The security culture self-assessment tool can assist you in assessing if a positive security culture exists within your organisation/s. It is important to consider what the organisation believes a positive security culture should look like, considering those behaviours and attitudes you wish to instil and enhance. The questions on this page can be built into your local quality control and assurance processes, as well as training courses and workshops. This is guidance that will be of great benefit when routinely used.
Security Culture is a set of norms, beliefs, values, attitudes and assumptions that are inherent in the daily operation of an organisation and are reflected by the actions and behaviours of all entities and personnel within the organisation. Each entity, as part of its regulatory requirements, must ensure that an internal policy relating to Security Culture is in place.
Assessing your Security Culture
The following questions can assist you in assessing if a positive security culture exists within your organisation/s.
- Is security an organisational priority and a core value of the organisation?
- Do your employees believe that the organisation takes security seriously?
- Is the importance of building a positive security culture endorsed and led from the top?
- Is there an internal policy and/or supporting procedures in place that define security culture, with a description of what effective security looks like within your organisation?
- Do managers promote a positive security culture by visibly endorsing and executing security initiatives? Do they lead by example?
- Are all employees appropriately and regularly vetted?
- Do your employees, including all Managers, consider themselves a part of the team?
- Do you conduct regular reviews of your organisation's Security Culture and capture lessons learnt where appropriate?
- Are the findings of the security culture reviews presented to the board for appropriate action?
- Is there an appropriately funded programme of security training, awareness and education available to all employees?
- Is there a reporting process in place that allows employees to report security incidents/concerns (both openly and/or confidentially)?
- Are there posters and/or other communication campaigns in and around your organisation that promote positive security behaviours and security culture to all of your employees?
- Does Management communicate with all employees (not just security personnel) and third parties on security matters, e.g. through written communications, team announcements and stakeholder communications?
- Are security messages a core element within your organisation's communications (internal and external), including deterrent communications?
- Are employees provided with the opportunity to suggest ways in which the organisation could improve security, e.g. through employee surveys (question sets), feedback boxes, interviews, workshops, peer reviews?
- Within the organisation, do all employees receive recognition from Managers for positively contributing to security?
- Do employees believe that reported items on security will be acted upon accordingly? Is there a feedback process?
- Do employees within your organisation understand their security responsibilities and how their work contributes to the organisation's overall security?
- Are security threats and risks understood across all levels?
- Do employees recognise their roles in mitigating these threats and risks?
- Are security passes that are worn by employees and those accessing your premises visible at all times? And if not, is this being challenged, recorded and managed appropriately?
- Do training materials (including refresher training materials) contain a description of the current threat to aviation and relevant security processes?
- Does your business have a process to disseminate changes in the threat, outside of your training/refresher training?
- Are the elements of a positive security culture built into all of your training programmes?
- Are processes in place to enable and encourage all employees to report security-related incidents (with the option of anonymity)?
- Does the organisation carry out regular Security Culture campaigns as part of the overall security awareness within the organisation, for all employees? Does this support your security awareness training and education for all employees across the organisation?