Page 33 - the SyI Quarterly
P. 33
Institute Community
Security Community
“When it’s okay to The study also showed that anomalous workplace behaviours have often been seen to be pre-cursors for
welfare issues.
The ‘It’s OK to Say’ programme has been designed to help staff identify behaviours that strike them as
unusual or concerning and to encourage them to take appropriate action, to trust their instincts rather
than just ‘shrugging’ them off. These behaviours will display as acts that are suspicious, unauthorised or
suggest an individual’s vulnerability.
speak up” - By CPNI
CPNI have worked with specialist academics to create a framework for embedding good security behaviour
change. This framework is known as the 5Es and underpins all of the CPNI security behaviour change
campaigns, including ‘It’s Ok To Say’. The 5Es framework recognises that to embed change you must:
Educate why – Education is crucial to encourage staff reporting. Staff need to understand the insider threat
““Oh, I’m sure it’s nothing to worry about.” – that it can happen and have serious consequences to both staff and the organisation.
How often have you said this in your everyday life? Perhaps you have said it in your workplace, when
something is out of place, or someone has behaved or acted in an unusual way? You may have also said to Enable how – Explain the vital part staff can play in mitigating the insider threat by their actions and
yourself “I won’t say anything as I don’t want to cause a fuss and get someone into trouble” or “I don’t know behaviour. The organisation should communicate what unusual and suspicious behaviour looks like and
who to say it to”. develop the right skills to enable staff to identify and report it.
It’s normal to feel like “it’s nothing to worry about”; many believe their colleagues wouldn’t be doing Shape the Environment – Create a physical environment that makes staff intervention and reporting easy.
something wrong. However, identifying and reporting anomalous workplace behaviours is something that Establish the social environment by making any good security behaviour the ‘norm’. Give people permission
can pay dividends in terms of positive improved security and staff welfare. to trust their instincts and intervene where they feel something is not quite right.
Unfortunately global events like the pandemic and cost of living crisis have meant that many businesses Encourage the action – Behaviour change can only occur if the organisation is seen to reward good
have, understandably, been distracted from focusing on security, thereby increasing risk of ‘insider’ activity behaviour. This does not necessarily mean in material terms. It is about recognising and reinforcing the
and the need for people to speak up in their workplace. behaviour and culture you want to encourage.
The Centre for the Protection of National Infrastructure (CPNI) - as the UK’s National Technical Authority Evaluation – When running a security behavioural change campaign, it is important to know if it is working.
for physical and personnel security - has just refreshed the ‘It’s Ok to Say’ programme which promotes Processes should be put in place to enable a consistent, fair and thorough investigative process which will
‘speaking’ up in an ethical way. allow for good metrics as to the effectiveness of the programme.
As part of its role to protect national security and help reduce the vulnerability of the UK from terrorism The ‘It’s Ok To Say’ programme has been developed based on in-depth end-user research with large
and foreign state threats, CPNI has conducted a large data study looking closely at over 100 individual organisations across the UK’s critical national infrastructure. Workforces were asked what prevented
insider cases. Comprising cases from public and private sector organisations, the aim of the study was them from reporting concerns and what would encourage them to do so. Working with creative and
to understand more about these ‘insiders’ and their behaviours: before they acted, during their activity communications experts, a suite of materials was designed to help organisations implement the ‘It’s OK
and afterwards. A key finding of the study was lack of intervention when counter-productive or unusual to Say’ behavioural change programme. These materials have recently been refreshed and are all free to
workplace behaviours were observed by other employees. Typically two or three people close to the insider download on the CPNI website and include:
observed a change in behaviour and yet, for a variety of reasons, did not report it.
• A short introductory Overview of the programme;
• Detailed guidance outlining how to run the programme;
• A new short video illustrating both welfare concerns and security behaviours that should be
reported;
• Training slides and short video clips designed to encourage discussion of the topic;
• Two 15 second clips for use on intranets to promote an internal ‘It’s Ok To Say’ programme.
• It’s Ok to Say’ animated film presenting the behaviours in a light-hearted fashion and
encouraging ‘action’;
• Selection of posters and reminder cards using the ‘It’s Ok to Say’ and ‘Trust Your Instincts’
taglines and a template for organisations to provide their own reporting options;
• Advice and guidance on how to evaluate the outcome of running the programme.
These materials can be branded with an individual organisation’s logo to make them more relevant to a
specific workplace.
Speaking up has never been more important. The philosophy underpinning this work is that it is beneficial
to establish a work environment in which people take personal responsibility for contributing to security
through their everyday activities and interactions in the workplace. As a result of the pandemic many
organisations are embracing remote or hybrid working arrangements, so the drive to educate staff and line
managers about the continuing need to report concerns is more important than ever both from a welfare
and security perspective.
To see the new video, go to:
https://www.cpni.gov.uk/security-campaigns/it’s-ok-say
33
