Stig Ole Johnsen
Norwegian University of Science and Technology
Publication
Featured research published by Stig Ole Johnsen.
Information Management & Computer Security | 2011
Janne Merete Hagen; Eirik Albrechtsen; Stig Ole Johnsen
Purpose – The purpose of this paper is to measure and discuss the long‐term effects of an e‐learning tool aiming at improving the information security knowledge, awareness, and behaviour of employees. Design/methodology/approach – The intervention study had two assessments of knowledge and attitudes among employees: one survey, one week before the intervention, and one survey eight months after the intervention. The population was divided into an intervention group and a control group, where the only thing that separated the groups was participation in the intervention (i.e. the e‐learning tool). Findings – The study documents that the effects of the intervention on security awareness and behavior partly remain more than half a year after the intervention, but that the detailed knowledge on information security issues diminished during the period. The study also discusses how such courseware can contribute to long‐term organizational learning compared with human interventions such as action research. Both human resou...
Cognition, Technology & Work | 2013
Stig Ole Johnsen; Mona Veen
This paper discusses the significant findings of an extended risk assessment of the key communication infrastructure used in emergency communication in railways in Norway. The initial risk assessment was performed in 2008. Resilience was explored as a strategy in the risk assessment to improve safety, security, and quality of service. We have reviewed the results in 2010, documenting mitigating actions and the effect of the actions. In addition, the development of safety and security culture has been evaluated. The risk assessment was based on a socio-technical approach, which considers technical, organizational, and human factors. Action research was used as a method to improve the scope and commitment of the risk assessment. It is suggested that organizational collaboration supported by the action research approach has aided in prioritizing the key mitigating actions, based on improved understanding and commitment. The high stability of the GSM-R system has supported safety of operations in the period. One of the identified unwanted incidents occurred in 2010 and gave credibility to the risk assessment. The risk assessment process seems to have sustained the safety and security culture and improved the knowledge of emergency response supporting resilience. The resilience of the total system seems to have been improved. The main contributions of this article are the empirical results of a risk assessment extended with resilience and suggested indicators related to resilience. In addition, it is suggested that exploration of resilience and action research improves the quality and effect of the risk assessment. Risk assessments in a complex setting with uncertainty should explore resilience as a strategy and explore action research to improve understanding and learning among the stakeholders.
International Conference on Critical Infrastructure Protection | 2007
Stig Ole Johnsen; Rune Ask; Randi Roisli
Remote operations are commonly employed in oil and gas installations in the North Sea and elsewhere. The use of information and communications technologies (ICT) has resulted in process control systems being connected to corporate networks as well as the Internet. In addition, multiple companies, functioning as a virtual organization, are involved in operations and management. The increased connectivity and human collaboration in remote operations have significantly enhanced the risks to safety and security. This paper discusses methods and guidelines for addressing different types of risks posed by remote operations: technical ICT-based risks, organizational risks and risks related to human factors. Three techniques are described: (i) ISO 27001 based information security requirements for process control, safety and support ICT systems; (ii) CRIOP, an ISO 11064 based methodology that provides a checklist and scenario analysis for remote operations centers; and (iii) CheckIT, a method for improving an organization’s safety and security culture.
International Conference on Critical Infrastructure Protection | 2009
Stig Ole Johnsen; Torbjørn Skramstad; Janne Merete Hagen
This paper discusses the results of a questionnaire-based survey used to assess the safety, security and resilience of information and communications technology (ICT) and supervisory control and data acquisition (SCADA) systems used in the Norwegian oil and gas industry. The survey identifies several challenges, including the involvement of professionals with different backgrounds and expertise, lack of common risk perceptions, inadequate testing and integration of ICT and SCADA systems, poor information sharing related to undesirable incidents and lack of resilience in the design of technical systems. Action research is proposed as a process for addressing these challenges in a systematic manner and helping enhance the safety, security and resilience of ICT and SCADA systems used in oil and gas operations.
