Abstract:
There is increasing interest from regulators and government departments concerned with enhancing security in organisational culture, more specifically the notion of security culture. Recent research conducted by QinetiQ has demonstrated that the security system, however sophisticated the screening technology, can be significantly influenced by the attitudes and behaviour of personnel and the supporting security policies. Culture is essentially a "set of common understandings, expressed in language" [1], or "shared patterns of meaning" [2], or "shared values and beliefs that interact with an organisation's structures and control systems to produce behavioural norms" [3]. Culture is of interest in a security context if it can be proven to affect security outcomes. Substantial evidence supports this notion; for example, Kotter and Heskett [4] found that culture was a predictor of business outcomes such as revenue and workforce growth. Although specific research on security culture has been limited, it has been suggested that relationships exist between security culture and organisational security metrics (for example security breaches). Understanding and then enhancing the security culture within organisations where security is a critical success factor is likely to lead to those organisations being better able to achieve their primary goals and maintain their reputation. QinetiQ was commissioned to conduct research to explore and define the notion of security culture in a range of organisations. These organisations were grouped in terms of having common, primary threats: those providing safety critical products or services (for example energy, chemical, food, water); those dealing with people and crowded places (for example airports and transport networks); and those at risk of fraud, theft, or espionage (for example finance).
A literature review revealed that: there is no accepted, practical definition of security culture; there is no accepted way of measuring security culture that can be used outside narrow domains (for example the nuclear industry) to compare culture across organisations; research into how security culture can be engendered and enhanced is narrowly focused on specific aspects of culture; and there is a lack of research relating security culture to organisational performance. Qualitative research was conducted to explore what security culture means. Three main techniques were used in the gathering of qualitative data. These were: the Twenty Statements Test (TST) [5], repertory grids technique [6], and critical incidents technique [7]. The analysis of the data gathered by these techniques yielded nine categories or themes relating to security culture. The themes, listed below, could support the creation of an item bank for the development and trialling of the security culture audit tool. The themes demonstrate the content of security culture: what is contained within it. The emergent themes are: 1 External Influences; 2 Human Resource Activities; 3 Impact on Business; 4 Infrastructure; 5 Information Security; 6 Management; 7 Organisational Staff; 9 Physical Security; 10 Working with External Others. As a result of this work a working definition of security culture has been derived, and is stated as: "Security culture is indicated in the assumptions, values, attitudes and beliefs, held by members of an organisation, and behaviours they perform, which could potentially impact on the security of that organisation, and that may, or may not, have an explicit, known, link to that impact". This paper will suggest implications of these findings for Aviation Security. Some aspects of an organisation's security culture have evolved as a logical response to security threats, and are espoused by the management of the organisation.
These manifest themselves in the security practices and policies of the organisation, the level of compliance with, and understanding of, those practices and policies, and the acknowledgement
Keywords:
organisational aspects; security of data; QinetiQ; general organisational culture; organisational security metrics; screening technology; security culture; security system; Air safety; Chemical products; Control systems; Data security; Government; Information security; Organizational aspects; Personnel; Product safety; Regulators;