ICAO defines Security Culture as “a set of norms, values, attitudes and assumptions that are inherent in the daily operation of an organisation and are reflected by the actions and behaviours of all entities and personnel within the organisation”.

Each entity, as part of its regulatory requirements, must ensure that an internal policy relating to Security Culture is in place.

Each entity must ensure they have a policy promoting a Positive Security Culture to meet regulatory requirements.

Assessing your Security Culture

The Security Culture Self-Assessment Tool is designed to help organisations explore and understand the nature of their existing security culture. The tool encourages reflection on what that culture looks like today and how it might evolve. Each organisation should determine for itself the behaviours, attitudes, and values it wishes to promote and develop.

The questions provided can be integrated into local quality control and assurance processes, as well as training courses and workshops. This assessment can support meaningful cultural development tailored to your organisation’s unique context.

Leadership

  • Is security an organisational priority and a core value of the organisation?
  • Do your employees believe that the organisation takes security seriously?
  • Is the importance of building a positive security culture endorsed and led from the top?
  • Is there an internal policy and/or supporting procedures in place that define security culture, with a description of what effective security looks like within your organisation?
  • Do managers promote a positive security culture by visibly endorsing and executing security initiatives? Do they lead by example?
  • Are all employees appropriately and regularly vetted?
  • Do your employees, including all Managers, consider themselves a part of the team?
  • Do you conduct regular reviews of your organisation's Security Culture and capture lessons learnt where appropriate?
  • Are the findings of the security culture reviews presented to the board for appropriate action?
  • Is there an appropriately funded programme of security training, awareness and education available to all employees?
  • Is there a reporting process in place that allows employees to report security incidents/concerns (both openly and/or confidentially)?

Communication

  • Are there posters and/or other communication campaigns in and around your organisation that promote positive security behaviours and security culture to your employees?
  • Does Management communicate with all employees (not just security personnel) and third parties on security matters, e.g. through written communications, team announcements and stakeholder communications?
  • Are security messages a core element within your organisation's communications (internal and external), including deterrent communications?
  • Are employees provided with the opportunity to suggest ways in which the organisation could improve security, e.g. through employee surveys (question sets), feedback boxes, interviews, workshops, peer reviews?
  • Within the organisation, do all employees receive recognition from Managers for positively contributing to security?
  • Do employees believe that reported items on security will be acted upon accordingly? Is there a feedback process?

Staff awareness and understanding

  • Do employees within your organisation understand their security responsibilities and how their work contributes to the organisation’s overall security?
  • Are security threats and risks understood across all levels?
  • Do employees recognise their roles in mitigating these threats and risks?
  • Are security passes worn by employees and those accessing your premises visible at all times? If not, is this being challenged, recorded, and managed appropriately?
  • Do training materials (including refresher training materials) contain a description of the current threat to aviation and relevant security processes?
  • Does your business have a process to disseminate changes in the threat outside of your training/refresher training?
  • Are the elements of a positive security culture built into all training programmes?
  • Are processes in place to enable and encourage all employees to report security-related incidents (with the option of anonymity)?
  • Does the organisation conduct regular Security Culture campaigns as part of the overall security awareness within the organisation, for all employees? Does this support your security awareness training and education for all employees across the organisation?