5.1 Introduction

On 16 January 2013, the largest terrorist attack in the history of the oil and gas industry occurred at the Algerian oil facility in In Amenas; 32 heavily armed terrorists attacked the operation site, where almost 800 workers were present. Many were taken hostage in a siege that lasted four days in the middle of the Algerian desert. Terrorists killed 40 people from 10 countries, including five Statoil employees.

In the aftermath, Statoil appointed a commission to determine the relevant chain of events in the attack and to enable Statoil to improve their security, risk assessment, and emergency preparedness. The investigation report concluded that Statoil had established a security risk management system, but the company’s overall capability and culture needed strengthening in order to respond to security risks associated with volatile and complex environments. The report described security culture as one important explanatory factor behind the attack’s outcome and an important tool for improving security [10].

For many companies, malicious threats such as terrorism constitute a new setting. The management of such threats is often referred to as “security”, in contrast to “safety”, which refers to the management of risks not committed by actors with an intention to harm [6]. Along with the new responsibility for security in the private sector, new management concepts and tools aimed at guiding organizations in fulfilling this role have emerged, such as security risk management systems, security risk analysis, and security culture. The common denominator of these concepts is that they all have their counterpart in safety management, and are now being adopted and applied to the security domain. However, transferring concepts to a new area is not necessarily unproblematic. Compared to safety, security is a relatively new academic field, and “security culture” is a term seldom found in the literature [5]. Nonetheless, the recommendation of Statoil’s investigation report after the In Amenas attack has led to a heightened focus on security culture in the petroleum sector. According to a 2015 study, half of the Norwegian petroleum companies included in the sample actively applied security culture as a means of security improvement [7].

Both safety and security are elements of organizational culture, so how should organizations relate to this new concept of security culture? This chapter explores the adequacy of the concept of security culture. What relationship exists between safety culture and security culture, and should these phenomena be considered as a duality or separate? The adequacy of security culture is discussed in terms of how the concept is used in the In Amenas investigation report. The criteria of conceptual goodness proposed by Gerring [2] are applied to the concept adequacy of security culture.

5.2 Distinctions Between Safety and Security

If security culture should be seen as distinct from safety culture, there is a need to investigate the content of the safety and security domains as well as the interfaces between them. In everyday use, the words “safety” and “security” invoke associations of freedom from threats and harm. Despite often being treated as synonymous, the two concepts also have diverse meanings. Frequently, the concepts are utilized to distinguish between the management of hazards from non-malicious intent (safety) and the management of threats stemming from rational humans with a malicious intent, such as sabotage, hacking, or terrorism (security) [6].

It is malicious intent that distinguishes safety from security, and not intentionality because intentionality also plays a part in safety. The literature on organizational safety has long acknowledged that accidents are neither arbitrary nor random but rather a result of insufficient resources, organization, and planning. According to these perspectives, human intent sometimes plays a role in causing accidents, and organizations should design robust measures that take into account the fact that workers sometimes intentionally diverge from standard procedures. This implies that criminal activity is not just related to security. Safety also includes rational actors that deliberately disobey rules by abusing drugs, for example, or not using safety equipment. Thus, neither intentionality nor crime is sufficient to distinguish safety from security. The difference then should be the malicious intent of the actor who actually plans to cause harm.

In contrast to safety, security is often jeopardized by external threats that most often are beyond the capability of organizations to fully know and handle. Moreover, such risks are not linked as directly to the economic profit and production system as safety risks. This means that, even though a company may have an optimal security culture, it can still be the target of a terrorist attack and experience major damage. Since a hostage crisis or terrorist attack is an extremely low-probability security event—is it really meaningful to apply the concept of culture to such extreme events in the same way as for safety?

5.3 The Investigation Report’s Account of Security Culture

Statoil’s investigation report concluded that Statoil had not developed a culture in which it was generally recognized that security was the shared responsibility of all and that a holistic approach to the management of security was lacking. Security was neither established as a corporate function independent of safety nor recognized for its distinctive characteristics. Furthermore, the commission claimed that, along with a lack of management commitment, security was generally not well understood throughout the organization. Thus, the ability to understand and respond to changes in the environment was characteristic of companies with a strong security culture, which would share the following characteristics (Table 5.1).

