With the ICAO Year of Security Culture 2021 well underway, we are all becoming familiar with the overarching concept of ensuring security is everyone’s responsibility. What ICAO, Authorities and organizations now need to focus on are the practical steps to make this ambition reality. In this article, Kevin Sawyer, Aviation Security lead for CAA International, explores the practical tools available for those looking to measure, assess and improve the security culture within their organizations.
“Positive security culture plays an essential role in rebuilding a successful and sustainable civil aviation sector.”
In his opinion piece, ‘The importance of an Effective Security Culture in Aviation Operations’, Mr. Sylvain Lefoyer, Deputy Director Aviation Security and Facilitation at ICAO, recognized not only the continued threat to civil aviation during COVID-19, but also the opportunity presented that exists in the recovery phase to reinforce effective security behaviors in the returning workforce.
This message is consistent with the ‘build back better’ message given by Dr. Rannia Leontaridi OBE FRSA, Director General of Civil Aviation for the UK Department for Transport in her paper, ‘An effective security culture in aviation as we recover from COVID-19’. What is clear from these articles, and the many other insightful pieces published on the ICAO Security Culture website, is the essential role a positive security culture will play in rebuilding a successful and sustainable civil aviation sector.
“Making security everyone’s responsibility is now not only ‘nice to do’ – but is a ‘must do’”
Embedding security in the DNA of our organizations and ensuring security is everyone’s responsibility, is not only ‘nice to do’, it is a ‘must do’, given the new operating environment and constraints we now face. By instilling a positive security culture across our organizations, from top to bottom and across all capability areas, we create an environment where all staff can be security assets and suspicious behavior or poor security practices stand out.
The case for action having been made, what organizations now need to focus on is the how:
- How do we make improvements to our security culture?
- How do we know what ‘good’ security culture looks like?
- And possibly most important of all, how do we know what our current security culture is like?
Whilst assessing an organization’s current security culture might be a difficult step to take, the last question is possibly the most important because it will determine where and how much effort is required.
To assist our endeavors, the ICAO Security Culture website hosts some excellent resources which, when combined with some research into what other sectors have done, provides us with valuable tools and techniques.
Defining Security Culture and its components
The ICAO Security Culture toolkit clearly defines security culture as “A set of norms, beliefs, values, attitudes, and assumptions that are inherent in the daily operation of an organization and are reflected by the actions and behaviors of all entities and personnel within the organization. Security should be everyone’s responsibility – from the ground up and top-down”.
This clear mission statement is supported by several ‘intervention areas’ and ‘desired outcomes’, which provide a useful guide to the facets or components that make up a positive security culture in aviation. These include:
- Positive work environment
- Training
- Leadership
- Understanding the threat
- Vigilance
- Reporting systems
- Incident response
- Information decurity
- Measures of effectiveness.
If we can understand how we are performing in each of these areas, we begin to build a picture of our overall security culture.
Measuring the components
For each component identified, organizations must assess how they are currently performing. A helpful way of doing this may be to measure the extent to which the desired outcome is being achieved. This is where a look at what other safety and security sectors have done in the area of culture can provide some useful insight. Across the safety and security regulatory landscape, a range of practical tools have been developed to measure the attitudinal and behavioral indicators that make up a prevailing culture.
Surveys
Security culture surveys provide a cost-effective and efficient way of reaching a large audience. Surveys are best used to measure attitudes rather than knowledge with the additional benefit of being anonymous, and they produce a large amount of quantitative data. A good example of a survey is provided by the Health Foundation in their 2011 document ‘Measuring Safety Culture’.
Self-Assessment
Similar to the survey approach is the self-assessment which provides an organization with a predetermined set of questions to be answered. With many of the same features of a survey, the self-assessment can be used in several ways. For example, to be answered by multiple individuals, groups, or as a single return complied on behalf of an organization. ICAO has produced such a self-assessment tool on their security culture website.
As part of the Security Management System (SeMS) approach, the UK CAA has produced a security culture self-assessment tool to assist organizations in evaluating their current security culture.
Interviews
Interviews can provide an effective method for measuring an individual’s knowledge and attitudes. Whilst time consuming and likely to reach a significantly lower proportion of a population than other methods, interviews provide the opportunity to probe and follow up on responses and produce a significant amount of qualitative data. In their technical guidance document, the International Atomic Energy Agency provides a useful overview of the considerations to be factored into interviews.
Workshops
Undertaking workshops can be a valuable way of reaching a wide audience whilst also ensuring interaction and providing an opportunity to probe responses. Workshops can provide significant amounts of qualitative data, which can be insightful (albeit time-consuming) to analyze. Workshops should also be well structured and facilitated to ensure all participants are given the opportunity to participate. The Eurocontrol safety culture discussion cards provide an excellent example of how workshops can be structured and managed.
Observations, Audits and Inspections
Conducting security observations and audits or inspections provides a real-world, real-time view of what individuals are doing as appose to what they say they are doing. This method is not reliant on volunteers like other methods, but those conducting the activity should be aware of the possible behavior change that may occur if those being observed are aware of the activity. The Health and Safety Executive provide a useful checklist for similar safety-related activity.
Document Review
The review of documentation such as company policy and procedures can provide helpful insight into the organizational approach and how this is communicated. This objective measure, whilst time-consuming, is a useful means of verifying or following up on what has been said during interviews or workshops (triangulation).
For each of the security culture components, organizations will want to select the most appropriate method to conduct their assessment. For example, organizational leadership may be best measured by conducting surveys or interviews with staff members, whereas document review may be a good method for measuring an organization’s reporting systems.
Using the data
Once data has been collected, organizations need to assess the extent to which current performance is meeting the desired outcome or where improvement is required. A useful way of visualizing this may be with the use of a maturity model such as the one developed by the World Institute for Nuclear Security. As part of the Safety Management System (SMS), aviation safety practitioners have used the maturity model to plot organizational safety culture for many years, thus providing a common language to describe the current state and desired end state. Having assessed current performance, organizations are able to identify the areas or components requiring improvement. Here, the ICAO Security Culture Toolkit and Campaign Starter Pack provide an excellent starting point for organizations looking for ideas on the activities that can be undertaken.
Training
In support of ICAO’s Year of Security Culture 2021, CAA International and ICAO Global Aviation Training have launched a 2-day virtual training course under the TRAINAIR PLUS Programme. The Introduction to Security Culture course, delivered by Kevin Sawyer, provides a comprehensive understanding of security culture benefits and the practical tools and techniques for assessing and improving security culture in aviation.
Registrations for the Introduction to Security Culture course are now open, with virtual courses scheduled throughout the year. For more information and to reserve your place, please visit the CAAi website.