The aviation sector faces a complex set of threats. These threats are constantly evolving, becoming more sophisticated, and are increasingly designed to undermine the effective security measures implemented by the sector.

At the same time, your organisation holds specific and often unique security risks, and potentially significant vulnerabilities.

It’s important that all staff understand these threats and risks, the importance of security in their daily operations, and that they appreciate why they are required to do certain things in the name of security. Understanding what is at stake is at the heart of a good security culture: staff who understand are more likely to exhibit good security behaviours and achieve positive security outcomes for your organisation and the sector.

Understanding threat and risk

Threat describes a person or group with the intent and/or capability to undermine security protections, or exploit a vulnerability, to cause loss or harm.

Risk is the potential for loss or harm as a result of a threat exploiting a vulnerability. It considers the likelihood of the threat materialising, the consequences that could result, and any residual vulnerabilities or weaknesses in your organisation that could be exploited following the implementation of relevant security controls.

Understand your threat environment

Maintaining an up-to-date understanding of security threats is vital to ensuring the security measures applied remain appropriate. Senior managers and security personnel should be well versed in the threats present within the aviation system, and should be able to speak about these to staff with credibility and explain clearly to employees why security measures are so important in the aviation sector. Security culture is enhanced when staff feel comfortable that senior members of the organisation are aware of the threat environment and take appropriate measures in response, including interpreting these threats and communicating them across the organisation.

Gain understanding of the threat environment by:

  • Developing systems and processes to increase your understanding of the current threat environment: maintain an awareness of overseas and domestic security events that impact the security of the aviation sector and how these may impact your threat locally; and ensure that the threat environment is regularly scanned and reviewed, and understood by executive leadership to enhance security decision-making.
  • Considering subscriptions to commercial, sector, or government newsletters or alerts relating to aviation security matters, both domestically and internationally. This information will inform your understanding of developing threats to the sector and keep you updated on any emerging issues of concern that may require a response.
  • Drawing on resources available within your organisation, or within wider sector groups, to identify experts with security knowledge to keep your knowledge current. These could be IT, HR, security personnel, or anyone else with security roles and responsibilities.

Understand your organisation’s risk profile

Your organisation’s individual risk profile is often highly specific to the type of work you conduct and where you are located. It is important to have a clear understanding of the unique features that may create security risks for your business, and how these can impact the security of the aviation sector. There should be a focus on risk identification and management, including an emphasis on the mitigation or treatment of risks, either to reduce the likelihood of a harmful event taking place, or to minimise the consequences should it transpire. Translating the threat environment into tangible implications for the risks your business faces is important for building security culture and practice: it helps to contextualise security for your specific circumstances and leads to the development of specific measures needed to keep staff and the aviation sector secure.

Understand and assess the risks for your organisation:

  • Consider using standard risk assessment practice and methodologies, such as ISO 31000, to develop your own risk profile. Assessments of risks should be reviewed regularly to ensure they are still correct considering the overall threat environment.
  • Make risk information available to operational staff so they understand the reasons why security measures are important, making them more likely to adhere to policies and procedures.
  • Ensure senior leadership have a high level of familiarity with the security risks facing the organisation so that strategic decisions can be well-informed and appropriate resources can be allocated to security matters. An executive leadership team with a strong understanding of security risk is better equipped to ask the right questions and make good decisions relating to security matters, enhancing leaders’ ability to influence security culture throughout the wider organisation.
  • Consider vulnerabilities that are specific to your organisation when assessing risks. This might include staff, information your organisation handles, digital access maintained, swipe card access maintained, or equipment used. Ensuring security risks are specifically assessed for your organisation’s profile and context is vital to making risks and identified vulnerabilities relevant to your staff.

Communicate threat and risk information to staff

Once senior members of the organisation have a clear understanding of the threat environment, and risks within the organisation, it is important to bring staff along on the journey, gaining buy-in and understanding of these threats and risks too. The aim is to encourage staff to adopt positive security behaviours not just because they are required to, but because they understand the reasons behind them. Threat and risk information should be clearly communicated to all staff, with clear messaging about exactly what your security measures are trying to protect. Staff who become complacent about security or believe that they do not have a role in protecting aviation can be a negative influence on the overall security culture of your organisation. Their complacency may cause security lapses that leave the organisation and the aviation system vulnerable. A baseline understanding of global aviation security threats, and how these are relevant to their roles, better informs staff as to how they can act to mitigate threats and close vulnerabilities.

Inform staff by:

  • Delivering training specifically on security threats and risks in the aviation context. Regular specific briefings on security threats, risks and vulnerabilities are important to grow security knowledge and understanding, because threats and risks in the aviation sector are constantly evolving.
  • Incorporating real-world examples in threat and risk communications where possible, including security incidents, vulnerabilities, attacks, failures, and successes (both locally and globally) to help staff grasp the reality of threats in their environment and the possible consequences when things go wrong.
  • Engaging staff in the security risk assessment process, as they are often the best placed to understand their environment, where specific vulnerabilities exist, and what mitigations might be possible to lower residual security risk. Staff who input into the process are more likely to feel engaged, and exercise better security behaviours in the future.

Regularly review procedures in response to your environment

The security threat environment is constantly evolving; therefore, your risk environment is never fixed or static. Risk assessments and security procedures require continual review, adjustment, and revision to make sure they are fit for purpose in your current environment. Security processes and procedures should be flexible and responsive to changes in the external threat environment locally, nationally, and internationally. An elevation in security threats should see a review of internal processes to match. Likewise, any internal changes or specific risk information relevant to your organisation should be taken seriously, and new or adjusted mitigations applied to match. Proactive and relevant security procedures build good security culture by keeping security at the fore of your organisation’s planning and operations, helping staff understand that security is an organisational priority, and part of the fabric of how business is done.

Test, review and improve your procedures regularly:

  • Implement systems for threat and risk information to be used to influence security behaviours in a practical and effective way. Developing procedures in response to a changing environment demonstrates to staff that security is taken seriously, and that the measures they are required to implement are tied to a practical and systematic process.
  • Run workshops to test whether your current security procedures stand up to a real-world threat scenario. Adjust processes or procedures that do not achieve the security outcomes desired.
  • Develop methods to maintain awareness of emerging threats to your immediate security environment, and the aviation sector, and consider how your organisation may be vulnerable to any changes or emerging threats.

Assess your understanding of your threat and risk environment [PDF 82 KB]

 
