The aviation sector faces a complex set of threats. These threats are constantly evolving, becoming more sophisticated and are increasingly designed to undermine effective security measures implemented by the sector.
At the same time, your organisation holds specific and often unique security risks, and potentially significant vulnerabilities.
It’s important that all staff understand these threats and risks, the importance of security in their daily operations, and that they appreciate why they are required to do certain things in the name of security. Understanding what is at stake is at the heart of a good security culture: staff who understand are more likely to exhibit good security behaviours and achieve positive security outcomes for your organisation and the sector.
Understanding threat and risk
Threat describes a person or group with the intent and/or capability to undermine security protections, or exploit a vulnerability, to cause loss or harm.
Risk is the potential for loss or harm as a result of a threat exploiting a vulnerability. It considers the likelihood of the threat materialising, the consequences that could result, and any residual vulnerabilities or weaknesses in your organisation that could be exploited following the implementation of relevant security controls.
Maintaining an up-to-date understanding of security threats is vital to ensuring the security measures applied remain appropriate. Senior managers and security personnel should be well versed on the threats present within the aviation system and should be able to speak about these to staff with credibility and explain clearly to employees the reason why security measures are so important in the aviation sector. Security culture is enhanced when staff feel comfortable that senior members of the organisation are aware of the threat environment and take appropriate measures in response, including interpreting these threats and communicating them across the organisation.
Gain understanding of the threat environment by:
Your organisation’s individual risk profile is often highly specific to the type of work you conduct and where you are located. It is important to have a clear understanding of the unique features that may create security risks for your business, and how these can impact the security of the aviation sector. There should be a focus on risk identification and management, including an emphasis on the mitigation or treatment of risks, either to reduce the likelihood of a harmful event taking place, or to minimise the consequences should it transpire. Translating the threat environment into the tangible implications on the risks for your business is important for building security culture and practice: it helps to contextualise security for your specific circumstances and leads to the development of specific measures needed to keep staff and the aviation sector secure.
Understand and assess the risks for your organisation:
Once senior members of the organisation have a clear understanding of the threat environment, and risks within the organisation, it is important to bring staff along on the journey, gaining buy-in and understanding of these threats and risks too. The aim is to encourage staff to adopt positive security behaviours not just because they are required to, but because they understand the reasons behind them. Threat and risk information should be clearly communicated to all staff, with clear messaging about exactly what your security measures are trying to protect. Staff who become complacent about security or believe that they do not have a role in protecting aviation can be a negative influence on the overall security culture of your organisation. Their complacency may cause security lapses that leave the organisation and the aviation system vulnerable. A baseline understanding of global aviation security threats, and how these are relevant to their roles, better informs staff as to how they can act to mitigate threats and close vulnerabilities.
Inform staff by:
The security threat environment is constantly evolving; therefore, your risk environment is never fixed or static. Risk assessments and security procedures require continual review, adjustment, and revision to make sure they are fit for purpose in your current environment. Security processes and procedures should be flexible and responsive to changes in the external threat environment locally, nationally, and internationally. An elevation in security threats should see a review of internal processes to match. Likewise, any internal changes or specific risk information relevant to your organisation should be taken seriously, and new or adjusted mitigations applied to match. Proactive and relevant security procedures build good security culture by keeping security at the fore of your organisation’s planning and operations, helping staff understand that security is an organisational priority, and part of the fabric of how business is done.
Test, review and improve your procedures regularly:
|Previous page: Security training
|Next page: Staff vigilance