Jan Hovden

Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study

The paper discusses and evaluates the effects of an information security awareness programme. The programme emphasised employee participation, dialogue and collective reflection in groups. The intervention consisted of small-sized workshops aimed at improving information security awareness and behaviour. An experimental research design consisting of one survey before and two after the intervention was used to evaluate whether the intended changes occurred. Statistical analyses revealed that the intervention was powerful enough to significantly change a broad range of awareness and behaviour indicators among the intervention participants. In the control group, awareness and behaviour remained by and large unchanged during the period of the study. Unlike the approach taken by the intervention studied in this paper, mainstream information security awareness measures are typically top-down, and seek to bring about changes at the individual level by means of an expert-based approach directed at a large population, e.g. through formal presentations, e-mail messages, leaflets and posters. This study demonstrates that local employee participation, collective reflection and group processes produce changes in short-term information security awareness and behaviour.

Implementation and effectiveness of organizational information security measures

Purpose – The purpose of this paper is to study the implementation of organizational information security measures and assess the effectiveness of such measures.Design/methodology/approach – A survey was designed and data were collected from information security managers in a selection of Norwegian organizations.Findings – Technical‐administrative security measures such as security policies, procedures and methods are the most commonly implemented organizational information security measures in a sample of Norwegian organizations. Awareness‐creating activities are applied by the organizations to a considerably lesser extent, but are at the same time these are assessed as being more effective organizational measures than technical‐administrative ones. Consequently, the study shows an inverse relationship between the implementation of organizational information security measures and assessed effectiveness of the organizational information security measures.Originality/value – Provides insight into the non‐t...

Public policy and administration in a vulnerable society: regulatory reforms initiated by a Norwegian commission

The aims are to give a contribution to a more enlightened and articulated framework for designing safety and rescue institutions and regulatory regimes in a post-modern vulnerable society. The discussions are based on a case study of a Governmental report on ‘A vulnerable society’ (Norway), and the main points at issue in the follow-up public debate. The main points at issue discussed are: (1) problem identification and definition, (2) principles for organizing, (3) change strategies, (4) public and/or private/market control, (5) conflicting models of reality, and finally (6) some overall problems. The reviews of these issues are brief, but give ideas for further studies. Compared to the situation in a number of other countries the Norwegian case is not unique, i.e. the topics discussed have some general relevance for public administration and policy in societal risk and vulnerability management. However, to evaluate alternative approaches and strategies to risk legislation and regulation comparative international studies are needed, as well as in-depth studies within countries related to specific aspects of political culture and specific contingency factors.

The influence of safety at work on safety at home and during leisure time

It has been argued that the effects of safety programmes extend to safety related behaviour outside the work environment. Data from studies of the behaviour of workers in three industries with a high focus on safety were examined in order to explore this argument. By means of data collected through a questionnaire, safe behaviour and emergency preparedness behaviour at home and during leisure time were measured in a case-control study. The findings indicate that workers in two of the three studies did not transfer safe behaviour from workplaces with a high focus on safety to home and leisure arenas. The safety consciousness acquired by workers at their workplaces in the absence of specially designed home and leisure time intervention projects seems to be insufficiently comprehensive or deep enough to influence safe behaviour in other arenas. While safe behaviour was not transferred, the emergency preparedness behaviour was. This indicates that the contextual and situational aspects of emergency preparedness are shared across risk arenas.

HSE Petroleum: Change — Organisation — Technology

The paper presents the results and main conclusions from a pilot study on technological and organisational changes with a bearing on health and safety conditions in the oil industry. The study applies a cross-disciplinary approach, and focuses specially on human and organisational defences against accident risks, and the importance of workers participation in change processes and discourse arenas for the main stakeholders at different levels on issues regarding facts, means and ends in health and safety management.

Human and Organizational Contributions to Safety Defences in Offshore Oil Production

Offshore petroleum production involves several major hazards. In the tightly coupled production systems, incidents such as gas releases can quickly escalate to major accidents. The industry meets this challenge by introducing various safety defences such as firewalls, emergency shutdown systems, and work permit systems to make the platforms fault tolerant, i.e., to ensure that technical and human failures will not result in incidents or accidents. In high-risk industries the attitude to humans as part of the safety defences has traditionally been sceptic. Humans are perceived to be error prone, and it has generally been seen as desirable to minimize and control humans’ contribution to the extent possible using automation and operating procedures, respectively. In this paper we will argue that humans are essential as part of the safety defences at petroleum installations. Humans’ contributions are of particular importance in situations where the tasks required to defend safety cannot be automated, i.e. reliably accounted for in algorithms, because humans furnish required flexibility into the safety defences. To contribute positively to safety, i.e., in ways that lead to a reduction in the risk level, individuals and work groups need to be supported by appropriate organizational means, such as adequate knowledge, competence, resources, and tools. For this reason, we will refer to defences in which humans are allocated tasks to contribute to plant safety as human and organizational defences. In the paper we will outline three ways in which human and organizational defences are applied at petroleum installations, and discuss what kind of means that are needed to support these types of defences. The paper is based on the outcome of the first part of a research activity on fault tolerance, barriers and resilience [1, 2], which is performed within the framework of the project “HSE Petroleum: Change — Organization — Technology [3]. The issues presented in this paper will be addressed in more details in the following parts of this project.

Internal Control of Safety, Health and Environment (SHE) in Industry: an Effective Alternative to Direct Regulation and Control by Authorities?

The Internal control (IC) concept is still vague and open ended. This gives, however, an opportunity for analyzing IC systems of enterprises in development from the minimum documentation of administrative procedures and deviation control, required by the regulations, to more dynamic and adaptive systems and activities.

Safety Management Systems: Alan Waring, Champion&Hall, London, pp 241. ISBN 0-412-71910-X

It is vital that the aviation industry itself constantly consider safety risks and take proactive action to make aviation as safe as possible. To that end, the implementation of an effective Safety Management System SMS) enables airports, airlines, air navigation service providers and other aviation operations to adopt Safety Management Systems (SMS) aimed at identifying and mitigating potential safety risks long before an accident occurs or, in the best-case scenario, a Regulator could raise an issue during an audit or visit. An SMS is a systematic approach to managing safety, including the necessary organizational structures, accountabilities, policies and procedures. To assist organizations in their implementation of an SMS, ICAO conducts Safety Management Systems (SMS) courses upon requests from States and organisations.