Developing security culture within the ECAC Region and Partner States – ECAC contribution to the year of security culture
The European Civil Aviation Conference (ECAC) promotes security culture by a variety of means, but within its own region and in cooperation with Partner States outside Europe. There activities include development of policy and guidance, internal discussion on how to maintain security culture in the face of events such as the COVID-19 pandemic, and the delivery of capacity building activities both inside and outside Europe.
Background
Founded in 1955 as an intergovernmental organisation, ECAC seeks to harmonise civil aviation policies and practices among its 44 Member States and, at the same time, to promote understanding of policy matters between its Member States and other parts of the world. Its mission is the promotion of the continued development of a safe, efficient and sustainable European air transport system. ECAC's long-established expertise in aviation matters, pan-European membership and close cooperation with European, regional (e.g. ACAO, AFCAC, LACAC) and international organisations (e.g. ICAO) enable it to serve as a unique European forum for discussion of every major civil aviation topic.
Aviation security is a core activity of ECAC. ECAC's work in this area focuses on ensuring that security measures are in place to protect civil aviation against acts of unlawful interference. Key priorities of ECAC in the field of aviation security are defined in a three-year Work Programme (2019-2021) which include, for example: to promote a risk-based approach to aviation security; to promote the development and use of security technology and equipment to address current and emerging threats; to support Member States in achieving full compliance with European requirements and further developing their security regimes; to promote European priorities in aviation security with international partners, regional and international organisations.
Policies and Guidance Material
New provisions intended to promote positive security culture were introduced to ECAC Document 30, Part II (Security), in 2020. The aim of these provisions is to ensure that Member States’ airport operators, air carriers and other entities define appropriate internal policies in their security programmes. The provisions also introduce the need for such entities to establish and implement related measures to enhance staff awareness and to promote positive security culture. Moreover, training of certain categories of personnel should also result in the acquisition of knowledge of elements contributing to the establishment of a robust and resilient security culture in the workplace, including inter alia, mitigation measures relating to insider threat and radicalisation.
ECAC Document 30, Part II (Security) also provides further support for the enhancement of security culture via a focus on the implementation of cyber security culture, as one of the key measures in protecting critical aviation information and communications technology systems and data, used for aviation purposes, against cyber threats.
To provide its Member States with guidance material and best practices for establishing and improving security culture, ECAC has also developed a document called Best Practices for Security Culture in Aviation. This document is incorporated in the ECAC Aviation Security Handbook and contains guidance material and best practices regarding security culture in Appropriate Authorities and other national authorities/organisations and aviation entities. It provides a common definition of security culture, outlines a number of recommendations for its improvement, and describes the complex link between security culture and security performance. Special attention is given to the close connection between culture desired and demonstrated by senior management and the culture that prevails among employees. Guidance is given on how an entity/organisation can make this connection appropriately and establish mechanisms to effect a positive influence. In addition, the document considers the possible methods of measuring security culture and provides an example of a tool for doing so.
Discussions with Member States, Observer States and Organisations
Issues relating to improving security culture were also discussed by ECAC Member States, Observer States and Organisations at several meetings of the ECAC Security Forum conducted in 2021. For example, at the May and October 2021 meetings of the ECAC Security Forum, aviation security experts discussed the impact of the COVID-19 pandemic on aviation security, acknowledging the value of developing a robust and resilient security culture in mitigating the risk of insiders and improving the overall level of aviation security, when returning to normal operations as we head out of the pandemic.
Capacity Building Activities
In September-November 2020 and in January 2021, ECAC organised two series of Insider Risk Webinars. The aim of these webinars was to raise awareness, understanding and engagement in key aspects of insider risk mitigation and to share best practices for establishing and improving security culture at both national and entity levels. Each series brought together more than 70 experts from 20 ECAC Member States, including from the industry.
Furthermore, a similar webinar series has been delivered though the CASE II Project (a project sponsored by the European Union and implemented by ECAC for the benefit of Partner States across Africa, the Middle East and Asia). Nine such webinars have taken place under the CASE II Project over the last 12 months, involving 195 representatives from 35 Partner States.
The key elements of security culture were also discussed in two virtual ECAC Workshops on Security Culture. The first of these was attended by more than 30 security experts from ECAC Member States and Partner States, organised by ECAC under the "Supporting the implementation of aviation agreements in the Eastern Partnership countries and upgrading civil aviation safety and security standards in Central Asia (EaP/CA)" Project on 28-29 April 2021. It was mainly conducted in English, with some breakout sessions also organised in Russian, which facilitated active participation and discussions.
The second workshop, jointly organised with the Arab Civil Aviation Organization (ACAO), was held on 6-8 September 2021 under the CASE II Project and was attended by over 60 participants representing 13 Partner States.
The main objective of these workshops was to raise awareness of the importance of security culture and to improve the understanding of the subject amongst security experts from national authorities and from the industry. This goal was achieved through delivery of presentations by experienced speakers and was bolstered by virtual breakout sessions which provided an opportunity to share knowledge, experience and best practices for promoting and effectively implementing security culture at both national and organisational levels. Both speakers and participants acknowledged the value of the workshops and agreed that cooperation at international, national and organisational levels is one of the key elements contributing to the establishment of a robust and resilient security culture in aviation.
To further support its Member States in establishing and improving security culture and addressing the risks of insiders, ECAC developed a new Webinar on Insider Risk for Human Resources (HR) Managers, with particular focus on the role of HR processes in mitigating insider risks and implementing security culture. Nine webinars were organised in 2021 and more are planned for 2022. In doing so, more than 250 HR and security experts benefited from attending the webinars.
The webinars were delivered on a one-to-one basis, i.e. for one State at a time, to focus on the specific needs and questions of the States. Each webinar brought together HR managers from the Appropriate Authority and regulated entities, i.e. airport operators, air carriers, security service providers, handling companies, regulated agents and air navigation service providers, with aviation security managers to promote awareness and good practices on how to address insider risks and improve security culture in the organisation. HR managers acquired an understanding of insiders from a security context. Moreover, aviation security and HR managers discussed the areas where they could work together in order to contribute to insider risks mitigation and to improving security culture.
In a new training course entitled Best Practices for National Auditors – Cyber Security (basic) developed by ECAC in 2021, particular attention is also paid to developing and implementing cyber security culture within the organisation as one of the key measures aimed to address cyber threats to critical aviation information and communications technology systems and data, used for aviation purposes. The course provides national auditors/inspectors from ECAC Member States with an understating of the concept of “cyber security culture” and its applicability to civil aviation, the key elements of effective cyber security culture as well as best practices for establishing and improving cyber security culture (e.g. training and awareness campaigns, cyber security documentation, cyber security just culture system).
Development of security culture is not a one-off activity but a constant process of renewal. In this spirit, ECAC continues to develop its own thinking and its activities in the light of its own experience and its dealing with States and organisations, and welcomes the views of participation of all interested parties in doing so.