dc.date.accessioned 2023-07-03T13:13:52Z
dc.date.available 2023-07-03T13:13:52Z
dc.date.issued 2023
dc.identifier.uri http://hdl.handle.net/10852/102575
dc.description.abstract The thesis investigates risk assessment and standardization by standard-setting organizations (SSOs), key governing practices in many societies today. It does so by studying the development of a security risk assessment approach into a Norwegian standard by the SSO Standards Norway (SN 5832:14). The first part investigates the institutionalisation of the standard as a policy process, while the second part investigates sensemaking by security professionals on questions of security risk assessment. The thesis asks how the establishment of the security risk assessment approach as a Norwegian standard can be accounted for. The study is exploratory, and takes an abductive, puzzle-driven approach. It combines data from 40 interviews with document analysis and fieldwork on five courses in risk assessment, security management, and standardization. The investigation of the standardization process utilises, but also develops, the multiple streams approach originally developed by Kingdon. Special attention is given to the characteristics of SSO standardization and its many ambiguities. The concept of “institutional deficit” is introduced, describing a potential mismatch between SSOs producing policy in a government-like institution, but where SSOs are not structured such that they manage to take responsibility for policies in a government-like way. The second part investigates security professionals’ sensemaking on risk assessment in a security context. It finds that the risk assessment approach presented in the standard (3FA) reflects many security professionals’ sensemaking, where the tension between protection and risk optimization is evident. The thesis also finds a perceived inconsistency across time between what is expected before and after an incident. Before, there is an expectation of analytical conduct and optimization, whereas afterwards, they expect a judgement of failure to protect, with blame as a potential outcome.
In summary, although the policy process was pivotal for the development of the standard, the standard also reflects struggles to combine contradictory risk logics in protective security management. en_US
dc.language.iso en en_US
dc.relation.haspart Paper 1. Heyerdahl, Anne. 2022. “Standardizing policy in a non-standard way – a public/private standardization process in Norway.” Submitted. To be published. The paper is not available in DUO awaiting publishing.
dc.relation.haspart Paper 2. Heyerdahl, Anne. 2022. “Risk Assessment without the Risk? A Controversy about Security and Risk in Norway.” Journal of Risk Research 25(2): 252–67. doi: 10.1080/13669877.2021.1936610. The article is included in the thesis. Also available at: https://doi.org/10.1080/13669877.2021.1936610
dc.relation.haspart Paper 3. Heyerdahl, Anne. 2022. “From Prescriptive Rules to Responsible Organisations – Making Sense of Risk in Protective Security Management – a Study from Norway.” European Security 0(0): 1–23. doi: 10.1080/09662839.2022.2070006. The article is included in the thesis. Also available at: https://doi.org/10.1080/09662839.2022.2070006
dc.relation.uri https://doi.org/10.1080/13669877.2021.1936610
dc.relation.uri https://doi.org/10.1080/09662839.2022.2070006
dc.title Planning for (Not) Taking Risk - The Creation of a Security Risk Assessment Standard in Norway en_US
dc.type Doctoral thesis en_US
dc.creator.author Heyerdahl, Anne
dc.type.document Doktoravhandling en_US