Aligning security to core business goals; and
Articulating security as a core value rather than as an obligation or a burdensome expense.
ICAO has a number of tools and resources available. These include, but are not limited to:
A variety of methods can be used to build and promote a positive security culture. This could include public awareness campaigns (please refer to the Security Culture Campaign 'Starter Pack'); promoting the reporting of suspicious activity immediately; and adhering to company policies and procedure that define security culture. Other practical actions include:
ICAO has also partnered with the UK CAA International (CAAi) to offer an Introduction to Security Culture course. The course is designed to help regulated entities and aviation authorities understand the concept and benefits of an effective security culture, and best practices for embedding a positive security culture within an organization.
Further information on the
workshop and training course can be found here.
8. Why should States or organizations care about security culture if there is a low threat of an act of unlawful interference?
A strong and effective security culture will complement existing formal security countermeasures at an airport. While having comprehensive security measures is necessary and vital to protecting the airport, its passengers, and its staff, a strong security culture will enhance the effectiveness of security measures at the airport. By making security a priority and educating staff on good security behaviours, you are expanding the cadre of individuals able to identify suspicious behaviours and report them for action; making them the 'eyes and ears' of the airport. By embedding security postures in everyday operations, your staff becomes an additional security measure.
A reporting system - and how it is set up - should depend on an organization's capabilities. Security reports can be sent through texts, phone calls, or by speaking to someone in person. Anonymous or confidential reporting, where people can report incidents (including incidents of poor behaviours), can be very useful as incidents can be addressed without the fear of repercussions. A reporting system should concentrate more on the content of the report, rather than who is reporting it. With confidentiality, that means more that the person being reported doesn't know who reported them rather than the agency not knowing who called in suspicious behaviour.
Security culture is reliant on everyone in the workforce actively contributing to its maintenance and robustness. We rely on humans to undertake various security functions, so the key is to understand and embrace the concept of human factors and know how to reduce their impact on staff so that they can perform to the best of their ability. To mitigate the impact of human factors, organisations can support staff by ensuring the job roles that they perform are designed with human factors in mind, such as task variation, autonomy and identity, and recognition and feedback. These elements can motivate a workforce and encourage staff to perform to their best ability – and in turn, directly contribute to an effective, robust security culture.