Incident Response is the process of responding to and handling ICT security-related incidents involving infrastructure and data. This has traditionally been a reactive approach, focusing mainly on technical issues. In this paper we present the Incident Response Management (IRMA) method, which combines traditional incident response with pro-active learning and socio-technical perspectives. The IRMA method is targeted at integrated operations within the oil and gas industry.
Purpose - The purpose of this paper is to measure and discuss the effects of an e-learning tool aiming at improving the information security knowledge, awareness, and behaviour of employees. Design/methodology/approach - The intervention study has a pre- and post-assessment of knowledge and attitudes among employees. In total, 1,897 employees responded to a survey before and after the intervention. The population is divided into an intervention group and a control group, where the only thing that separates the groups is participation in the intervention (i.e. the e-learning tool). Findings - The study documents significant short-time improvements in security knowledge, awareness, and behavior of members of the intervention group. Research limitations/implications - The study looks at short-time effects of the intervention. The paper has done a follow-up study of the long-term effects, which is also submitted to Information Management & Computer Security. Practical implications - The study can document that software that supports Information Security Awareness programs has a short-time effect on employees' knowledge, behaviour, and awareness; more intervention studies, following the same principles as presented in this paper, of other user-directed measures are needed, to test and document the effects of different measures. Originality/value - The paper is innovative in the area of information security research as it shows how the effects of an information security intervention can be measured.
These proceedings document the various presentations at the Fourth Resilience Engineering Symposium held on June 8-10, 2011, in Sophia-Antipolis, France. The Symposium gathered participants from five continents and provided them with a forum to exchange experiences and problems, and to learn about Resilience Engineering from the latest scientific achievements to recent practical applications. The First Resilience Engineering Symposium was held in Söderköping, Sweden, on October 25-29 2004. The Second Resilience Engineering Symposium was held in Juan-les-Pins, France, on November 8-10 2006. The Third Resilience Engineering Symposium was held in Juan-les-Pins, France, on October 28-30 2008. Since the first Symposium, resilience engineering has fast become recognised as a valuable complement to the established approaches to safety. Both industry and academia have recognised that resilience engineering offers a valuable conceptual and practical basis that can be used to attack the problems of interconnectedness and intractability of complex socio-technical systems. The concepts and principles of resilience engineering have been tested and refined by applications in such fields as air traffic management, offshore production, patient safety, and commercial fishing. Continued work has also made it clear that resilience is neither limited to handling threats and disturbances, nor confined to situations where something can go wrong. Today, resilience is understood as the intrinsic ability of a system to adjust its functioning prior to, during, or following changes and disturbances, so that it can sustain required operations under both expected and unexpected conditions. This definition emphasizes the ability to continue functioning, rather than simply to react and recover from disturbances, and the ability to deal with diverse conditions of functioning, expected as well as unexpected.
For anyone who is interested in learning more about Resilience Engineering, the books published in the Ashgate Studies in Resilience Engineering provide an excellent starting point. Another sign that Resilience Engineering is coming of age is the establishment of the Resilience Engineering Association. The goal of this association is to provide a forum for coordination and exchange of experiences, by bringing together researchers and professionals working in the Resilience Engineering domain and organisations applying or willing to apply Resilience Engineering principles in their operations. The Resilience Engineering Association held its first General Assembly during the Fourth Symposium, and will in the future play an active role in the organisation of symposia and other activities related to Resilience Engineering.
This conclusion presents some closing thoughts on the concepts covered in the preceding chapters of this book. The book documents an Integrated Operations scenario that provided the basis for a comparison of two approaches to risk assessment. It approaches the problem described in the scenario from a quantitative risk assessment perspective. The main operational messages are: risk can be assessed by expressing uncertainty regarding the occurrence and severity of events; risk must also include such dimensions as the level of dialogue between stakeholders, the assessor’s understanding of the system being assessed and the performance of the verification process. The book then tackles the problem described in the scenario, but from a Resilience Engineering perspective. The main operational message is: in terms of safety management, Resilience Engineering is about the performance of system functions that allow it to be safe; reducing and coping with risk is a normal side effect of a resilient system.
