Abstract
The thesis investigates risk assessment and standardization by standard-setting organizations (SSOs), key governing practices in many societies today. It does so by studying the development of a security risk assessment approach into a Norwegian standard by the SSO Standards Norway (SN 5832:14). The first part investigates the institutionalisation of the standard as a policy process, while the second part investigates sensemaking by security professionals on questions of security risk assessment. The thesis asks how the establishment of the security risk assessment approach as a Norwegian standard can be accounted for. The study is exploratory and takes an abductive, puzzle-driven approach. It combines data from 40 interviews with document analysis and fieldwork on five courses in risk assessment, security management, and standardization.
The investigation of the standardization process utilises, but also develops, the multiple streams approach originally developed by Kingdon. Special attention is given to the characteristics of SSO standardization and its many ambiguities. The concept of "institutional deficit" is introduced to describe a potential mismatch: SSOs produce policy in a government-like manner, but are not structured such that they can take responsibility for that policy in a government-like way.
The second part investigates security professionals' sensemaking on risk assessment in a security context. It finds that the risk assessment approach presented in the standard (3FA) reflects many security professionals' sensemaking, in which the tension between protection and risk optimization is evident. The thesis also finds a perceived inconsistency across time between what is expected before and after an incident. Before an incident, there is an expectation of analytical conduct and optimization; afterwards, security professionals expect a judgement of failure to protect, with blame as a potential outcome.
In summary, although the policy process was pivotal for the development of the standard, the standard also reflects struggles to combine contradictory risk logics in protective security management.