Last reviewed 24 May 2016

Mike Sopp looks at how employee awareness can ensure the effectiveness of security management systems, and at how employee vigilance for security purposes can be improved through a “security behaviour change campaign”.

Introduction

Organisations that use, store or sell hazardous or dangerous substances can be faced with many security-related threats. These can include threats related to the theft or misuse of such substances, as well as threats relating to the wider workplace activities and employees.

The application of a robust security management system and associated security measures will go some way towards preventing or mitigating threats, but without employees being fully aware of the need for vigilance, the measures adopted may be undermined.

As Government guidance notes, “in a time of varied threats from diverse perpetrators, it’s important that staff understand the role they can play in keeping each other, visitors and their organisation safe”.

The need for employee vigilance

Many organisations are now adopting security measures through the application of a formal security management system. Clearly, to be effective, those with specific security-related functions need to be fully aware and competent to fulfil their roles.

However, various guidance documents available in relation to security management all emphasise in some form the need for employees to be aware of and be involved in the implementation of security measures.

For example, British Standard 16000: Security Management — Strategic and Operational Guidelines notes that the workforce has a pivotal role in maintaining effective security but “individuals cannot be expected to change their behaviours, and thereby contribute to the enhancement of the organization’s security culture, without raising awareness”.

More specifically, the guidance document Protecting Against Terrorism from the Centre for the Protection of National Infrastructure (CPNI) states that “educating staff about security will not only help them to recognise vulnerabilities and their possible consequences but also help organisations identify new threats through the feedback they receive from staff”.

The CPNI continues by stressing that how employees behave is a key indicator of an organisation’s attitude to security. It states that vigilant security behaviour “will show any hostile individual watching that it’s not just security guards and CCTV they need to worry about. Alert employees are just as likely to spot suspicious activity and report it”.

A workforce that is engaged and aware of security measures can bring clear benefits to an organisation by having:

  • employees who are “security-savvy”

  • increased reporting on actual or potential security threats and concerns

  • employees who are more likely to take on board additional security advice as required.

Guiding principles

CPNI guidance Running a Staff Vigilance Campaign provides useful information on the general principles to be followed so as to improve employee vigilance for security purposes through a “security behaviour change campaign”.

The above document suggests that to embed security, the following principles should be adhered to:

  • education of employees on the threats faced and about the part they can play in preventing them

  • endorsement in terms of having influential individuals in the organisation support the campaign (ie the voice of the campaign)

  • ease of adoption of the vigilant security behaviours

  • enforcement in terms of punitive measures for serious lapses in behaviour

  • evaluation of the campaign to determine its effectiveness.

In essence, education is about making employees aware of the threats that exist but also the measures the organisation has taken to counter the threats faced. The second aspect is to inform employees of the part they can play in maintaining security.

The CPNI suggests that the following should be included in the education.

  • The type of planning those with hostile intent will go through if preparing an attack.

  • The types of suspicious behaviour hostiles may adopt.

  • The behaviours by employees that could give the impression that the organisation is a “soft target”.

  • The behaviours employees can adopt to discourage hostiles.

  • How they can report something suspicious.

How the education is endorsed is important and should be given the appropriate level of gravitas commensurate with the risk levels. The right message, using the right media and delivered by the right person/s, is key to the success of any campaign.

To ensure behaviour change occurs, ease of adopting the vigilant behaviours required is important. For example, the CPNI makes reference to the fact that the simple “Can I help you?” engagement by employees is an excellent deterrent as it “conveys that staff are not only good at spotting people out of place but, critically, will do something about it”.

Of interest, the use of punitive measures against those who may lapse in their behaviour is not ruled out as a principle, with the CPNI stating that “security officers should be encouraged and supported to speak directly with individuals who are conveying the wrong message”.

The final principle, as with any other change process, is to evaluate its effectiveness, for example, through staff surveys, focus groups, observations, etc.

Running a campaign

Security behaviour change campaigns can fail to attract lasting commitment unless attitudes and beliefs are also engaged. In order to change behaviours, it is necessary to influence the attitudes. In order to influence attitudes, it is necessary to develop and establish beliefs.

As such, achieving change can be a subtle and lengthy process. If attitudes and beliefs in relation to security are poor, even the most carefully designed communication campaign may fail unless it is carefully planned by:

  • gaining the support of senior management and internal communications

  • instigating a team to deliver the campaign

  • developing the strategy to run the campaign

  • developing the project plan.

To be successful, the campaign will require the support and buy-in from senior management and will require them to “sign-off” that they accept the objectives and principles of the campaign and ensure adequate resources are provided.

According to the Chartered Institute of Personnel and Development (CIPD), good communication is “about sharing information, trusting people to interpret that information and listening to what people say”.

Developing and implementing a communications plan that tells employees what they need to know in a positive way about how to be vigilant and taking account of their views is central to the overall success of the campaign.

No one method of communication works effectively and, typically, a number of methods of communication can be used taking into account cultural, language and disability issues, etc. The secret is to have a few key messages that will underpin the whole campaign.

The purpose of the strategy is to set a clear framework for employee vigilance throughout the organisation and ensure that any specific objectives set by the organisation are implemented and met. In developing the strategy, there can be many factors to consider, not least:

  • existing staff behaviours (positive and negative)

  • current threat and security measure awareness

  • required vigilant behaviours

  • barriers to prevent these behaviours from being implemented.

The CPNI provides a useful template that may be adopted when developing the strategy and emphasises the need to build the principles detailed above into the strategy. It is also suggested that as well as vigilant behaviour, the education element may also include personal safety issues if employees are potentially targets themselves.

The final step is to develop the project plan, which it is suggested consists of three phases, these being:

  1. pre-launch to develop campaign materials, briefings and awareness events

  2. launch of the campaign when the key messages are communicated and reinforced during the launch period

  3. post-launch with a report of the outcomes and regular staff reminders.

Further information

Centre for the Protection of National Infrastructure: www.cpni.gov.uk.

  • Running a Staff Vigilance Campaign

  • Protecting Against Terrorism

British Standards Institution: www.bsigroup.com.

  • BS16000: Security management — Strategic and Operational Guidelines