This chapter seeks to help risk managers to identify potential applications. It provides high-level recommendations about how to handle risk assessment in Integrated Operations. Risk assessment is deeply rooted in the offshore oil and gas industry’s loss prevention practices. In the traditional risk assessment, risk is typically understood as a combination of the consequences of an event and the likelihood of occurrence. Although Jorn Vatn bases his approach on the steps described in the International Organization for Standardization, his definition of risk is different. He argues that risk describes uncertainty about the occurrence and severity of events. This contrasts with many other interpretations, in which risk is seen as an inherent property of the system. Four abilities of a resilient system (responding, monitoring, learning and anticipating) are used as a framework to identify the indirect risks in safety management. Uncertainty-based risk assessment involves the structuring and modelling of knowledge about future events and related uncertainties.
This conclusion presents some closing thoughts on the concepts covered in the preceding chapters of this book. Section two of the book discusses the usefulness of risk analysis, taking the Deepwater Horizon accident and the Gullfaks C incident as examples. The main operational message is that Integrated Operations (IO)-based solutions may improve the usefulness of risk analysis by providing access to onshore expert centres and more up-to-date risk analyses. The book then presents a human–machine interaction assessment method for IO-based solutions to improve drilling and well operations. It documents the use of the Resilience Analysis Grid for Integrated Planning. The book also outlines the use of the Functional Resonance Analysis Method to analyse unwanted consequences related to modifications to oil and gas installations. It then discusses the IO Maintenance and modification Planner tool, designed to contribute to safer decision-making in collaborative environments. This tool facilitates hazard identification by means of visualization using shared collaboration surfaces.
This conclusion presents some closing thoughts on the concepts covered in the preceding chapters of this book. Section one of the book explains what Integrated Operations (IO) is. The main operational messages are: adequate IO-based solutions can improve risk management; inadequate IO-based solutions can increase the risk of major accidents. There have been inadequacies in IO-related solutions in recent major incidents in the industry. The book then carries out fieldwork in the oil and gas domain and outlines the development of a human factors’ checklist for risk assessment. The main operational messages are: the introduction of IO generates several challenges in terms of human and organizational factors; if the checklist is intended to cover organizational aspects of risk management, it must focus on latent conditions. The book also addresses complexity in safety-critical systems from a theoretical perspective. The main operational message is that IO refers to a class of socio-technical systems so complex that their behaviour cannot always be predicted.
Introduction and Overview Albrechtsen, Eirik; Besnard, Denis
Oil and Gas, Technology and Humans,
2013
Book Chapter
This introduction presents an overview of the key concepts discussed in the subsequent chapters of this book. The book provides a variety of perspectives related to decision support for the prevention of major accidents. It discusses risk processing and its role in the acquisition of safety-related knowledge. The book focuses on human–machine interactions in remotely-operated drilling operations and describes the deployment of a risk assessment method, from the theoretical building blocks to its production and use. It also describes the implementation of a functional resonance risk assessment method that was used to assess the impact of variability in the planning of oil and gas production activities. With this method the risk assessment exercise could be carried out at organizational level. The book shows how qualitative factors such as communication between stakeholders, understanding of assumptions, and verification can be integrated into a quantitative assessment and also provides an alternative, resilience-based analysis method.
Resilient abilities among actors in complex collaboration make it possible to succeed in drilling wells in complicated reservoirs. However, the last decade has shown that drilling operations can lead to disastrous outcomes. From a resilience engineering perspective we study the blowouts at Deepwater Horizon and Snorre A, to see how poor resilient abilities contributed to the incidents. The study shows that combinations of poor resilient abilities contributed to both incidents. Abilities to anticipate what can go wrong and abilities to monitor what is going on in present time have in particular been inadequate. Poor planning processes and communication among involved actors in particular impacted resilience.