Table 5.1 Characteristics of a strong security culture [10]

The way the commission uses the concept of security culture and their recommendations correspond with current understandings of how a security culture should be achieved. However, the recommendation to build a security culture distinct from safety might be more problematic than it seems. If organizations should put resources into building a strong security culture, such programs should be based on a scientific foundation. So how does the concept of security culture stand up to scientific scrutiny?

5.4 Conceptual Adequacy of Security Culture

According to Gerring [2], concepts are critical to the functioning and evolution of science. He argues that conceptual adequacy should be perceived as an attempt to respond to the criteria delineated in Table 5.2.

Table 5.2 Criteria of conceptual adequacy based on Gerring [2]

5.5 Familiarity and Resonance

Security today incorporates more than just technical solutions and physical protection; it entails the management of threats from rational, strategic actors. Thus, a component that involves perception, shared understanding, and management of threats seems like a favorable contribution to the field. For this reason, the concept of security culture appears to be a promising tool for enhancing corporate security.

The degree to which a new concept “makes sense, or is intuitively” clear depends critically upon the degree to which it conforms, or clashes, with established usage in everyday language and within a specialized language community [2]. Safety culture is a well-established concept familiar to laypeople, professionals, and academics. Statoil’s investigation report described security culture as a common set of beliefs, attitudes, practices, and behaviors perceived, internalized, and shared across geographic units and levels [10]. This definition corresponds to how organizational culture, safety culture, and security culture are often defined [5].

The term “safety culture” was first used as an explanatory factor in the investigation following the Chernobyl accident in 1986 [1]. Since then, the phenomenon of safety culture has been regarded as being crucial for preventing accidents in multiple sectors. Although the term and methods of measuring and achieving it remain contested, the concept is widely accepted and applied as a contributing factor to the safety of organizations [4]. By drawing on the connotations of this well-established concept, the concept of security culture suggests that security can also be achieved by applying the same tools. Thus, the concept of security culture is familiar and resonates well.

5.6 Parsimony, Coherence, Differentiation, and Depth

Even though the investigation report’s definition, understanding, and recommendations on security culture align with existing theoretical perspectives in the field, the concept is new to the academic literature. The literature on security culture is minor compared to the enormous amount of research and diverse perspectives on safety culture, and is mainly developed within the nuclear, chemical, and aviation industries, building on existing theories in safety culture research. With a few exceptions, little has been written on how to achieve optimal security culture. Consequently, security culture lacks clear indicators or attributes, is poorly defined and operationalized, and lacks research linking security to organizational performance [8].

Existing definitions of security culture are tied to a specific sector, and often to a specific threat. Most of the literature that uses the term deals with information security, and not sabotage or terrorism. Thus, the literature does not take into account the polysemy of the security field. This means that security culture is not an overarching phenomenon that covers all possible security threats. Although all security threats are a crime, their modus operandi, target selection, and motivation differ widely and need to be addressed in very different ways.

Perhaps the greatest challenge with the term “security culture” is how it relates to and differentiates from similar terms such as “organizational culture” and “safety culture”. The majority of the academic literature that uses the term argues for a holistic perspective and claims that it should be seen as an integrated part of safety culture. When attributes of security culture are defined, they are often described in the same manner as safety culture, and the specific characteristics of security are not considered. This makes it hard to differentiate the concepts from each other, both theoretically and practically. Theoretical perspectives that deal with security culture do not account for the relationships between organizational, safety, and security cultures and do not answer the fundamental questions of whether security culture is a subculture of a safety or organizational culture and what relationship exists between them.

For companies in the petroleum industry, the distinctions and overlaps between safety and security culture are of real consequence. According to the Norwegian Petroleum Framework Regulation, companies are obliged to build a safety culture ([11], Sect. 15). If security culture is seen as a subculture of safety culture, this implies that companies are also legally obligated to build a security culture.