International Conference on Critical Infrastructure Protection | 2010
Stig Ole Johnsen
Resilience is the ability of a system to react to and recover from disturbances with minimal effects on dynamic stability. Resilience is needed as systems and organizations become more complex and interrelated and the consequences of accidents and incidents increase. This paper analyzes the notion of resilience based on a literature survey and an exploration of incidents. In particular, resilience involves the ability of systems to undergo graceful and controlled degradation, the ability to rebound from degradation, the presence of redundancy, the ability to manage margins close to the performance boundaries, the establishment and exploration of common mental models, the presence of flexibility in systems and organizations, and the reduction of complexity and coupling. The paper describes how resilience can be included in system development and operations by considering organizations, technology and human factors. Also, it shows how past strengths and weaknesses can be considered in risk analysis to enhance safety, security and resilience.
Hawaii International Conference on System Sciences | 2010
Ying Qian; Yulin Fang; Martin Gilje Jaatun; Stig Ole Johnsen; Jose J. Gonzalez
The Norwegian Oil and Gas Industry is adopting new information communication technology to connect its offshore platforms, onshore control centers and the suppliers. The management of the oil companies is generally aware of the increasing risks associated with the transition, but so far, investment in incident response (IR) capability has not been highly prioritized because of uncertainty related to risks and the present reactive mental model for security risk management. In this paper, we extend previous system dynamics models on operation transition and change of vulnerability, investigating the role of IR capability in controlling the severity of incidents. The model simulation shows that a reactive approach to security risk management might trap the organization in low IR capability and lead to severe incidents. With a long-term view, proactive investment in IR capability is of financial benefit.
SPE Economics & Management | 2012
Stig Ole Johnsen; Eivind Okstad; Andreas Lumbe Aas; Torbjørn Skramstad
Due to increased need for oil and gas, new and more demanding oil fields must be explored in sensitive and challenging areas. Exploration of expert knowledge and new technology must be employed in these challenging situations. This collaboration and use of new technology introduces new ways of operating oil and gas fields. These new practices are often called “field of the future” or “integrated operations” (IO). These new practices are being implemented on the Norwegian continental shelf, leading to increased hydrocarbon recovery and changes in operations and maintenance. These practices may impact health, safety and environment (HSE), but should not increase the risks of major accidents or influence HSE in a negative manner.
Critical Information Infrastructures Security | 2009
Maria B. Line; Eirik Albrechtsen; Martin Gilje Jaatun; Inger Anne Tøndel; Stig Ole Johnsen; Odd Helge Longva; Irene Wærø
Incident Response is the process of responding to and handling ICT security related incidents involving infrastructure and data. This has traditionally been a reactive approach, focusing mainly on technical issues. In this paper we present the Incident Response Management (IRMA) method, which combines traditional incident response with pro-active learning and socio-technical perspectives. The IRMA method is targeted at integrated operations within the oil and gas industry.
Autonomic and Trusted Computing | 2008
Martin Gilje Jaatun; Eirik Albrechtsen; Maria B. Line; Stig Ole Johnsen; Irene Wærø; Odd Helge Longva; Inger Anne Tøndel
Based on multiple methods we have studied how information security practices, and in particular computer security incident response practices, are handled in the Norwegian offshore oil and gas industry. Our findings show that there is still insufficient awareness regarding the importance of information security in the offshore industry, and that increased vigilance is required in order to respond to mounting threats of tomorrow.
Information Management & Computer Security | 2012
Stig Ole Johnsen
Purpose – The purpose of this paper is to support the implementation of safety and security guidelines in the Norwegian oil and gas industry and verify the actual use of the guidelines by industry and authorities. Design/methodology/approach – An action research approach was used, exploring organisational learning as described by Argyris and Schon and by Nonaka and Takeuchi as “The knowledge‐creating company.” Interviews (analysis of interviews), workshops and reviews of guidelines and audits were performed in addition to “learning workshops” trying to create understanding and compliance related to the guidelines among industry and authorities. Findings – The guideline OLF104 is used in the Norwegian oil and gas industry, by operators and by suppliers and checked through audits. However, the guideline should influence working procedures at operators more. The guideline seems to have improved resilience. Research limitations/implications – The impact of the guideline on safety and security should be more syst...