisation. Security should be everyone’s responsibility – from the ground up and top down”.
This clear mission statement is supported by several ‘intervention areas’ and ‘desired outcomes’, which provide a useful guide to the facets or components that make up a positive security culture in aviation. These include:
- Positive Work Environment
- Understanding the Threat
- Reporting Systems
- Incident Response
- Information Security
- Measures of Effectiveness.
If we can understand how we are performing in each of these areas, we begin to build a picture of our overall security culture.
Measuring the components
For each component identified, organisations must assess how they are currently performing. A helpful way of doing this may be to measure the extent to which the desired outcome is being achieved. This is where a glance to see what other safety and security sectors have done in the area of culture provides some useful insight. Across the safety and security regulatory landscape, a range of practical tools have been developed to measure the attitudinal and behavioural indicators that make up a prevailing culture.
Security culture surveys provide a cost-effective and efficient way of reaching a large audience. Surveys are best used to measure attitudes rather than knowledge with the additional benefit of being anonymous. Surveys produce a large amount of quantitative data. A good example of a survey is provided by the Health Foundation in their 2011 document ‘Measuring Safety Culture’.
Similar to the survey approach is the self-assessment which provides an organisation with a predetermined set of questions to be answered. With many of the same features of a survey, the self-assessment can be used in several ways. For example, to be answered by multiple individuals, groups, or as a single return complied on behalf of an organisation. ICAO have produced such a self-assessment tool on their security culture website.
As part of the Security Management System (SeMS) approach, the UK CAA have produced a security culture self-assessment tool to assist organisations evaluate their current security culture.
Interviews can provide an effective method for measuring an individual’s knowledge as well as attitudes. Whilst time consuming and likely to reach a significantly lower proportion of a population than other methods, interviews provide the opportunity to probe and follow up on responses and produce a significant amount of qualitative data. In their technical guidance document, the International Atomic Energy Agency provide a useful overview of the considerations to be factored into interviews.
Undertaking workshops can be a valuable way of reaching a wide audience whilst also ensuring interaction and providing an opportunity to probe responses. Workshops can provide significant amounts of qualitative data, which can be insightful (albeit time-consuming) to analyse. Workshops should also be well structured and facilitated to ensure all participants are given the opportunity to participate. The Eurocontrol safety culture discussion cards provide an excellent example of how workshops can be structured and managed.
Observations, Audits and Inspections
Conducting security observations and audits or inspections provides a real-world, real-time view of what individuals are doing as appose to what they say they are doing. This method is not reliant on volunteers like other methods. But those conducting the activity should be aware of the possible behaviour change that may occur if those being observed are aware of the activity.
The review of documentation such as company policy and procedures can provide a helpful insight into the organisational approach and how this is communicated. This objective measure, whilst time-consuming, is a useful means of verifying or following up on what has been said during interviews or workshops (triangulation).
For each of the security culture components, organisations will want to select the most appropriate method to conduct their assessment. For example, organisational leadership may be best measured by conducting surveys or interviews with staff members, whereas document review may be a good method for measuring an organisation’s reporting systems.
Using the data
Once data has been collected, organisations need to assess the extent to which current performance is meeting the desired outcome or where improvement is required. A useful way of visualising this may be with the use of a maturity model such as the one developed by the World Institute for Nuclear Security. As part of the Safety Management System (SMS), aviation safety practitioners have used the maturity model to plot organisational safety culture for many years, thus providing a common language to describe the current state and desired end state. Having assessed current performance, organisations are able to identify the areas or components requiring improvement. Here, the ICAO Security Culture Toolkit and Campaign Starter Pack provide an excellent starting point for organisations looking for ideas on the activities that can be undertaken.
In support of ICAO’s Year of Security Culture 2021, CAA International and ICAO Global Aviation Training have launched a 2-day virtual training course under the TRAINAIR PLUS Programme. The Introduction to Security Culture course, delivered by Kevin Sawyer, provides a comprehensive understanding of security culture benefits and the practical tools and techniques for assessing and improving security culture in aviation.
Registrations for the Introduction to Security Culture course are now open, with virtual courses scheduled throughout the year. For more information and to reserve your place, please visit course webpage.