5.7 Theoretical and Field Utility

Concepts are the building blocks of all theoretical structures, and the formation of many concepts is legitimately theory-driven. How is the concept of security situated within the broader science of security? The security field, with a few exceptions, lacks theories on organizational security, and most of its literature covers normative theories on how to achieve security without building on research because security has traditionally been connected to the Military and the Police and this been considered classified material. The concept of security culture is seldom used, and the academic literature that outlines the core elements of security science does not mention security culture [9]. Consequently, no studies describe how to establish a security culture and how security culture should be situated within the broader context of cooperate security. Thus, security culture could be a promising contribution to the literature since security science has been turning toward softer measures such as awareness, mindfulness, and resilience. A concept such as security culture could thus function as a uniting concept for how to conduct corporate security management. However, for the concept to be useful in theory formation, there is a need for both theoretical developments based on empirical studies about the role of security culture and how security culture affects security in organizations.

To enhance theoretical development, it is important to establish relationships with neighboring terms, such as safety culture. When the definitions heavily overlap, phenomena become hard to distinguish, and the newer literature attempting to operationalize the concept uses the same descriptions, attributes, and indicators [12]. Thus, there is a need to articulate the overlaps and boundaries of the concepts. Additionally, it is necessary to investigate whether a good safety culture is a prerequisite for a good security culture, and vice versa.

In practical reality, every organization has a culture (or series of subcultures) that can be expected to impact safety and security. However, it is not necessarily beneficial to simply transfer theories and concepts from the field of safety to that of security. Many aspects of the term’s usage are not directly transferable to a security context. What does, for example, a “just culture” mean in the context of security when the attacker has malicious intent? This affects the possibility of transparency and openness outside trusted communities.

The investigation report states that Statoil should have a culture where every employee is dedicated to security, but is this possible or even desirable? Does a security culture mean being suspicious of colleagues and others, and is mistrust not counter to the creation of a safety culture? Detection and learning from weak signals is also problematic when perpetrators are strategic and uninterested in revealing their plans.

Theoretical discussions are often arcane and best kept within scholarly communities; however, the adequacy of the security culture concept has relevance for practical corporate security because security culture is currently not only a theoretical term but also a pragmatic tool implemented in multiple petroleum companies after the publication of the In Amenas investigation report. A study examining Norwegian petroleum companies’ usage of the term concluded that although half of the companies in the study used the term, that usage did not seem to directly influence how these organizations organized their security system. The companies that rejected the security culture concept claimed this rejection was due to the difficulty of separating security from safety culture [7]. Thus, there is a practical need for security culture to be operationalized. However, we already know from safety research that a culture in an organizational context covers almost everything an organization does; thus, it becomes hard to measure the culture’s impact on safety [3]. This also applies to security culture. In safety research, there is also a discussion of the relationship between culture and what is actually done in the organizations. The fact that the concept of safety culture is contested makes the transfer of perspectives from the safety to the security realm difficult.

5.8 Conclusions

There is undoubtedly a need for the concept of security culture in today’s threat landscape. In complex and volatile environments, such as In Amenas, companies should implement systems that generate awareness of external threats and provide ways to handle them. For such threats, clear tactical warnings with specific information on where, when, and how a potential adversary may attack will seldom occur. This means that organizations should strive to build resilience against multiple threats, including low-probability security scenarios. These are all arguments for building a strong organizational culture with a collective security mindfulness that seeks out weak signals and strives for resilience.

Although the concept of security culture might superficially seem like a promising trajectory, the operationalization and demarcation of the concept of safety culture are so imprecise that the use of the concept may be counterproductive. However, the same can be said about the concept of safety culture, so this is not an argument for rejecting the concept.

From a practical point of view, an organization needs to deal with both safety and security risks; both influence the organizational culture. Thus, from a practical perspective, there is a need to see these concepts as a duality and not as separate phenomena. Security threats have different dynamics than safety risks, and thus security is often neglected in organizations. This is the advantage of the concept of security culture: it makes security a priority and shared responsibility.

As digitalization across industries increases and more digital assets connect to the Internet, organizations will have to increase their focus on security threats where the cultural component will play an important role, since technical solutions will be insufficient. Thus, given the increased focus on security threats in organizations today, there is a need to further develop security culture as a theoretical and practical element. Consequently, security culture could be a promising addition to the existing literature because security science is turning toward softer measures such as awareness, mindfulness, and resilience—all of which are important components of security culture.